Super Duper Two-Factor Login

0/5 (0 ratings) — active installs Updated May 5, 2026
Admin notice prompting users to set up 2FA

Super Duper Two-Factor Login adds robust two-factor authentication to your WordPress site. Unlike many alternatives, this plugin is completely free – no hidden costs, no premium tiers, no upsells. Every feature is included from the start.

🇨🇭🇩🇪🇦🇹 Note for DACH users: the plugin and its support are available in German (Switzerland/Germany/Austria). All texts and settings are fully translated into German.

Fully translated out of the box in German (Switzerland, Germany, Austria), English, French, Spanish, Italian and Dutch – no separate language pack required.

Two Verification Methods

  • TOTP (Authenticator App) – Works with Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and any TOTP-compatible app. Setup via QR code or manual key entry.
  • Email – Receive a 6-digit code via email on every login. No smartphone required.

Comprehensive Fallback System

  • 10 Backup Codes – One-time emergency codes in case you lose your phone. Copy, download, print, or email them to yourself.
  • Administrator Recovery Key – Each admin receives a personal 32-character key during setup. Works even when all backup codes are used up.
  • FTP Emergency Recovery – As a last resort, create an empty file named .sdtfa-recovery in wp-content/ via FTP. Temporarily disables 2FA for all administrators. Admins are notified hourly by email.

Enforcement & Trust

  • Role-Based Enforcement – Require 2FA for administrators, editors, subscribers, or any role.
  • Grace Period – Set a deadline so users have time to set up 2FA before enforcement kicks in.
  • Hard Enforcement – Without a grace period, users must complete 2FA setup on the login page before gaining any access.
  • Enforcement Areas – Choose where to enforce: admin area, WooCommerce account, checkout, or entire site.
  • Trust This Device – Users can save their computer so the 2FA code isn’t required on every login. Configurable duration (1–365 days).

Integration

  • WooCommerce – Adds a “Two-Factor Authentication” tab to the My Account page. Enforce 2FA for the account area and checkout.
  • Shortcode – Display the user’s 2FA status anywhere with [sdtfa_status].
  • Setup Reminder – A dismissable admin notice with a “Set up now” button. No auto-popups; users open the setup flow only by clicking.

Security

  • AES-256-GCM encryption for TOTP secrets at rest
  • Secure HttpOnly cookies for trusted devices
  • Hashed token storage (never stored in plain text)
  • No external dependencies – everything runs locally in pure PHP
  • No external API calls, no tracking, no data collection
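The TOTP verification, encrypted-at-rest secret and hashed backup codes listed above, as an added PHP illustration. This is not the plugin's own code: every function here is prefixed sdtfa_demo_ and invented for this example, and it assumes the caller supplies a 32-byte AES key (how the plugin derives and stores its key is not described on this page). The demo secret is the RFC 6238 reference secret, which the RFC's own test vector lets you check against.

```php
<?php
// Added example (not the plugin's code): AES-256-GCM for a TOTP secret at rest,
// RFC 6238 code verification with a one-step drift window, and hash-only storage
// of one-time backup codes. Assumption: a 32-byte key is provided by the caller.

const SDTFA_DEMO_CIPHER = 'aes-256-gcm';

// Encrypt with a fresh 96-bit nonce; output packs nonce|tag|ciphertext as base64.
function sdtfa_demo_encrypt(string $plaintext, string $key): string {
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $iv  = random_bytes(12);   // never reuse a nonce under the same key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, SDTFA_DEMO_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Returns null when the blob is malformed or the GCM tag does not verify
// (wrong key or tampered ciphertext), so a bad secret can never be "decrypted".
function sdtfa_demo_decrypt(string $blob, string $key): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, SDTFA_DEMO_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// RFC 4648 base32 decode: the format authenticator apps read from the QR code.
function sdtfa_demo_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {
            $out .= chr(bindec($chunk));
        }
    }
    return $out;
}

// RFC 6238: HMAC-SHA1 over the 30-second counter, dynamic truncation, 6 digits.
function sdtfa_demo_totp(string $secretRaw, int $timestamp, int $step = 30, int $digits = 6): string {
    $counter = pack('J', intdiv($timestamp, $step));   // 64-bit big-endian counter
    $hmac    = hash_hmac('sha1', $counter, $secretRaw, true);
    $offset  = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side; compare in constant time.
function sdtfa_demo_verify(string $encryptedSecret, string $key, string $userCode, int $now): bool {
    $secret = sdtfa_demo_decrypt($encryptedSecret, $key);
    if ($secret === null || !preg_match('/^\d{6}\z/', $userCode)) {
        return false;
    }
    $raw = sdtfa_demo_base32_decode($secret);
    foreach ([-1, 0, 1] as $drift) {
        if (hash_equals(sdtfa_demo_totp($raw, $now + $drift * 30), $userCode)) {
            return true;
        }
    }
    return false;
}

// Backup codes: only a password hash is stored; a matching code is consumed.
function sdtfa_demo_hash_backup_code(string $code): string {
    return password_hash($code, PASSWORD_DEFAULT);
}
function sdtfa_demo_use_backup_code(array &$hashes, string $candidate): bool {
    foreach ($hashes as $i => $h) {
        if (password_verify($candidate, $h)) {
            unset($hashes[$i]);   // one-time use
            return true;
        }
    }
    return false;
}

// Usage with the RFC 6238 reference secret "12345678901234567890" (base32 below), t = 59.
$key  = random_bytes(32);
$blob = sdtfa_demo_encrypt('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', $key);
var_dump(sdtfa_demo_verify($blob, $key, '287082', 59));
$codes = [sdtfa_demo_hash_backup_code('example-code-1')];
var_dump(sdtfa_demo_use_backup_code($codes, 'example-code-1'), count($codes));
```

Two points worth noticing: the GCM tag means a stored secret that has been edited in the database simply fails to decrypt instead of producing a wrong secret, and the drift window is deliberately narrow (one 30-second step each way) so clock skew on the phone is tolerated without widening the guessing surface.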

Privacy & Hardening (optional)

  • Hide user data in REST API – Replace sensitive user fields (name, slug, link, avatar) with neutral values for unauthenticated requests. The REST endpoint stays reachable for SEO and import tools, but anonymous visitors no longer see real display names. Uses a strict whitelist that automatically drops any extra fields injected by SEO, page-builder or e-commerce plugins (Yoast, Rank Math, AIOSEO, Elementor, WooCommerce, …). Example response for an anonymous visitor on /wp-json/wp/v2/users/1:

    {"id":1,"name":"Author","url":"","description":"","link":"https:\/\/example.com\/","slug":"author","avatar_urls":{}}

  • Block author archives – Redirect unauthenticated visitors away from ?author=N and /author/<slug>/ to prevent user enumeration.
  • Disable password reset – Disable the “Lost your password?” function for administrators and/or selected roles. Useful when 2FA must be the only authentication path.
  • Users list column – A clean “SDTFA” column on Users → All Users that shows the real 2FA status (TOTP, Email, or off) and replaces duplicate columns added by host mu-plugins or other 2FA plugins.
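The REST whitelist, author-archive redirect and password-reset lockout described above, as an added WordPress snippet. It is not the plugin's own code; it uses the standard WordPress hooks rest_prepare_user, init, template_redirect and allow_password_reset, and the field set it keeps is taken from the example response above. Where the plugin stores its settings, and how it lets you pick roles, is not described on this page, so the role list here is a hard-coded assumption.

```php
<?php
// Added example (not the plugin's code): three hardening hooks for a mu-plugin.

// 1. Strict whitelist for anonymous /wp/v2/users responses. Only these keys
//    survive, so any field injected by other plugins is dropped automatically.
add_filter('rest_prepare_user', function (WP_REST_Response $response, WP_User $user, WP_REST_Request $request) {
    if (is_user_logged_in()) {
        return $response;   // authenticated callers keep the full record
    }
    $data = $response->get_data();
    $response->set_data([
        'id'          => (int) ($data['id'] ?? 0),
        'name'        => 'Author',
        'url'         => '',
        'description' => '',
        'link'        => home_url('/'),
        'slug'        => 'author',
        'avatar_urls' => (object) [],
    ]);
    // The _links block would still carry the real author URL; remove it too.
    foreach (array_keys($response->get_links()) as $rel) {
        $response->remove_link($rel);
    }
    return $response;
}, PHP_INT_MAX, 3);

// 2. Author archives: handle ?author=N on init, before redirect_canonical can
//    turn it into /author/<slug>/ and leak the slug in the Location header.
add_action('init', function () {
    if (isset($_GET['author']) && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});
// Pretty permalinks (/author/<slug>/) are caught here; priority 0 keeps this
// ahead of redirect_canonical, which runs on template_redirect at priority 10.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 0);

// 3. Disable "Lost your password?" for the listed roles (assumed list).
const SDTFA_DEMO_NO_RESET_ROLES = ['administrator'];
add_filter('allow_password_reset', function ($allow, $user_id) {
    $user = get_userdata($user_id);
    if ($user && array_intersect(SDTFA_DEMO_NO_RESET_ROLES, (array) $user->roles)) {
        return false;   // WordPress then reports that reset is not allowed for this user
    }
    return $allow;
}, 10, 2);
```

The REST filter runs at PHP_INT_MAX so it sees the response after every other plugin has added its fields, which is what makes the whitelist reliable; verifying is as simple as fetching /wp-json/wp/v2/users/1 in a private browser window and confirming only the neutral fields appear.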