A modern, secure Two-Factor Authentication (2FA) plugin for WordPress with support for TOTP authenticator apps and email-based verification.
- TOTP Support - Compatible with Google Authenticator, Authy, and other authenticator apps
- Email-Based 2FA - Alternative verification via email codes
- Modern UI - Clean, user-friendly interface for settings and setup
- Backup Codes - Generate emergency backup codes for account recovery
- Role-Based Enforcement - Require 2FA for specific user roles
- QR Code Generation - Easy setup with QR codes for authenticator apps
- Internationalization Ready - Fully translatable (i18n)
- Performance Optimized - Lightweight with modern JavaScript architecture
- WordPress Standards - Follows WordPress coding standards and best practices
- WordPress: 5.0 or higher
- PHP: 7.4 or higher
- Node.js: 18.0 or higher (for development)
- npm: 9.0 or higher (for development)
- Download the latest release
- Navigate to Plugins > Add New in WordPress admin
- Click Upload Plugin and select the downloaded zip file
- Click Install Now and then Activate
- Download and extract the plugin files
- Upload the brain-2fa folder to /wp-content/plugins/
- Activate the plugin through the Plugins menu in WordPress
composer require braintum/brain-2fa
- Navigate to Settings > Brain 2FA in WordPress admin
- Configure your preferred 2FA method (Authenticator App or Email)
- Optionally enable force 2FA for specific user roles
- Save settings
Users can set up 2FA from their profile page:
- Go to Users > Profile
- Scroll to the Brain 2FA section
- Enable 2FA and follow the setup instructions
- Save backup codes in a secure location
# Clone the repository
git clone https://github.com/braintum/brain-2fa.git
cd brain-2fa
# Install PHP dependencies
composer install
# Install JavaScript dependencies
npm install
# Development mode (watch for changes)
npm run dev
# Production build
npm run build
# Development build (unminified)
npm run build:dev
# Lint JavaScript
npm run lint
npm run lint:fix
brain-2fa/
├── assets/ # Compiled assets (auto-generated)
│   ├── css/ # Compiled CSS
│   └── js/ # Compiled JavaScript
├── includes/ # PHP classes (PSR-4)
│   ├── Admin/ # Admin functionality
│   ├── Auth/ # Authentication logic
│   ├── TwoFactor/ # 2FA implementations
│   └── App.php # Main application class
├── languages/ # Translation files
├── src/ # Source files (development)
│   ├── js/ # JavaScript source
│   │   ├── components/
│   │   └── utils/
│   └── scss/ # SCSS source
│       ├── _variables.scss
│       ├── _components.scss
│       └── ...
├── vendor/ # Composer dependencies
├── webpack.config.js # Webpack configuration
├── package.json # NPM dependencies
└── composer.json # Composer configuration
The plugin uses a modern JavaScript build system:
- Webpack 5 for bundling
- Babel for ES6+ transpilation
- ESLint for code quality
- Sass for styling
- WordPress i18n for translations
- Functional programming approach (no classes)
See README-JAVASCRIPT.md for detailed JavaScript development documentation.
The plugin follows:
- WordPress PHP Coding Standards
- WordPress JavaScript Coding Standards
- PSR-4 autoloading for PHP classes
wp i18n make-pot . languages/brain2fa.pot --domain=brain2fa
- Use Poedit or similar tool to create .po files
- Compile to .mo files
- For JavaScript translations, generate JSON files:
wp i18n make-json languages --no-purge
If you discover a security vulnerability, please email security@braintum.com. All security vulnerabilities will be promptly addressed.
- Secure TOTP implementation using industry-standard algorithms
- Rate limiting on login attempts
- Encrypted storage of secret keys
- Secure random generation for backup codes
- CSRF protection on all forms
We welcome contributions! Please follow these steps:
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Make your changes following WordPress coding standards
- Test thoroughly
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
- Write clean, documented code
- Follow WordPress and PSR-4 standards
- Add translations for all user-facing strings
- Test on multiple WordPress versions
- Update documentation as needed
# Run PHP tests (if available)
composer test
# Run JavaScript linting
npm run lint
# Check for WordPress coding standards
composer phpcs
- Initial release
- TOTP authenticator app support
- Email-based 2FA
- QR code generation
- Backup codes
- Role-based enforcement
- Modern JavaScript architecture
- i18n support
As an administrator, you can disable 2FA for any user from their profile page in WordPress admin.
Use one of your backup codes to log in, then set up 2FA again with a new device.
Yes, Brain 2FA is compatible with WordPress multisite installations.
Any TOTP-compatible app works, including:
- Google Authenticator
- Microsoft Authenticator
- Authy
- 1Password
- Bitwarden
- Documentation: README-JAVASCRIPT.md
- Issues: GitHub Issues
- Website: https://www.braintum.com/
This plugin is licensed under the GPLv2 (or later).
Brain 2FA - Two Factor Authentication for WordPress
Copyright (C) 2026 Braintum
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Built with ❤️ by Braintum
- OTPHP - TOTP implementation
- Endroid QR Code - QR code generation
- WordPress i18n - Internationalization
Made with modern JavaScript and WordPress best practices