Мазмунга өтүү
WordPress.org

Кыргызча

  • Темалар
  • Плагиндер
  • Биз тууралуу
  • Байланыш
  • WordPress'ти жүктөп алыңыз
WordPress'ти жүктөп алыңыз
WordPress.org

Plugin Directory

LoginArmor – Email 2FA

  • Submit a plugin
  • My favorites
  • Кирүү
  • Submit a plugin
  • My favorites
  • Кирүү

LoginArmor – Email 2FA

Автору TechArk Solutions
Жүктөө
  • Кенен маалымат
  • Сын-пикирлер
  • Орнотуу
  • Development
Колдоо

Сүрөттөө

LoginArmor adds an extra layer of protection to WordPress logins by requiring a one-time verification code after a valid username and password are entered.

Key features

  • Email-based one-time passcodes for WordPress logins
  • Apply 2FA to selected user roles
  • Apply 2FA to specific users
  • Optional grace period before activation is enforced
  • Recovery codes for backup access
  • Customizable email subject and login code email template
  • Optional debug logging to wp-content/uploads/loginarmor-email-2fa/loginarmor-debug.log
  • Automatic log rotation to prevent unbounded log file growth
  • Compatible with WordPress application passwords and REST API clients
  • Dedicated settings screen inside the WordPress admin

How it works

  1. A user enters a valid username and password.
  2. LoginArmor sends a one-time code to the user’s email address.
  3. The user enters the code to complete login.
  4. If needed, the user can use a recovery code instead.

Recovery codes

The plugin includes recovery codes as a backup login option. Codes are stored securely as hashes in user meta. Plaintext codes are shown only temporarily so users can save or download them once.

Grace period

You can optionally set a grace period in days. During the grace period, eligible users can continue signing in while they complete activation. After the grace period ends, 2FA is enforced.

No external service required

LoginArmor uses WordPress email delivery and does not require a third-party 2FA service.

Developer notes

The plugin exposes a filter for sites running behind a reverse proxy (Cloudflare, load balancers, etc.) that need to supply the real visitor IP:

add_filter( 'la2fa_get_client_ip', function( $ip ) {
    return $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? 'unknown';
} );

Without this filter the plugin behaves exactly as before — it reads REMOTE_ADDR by default.

Privacy

LoginArmor does not connect to an external third-party verification service.

The plugin may process and store the following data on your WordPress site:

  • Email-based one-time passcodes for login verification
  • Recovery code hashes stored in user meta
  • Optional debug log entries in wp-content/uploads/loginarmor-email-2fa/loginarmor-debug.log
  • Temporary transients used for login, cooldown, and verification flow

This data stays on your site unless your own email delivery system or hosting stack routes it elsewhere.

Скриншоттор

Configure 2FA Setting
Configure 2FA Setting
Configure Email Template
Configure Email Template

Орнотуу

  1. Upload the plugin files to the /wp-content/plugins/loginarmor-email-2fa/ directory, or install the plugin through the WordPress plugins screen.
  2. Activate the plugin through the Plugins screen in WordPress.
  3. Go to LoginArmor in the WordPress admin menu.
  4. Enable two-factor authentication.
  5. Choose the user roles and/or specific users who should use 2FA.
  6. Configure the grace period if needed.
  7. Customize the email subject and email template if desired.
  8. Save your settings.

FAQ.KG

Can I apply 2FA to only some users?

Yes. You can apply 2FA by user role, by specific users, or both.

What happens if a user cannot access their email?

They can use a recovery code if one has been generated and saved.

Can I customize the email content?

Yes. You can customize the sender email address, subject line, and login code email template from the plugin settings.

Does the plugin require a third-party account?

No. It works with your WordPress site and its email sending setup.

Where are recovery codes managed?

Recovery codes are available from the user profile area and are intended to be saved by the user for emergency access.

Does 2FA affect REST API access or application passwords?

No. WordPress application passwords used for REST API access bypass the OTP flow by design. 2FA applies only to interactive browser-based logins via wp-login.php.

Does 2FA work with XML-RPC?

