How TOTP works
WP Manager Pro follows RFC 6238 (TOTP):
- Algorithm: SHA1 HMAC
- Digits: 6
- Period: 30 seconds
- Secret: 160-bit random value, base32-encoded
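With these four parameters, the authenticator app and the server derive the same code independently from the shared secret and the current time. The following Python code is an added example, not WP Manager Pro's own code; the function names and the drift_steps tolerance are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

DIGITS = 6    # code length stated on this page
PERIOD = 30   # seconds per time step, as stated on this page


def new_secret() -> str:
    """Return a fresh 160-bit random secret, base32-encoded (32 characters)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def totp(secret_b32: str, unix_time: int) -> str:
    """Compute the RFC 6238 code for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    # The moving factor is the number of whole periods since the Unix epoch,
    # encoded as an 8-byte big-endian counter.
    counter = struct.pack(">Q", max(unix_time, 0) // PERIOD)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects
    # a 4-byte window; the top bit is masked off to get a 31-bit integer.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Check a submitted code against the current step and its neighbours.

    drift_steps is an assumption of this example (tolerance for clock skew);
    the page does not say which window the plugin accepts.
    """
    ok = False
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + step * PERIOD)
        # Constant-time comparison, and no early exit from the loop.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


if __name__ == "__main__":
    import time
    secret, now = new_secret(), int(time.time())
    print(secret, totp(secret, now), verify(secret, totp(secret, now), now))
```

A wider drift window tolerates more clock skew but lengthens the time a captured code stays valid.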
Setting up 2FA
Install an authenticator app
Install Google Authenticator, Authy, or any TOTP-compatible app on your phone before proceeding. Any app that supports RFC 6238 works.
Click Set Up Two-Factor Auth
On the Two-Factor tab, click Set Up Two-Factor Auth. WP Manager Pro generates a fresh secret and displays a QR code.
Scan the QR code
Open your authenticator app and scan the QR code. The app adds a new entry labelled with your site name and email address.
If your app does not support QR scanning, click the copy icon next to the base32-encoded secret and enter it manually in your app.
Enter the 6-digit code
Your app immediately starts generating 6-digit codes that rotate every 30 seconds. Enter the current code into the verification field.
Click Verify & Enable
Click Verify & Enable. WP Manager Pro validates the code and, if correct, activates 2FA for your account.
Backup codes
Backup codes let you log in if you lose access to your authenticator app.
- Eight codes are generated when you first verify your TOTP setup.
- Each code is a single-use token — once used, it cannot be used again.
- Codes are stored as MD5 hashes in the WordPress database; the plain-text values are shown only once, immediately after setup.
- After using a backup code to log in, set up 2FA again to generate a fresh set of codes.
Disabling 2FA
If 2FA is already active, click Disable 2FA on the Two-Factor tab. This deletes the stored secret, enabled flag, and backup codes for your account. The next login will not require a second factor.
Supported authenticator apps
- Google Authenticator (iOS / Android)
- Authy (iOS / Android / desktop)
- Any app that implements RFC 6238 TOTP (1Password, Bitwarden, Microsoft Authenticator, etc.)
2FA is configured per user. Each admin account manages its own 2FA setup independently.
