Forcing Two-Factor Authentication for WordPress Admins Using a Lightweight Custom Plugin

When you care about security, user experience and maintainability, the question of enforcing two-factor authentication (2FA) for certain WordPress roles eventually comes up. In my case, I wanted to force 2FA for the admin role without installing a bloated security suite or an all-in-one plugin that adds dozens of features I’ll never use.

My requirement was simple:
Use the official Two-Factor plugin maintained by WordPress core contributors, and add a clean, minimal layer on top that enforces 2FA for administrators only. Unfortunately, while the Two-Factor plugin provides a fantastic foundation, it lacks any built-in UI for 2FA enforcement. That means no role-based rules, no policies and no way to require 2FA for admins out of the box.

So I built a small plugin that does exactly that: 2FA Enforcer

Why the official “Two-Factor” plugin is the right base

The Two-Factor plugin on wordpress.org is clean, simple and maintained by trusted WordPress developers. It doesn’t add security scanners, firewall rules, marketing popups, dashboards or any of the extra clutter that many security plugins bring along.

It does one thing:
Provide reliable two-factor authentication methods like TOTP, e-mail codes, and WebAuthn/U2F.

It’s also used internally for experimentation with future WordPress core features — so it stays in great shape.

The downside:
It doesn’t offer any way to enforce 2FA for specific roles.

That’s where my plugin comes in.

A small, focused plugin: “2FA Enforcer”

I created 2FA Enforcer as a purpose-built companion plugin for the official Two-Factor plugin. It doesn’t replace it — instead, it extends it with one specific feature:

Require Two-Factor Authentication for administrator users – or more specifically for users who have the manage_options capability.

That’s all it does.
No settings pages.
No overhead.
No extra features you don’t need.

If an administrator hasn’t set up 2FA yet, the plugin blocks their login attempt and informs them that 2FA is required. Other roles can log in normally. So make sure you have set up 2FA in some way before activating my plugin – otherwise you will lock yourself out… If that happens you can still disable my plugin by deleting it via FTP or renaming it – but you have been warned.

The plugin also checks whether the official Two-Factor plugin is active. If not, it displays a clear notice in the WordPress admin and gracefully disables itself to avoid any errors.

Why enforce 2FA for admins?

Admins can do everything, so a compromised admin account is about the worst case there is, because it can be used to:

  • alter site settings
  • install malicious plugins
  • inject code
  • change passwords
  • deface pages
  • steal user data

If you require 2FA anywhere, it’s for this role.

How it works (in short)

The plugin hooks into WordPress’ authentication flow and checks two things:

  1. Is the Two-Factor plugin installed and active?
  2. Is the user logging in an administrator?

If both are true, it checks whether the user has 2FA enabled via the Two-Factor plugin. If not, login stops immediately. It’s a simple and effective approach that keeps your WordPress installation secure without clutter.
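The logic described above, as an added illustrative example and not the actual 2FA Enforcer source: a minimal plugin file that checks the Two-Factor dependency on admin_init and hooks the authenticate filter after WordPress has verified the password. The tfe_ function names and notice text are my own; it assumes the Two-Factor plugin's Two_Factor_Core::is_user_using_two_factor() helper is available.

```php
<?php
/**
 * Plugin Name: 2FA Enforcer (illustrative example)
 * Description: Require Two-Factor for users with manage_options.
 */

// Abort if loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Deactivate ourselves with a notice when the Two-Factor plugin
 * is not active (its core class is not loaded).
 */
function tfe_check_dependency() {
    if ( class_exists( 'Two_Factor_Core' ) ) {
        return;
    }
    add_action( 'admin_notices', function () {
        echo '<div class="notice notice-error"><p>'
            . esc_html__( '2FA Enforcer requires the Two-Factor plugin and has been deactivated.', 'tfe' )
            . '</p></div>';
    } );
    deactivate_plugins( plugin_basename( __FILE__ ) );
}
add_action( 'admin_init', 'tfe_check_dependency' );

/**
 * Runs after WordPress has verified the password (priority 20),
 * so $user is a WP_User for valid credentials. Blocks users who
 * can manage_options but have not enabled any 2FA provider.
 */
function tfe_require_two_factor( $user, $username, $password ) {
    if ( ! ( $user instanceof WP_User ) || ! class_exists( 'Two_Factor_Core' ) ) {
        return $user; // Not authenticated yet, or dependency missing (plugin disables itself).
    }
    if ( ! user_can( $user, 'manage_options' ) ) {
        return $user; // Other roles log in normally.
    }
    if ( Two_Factor_Core::is_user_using_two_factor( $user->ID ) ) {
        return $user; // 2FA is configured; Two-Factor handles the challenge itself.
    }
    return new WP_Error(
        'tfe_two_factor_required',
        __( 'Two-factor authentication is required for administrator accounts. Enable it before logging in.', 'tfe' )
    );
}
add_filter( 'authenticate', 'tfe_require_two_factor', 30, 3 );
```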

Future plans: role selection and policy control

I’m planning to add these features sometime in the future:

  • a small settings page
  • role-based 2FA enforcement
  • optional grace periods
  • per-role provider restrictions

But for now 2FA Enforcer does exactly what it should — it provides a clean way to force 2FA for the admin role when using the “official” Two-Factor plugin.

Conclusion

If you want a lightweight way to improve your WordPress security without adopting an overly complex plugin ecosystem, combining the official Two-Factor plugin with my 2FA Enforcer extension is an elegant solution.

It uses only what’s needed, stays maintainable and ensures your admin accounts are properly protected.