
2FA Policies for WordPress Security



AIO Login Pro lets you define Two-Factor Authentication (2FA) enforcement settings for WordPress users, giving you control over which accounts must use 2FA on your site. This is a Pro feature and requires the Professional plan or higher.

2FA Policies define WHO is required to use 2FA, while the Authentication Methods tab defines HOW they authenticate (Email OTP or Authenticator App).

Accessing 2FA Policies

Navigate to WordPress Dashboard → AIO Login → 2FA → 2FA Policies


POLICY 1: Enforce 2FA for All Users

Enable global 2FA enforcement for WordPress login security across all user roles.

How to Enable

  • Toggle “Enforce for All Roles” ON
  • Click Save Changes

When Enabled

  • All users (Admins, Editors, Authors, Contributors, Subscribers, and custom roles) must use 2FA
  • Users without 2FA setup are prompted during login
  • This becomes a site-wide mandatory 2FA enforcement policy
  • “Enforce for Specific Roles” is automatically disabled

Best Use Cases

  • High-security WordPress websites
  • Membership or subscription platforms
  • E-commerce or payment-based systems
  • Sites handling sensitive user data

POLICY 2: Enforce 2FA for Specific Roles

Enable role-based 2FA enforcement in WordPress, requiring 2FA only for the user roles you select.

How to Enable

  1. Toggle “Enforce for Specific Roles” ON
  2. Select roles from the available list:
    • Administrator
    • Editor
    • Author
    • Contributor
    • Subscriber
    • Any custom roles (if available)
  3. Click Save Changes

When Enabled

  • Only selected roles are required to use 2FA
  • Other users can log in normally without 2FA
  • “Enforce for All Roles” is automatically disabled

Best Use Cases

  • Protect admin and editor accounts only
  • Reduce friction for subscribers or customers
  • Gradual rollout of WordPress 2FA security
  • Flexible role-based access control strategy

When 2FA Policies Are Active

When User IS Covered by Policy

  • User logs in with username and password
  • System triggers 2FA verification step
  • User completes:
    • Email OTP OR
    • Authenticator App (TOTP)
  • If 2FA is not configured:
    • User is prompted to set up 2FA
    • If Grace Period is active, setup can be delayed
    • If enforced strictly, access is blocked until setup is complete.

Note: If both policy toggles are disabled, 2FA is optional for every user. Changes apply on the next login attempt and cover wp-login.php only; logins that do not pass through wp-login.php are outside the scope of these policies. For smoother onboarding, combine enforcement with the Grace Period (Advanced Settings) so that users who have not yet set up 2FA can finish setup within the allowed window instead of being blocked.
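The following PHP is an added example, not AIO Login's own code: it models how the two policy toggles, the user's roles, the presence of a configured 2FA method and the Grace Period combine into the login outcomes described above ("verify", deferred setup, blocked setup, or no 2FA at all). The function names, the shape of the `$policy` array, the Unix-timestamp representation of the grace deadline, and the treatment of a user holding several roles as covered when any one of them is selected are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not AIO Login's own code. Models how the two policy
// toggles combine to decide whether a user must complete 2FA at login.
// Function names, the $policy array shape and the grace-period representation
// are assumptions made for this example.

/**
 * Is the user covered by the 2FA policy?
 *
 * @param array{enforce_all: bool, enforce_roles: string[]} $policy
 * @param string[] $userRoles  Roles held by the user; WordPress permits more than one.
 */
function aio_demo_user_requires_2fa(array $policy, array $userRoles): bool
{
    // POLICY 1: every role, built-in or custom, is covered; the role list is
    // ignored (the UI disables "Enforce for Specific Roles" when this is on).
    if ($policy['enforce_all']) {
        return true;
    }
    // POLICY 2: covered when at least one held role is selected. Treating a
    // multi-role user as covered if any role matches is an assumption here.
    return array_intersect($userRoles, $policy['enforce_roles']) !== [];
}

/**
 * Outcome of the login step, following "When User IS Covered by Policy".
 *
 * @return string one of 'not_required', 'verify', 'setup_deferred', 'setup_blocked'
 */
function aio_demo_login_outcome(
    array $policy,
    array $userRoles,
    bool $has2faMethod,      // Email OTP or Authenticator App already configured
    ?int $graceDeadline,     // Unix time when the grace period ends; null = strict
    int $now
): string {
    if (!aio_demo_user_requires_2fa($policy, $userRoles)) {
        return 'not_required';   // both toggles off, or role not selected
    }
    if ($has2faMethod) {
        return 'verify';         // password accepted, second factor challenged
    }
    // Not yet configured: the grace period decides between defer and block.
    if ($graceDeadline !== null && $now < $graceDeadline) {
        return 'setup_deferred';
    }
    return 'setup_blocked';
}

// Constructed sample data (not taken from any real site).
$now = 1_700_000_000;
$day = 86400;

$adminOnly = ['enforce_all' => false, 'enforce_roles' => ['administrator', 'editor']];
$everyone  = ['enforce_all' => true,  'enforce_roles' => []];
$optional  = ['enforce_all' => false, 'enforce_roles' => []];

$cases = [
    // [label, policy, roles, has2fa, graceDeadline, expected]
    ['subscriber under role policy',        $adminOnly, ['subscriber'],             false, null,        'not_required'],
    ['editor with TOTP under role policy',  $adminOnly, ['editor'],                 true,  null,        'verify'],
    ['admin, no 2FA, strict',               $adminOnly, ['administrator'],          false, null,        'setup_blocked'],
    ['admin, no 2FA, inside grace period',  $adminOnly, ['administrator'],          false, $now + $day, 'setup_deferred'],
    ['admin, no 2FA, grace period expired', $adminOnly, ['administrator'],          false, $now - $day, 'setup_blocked'],
    ['shop_manager + editor, role policy',  $adminOnly, ['shop_manager', 'editor'], false, null,        'setup_blocked'],
    ['custom role under enforce-all',       $everyone,  ['shop_manager'],           true,  null,        'verify'],
    ['both toggles off',                    $optional,  ['administrator'],          false, null,        'not_required'],
];

foreach ($cases as [$label, $policy, $roles, $has2fa, $deadline, $expected]) {
    $got = aio_demo_login_outcome($policy, $roles, $has2fa, $deadline, $now);
    printf("%-40s %-15s %s\n", $label, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php policy_demo.php`; each line should end in `ok`. The two cases worth noting when reviewing a real configuration are the multi-role user (a secondary role such as `shop_manager` does not exempt an account that also holds `editor`) and the expired grace period, which falls back to the strict "blocked until setup" behaviour.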

Need Help?

If you face any issues or have questions, feel free to contact our support team. We’re here to help you get the most out of AIO Login.
