Two-Factor Authentication
Two-factor authentication (2FA) adds a second login factor — a six-digit code from an authenticator app — to your WordPress sign-in. It is the single most effective defense against password-based attacks: even if an attacker has your password, they still need the second factor, which they do not have.
VMP Security’s 2FA implementation is configured from VMP Security → Login Security.
In This Article
- Enabling 2FA on your account
- Supported authenticator apps
- Recovery codes
- Per-role enforcement
- Troubleshooting
Enabling 2FA on your account
- Sign in to WordPress.
- Open VMP Security → Login Security.
- Find the Two-Factor Authentication section for your user. Click Activate.
- The plugin shows a QR code and a setup secret. Scan the QR code with your authenticator app.
- Type the current six-digit code from the app into the confirmation field and click Activate.
- The plugin saves your enrollment, and on your next sign-in WordPress will ask for the code from your authenticator app after you enter your password.
The QR code is shown only once during setup. If you do not have your phone with you when you turn 2FA on, write down the setup secret instead — you can enter it into your authenticator app manually later.
Supported authenticator apps
The plugin uses the standard TOTP algorithm (RFC 6238), so any compliant authenticator app works. Common choices:
- Google Authenticator
- 1Password (built-in TOTP)
- Authy
- Microsoft Authenticator
- Bitwarden Authenticator
- YubiKey Authenticator (for use with a YubiKey instead of a phone)
If you already use a password manager that supports TOTP, store the second factor there alongside the password. It keeps both halves of the sign-in in one synced, encrypted store, and you do not have to worry about losing your phone. The trade-off is that the vault then holds both factors, so protect it with a strong master password and its own second factor.
Recovery codes
When you turn 2FA on, the plugin shows you ten recovery codes. Each one is a single-use code that can substitute for an authenticator code if your phone is lost, replaced, or unavailable. After a recovery code is used, it is consumed and cannot be reused.
Save the recovery codes somewhere durable: a password manager, a printout in a locked drawer, or an encrypted note. Do not store them in plain text alongside your password — that defeats the point of 2FA.
You can regenerate the codes at any time from your profile. Doing so invalidates any unused codes from the previous set, so do this if you suspect a recovery code has been seen by someone you did not intend to share it with.
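The recovery-code behaviour described above (ten single-use codes, consumed on use, the whole set invalidated on regeneration) as an added example in Python. This is illustration code, not VMP Security's own implementation; the code format, alphabet and hashed storage are assumptions, chosen so that a database leak does not expose usable codes.

```python
# Added example (not VMP Security's code): single-use recovery codes kept only
# as salted hashes, consumed when redeemed, and replaced as a set on regeneration.
import hashlib
import hmac
import secrets

CODE_COUNT = 10
# Assumed alphabet: lowercase letters and digits without 0/o/1/l/i look-alikes,
# so a code read from a printout is hard to mistype.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10  # ~49.5 bits of entropy per code with a 31-symbol alphabet


class RecoveryCodes:
    """Per-user recovery code set. After the one-time display only hashes remain."""

    def __init__(self):
        self.salt = b""
        self.hashes = set()

    def regenerate(self):
        """Mint a fresh set. Any unused codes from the previous set stop working."""
        self.salt = secrets.token_bytes(16)
        codes = []
        for _ in range(CODE_COUNT):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            codes.append(raw[:5] + "-" + raw[5:])  # display form: xxxxx-xxxxx
        self.hashes = {self._hash(c) for c in codes}
        return codes  # shown to the user once; never stored in clear

    def _hash(self, code):
        # Normalize what the user types so "ABCDE-FGHJK" and "abcdefghjk" match.
        normalized = code.replace("-", "").replace(" ", "").lower()
        return hashlib.sha256(self.salt + normalized.encode("ascii")).hexdigest()

    def redeem(self, code):
        """Return True and consume the code if it is valid and unused, else False."""
        candidate = self._hash(code)
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                self.hashes.discard(stored)  # single use: gone after this
                return True
        return False

    def remaining(self):
        """How many unused codes the user still has (surface this in the profile UI)."""
        return len(self.hashes)


if __name__ == "__main__":
    rc = RecoveryCodes()
    shown_once = rc.regenerate()
    print("Recovery codes (save these now):", *shown_once, sep="\n  ")
    print("first use accepted:", rc.redeem(shown_once[0]))
    print("second use accepted:", rc.redeem(shown_once[0]))
    print("remaining:", rc.remaining())
```

The codes are high-entropy and random, so a salted SHA-256 is enough to make stored hashes useless to an attacker; a low-entropy secret such as a password would need a slow hash instead.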
Per-role enforcement
An administrator can require 2FA for any role from VMP Security → Login Security (the 2FA Roles section). Once a role is required:
- Existing users in that role are given a grace period to enroll. The grace period length is configurable; the default is one week.
- During the grace period, every page in the WordPress admin shows a banner reminding the user to enroll, with a link to start the process.
- After the grace period ends, users in the enforced role cannot sign in until they enroll. The sign-in page redirects them to the enrollment flow first.
For production sites, requiring 2FA on at least the administrator role is the strongly recommended baseline. The cost is one minute of setup per administrator; the benefit is removing password-based attacks as a viable compromise vector for the highest-privilege accounts.
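The three enforcement states above (not required, grace period with banner, blocked until enrolled) as a sign-in decision function, added here as an example in Python rather than taken from the plugin. It assumes the enforcement settings are a map from role to the time the requirement was switched on, and it covers a case the bullets do not spell out: a user holding several enforced roles gets the earliest deadline.

```python
# Added example (not VMP Security's code): the sign-in decision for per-role
# 2FA enforcement with a configurable grace period (default one week).
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                # no enforcement applies, or the user is enrolled
    ALLOW_WITH_BANNER = "banner"   # grace period: admin pages show the enroll reminder
    REQUIRE_ENROLLMENT = "enroll"  # grace period over: redirect to enrollment first


DEFAULT_GRACE = timedelta(days=7)  # the page's default grace period


def login_decision(user_roles, enrolled, enforced_roles, now, grace=DEFAULT_GRACE):
    """Decide what happens after a correct password.

    user_roles     -- roles held by the user (WordPress users can hold several)
    enrolled       -- True if the user already has a 2FA device enrolled
    enforced_roles -- assumed shape: {role: datetime the requirement was enabled}
    now            -- current server time (timezone-aware)
    """
    if enrolled:
        return Decision.ALLOW
    switched_on = [enforced_roles[r] for r in user_roles if r in enforced_roles]
    if not switched_on:
        return Decision.ALLOW
    # The requirement enabled earliest is the one whose grace period runs out first.
    deadline = min(switched_on) + grace
    if now < deadline:
        return Decision.ALLOW_WITH_BANNER
    return Decision.REQUIRE_ENROLLMENT


if __name__ == "__main__":
    enabled_at = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample
    policy = {"administrator": enabled_at}
    for day in (0, 3, 7, 30):
        when = enabled_at + timedelta(days=day)
        print(day, "days after enforcement:",
              login_decision(["administrator"], False, policy, when).value)
```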
Troubleshooting
The code from the app does not work
By far the most common cause is clock skew. TOTP codes are based on the current time; if your phone’s clock and the server’s clock disagree by more than 30 seconds, every code looks wrong. On the phone side, ensure automatic time is on. On the server side, the diagnostics page shows the current server time — compare it against an authoritative source like time.gov.
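The TOTP algorithm named in the Supported authenticator apps section, and the clock-skew failure described just above, worked through in Python as an added example (illustration code, not VMP Security's). It generates a base32 setup secret of the kind shown beside the QR code, builds the otpauth provisioning URI that such a QR code encodes, computes RFC 6238 codes, and verifies them with a tolerance of one 30-second step either side, which is an assumption about the server rather than a documented plugin setting. The fixed secret used for the self-check is RFC 6238's own test vector.

```python
# Added example (not VMP Security's code): RFC 6238 TOTP generation and
# verification, and why a skewed phone clock makes every code look wrong.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6


def generate_secret(num_bytes: int = 20) -> str:
    """Fresh random secret in the base32 form shown as the setup secret."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str = "VMP Security") -> str:
    """Provisioning URI of the kind an enrollment QR code encodes (otpauth scheme)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at_time=None) -> str:
    """RFC 6238 TOTP: HOTP with the counter = Unix time // step."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // STEP_SECONDS)


def verify(secret_b32: str, code: str, server_time, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side.

    The window (assumed, not a documented plugin value) absorbs a few seconds of
    drift; a clock that is off by more than window*30 s fails every time.
    """
    counter = int(server_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta), code):
            return True
    return False


def skew_demo(secret_b32: str, server_time, phone_skew_seconds: int, window: int = 1) -> bool:
    """Does a phone whose clock is off by phone_skew_seconds produce an accepted code?"""
    phone_code = totp(secret_b32, server_time + phone_skew_seconds)
    return verify(secret_b32, phone_code, server_time, window)


if __name__ == "__main__":
    secret = generate_secret()
    print("setup secret:", secret)
    print("QR payload:  ", otpauth_uri(secret, "admin@example.com"))  # constructed account
    now = time.time()
    print("current code:", totp(secret, now))
    for skew in (0, 20, 90, -90):
        print(f"phone clock off by {skew:+d}s -> accepted: {skew_demo(secret, now, skew)}")
```

Run it and the last four lines show the troubleshooting point directly: a small offset still verifies because it usually lands in the adjacent step, while a clock that is minutes out never does, no matter how many codes the user tries.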
I lost my phone
Sign in using a recovery code. Once signed in, open your profile, remove the lost device’s 2FA enrollment, and set up a new one on your replacement phone. Generate fresh recovery codes for the new device.
I lost my phone and I do not have recovery codes
If another administrator on the site can help, they can clear your 2FA enrollment from Users → Edit user. After they do, sign in normally with your password, then re-enroll your 2FA on the new device.
If there is no other administrator, you have two paths: SFTP access to disable the plugin folder (described in the Blocking Troubleshooting article), or restore from a database backup taken before you set up 2FA. For sites where you cannot do either, contact support — recovery requires manual identity verification and is intentionally not a self-service path.
I cannot scan the QR code
Type the setup secret into the authenticator app manually. The setup secret is a string of letters and numbers shown next to the QR code; most authenticator apps have an “enter setup key” option for exactly this case.