Does Two Factor have any unpatched vulnerabilities?

No. All known vulnerabilities in Two Factor have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Two Factor compatible with WordPress 6.9.4?

According to WordPress.org data, Two Factor 0.15.0 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Two Factor compatible with PHP 7.2+?

Two Factor requires PHP 7.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Two Factor updated?

Two Factor was last updated on Feb 17, 2026. Frequent updates are generally a positive security signal.

What is Two Factor's security score?

Two Factor has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Two Factor Security & Risk Analysis

wordpress.org/plugins/two-factor

Enable Two-Factor Authentication (2FA) using time-based one-time passwords (TOTP), Universal 2nd Factor (U2F), email, and backup verification codes.

100K active installs v0.15.0 PHP 7.2+ WP 6.8+ Updated Feb 17, 2026

2faauthenticationmfasecuritytotp

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Two Factor Safe to Use in 2026?

Generally Safe

Score 100/100

Two Factor has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago

Risk Assessment

The "two-factor" plugin version 0.15.0 exhibits a generally strong security posture based on this static analysis. It demonstrates good practices by utilizing prepared statements for all SQL queries and a high percentage of proper output escaping. Crucially, all identified entry points, including the single AJAX handler, appear to have authentication checks in place, significantly limiting the attack surface for unauthenticated users. The absence of any recorded vulnerabilities (CVEs) in its history further suggests a well-maintained and secure codebase.

Vulnerabilities

None known

Two Factor Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Two Factor Code Analysis

Dangerous Functions

Raw SQL Queries

3 prepared

Unescaped Output

112 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared3 total queries

Output Escaping

88% escaped127 total outputs

Data Flows

All sanitized

Data Flow Analysis

1 flows

<class-two-factor-core> (class-two-factor-core.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Two Factor Attack Surface

Entry Points1

Unprotected0

AJAX Handlers 1

authwp_ajax_inline-save-keyproviders\class-two-factor-fido-u2f-admin.php:39

WordPress Hooks 42

filtertwo_factor_remembermeclass-two-factor-compat.php:31

actioninitclass-two-factor-core.php:97

filterwp_login_errorsclass-two-factor-core.php:99

actionafter_password_resetclass-two-factor-core.php:100

actionlogin_form_validate_2faclass-two-factor-core.php:101

actionlogin_form_revalidate_2faclass-two-factor-core.php:102

actionshow_user_profileclass-two-factor-core.php:104

actionedit_user_profileclass-two-factor-core.php:105

actionpersonal_options_updateclass-two-factor-core.php:106

actionedit_user_profile_updateclass-two-factor-core.php:107

filtermanage_users_columnsclass-two-factor-core.php:108

filterwpmu_users_columnsclass-two-factor-core.php:109

filtermanage_users_custom_columnclass-two-factor-core.php:110

filterauthenticateclass-two-factor-core.php:113

actionwp_loginclass-two-factor-core.php:116

actionset_auth_cookieclass-two-factor-core.php:124

actionset_logged_in_cookieclass-two-factor-core.php:125

filterattach_session_informationclass-two-factor-core.php:127

actionadmin_initclass-two-factor-core.php:129

filtertwo_factor_providersclass-two-factor-core.php:130

filtersend_auth_cookiesclass-two-factor-core.php:808

filterlogin_display_language_dropdownclass-two-factor-core.php:1009

filterattach_session_informationclass-two-factor-core.php:1528

actionafter_password_resetclass-two-factor-core.php:1786

filterwp_robotsincludes\function.login-header.php:26

actionlogin_headincludes\function.login-header.php:27

actionlogin_headincludes\function.login-header.php:29

actionlogin_footerincludes\function.login-header.php:47

actionrest_api_initproviders\class-two-factor-backup-codes.php:39

actionadmin_noticesproviders\class-two-factor-backup-codes.php:41

actionadmin_enqueue_scriptsproviders\class-two-factor-fido-u2f-admin.php:33

actionshow_user_security_settingsproviders\class-two-factor-fido-u2f-admin.php:34

actionpersonal_options_updateproviders\class-two-factor-fido-u2f-admin.php:35

actionedit_user_profile_updateproviders\class-two-factor-fido-u2f-admin.php:36

actionload-profile.phpproviders\class-two-factor-fido-u2f-admin.php:37

actionload-user-edit.phpproviders\class-two-factor-fido-u2f-admin.php:38

actionadmin_enqueue_scriptsproviders\class-two-factor-fido-u2f.php:62

actionwp_enqueue_scriptsproviders\class-two-factor-fido-u2f.php:63

actionlogin_enqueue_scriptsproviders\class-two-factor-fido-u2f.php:64

actionrest_api_initproviders\class-two-factor-totp.php:46

actionadmin_enqueue_scriptsproviders\class-two-factor-totp.php:47

actionwp_enqueue_scriptsproviders\class-two-factor-totp.php:48

Maintenance & Trust

Two Factor Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 17, 2026

PHP min version7.2

Downloads1.5M

Community Trust

Rating96/100

Number of ratings199

Active installs100K

Alternatives

Two Factor Alternatives

Rublon Multi-Factor Authentication (MFA)

rublon

100

Instant account security with effortless multi-factor authentication via Mobile Push, Mobile Passcode (TOTP), WebAuthn/U2F Security Keys, and more.

500 No CVEs

Flavor 2FA

flavor-2fa

100

Lightweight two-factor authentication that just works. Protect your WordPress site with authenticator apps or email codes in under 2 minutes.

0 No CVEs

SecureAuth Authenticator 2FA

secureauth-authenticator-2fa

100

Adds TOTP-based two-factor authentication (2FA) via SecureAuth Authenticator to your WordPress login page.

0 No CVEs

Wordfence Login Security

wordfence-login-security

Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC protection.

70K No CVEs

miniOrange 2FA – Two-Factor Authentication for WordPress (SMS, Email & Google Authenticator)

miniorange-2-factor-authentication

miniOrange WP 2FA plugin adds an extra layer of security to your WordPress website by protecting user logins from unauthorized access, brute-force att …

10K 10 CVEs

Developer Profile

Two Factor Developer Profile

WordPress.org

34 plugins · 14.9M total installs

trust score

Avg Security Score

97/100

Avg Patch Time

1718 days

View full developer profile

Detection Fingerprints

How We Detect Two Factor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/two-factor/build/index.css/wp-content/plugins/two-factor/build/index.js

Script Paths

/wp-content/plugins/two-factor/build/index.js

Version Parameters

two-factor/build/index.css?ver=two-factor/build/index.js?ver=

HTML / DOM Fingerprints

CSS Classes

two-factor-user-settings

Data Attributes

data-two-factor-nonce

JS Globals

two_factor_settings

REST Endpoints

/wp-json/two-factor/1.0/settings

FAQ