Two Factor Authentication Security & Risk Analysis

wordpress.org/plugins/two-factor-authentication

Secure WordPress login with Two Factor Authentication - supports WP, Woo + other login forms, HOTP, TOTP (Google Authenticator, Authy, etc.)

20K active installs · v1.16.0 · PHP 5.6+ · WP 3.4+ · Updated Dec 9, 2025
Tags: 2fa, google-authenticator, tfa, two-factor, two-factor-auth
Score: 99
Grade: A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Dec 18, 2018
Safety Verdict

Is Two Factor Authentication Safe to Use in 2026?

Generally Safe

Score 99/100

Two Factor Authentication has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Dec 18, 2018 · Updated 3mo ago
Risk Assessment

The 'two-factor-authentication' plugin v1.16.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of its SQL queries using prepared statements, a significant number of nonce and capability checks, and no external HTTP requests. However, several critical concerns are present. The static analysis reveals two dangerous functions, notably 'unserialize', which can be a gateway for remote code execution if not handled with extreme care, and a substantial portion (53%) of outputs are not properly escaped, increasing the risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the plugin has a notable attack surface with two out of four AJAX handlers lacking authentication checks, and a high number of taint flows (6 out of 8) with unsanitized paths, including five of high severity. The plugin's vulnerability history, with two known CVEs including a high-severity one, and a recent vulnerability in 2018, suggests a pattern of security weaknesses that require attention. While the absence of unpatched CVEs and the use of prepared statements are strengths, the presence of 'unserialize', unescaped outputs, unprotected AJAX endpoints, and high-severity taint flows create significant risks.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Use of dangerous 'unserialize' function
  • Significant portion of outputs not properly escaped
  • High number of unsanitized taint flows
  • History of high severity vulnerability
Vulnerabilities: 2

Two Factor Authentication Security Vulnerabilities

CVEs by Year

1 CVE in 2015
1 CVE in 2018

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2018-20231 · High · 8.8 · Cross-Site Request Forgery (CSRF)

Two Factor Authentication <= 1.3.12 - Cross-Site Request Forgery

Dec 18, 2018 Patched in 1.3.13 (1862d)
CVE-2015-9355 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Two Factor Authentication < 1.1.10 - Cross-Site Scripting

Apr 20, 2015 Patched in 1.1.10 (3200d)
Code Analysis
Analyzed Mar 16, 2026

Two Factor Authentication Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (18 prepared)
Unescaped Output: 53 (59 escaped)
Nonce Checks: 6
Capability Checks: 5
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $result = unserialize($serialized_data); · simba-tfa\simba-tfa.php:1728
unserialize · $result = unserialize($serialized_data, array('allowed_classes' => $allowed_classes, 'max_depth' => · simba-tfa\simba-tfa.php:1730

SQL Query Safety

100% prepared (18 total queries)

Output Escaping

53% escaped (112 total outputs)
Data Flows: 6 unsanitized

Data Flow Analysis

8 flows, 6 with unsanitized paths
reset_private_key_and_emergency_codes (simba-tfa\providers\totp\loader.php:304)
Attack Surface: 2 unprotected

Two Factor Authentication Attack Surface

Entry Points: 6
Unprotected: 2

AJAX Handlers: 4

auth · wp_ajax_tfa_frontend · simba-tfa\includes\tfa_frontend.php:16
nopriv · wp_ajax_simbatfa-init-otp · simba-tfa\simba-tfa.php:114
auth · wp_ajax_simbatfa-init-otp · simba-tfa\simba-tfa.php:115
auth · wp_ajax_simbatfa_shared_ajax · simba-tfa\simba-tfa.php:117

Shortcodes: 2

[twofactor_user_settings] simba-tfa\includes\tfa_frontend.php:17
[twofactor_user_settings] simba-tfa\simba-tfa.php:856
WordPress Hooks: 32
action · affwp_process_login_form · simba-tfa\includes\login-form-integrations.php:37
filter · tml_display · simba-tfa\includes\login-form-integrations.php:40
filter · wppb_login_form_bottom · simba-tfa\includes\login-form-integrations.php:41
action · init · simba-tfa\includes\login-form-integrations.php:46
action · login_enqueue_scripts · simba-tfa\includes\login-form-integrations.php:48
filter · do_shortcode_tag · simba-tfa\includes\login-form-integrations.php:51
filter · simba_tfa_login_enqueue_localize · simba-tfa\includes\login-form-integrations.php:53
filter · edd_errors · simba-tfa\includes\login-form-integrations.php:55
action · plugins_loaded · simba-tfa\providers\totp\loader.php:104
action · admin_init · simba-tfa\providers\totp\loader.php:106
action · init · simba-tfa\providers\totp\loader.php:109
action · admin_notices · simba-tfa\providers\totp\loader.php:113
action · manage_users_columns · simba-tfa\simba-tfa.php:126
action · wpmu_users_columns · simba-tfa\simba-tfa.php:127
action · manage_users_custom_column · simba-tfa\simba-tfa.php:128
action · admin_print_styles-users.php · simba-tfa\simba-tfa.php:131
action · admin_menu · simba-tfa\simba-tfa.php:133
action · admin_init · simba-tfa\simba-tfa.php:135
action · init · simba-tfa\simba-tfa.php:136
filter · application_password_did_authenticate · simba-tfa\simba-tfa.php:140
filter · authenticate · simba-tfa\simba-tfa.php:142
action · show_user_profile · simba-tfa\simba-tfa.php:145
action · enqueue_block_assets · simba-tfa\simba-tfa.php:147
filter · pre_update_option · simba-tfa\simba-tfa.php:149
action · plugins_loaded · two-factor-login.php:66
action · init · two-factor-login.php:68
action · all_admin_notices · two-factor-login.php:71
action · all_admin_notices · two-factor-login.php:76
action · all_admin_notices · two-factor-login.php:82
action · admin_menu · two-factor-login.php:88
action · admin_menu · two-factor-login.php:89
action · network_admin_menu · two-factor-login.php:90
Maintenance & Trust

Two Factor Authentication Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 9, 2025
PHP min version: 5.6
Downloads: 879K

Community Trust

Rating: 88/100
Number of ratings: 77
Active installs: 20K
Developer Profile

Two Factor Authentication Developer Profile

David Anderson / Team Updraft

16 plugins · 6.4M total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 1197 days
Detection Fingerprints

How We Detect Two Factor Authentication

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/two-factor-authentication/admin/css/admin-pages.css
/wp-content/plugins/two-factor-authentication/admin/css/tfa-admin.css
/wp-content/plugins/two-factor-authentication/admin/js/admin-pages.js
/wp-content/plugins/two-factor-authentication/admin/js/tfa-admin.js
Script Paths
/wp-content/plugins/two-factor-authentication/admin/js/admin-pages.js
/wp-content/plugins/two-factor-authentication/admin/js/tfa-admin.js
Version Parameters
two-factor-authentication/admin/css/admin-pages.css?ver=
two-factor-authentication/admin/css/tfa-admin.css?ver=
two-factor-authentication/admin/js/admin-pages.js?ver=
two-factor-authentication/admin/js/tfa-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
simba-tfa-admin-page-wrap
HTML Comments
<!-- BEGIN Simba TFA Admin Menu -->
<!-- END Simba TFA Admin Menu -->
<!-- BEGIN Simba TFA User Settings Menu -->
<!-- END Simba TFA User Settings Menu -->
Data Attributes
data-tfa-user-id
data-tfa-user-can-manage
FAQ

Frequently Asked Questions about Two Factor Authentication