Security & 2FA

WordPress's security reputation comes down to one thing: it's been the single largest target on the open internet for 20 years, running on millions of servers with a plugin ecosystem of wildly varying quality. The response is usually a security plugin (Wordfence, iThemes Security), a 2FA plugin (WP 2FA), and a login-protection plugin (Limit Login Attempts). Contensio folds the essentials into the core, leaning on Laravel's Fortify — a battle-tested auth package maintained by the Laravel core team.

What's built in

Two-factor, the right way

2FA is enabled per-user, from the user's own profile — admins can require 2FA for specific roles but can't enroll a user's device for them. When enrolling:

• Scan a QR code with any TOTP app (Google Authenticator, Authy, 1Password, Bitwarden).
• Confirm with a code. 2FA is now active on next login.
• Save 8 single-use recovery codes in a password manager — for the day the authenticator app is lost.
• Regenerate codes (invalidates old ones) or disable 2FA from profile settings.

Social sign-in (Google, GitHub, Facebook, Microsoft — via the Social Connect plugin) still challenges users for 2FA after OAuth. 2FA is not a bypass surface.

Session + credential hygiene

• httpOnly, secure, SameSite session cookies — default.
• Passwords stored using bcrypt, auto-upgrading algorithm on login.
• Session regeneration on login to prevent fixation.
• Email change requires re-confirmation at the new address.

Compared to WordPress