Required WordPress Two-Factor Authentication Update Coming June 16 for some Workhorse clients

Starting June 16, 2026, Workhorse will begin transitioning select managed WordPress sites to a new two-factor authentication (2FA) provider.

Many WordPress CMS users already have two-factor authentication enabled today. This update does not remove that requirement. Instead, it changes the plugin used to enforce and manage 2FA on affected sites.

As part of this transition, CMS users on affected sites will be prompted to set up 2FA again the next time they log in after the change. If you currently use Google Authenticator, Microsoft Authenticator, Authy, 1Password, or another authenticator app, your existing code for that site will no longer work after the transition. You will need to connect your authenticator app again using the new setup prompt.

This change only affects users who log in to the WordPress CMS/admin area. If your website includes ecommerce, memberships, gated content, customer accounts, or similar front-end user login features, those customer/member users will not be affected by this change.

What affected CMS users will need to do

On or after June 16, users on affected sites may be prompted to complete 2FA setup the next time they log in to the WordPress dashboard.

Setup will involve:

  1. Open your authenticator app
  2. Scan the QR code presented when logging in
  3. Enter the verification code generated by the app
  4. Click “Validate & Save”

The setup process should only take a few minutes.

What if I get locked out?

We understand that access to your website can be business-critical.

If you have trouble logging in after this change, Workhorse will prioritize requests related to 2FA lockouts so we can help restore access and minimize disruption.

Please contact your account manager or submit a support ticket through our request form if this happens or if you have any questions.

Our goal

This change is being made to keep WordPress CMS access secure, supported, and aligned with current security best practices.

We appreciate your cooperation as we make this transition. Reconnecting your 2FA app may take a few minutes, but it helps protect your website and your business from unauthorized access.

Why this is changing

The standalone Wordfence Login Security plugin, which has been used to provide 2FA on many sites, is being discontinued on or around July 1, 2026.

To keep site access secure and supported, Workhorse is proactively moving affected managed WordPress sites to another solution before that discontinuation date.

In addition, our new solution supports passkeys, which are a phishing-resistant, passwordless method to log in. Many organizations are moving to passkeys and away from passwords. We anticipate a future where all Workhorse WordPress sites require passkeys. However, the rollout of passkeys must be done carefully to prevent user frustration, lockouts, and business disruptions.

Passkeys can be enabled at your request.

Why 2FA remains important

Passwords alone are no longer enough to protect website access.

Attackers increasingly rely on stolen passwords, phishing, credential stuffing, reused passwords, and automated login attempts. If a password is exposed in a breach or guessed by an attacker, 2FA adds an extra layer of protection by requiring a second step before access is granted.

This is especially important for WordPress CMS users because admin or editor access can allow someone to make content changes, create new users, install malicious plugins, redirect visitors, inject spam, or disrupt business operations.

Requiring 2FA is one of the most effective ways to reduce the risk of unauthorized access.