Use Two Factor Auth in WordPress with Magical Wave of Keyy



Meet Keyy - The two-factor authentication plugin for WordPress which works flawlessly like Clef. This plugin has been created by David Anderson and Team Updraft.


It’s time to forget about …

  • Brute-forcing
  • Weak credentials
  • Key-logging
  • Password re-use
  • Shoulder-surfing
  • Connection sniffing

Getting Started with Keyy

  1. Install the Keyy application on your Android / iOS device.

  2. Next, Install and activate the Keyy Plugin into your WordPress

  3. Go to Plugin Settings > Scan QR code to pair with your Device.

  4. Similarly, for login to WordPress, just scan the magical wave.

I hope this helps and you liked this tutorial. Have any question, please feel free to ask below.


Thanks & Regards,

How do you protect your password?
Wordpress Security
How do you protect your password?
Which security plugins are you guys using?

What do you think, we should definitely use this plugin or it is optional?


I truly liked this plugin, it’s so easy to use. No optional.


Can I login only from my smartphone while using this plugin?


Yes, of course. Just you need to open site link using its App.


I have installed Keyy on my Wordpress, after recommendation by Gulshan :slight_smile:

It is better than Google 2FA I think.


Should I remove ‘’ Limit Login Attempts ‘’ plugin after installation Keyy plugin?

Last update of the Limit Login Attempts plugin was published 6 year ago by author.


If the app is uninstalled from my phone , I will not be able to login again ? So, should I keep one screenshot of the qr code ?


Of course, yes. We should not use such plugin that has not been updated since years.


After installation Keyy plugin, The plugin gives you an url to login without keyy.


If you login by using secret url without Keyy plugin, Url will be changed each time automatically.

pinned #13


I’m under brute force attack. It shows in WP activity feed that someone is trying to log in with my username in every 2-5 minutes and failing every time. It also tried to log in with one temp ID that I created as an author. So I removed that id too. But the most spooky thing is that it shows localhost [] as the IP address of the attacker.
I have disabled all access to my APPs, and Server.
Which 2 FA plugin to install?

Google Authenticator by miniOrange or
Keyy 2FA by updraftplus?


Here’s the fix

You can hide original username. Please search forum, written about it.


I have already done that. Thanks.


Ok, is it working or still happening?


I have installed Keyy plugin. So it has stopped. but still in jetpack it shows local IP while in comments it shows real IP. The problem is with jetpack only.


You are using Cloudways + Varnish, this commonly happens in this case. In above link, I have shared solution. It should work perfectly if implemented correctly.


I’ll move from CW to DO next month. Appreciate your help… thank you :smiley: