Two-Factor Auth

The attack scenario that 2FA stops is straightforward. Your WordPress admin password appears in a credential-stuffing database from a breach at an unrelated service. An automated bot tries it against your login page. Without 2FA, that is game over. With 2FA, the attacker also needs to be holding your phone or have access to your email at the same moment – a combination that is effectively impossible in a mass automated attack. Credential stuffing (trying breached username/password pairs at scale) is responsible for the majority of WordPress account compromises, and it is stopped entirely by 2FA.

CloudScale implements all three major 2FA methods in a single plugin. You can start with email OTP (no app required, works immediately for every user) and upgrade to TOTP or Passkeys for higher-security accounts at your own pace. All three methods are available to users simultaneously – each person can configure whichever they prefer, and you can enforce a minimum method for administrators.

Two-Factor Methods

• Email OTP: a 6-digit code sent to the user’s WordPress email address after successful password entry. No app or prior setup required by the user. Each code expires after 10 minutes and is single-use. Best for non-technical users or as a fallback for when someone does not have their authenticator app available. Requires working SMTP – configure the SMTP mailer on the Email tab first so codes reliably reach inboxes rather than going to spam.
• Authenticator app (TOTP): standard RFC 6238 time-based one-time passwords, compatible with Google Authenticator, Authy, 1Password, Bitwarden, and any TOTP app. Generates a new 6-digit code every 30 seconds entirely on the device – no network connection required. More secure than email OTP because it is immune to email interception and works even when your email is down. Users scan a QR code once from their profile to link their account, then they are set up permanently.
• Passkey (WebAuthn): replaces the second-factor code prompt with a biometric confirmation: Face ID, Touch ID, Windows Hello, or a hardware security key tap. The fastest and most phishing-resistant method available. Unlike TOTP codes, which a fake login page can intercept and replay in real time, passkeys are cryptographically bound to your site’s exact domain and cannot be used on any other URL. See the Passkeys section for full setup details.

Brute-Force Protection

• Maximum login attempts: the number of consecutive failed password attempts before the account is temporarily locked. The default is 5 attempts. Lower this to 3 for high-security sites where you want to be aggressive, or raise it to 10 if legitimate users frequently mistype their passwords and you are receiving lockout support requests. Each failed attempt is recorded with the IP address, timestamp, and username tried.
• Lockout duration: how long (in minutes) a locked account is blocked from attempting login. The default 5-minute lockout stops most automated credential-stuffing scripts without seriously inconveniencing real users who mistyped their password. For sites with only administrator accounts (no customer-facing logins), a longer lockout (60 minutes or more) adds significantly more friction to automated attacks with no meaningful downside.

Admin Enforcement

• Force 2FA for administrators: when enabled, any administrator who has not yet configured a 2FA method is blocked from accessing the WordPress dashboard after login. They see a prompt to configure 2FA and cannot proceed until they do. There is no bypass. This ensures 2FA is never accidentally skipped on high-privilege accounts, which is the most common failure mode: admins know they should set it up, intend to do it later, and never do.
• Grace period: when you first enable forced 2FA, administrators who haven’t configured 2FA yet are given this many days before enforcement kicks in. This prevents locking out an existing admin team the moment you flip the switch. After the grace period expires, unconfigured accounts are blocked at login until 2FA is set up.

Session Duration

• Custom session length (days): overrides WordPress’s default session timeout (2 days for “Remember Me” sessions, 2 hours otherwise). When set, a persistent cookie keeps the session alive for the specified number of days across browser restarts – useful for admin team members who find constant re-authentication disruptive on a daily-use machine. The session is invalidated immediately when the user logs out. Note: longer sessions extend the window during which a stolen session cookie would be usable. For high-security admin accounts, keep sessions short or leave this at WordPress defaults.