XML-RPC logins for accounts that have 2FA enabled will be blocked with a clear error message. This is intentional — XML-RPC cannot complete an OTP challenge. If you rely on XML-RPC for a specific integration, either exclude that user from 2FA targeting or switch to application passwords, which are fully supported.

My site is behind Cloudflare or a load balancer — will rate limiting work correctly?

By default the plugin reads REMOTE_ADDR for IP-based rate limiting, which may be the proxy’s IP rather than the real visitor’s. Use the la2fa_get_client_ip filter (see Developer notes in the Description tab) to supply the correct IP for your hosting environment.

Сын-пикирлер

Good Plugin

Denil Mehta Июнь 18, 2026-ж.
Great plugin! Easy to set up, works exactly as expected, and provides a secure email-based 2FA solution for WordPress. Reliable, lightweight, and user-friendly. Highly recommended!
Read all 1 review

Contributors & Developers

“LoginArmor – Email 2FA” is open source software. The following people have contributed to this plugin.

Мүчөлөрү
  • TechArk Solutions
  • Yogesh Damasiya

Translate “LoginArmor – Email 2FA” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Өзгөртүүлөр

1.2

  • Security: 2FA OTP challenge is now correctly skipped for REST API requests authenticated via WordPress application passwords, preventing broken API integrations.
  • Security: XML-RPC login attempts for 2FA-protected accounts now return a clear WP_Error instead of issuing a silent broken redirect.
  • Fix: Recovery code setup redirect now correctly passes the user to their original destination after saving codes (“Continue” button works as expected).
  • Improvement: Debug log file is now automatically rotated when it exceeds 5 MB, preventing unbounded disk usage on busy sites.
  • Improvement: Added la2fa_get_client_ip filter to allow sites behind reverse proxies (Cloudflare, load balancers) to supply the correct visitor IP for rate limiting.

1.1

  • Minor code optimizations.

1.0

  • Initial release
  • Improved settings handling and login flow stability
  • Refined admin UI and general plugin behavior

Мета

  • Нуска 1.2
  • Акыркы жаңыртуу 1 ай мурун
  • Активдүү орнотуулар 10+
  • WordPress нускасы 6.0 же андан жогору
  • Tested up to 7.0.1
  • PHP нускасы 7.4 же андан жогору
  • Тил
    English (US)
  • Тег:
    2FAEmail OTPlogin securitytwo factor authentication
  • Advanced View

Рейтинг

5 out of 5 stars.
  • 1 5-star review 5 жылдыз 1
  • 0 4-star reviews 4 жылдыз 0
  • 0 3-star reviews 3 жылдыз 0
  • 0 2-star reviews 2 жылдыз 0
  • 0 1-star reviews 1 жылдыз 0

Your review

See all reviews

Мүчөлөрү

  • TechArk Solutions
  • Yogesh Damasiya

Колдоо

Комментарийлер барбы? Жардам керекпи?

Колдоо форумун көрүү

  • Биз тууралуу
  • Жаңылыктар
  • Хостинг
  • Купуялык
  • Көргөзмө
  • Темалар
  • Плагиндер
  • Паттерндер
  • Үйрөнүү
  • Колдоо
  • Иштеп чыгуучулар
  • WordPress.tv ↗
  • Кошулуу
  • Иш-чаралар
  • Кайрымдуулук ↗
  • Келечек үчүн беш
  • WordPress.com ↗
  • Matt ↗
  • bbPress ↗
  • BuddyPress ↗
WordPress.org
WordPress.org

Кыргызча

  • Visit our X (formerly Twitter) account
  • Visit our Bluesky account
  • Биздин Mastodon түрмөгүбүзгө баш багыңыз
  • Visit our Threads account
  • Биздин Facebook баракчабызга кириңиз
  • Биздин Instagram баракчабызга баш багыңыз
  • Биздин LinkedIn баракчабызга баш багыңыз
  • Visit our TikTok account
  • Visit our YouTube channel
  • Visit our Tumblr account
Код деген бул — поэзия.
The WordPress® trademark is the intellectual property of the WordPress Foundation.