Problem
The Two Factor plugin currently works on a voluntary, per-user basis — each user must opt in to configure a second factor themselves. There is no built-in way for a site administrator to require that users in certain roles have 2FA configured before they can access the site.
This gap is consistently the most-requested missing feature in the plugin, surfacing repeatedly across both GitHub and the support forum:
PR #239 ("Optionally Force 2FA"), open since 2018, demonstrates sustained community interest — it has 19 👍 reactions and active discussion as recently as March 2026
WordPress.org itself has enforced 2FA for privileged accounts on make.wordpress.org and plugin/theme committers, signalling this is the direction the ecosystem is heading
Third-party plugins have made role-based enforcement a headline feature, confirming real demand that the official plugin doesn't currently serve
In the meantime, developers have been working around the gap using the two_factor_enabled_providers_for_user filter; see #307 (comment).
Proposed solution
Add a settings UI (within the existing plugin settings page) that allows administrators to select which user roles require 2FA.
Out of scope for this issue
The new onboarding wizard (tracked in #813) is a separate concern. This issue focuses only on the settings option and the enforcement logic. Any integration with the wizard UI can be handled as a follow-up.
Prior art
wpcom_vip_is_two_factor_forced and vip_wsc_forced_mfa_users_additional_capabilities
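The filter workaround mentioned in the issue above, as an added example that is not part of the original issue or the plugin's own code. It assumes the filter passes the enabled-provider list and the user ID, and that 'Two_Factor_Email' is the key of the plugin's email provider; example_forced_2fa_roles() is a hypothetical helper.

```php
<?php
/**
 * Added example: give users in selected roles an email second factor
 * when they have not configured any provider themselves.
 *
 * Assumptions (not stated in the issue): the filter callback receives
 * ( array $enabled_providers, int $user_id ), and 'Two_Factor_Email'
 * is the provider key for email codes.
 */

// Hypothetical role list; a real site would load this from an option.
function example_forced_2fa_roles() {
    return array( 'administrator', 'editor' );
}

add_filter(
    'two_factor_enabled_providers_for_user',
    function ( $enabled_providers, $user_id ) {
        $enabled_providers = (array) $enabled_providers;

        // Respect whatever the user has already configured.
        if ( ! empty( $enabled_providers ) ) {
            return $enabled_providers;
        }

        // Unknown user ID: leave the list untouched.
        $user = get_userdata( $user_id );
        if ( ! $user ) {
            return $enabled_providers;
        }

        // Only users holding one of the selected roles are affected.
        if ( array_intersect( example_forced_2fa_roles(), (array) $user->roles ) ) {
            $enabled_providers[] = 'Two_Factor_Email';
        }

        return $enabled_providers;
    },
    10,
    2
);
```

This falls back to emailed codes rather than blocking access until the user sets up a factor, so it depends on reliable mail delivery and does not provide the role-based enforcement the issue proposes.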