Four Two-Factor Methods Built Into WordPress, Free
WordPress two-factor authentication is usually sold as an add-on or a premium tier. ReportedIP Hive ships four 2FA methods in the core — TOTP, passkeys/WebAuthn, email and SMS — free in every plan, with recovery codes and a password-reset gate included.
This guide covers all four methods, how the rate-limit ladder stops code-guessing, and the reset-flow gap most 2FA plugins leave open.
What is ReportedIP Hive?
ReportedIP Hive is a complete WordPress security plugin: 12 attack sensors, the full 2FA suite described here, progressive blocking and opt-in community threat intelligence. The entire 2FA system is free and works offline. The full ReportedIP Hive feature set is on the product hub.
The four methods in the core
- TOTP — RFC 6238 codes, compatible with Google Authenticator, Authy, 1Password and Microsoft Authenticator. Secrets are encrypted at rest.
- Passkey / WebAuthn / FIDO2 — Face ID, Touch ID, Windows Hello and YubiKey. Phishing-resistant, with an in-house implementation and no Composer dependency.
- Email OTP — a 6-digit code valid for 10 minutes, rate-limited to 3 sends per 15 minutes with a 60-second resend cooldown and 5 verify attempts per code.
- SMS OTP — via the managed reportedIP SMS relay (Professional plan and up), EU-only with explicit DPA. Phone numbers are encrypted at rest.
Backing all four: 10 single-use recovery codes (hashed at rest, with a low-codes warning at 3 remaining), trusted devices with a configurable expiry (default 30 days), and role-based enforcement with a grace period (default 7 days) and a skip counter.
The rate-limit ladder stops code-guessing
Wrong 2FA codes share the same multi-stage ladder as failed logins: 3 wrong codes → 30 s, 5 → 5 min, 10 → 30 min, 15 → 1 h. The 15th IP-level failure graduates the IP to a real progressive block, so a brute-forcer can no longer just time out and retry every hour.
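The ladder described above, as an added illustration written in Python rather than the plugin's own PHP (this is not ReportedIP Hive code): the thresholds are the ones listed in this paragraph, while the lookup key (an IP string), the clear-on-success behaviour and the class and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ladder steps as (wrong-code count, lockout seconds), taken from the thresholds above.
LADDER = [(3, 30), (5, 300), (10, 1800), (15, 3600)]
# Count at which the key is handed to progressive blocking instead of a timed lockout.
GRADUATE_AT = 15


@dataclass
class CodeLadder:
    """Tracks wrong 2FA codes per key (an IP string here; assumed) and escalates lockouts."""
    failures: dict = field(default_factory=dict)      # key -> consecutive wrong codes
    locked_until: dict = field(default_factory=dict)  # key -> unix time the timed lockout ends
    graduated: set = field(default_factory=set)       # keys handed to the progressive block

    @staticmethod
    def lockout_for(count: int) -> int:
        """Lockout seconds for a failure count: the highest ladder step reached, 0 below step one."""
        seconds = 0
        for threshold, duration in LADDER:
            if count >= threshold:
                seconds = duration
        return seconds

    def is_locked(self, key: str, now: float) -> bool:
        """True while a timed lockout is running or once the key has graduated."""
        return key in self.graduated or self.locked_until.get(key, 0) > now

    def record_failure(self, key: str, now: float) -> Optional[int]:
        """Register a wrong code. Returns the lockout applied in seconds (0 below the first
        step), or None once the key graduates to the progressive block on its 15th failure."""
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= GRADUATE_AT:
            self.graduated.add(key)
            return None
        seconds = self.lockout_for(count)
        if seconds:
            self.locked_until[key] = now + seconds
        return seconds

    def record_success(self, key: str) -> None:
        """A correct code clears the counter and any timed lockout; a graduated block stays
        (assumption: only the progressive-blocking layer lifts it)."""
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)
```

Because the key is tracked independently of the lockout clock, a client that waits out each timed step still climbs the ladder and is handed to the progressive block on the 15th failure.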
The password-reset gate most plugins miss
WordPress’s “lost password” flow is a classic 2FA bypass: if your only second factor is email, anyone with mailbox access gets both the reset link and the OTP on the same channel. Hive’s reset gate demands a non-email second factor — authenticator, SMS, passkey or recovery code — before a new password is accepted. Email is excluded by design. Accounts whose only factor is email and which hold no recovery codes are hard-locked with an admin alert. The behaviour aligns with NIST SP 800-63B §6.1.2.3 and OWASP ASVS V6.3.
How to enable it
In the setup wizard’s 2FA step (or Settings → Two-Factor), enable the methods you want to offer, choose which roles must enrol, and set the grace period and skip counter. For headless or custom flows, the reportedip-hive/v1 REST namespace exposes /2fa/challenge, /2fa/verify and /2fa/methods; shell admins can run wp reportedip 2fa reset <user> to clear a locked account.
Related guides
- Passkeys and WebAuthn: phishing-resistant WordPress login
- Managed mail and SMS relay for reliable OTP delivery
- WooCommerce 2FA that stays inside your theme
See the authentication documentation for setup detail, browse the full ReportedIP Hive plugin guides, or read the WebAuthn standard at the W3C.