This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Two-factor authentication (formerly IP Vault)


IP Vault lets you protect your WordPress backend – and any other part of your website – from unverified users.

IP Vault Firewall also preserves your server resources and bandwidth by blocking hacking attempts before they reach your site.

How does it work?

Requests to protected files and folders are redirected to the Authentication Page. IP Vault unlocks a user’s IP address using a key that is emailed for authentication. Once users verify their account, they can access all restricted areas. Users are automatically verified on registration.

What is protected?

Out of the box, IP Vault restricts access to .php and .phtml files, as well as the wp-admin folder, which are frequently exploited by bad bots and hackers.
You can choose which parts of your site to protect. Need to make the whole website private? No problem, just restrict access to /.

The story behind this plugin

In the past 20 years, I have been monitoring a few dozen client sites to prevent malicious access. I have also helped a great number of people to clean their website from malware.
I noticed that even marginal WordPress sites or non-WordPress PHP-based sites are constantly exposed to hacking attempts.

Almost all exploits I have seen work by either calling a vulnerable PHP script already on the server, by adding such a script or by injecting their own code into an existing script.

I have tried and tested quite a few security plugins. They can be quite complex to set up and to maintain. Some security plugins try to block access to vulnerable files by comparing requests to a blacklist.
These tend to become quite large and need frequent updates to be efficient. Others use geo-blocking services to block requests from certain countries. However, in my experience, hacking attempts can come from just about any location.

I thought there must be a better way using whitelists for verified users instead. And that’s how the idea for IP Vault was born.

To Dos

  • add option to get auth code by SMS (requires users to register phone number)

I love this plugin. How can I contribute?

  • Rate plugin and leave feedback on
  • Help resolve questions in support forums
  • Help with translations
  • Donate


This plugin uses the following third-party services:


  • Authentication Page
  • Dashboard Widget
  • Which files and folders should be protected?
  • IP Address Whitelist
  • Blocked connection logs & stats


There are no reviews for this plugin.

Contributors & Developers

“Two-factor authentication (formerly IP Vault)” is open source software. The following people have contributed to this plugin.




  • optimization : added a 404 header to disallowed requests, in order to discourage bots from returning
  • optimization : mapping (frequently changing) IPv6 addresses to IPv4 using third party service ipify
  • fixed potential XSS vulnerabilities


  • optimization : complete rewrite of authentication method : replaced secret URL by a 4-digit pin code
  • various small fixes


  • optimization : set transient for api calls (cache results for 1 week)
  • experimental feature : use ASN for authentication (useful if your public IP changes often)

  • optimisation : limit requests to ip-api to unknown IP addresses (IPs not yet logged)
  • optimisation : settings link added to plugin screen
  • optimisation : allow custom comments for whitelisted IPs
  • fixed minor bug : title on stats screen displays correct date
  • fixed minor bug : removing IP addresses with backslashes from whitelist


  • fixed minor bug : missing envelope.svg
  • tested up to WP version 5.7.2


  • redesigned bar chart and added daily tables in statistics
  • authentication mail back to plain text to optimise deliverability
  • various small fixes


  • added a soft rewrite mode, as .htaccess mode can be tricky on some installs
  • cosmetic changes to authentication mails, now using html
  • improved logging and statistics, database cleaned through daily cron job


  • Reengineered auth page (no longer depending on frontend page)
  • New logo and redesigned auth page
  • Improved style and optimised resource usage
  • a lot of small changes


Fixed issue where settings were not properly removed on uninstall


First release.