Admins log in with password only, no 2FA.
Single-factor login on WordPress is a risk. Plugins like Wordfence Login Security, Two Factor or WP 2FA add TOTP in five minutes.
Try this first
1. Pick a 2FA plugin: Wordfence Login Security (free), Two Factor (from Plugin Contributors, free) or WP 2FA. All work with Google Authenticator or Authy.
2. Make it mandatory for all admin roles. Give users a week to set it up; after that, no access without it.
3. Document recovery codes. Lost phone means lost access; storing recovery codes in a password manager is mandatory.
4. Test on your own account first before forcing it on other admins. Nothing worse than locking yourself and the team out.
5. Combine with strong passwords via a password manager. 2FA on a weak password is still a risk under phishing.
6. For low-risk roles (authors, editors) make 2FA optional or recommended, not mandatory. Friction should match risk.
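
To check the mandatory-for-admins step once the setup week is over, this added example (not from the original page or from any plugin's documentation) lists administrators who have no 2FA provider enrolled. It assumes WP-CLI is installed and that the Two Factor plugin is the one chosen; `_two_factor_enabled_providers` is that plugin's user-meta key, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: find administrators with no enrolled 2FA provider.
# Assumptions: WP-CLI ("wp") is on PATH and is run from the WordPress root;
# the Two Factor plugin is in use. META_KEY is that plugin's user-meta key
# for enabled providers. Other plugins store their state elsewhere, so
# override META_KEY (or adapt the check) for them.
META_KEY="${META_KEY:-_two_factor_enabled_providers}"

# Print one login per line for every user in role $1 without 2FA.
users_without_2fa() {
    role="$1"
    wp user list --role="$role" --field=user_login | while IFS= read -r login; do
        [ -n "$login" ] || continue
        # A missing key makes wp exit non-zero; treat that as "not enrolled".
        # stdin is redirected so wp cannot swallow the rest of the user list.
        providers=$(wp user meta get "$login" "$META_KEY" --format=json \
            2>/dev/null </dev/null || true)
        case "$providers" in
            ''|'[]'|'""'|'false'|'null') printf '%s\n' "$login" ;;
        esac
    done
}

# Return 0 only when every administrator has 2FA enrolled, so the
# function can gate a cron job or a deployment check.
audit_admins() {
    missing=$(users_without_2fa administrator)
    if [ -n "$missing" ]; then
        printf 'Administrators without 2FA:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}
```

Source the file and run `audit_admins`; run `users_without_2fa editor` to see how far optional enrollment has spread among low-risk roles.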
When to bring us in
Handle customer data, finance, healthcare or government clients? Beyond 2FA, SSO (Microsoft Entra ID, Google Workspace) is sensible. That moves you toward WP SAML or Auth0.
See also
- WordPress, plugins and theme have gone 6+ months without updates: Out-of-date WP is the number-one entry for malware. Don't just hit 'update all', back up first.
- Theme update broke the layout or threw a fatal error: Themes overwrite custom CSS on update unless you use a child theme.
- WordPress shows a blank screen after a plugin install or update: WSOD (white screen of death) is usually one crashing plugin. You isolate it.