There are several reasons why the 2FA email code may not arrive. Work through these checks in order.
Check the email address
Verify that the correct email address is set in the user’s WordPress profile. Go to Users > Profile and confirm the email. In WP Ghost’s 2FA settings, click Reset Email to resend the verification to the correct address.
No SMTP plugin configured
WordPress uses PHP’s wp_mail() function by default, which many hosting providers block or limit. Install an SMTP plugin (such as Easy WP SMTP, WP Mail SMTP, or FluentSMTP) and configure it with your email provider’s SMTP credentials. Test email delivery after setup by sending a test email from the plugin’s settings page.
Emails landing in spam or junk
Check the spam/junk folder in the user’s email inbox. Without a properly configured SMTP plugin and matching SPF/DKIM records, emails from WordPress are often flagged as spam. Configuring SMTP with authentication typically resolves this.
Email delivery delay
Shared hosting email servers can delay delivery by several minutes. If the 2FA code arrives after expiration (default: 15 minutes), the code won’t work. Use a dedicated SMTP service (SendGrid, Mailgun, Amazon SES, or your email provider’s SMTP) for faster, more reliable delivery.
Token expired before arrival
If emails consistently arrive late, extend the token TTL using the hmwp_token_ttl filter in your child theme’s functions.php:
add_filter('hmwp_token_ttl', function($ttl, $user_id) {
return 30 * MINUTE_IN_SECONDS; // Extend to 30 minutes
}, 10, 2);If you’ve lost access to the admin dashboard due to 2FA email issues, see the emergency disable guide to regain access.