If you aren’t security conscious, then you should probably see how one Wired.com author’s digital life was destroyed. After reading that story, we have jumped on board with 2-step authentication for our Google accounts and most other services that offer this feature. After a short search, we found a way to easily enable 2-step authentication in WordPress using Google Authenticator. If you are as security conscious as us, and you value your blog, then you should follow this tip to improve your WordPress security.
Note: Google Authenticator only works on iOS, Android, Windows Phone, webOS, PalmOS, and BlackBerry devices. In other words, you MUST have a smartphone, iPod Touch, or a tablet running one of those operating systems.
How Does it Work?
Passwords can be cracked. If you are using the same password on numerous websites, a security leak on one puts your other accounts in danger. Often people are lazy, and they don’t change their passwords even after they get an email about a security compromise on a major site. 2-step verification is the solution for exactly that. Even if the hacker knows your WordPress username and password, they will not be able to access your site unless they also have the time-limited, one-time security code provided by Google Authenticator. Because your blog and your mobile device are the only two parties that share the secret behind those codes, you are the only person who should be able to retrieve the unique code for each login. The unique code expires after a short time for security purposes. Once we are done with this tutorial, there will be an additional field on your WordPress login page like this, which will improve your WordPress security:

How to Add Google Authenticator in WordPress
The first thing you need to do is install Google Authenticator on your device. We are going to use the iOS terminology for the sake of this tutorial, but the process is similar for other devices as well. Visit the App Store and search for “Google Authenticator”. Download and install the application. Now let’s get back to your WordPress dashboard. We will revisit the Google Authenticator app once we are done with the setup on the WordPress end.
Let’s install and activate the Google Authenticator plugin for WordPress.
In the WordPress menu, click on Users » Your Profile. You will see Google Authenticator Settings there.

Active – If you check this box, then your blog is going to use Google Authenticator. (Check this box once you are done with the entire setup.)
Relaxed Mode – Normally your Google Authenticator code expires every minute. Using the relaxed mode will allow you to use one code for up to 4 minutes. We don’t recommend turning this on unless you type very slowly. The code is only 6 characters long, so you should be able to enter it in 1 minute.
Description and Secret Key – These options are pretty self-explanatory. The description will act as your account name in the Google Authenticator app. The secret key is needed if you are not using the QR code. Note: When using an iPhone, you can’t have spaces in your description. Because in the above screenshot we have a space in our description “WPBeginner Blog”, we will have to use the key to enter the information in our application manually; the QR code will not work. If you want to just scan the QR code, then you have to make your description without spaces, like this: “WPBeginnerBlog”.
Enable App Password – You need this only if you are using XML-RPC (remote publishing) on your blog. This means the WordPress iOS app, or Windows Live Writer. Remember that enabling this will decrease your overall login security, but if you really like using remote publishing, then keep on using it. Just enable this option and set an application password.
Now that we have the WordPress part configured, let’s get back to our iPhone app, Google Authenticator. Tap the Google Authenticator app icon and then tap the + icon to add a new account. You will see a page like this:

1. We recommend that you use time-based one-time passcodes. Time-based codes provide better protection against phishing and keyloggers because each code is only valid for a short amount of time. If you use counter-based codes, you will need to press the refresh button next to the code in the Google Authenticator App each time you use it to advance it to the next code.
2. Scan Bar Code if your description doesn’t have any spaces. Click the Show QR code button in WordPress to see the QR code.
2a. For those who have spaces in their description, type your description as your account name.
2b. Type the secret key that you have in your WordPress admin panel.
3. Click Done.
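To make the “How Does it Work?” section, the Relaxed Mode setting and the time-based vs. counter-based choice above concrete, here is an added example of the code algorithm the app and plugin agree on. It is not the plugin’s code or Google’s code: it implements RFC 4226 HOTP (counter-based) and RFC 6238 TOTP (time-based, HMAC-SHA1, 6 digits, 30-second steps), a server-side check whose `window` parameter plays the role of the relaxed-mode setting by accepting neighbouring time steps, and the otpauth URI that a Google Authenticator QR code encodes, with the label percent-encoded so that a description with spaces still scans. The secrets are a constructed sample value and the RFC test key; `window`, `verify_totp` and `provisioning_uri` are names chosen here, not plugin settings.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed sample secret in the base32 form the plugin displays (not a real key).
SAMPLE_SECRET = "JBSWY3DPEHPK3PXP"
# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890") as base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 counter-based code: HMAC-SHA1 over the big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: the HOTP counter is the number of `step`-second
    intervals elapsed since the Unix epoch, so the code changes every `step` seconds."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 0, step: int = 30, digits: int = 6) -> bool:
    """Server-side check of a submitted code.

    window=0 accepts only the current interval (strict mode). A larger window also
    accepts `window` intervals on either side, which tolerates a server clock that
    drifts from the phone's and slow typing, at the cost of a longer-lived code.
    Assumed model of the plugin's relaxed mode, not its actual implementation."""
    submitted = submitted.strip()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * step, step, digits)
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def provisioning_uri(description: str, secret_b32: str) -> str:
    """Key URI that a Google Authenticator QR code carries:
    otpauth://totp/<label>?secret=<base32>. Percent-encoding the label is what
    lets a description such as "WPBeginner Blog" survive the scan."""
    return "otpauth://totp/%s?secret=%s" % (quote(description, safe=""), secret_b32)


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code)
    print("strict check:", verify_totp(SAMPLE_SECRET, code, now))
    print("same code 2 minutes later, relaxed:", verify_totp(SAMPLE_SECRET, code, now + 120, window=4))
    print(provisioning_uri("WPBeginner Blog", SAMPLE_SECRET))
```

Two things worth noticing when you run it: a code is tied to a time interval, so a server whose clock is minutes off from the phone’s will reject every code unless the check allows some drift, and the only thing that makes the code unguessable is the secret, which is why the app-password and QR-code handling around that secret matter as much as the 6 digits.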
Now when you log in, you will see a two-step verification field that asks for your Google Authenticator code.

This works for multi-author blogs as well. Each author gets their own secret key, so they can set it up on their own device. What are you waiting for? Use 2-step verification on your blog to improve WordPress security.
Lastly, we recommend that everyone turn on 2-step verification on their Google accounts. You can also configure that with Google Authenticator, as shown in this tutorial.

Hey,
I recently set up two-step authentication for my WordPress blog. Downloaded the Google app and it all worked fine with login. Then I changed the name of my blog and accidentally deleted the Google Authenticator app, and now I am locked out of my WordPress account as it asks for the code, yet I cannot generate a code because I can’t access my account to get the key.
I hope you can help... PLEASE!
Use FTP to delete the plugin.
Thanks for your reply. I just downloaded the ftp software except it can’t seem to connect to the server. Looks like I will be starting a new blog…
Hey Cara. Starting a new blog is not a good solution. Please get in touch with your hosting provider or send us an email. We can help you restore this and get it sorted out.
Well I did some research and found that the hosting time may be different than the phone time and may cause issues with the codes.
I was able to log in to my cPanel and delete the plugin. I still want to use it though, so I added it back in and used the relaxed mode this time. Seems to be working now.
Thanks for this post, very helpful.
Uh Oh. I locked myself out of my site.
Here’s what I did:
Added the plugin to my blog
Activated it, but didn’t check the “Active” box
Added authenticator to my android
Scanned the QR code
Checked “Active” box
Signed out
My phone gives me a new code every minute, but none of them work. What now?
I did this too…. I logged into my host via FTP and deleted the Google Authenticator plugin.
Then I went through the process again and the plugin/app combo worked like a charm!
Hope you’re able to get back into your site (if you haven’t already).
I installed the plugin, followed the simple steps and have now been locked out of my site. I also have the failed login attempt plugin, which has blocked me for 3 failed attempts, so now I have to wait. I did put in the correct details and authentication code; I triple-checked the installation and settings, and all are correct. So why can’t I log back in?
Run this plugin in the relaxed mode.
It does concern me that when you install the plugin, you have to activate it user by user. That doesn’t make sense to me. Wouldn’t an administrator want to have it work for all users, otherwise there are holes in the net?
I have been trying this one, which is really great — http://wordpress.org/extend/plugins/duo-wordpress/ — there’s a free option, and it works similarly. It is very slick, with a smart phone.
The reason why Google Authenticator requires each user to enable it themselves is because they have to connect their device with it. Google Authenticator is a great solution if you don’t like paying for a service. We are using it on our site. All we did was send an email to all users and ask them to turn it on.
Yes, it requires a little bit of extra work, but it is surely worth it for a small company like ours. If you have hundreds of people in your team, then it would be worth automating it with a service like the one you linked.
This works great with the Limit Login Attempts plugin. Great security feature if your blog does not have SSL capabilities.
I love your site
very helpful
What if the Google Authenticator app got uninstalled by mistake!!!!
After that, how can I log in to my WordPress site?
Delete the plugin. Then re-do the process.
Good article, good plugin and good subject
Love Authenticator app.
Kind regards,
Gerard.
But Syed bro, it is not linked to a Google account? Then why did you use the words Google Authenticator? I think it is a kind of 2-step verification system only.
If you read the post carefully, you will see that the app this plugin uses is called Google Authenticator. Without using that application this would not work. If you actually follow the tutorial and download the application, then you will see that application is made by Google Inc.
I was able to successfully set up the Google Authenticator app for myself as an admin on my site, but was not able to set it up successfully for an editor on the same site. On the other user’s profile settings under Google Authenticator, the only options are to hide the Authenticator settings or make the user active with Google Authenticator. There aren’t the same options to type in a site description or view a secret code. After installing the app successfully to the other user’s phone, she was not able to sign in to the site and I’m wondering if this is due to the profile settings. Any advice?
Interesting. It is probably best to contact the plugin author and see what the issue could be.
Putting our login authentication in hands of a 3rd party plugin?
Not more than 5k Downloads! What about its authenticity? Are you using it yourself #justcurious.
I am happy with the .htpasswd file.
Should we trust this code?
Except for this, it is a nice plugin for sure.
The plugin has low downloads because not many people have jumped on board with this 2-step verification method. If you are happy with .htpasswd, then good for you. Yes, we are using it on our site along with all the other security measures.
Buzz! After my great efforts on securing WordPress blog from spammers and hackers, I myself today found a great plugin to stop hackers!
Thanks for the plugin!
Hi,
I have completed the setup and it works great. But do I have the possibility to choose how to receive the verification code?
I did the same setup for my Google account, but it sends via SMS instead. And I do prefer this mode as well, if it is possible.
But I don’t see any setting to choose send via SMS. Hope you can give me an idea if it is possible or not.
Thanks
No, the SMS option is not available. Mainly because for that you need a sending service, which blogs are not equipped with. There is another plugin called “2-step verification” that has the option to email the code. But no SMS.
Plugin looking simple and POWERFUL!!
This Will Be Useful For Stopping Brute Force
Thanks Syed
WordPress security has always been a big issue in general, so the more educated people are regarding WordPress security the better. This is especially important as people see WordPress as a quick way to get a website up and running. Then one day without warning BANG their website is down by some hacker.
Busy checking out the Google authentication plugin for WordPress, looks good. I have to ask though: with all the security plugins installed on one’s blog plus other plugins, it tends to slow down the website. Sometimes it’s better to code what a plugin can do straight into your blog, rather than keep adding another plugin.
This plugin works in the backend, so it will not have an impact on your site’s load time on the front-end.
Good plugin. Thanks for your share.