WordPress Security Tip: Add Google Authenticator 2-step Verification

Last updated on May 27th, 2017 by Editorial Staff

If you aren’t security conscious, then you should probably see how one Wired.com author’s digital life was destroyed. After reading that story, we jumped on board with 2-step authentication for our Google accounts and most other services that offer this feature. After a short search, we found a way to easily enable 2-step authentication in WordPress using Google Authenticator. If you are as security conscious as we are, and you value your blog, then you should follow this tip to improve your WordPress security.

Note: Google Authenticator only works on iOS, Android, Windows Phone, webOS, PalmOS, and BlackBerry devices. In other words, you will need your smartphone to log in to your website.

How Does it Work?

Normally passwords can be cracked. If you are using the same password on numerous websites, a security leak on one puts your other accounts in danger. Often people are lazy, and they don’t change their passwords even after they get an email about a security compromise on a major site.

2-step verification is the solution for exactly that. Even if a hacker knows your WordPress username and password, they will not be able to access your site unless they also have the time-limited random security code (provided by Google Authenticator).

Because your blog is directly connected with your mobile device, you will be the only person with access to retrieve the unique code for each login. The code expires in a short amount of time for security purposes.

Once we are done with this tutorial, there will be an additional field on your WordPress login page like this which will improve your WordPress security:

WordPress login screen with Google Authenticator enabled

How to Add Google Authenticator in WordPress

The first thing you need to do is install the Google Authenticator app on your phone. We are going to use the iOS terminology for the sake of this tutorial, but the process is similar for other devices as well. Visit the App Store and search for “Google Authenticator”. Download and install the application.

Now let’s get back to your WordPress dashboard. We will re-visit Google Authenticator app once we are done with the setup on the WordPress end.

Let’s install and activate the Google Authenticator plugin for WordPress. For more details, see our step by step guide on how to install a WordPress plugin.

In the WordPress menu, click on Users » Your Profile. You will see Google Authenticator Settings there.

Google Authenticator WordPress plugin settings

Active – If you check this box, then it means that your blog is now going to use Google Authenticator. (Check this box once you are done with the entire setup)

Relaxed Mode – Normally your Google Authenticator code expires every minute. Using the relaxed mode will allow you to use one code for up to 4 minutes. We don’t recommend turning this on unless you type very slowly. The code is only 6 characters long, so you should be able to do it in 1 minute.

Description and Secret Key – These options are pretty self-explanatory. The description will act as your account name in the Google Authenticator app. The secret key is needed if you are not using the QR code. Note: When using iPhone, you can’t use spaces in your description. If you do add spaces, then the QR code may not work and you will need to use the key to enter the information into the app manually.

Enable App Password – You need this only if you are using XML-RPC (remote publishing) on your blog. This means the WordPress iOS app or Windows Live Writer. Remember that enabling it will decrease your overall login security, but if you really like using remote publishing, then keep on using it. Just enable this option and set an application password.
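Why a server clock that disagrees with the phone rejects every code, and what a wider acceptance window such as Relaxed Mode trades away, shown as an added example (not the plugin's code): a minimal RFC 6238 time-based code generator and verifier in Python. It assumes the RFC defaults (30-second step, SHA-1, 6 digits); the secret is the RFC 6238 test key, and the window sizes and the `last_used_step` parameter are illustrative, not the plugin's actual settings.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; RFC 6238 default (assumption, not the plugin's value)

# Constructed sample secret: RFC 6238 test key "12345678901234567890" in Base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, digits=6, step=STEP):
    """Code an authenticator app would display at unix_time (HMAC-SHA1)."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1, last_used_step=None,
           step=STEP):
    """Return the matching time-step counter, or None if the code is rejected.

    window is how many steps before and after the server's current step are
    accepted. A wider window tolerates clock drift and slow typing, but it
    also means more codes are valid at any instant, so guessing gets easier.
    last_used_step (hypothetical parameter) rejects a code that was already
    accepted, so a captured code cannot be replayed inside the window.
    """
    code = str(code).strip()
    if not code.isdigit():
        return None
    current = int(server_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        expected = totp(secret_b32, candidate * step, step=step)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return candidate
    return None


def demo():
    phone_time = 1111111109        # constructed: the phone clock is correct
    server_time = phone_time + 90  # constructed: the server runs 90 s fast
    code = totp(SECRET, phone_time)
    strict = verify(SECRET, code, server_time, window=1)
    relaxed = verify(SECRET, code, server_time, window=4)
    replay = verify(SECRET, code, server_time, window=4,
                    last_used_step=relaxed)
    return code, strict, relaxed, replay


if __name__ == "__main__":
    code, strict, relaxed, replay = demo()
    print("code shown on phone:", code)
    print("strict window accepts:", strict is not None)
    print("relaxed window accepts:", relaxed is not None)
    print("same code accepted twice:", replay is not None)
```

Syncing the server clock (for example with NTP) fixes the drift at its source, which keeps the narrow window usable.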

Now that we have the WordPress part configured, let’s get back to the Google Authenticator app on our iPhone. Click on the Google Authenticator app icon and then click on the + icon to add a new account.

Google Authenticator add new account

You will be asked to either scan the QR code or enter the provided key. You can get both these from Google Authenticator settings on your website.

Scan Bar Code if your description doesn’t have any spaces. Click Show QR code button in WordPress to see the QR code.

As soon as you scan the bar code or enter the Secret key, your WordPress blog description will appear in Google Authenticator. It will show you a random string of 6 digits with a 1 minute counter next to it.

Google authenticator time based codes

Now when you log in, you will see a two-step verification field that asks for the Google Authenticator code.

WordPress login screen with Google Authenticator enabled

This works for multi-author blogs as well. Each author gets their own secret key, so they can set it on their device. What are you waiting for? Use 2 step verification on your blog to improve WordPress security.

Lastly, we recommend that everyone turn on 2-step verification on their Google accounts. You can also configure that with Google Authenticator as shown in this tutorial.


About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.


56 Comments

  1. David says:
    Sep 8, 2020 at 7:22 am

    I just tried this and it locked me out of my website. The codes weren’t working. How can I remove this authenticator and get my site back. Pls help

    Reply
    • WPBeginner Support says:
      Sep 10, 2020 at 9:56 am

      You can deactivate the plugin following our guide below:
      https://www.wpbeginner.com/beginners-guide/how-to-easily-deactivate-wordpress-plugins/

      Reply
  2. ANOOP VAISH says:
    Jan 13, 2018 at 12:21 am

    What do I have to do if my mobile is lost? Please describe.

    Reply
    • WPBeginner Support says:
      Jan 13, 2018 at 2:18 pm

      Hi Anoop,

      In that case you will have to deactivate WordPress plugins via FTP to login.

      Reply
  3. yasir khan saqlaini says:
    Jul 21, 2017 at 2:17 pm

    I am using this feature, but I want to know how I will get the Google Authenticator code while logging in to the WP dashboard.

    Reply
    • WPBeginner Support says:
      Jul 22, 2017 at 6:36 pm

      Hello Yasir,

      You will get Google Authenticator code inside the app you installed on your phone.

      Reply
  4. Danny D says:
    Nov 4, 2015 at 1:56 pm

    I’m surprised that nobody has mentioned Clef. This is the best 2-factor authentication for WordPress (and a lot of other websites as well). No passwords involved after initial setup. They have iOS and Android apps as well as chrome extensions to help with the setup. Works like a charm for me.

    Reply
    • Sacha says:
      Jan 21, 2016 at 11:41 pm

      I agree – I absolutely love Clef. It makes things so easy and secure.

      Reply
  5. rohit says:
    Sep 1, 2015 at 9:56 am

    Message To Syed Balkhi,

    Well Fake GURUs Try to hack my website 100 Times a day Finally I have started using Google Authenticator and I change my Password every 10 days. I appreciate Your skills Thanks a lot.

    Reply
  6. Akhil K A says:
    Jul 21, 2015 at 7:42 am

    Hi.

    The plugin is compatible up to WP 3.8.8

    Can I install on the latest version?

    Thanks.

    Reply
    • WPBeginner Support says:
      Jul 21, 2015 at 12:49 pm

      Yes you can. Please see, Should you install plugins not tested with your WordPress version.

      Reply
  7. Erick Perez says:
    Feb 15, 2015 at 5:03 pm

    you guys don’t use this on your own website, how come?

    Reply
  8. handi priyono says:
    Jul 4, 2014 at 11:48 pm

    Hello dude, thanks for helping me by writing this useful post.
    This post really helps me prevent hackers from logging in to my web. Thanks!!

    Reply
  9. WPBeginner Staff says:
    May 6, 2014 at 3:31 pm

    Please contact WordPress.com support.

    Reply
  10. WPBeginner Staff says:
    May 5, 2014 at 6:14 pm

    You can deactivate the plugin using an FTP client. See our guide on how to disable all plugins using FTP without wp-admin access.

    Reply
    • Kavitha Krishnan says:
      May 6, 2014 at 12:34 am

      I am using the WP.com hosting. So this option will not work for me.

      Reply
  11. Kavitha Krishnan says:
    May 5, 2014 at 9:36 am

    Hi, I have uninstalled the Google app by mistake and now I am unable to log in to WP. I requested the account recovery also, but nothing worked. Is there any solution for my issue?

    Reply
  12. Sriram says:
    Apr 30, 2014 at 1:47 am

    Hi,
    What if I have a custom login page? How can I integrate this plugin in my custom login page?

    Reply
  13. Lorena Dennison says:
    Mar 31, 2014 at 7:23 pm

    I have my wordpress blog set up to receive a SMS code to log in… well my cell phone is shut off and can’t get the SMS Code…. so how can I log in and take that SMS off my blog?

    Reply
    • WPBeginner Support says:
      Apr 1, 2014 at 4:44 pm

      You can’t unless you disable the plugin used to enable this two step authentication.

      Reply
  14. Kamran Abdul Aziz says:
    Feb 24, 2014 at 2:21 pm

    Aha, Google Authenticator & Authy always work for me,
    However is there any option where we can force users to use 2 Step verification?

    Am not allowing my users to access the Backend, Their profile & everything is limited to front end only.

    I don’t want them to access their backend & Setup 2 step.

    Any solutions?

    Reply
  15. Brenda says:
    Sep 4, 2013 at 9:25 pm

    I installed the two-step Google Authenticator, both the app and the plugin. I updated the app and now all of a sudden I can’t generate a verification code, and therefore have not been able to log in to my WordPress. I have no idea what “login using FTP” is or who my webmaster is. I signed up for a free WordPress account because I wanted to start a little blog and now it appears to me I have to be a computer wizard to do something so basic, which is log in!! Can you please help? And explain it to me like I’m a third grader. I don’t have the tech savviness you all do.

    Thank you in advance

    Reply
    • WPBeginner Support says:
      Sep 10, 2013 at 6:58 pm

      You mentioned that you have a free WordPress account. Does your blog address have wordpress.com in it? If that’s the case, then this tutorial is not for you. You need to contact WordPress.com support for assistance.

      Reply
  16. Zulfa Permata Suri says:
    Jun 6, 2013 at 1:58 am

    I have set up two-step authentication for my WordPress blog. Suddenly I can’t log in. It said the authentication code that I type is invalid and now I am locked out of my WordPress account.
    Help me please, I want to use my WordPress but I can’t log in T.T

    Reply
    • Editorial Staff says:
      Jun 16, 2013 at 3:16 pm

      Login to WordPress using FTP and delete the plugin.

      Reply
      • Alyson says:
        Sep 1, 2013 at 11:45 pm

        Hi – I lost my phone with my google authenticator on it and now I can’t get into my site. I don’t know how to log in using ftp ..

        HELP?

        Thanks!

        Reply
        • Editorial Staff says:
          Sep 3, 2013 at 3:17 pm

          Contact your web hosting provider. They’re the only ones who have your FTP access and can help delete the plugin.

  17. Cara Isaacs says:
    May 6, 2013 at 11:56 am

    Hey,

    I recently set up two-step authentication for my wordpress blog. Downloaded the google app and it all worked fine with log-in. Then changed the name of my blog and accidentally deleted the google authenticator app and now I am locked out of my wordpress account as it asks for the code yet I cannot generate a code because I can’t access my account to get the key.

    I hope you can help.. PLEASE!

    Reply
    • Editorial Staff says:
      May 9, 2013 at 11:26 am

      Use FTP to delete the plugin.

      Reply
      • Cara says:
        May 10, 2013 at 3:47 am

        Thanks for your reply. I just downloaded the ftp software except it can’t seem to connect to the server. Looks like I will be starting a new blog…

        Reply
        • Editorial Staff says:
          May 12, 2013 at 8:09 am

          Hey Cara. Starting a new blog is not a good solution. Please get in touch with your hosting provider or send us an email. We can help you restore this and get it sorted out.

  18. Everett Patterson says:
    Apr 16, 2013 at 8:15 pm

    Well I did some research and found that the hosting time may be different than the phone time and may cause issues with the codes.

    I was able to log in to my Cpanel and delete the plugin. I still want to use it though so I added it back in and used the relaxed mode this time. Seems to be working now.

    Thanks for this post, very helpful.

    Reply
  19. Everett Patterson says:
    Apr 16, 2013 at 7:43 pm

    Uh Oh. I locked myself out of my site.

    Here’s what I did:

    Added the plugin to my blog
    Activated it, but didn’t check the “Active” box
    Added authenticator to my android
    Scanned the QR code
    Checked “Active” box
    Signed out

    My phone gives me a new code every minute, but none of them work. What now?

    Reply
    • Austin says:
      Apr 25, 2013 at 2:58 am

      I did this too…. I logged into my host via FTP and deleted the Google Authenticator plugin.

      Then I went through the process again and the plugin/app combo worked like a charm!

      Hope you’re able to get back into your site (if you haven’t already).

      Reply
  20. Maria Muir says:
    Apr 15, 2013 at 10:21 am

    I installed the plugin, followed the simple steps and have now been locked out of my site. I also have the failed attempt log in plugin which has blocked me for 3 failed attempts so now I have to wait. I did put in the correct details and authentication code, I triple checked the installation and settings, all are correct. So why can’t I log back in?

    Reply
    • Editorial Staff says:
      Apr 18, 2013 at 8:38 am

      Run this plugin in the relaxed mode.

      Reply
  21. Chris Burbridge says:
    Apr 15, 2013 at 12:04 am

    It does concern me that when you install the plugin, you have to activate it user by user. That doesn’t make sense to me. Wouldn’t an administrator want to have it work for all users, otherwise there are holes in the net?

    I have been trying this one, which is really great — http://wordpress.org/extend/plugins/duo-wordpress/ — there’s a free option, and it works similarly. It is very slick, with a smart phone.

    Reply
    • Editorial Staff says:
      Apr 15, 2013 at 12:10 pm

      The reason why Google Authenticator requires each user to enable it themselves is because they have to connect their device with it. Google Authenticator is a great solution if you don’t like paying for a service. We are using it on our site. All we did was send an email to all users and ask them to turn it on.

      Yes it requires a little bit of extra work, but it is surely worth it for a small company like ours. If you have hundreds of people in your team, then it would be worth to automate it with a service like the one you linked.

      Reply
  22. Michael says:
    Feb 18, 2013 at 10:41 pm

    This works great with Limit Login Attempts plug in. Great security feature if your blog does not have SSL capabilities.

    Reply
  23. yatin says:
    Dec 17, 2012 at 1:13 pm

    i love your site :) very helpful

    what if Google authenticator app got uninstalled by mistake !!!!

    after that how can i login in my wordpress site ?

    Reply
    • Editorial Staff says:
      Dec 18, 2012 at 7:54 am

      Delete the plugin. Then re-do the process.

      Reply
  24. Gerard says:
    Nov 15, 2012 at 2:58 pm

    Good article, good plugin and good subject :)

    Love Authenticator app.

    Kind regards,

    Gerard.

    Reply
  25. Umer Rock says:
    Sep 7, 2012 at 3:39 am

    But Syed bro, it is not linked to a Google account? Then why did you use the words Google Authenticator? I think it is a kind of 2-step verification system only.

    Reply
    • Editorial Staff says:
      Sep 7, 2012 at 9:26 am

      If you read the post carefully, you will see that the app this plugin uses is called Google Authenticator. Without using that application this would not work. If you actually follow the tutorial and download the application, then you will see that application is made by Google Inc.

      Reply
  26. Hadley says:
    Aug 31, 2012 at 4:19 pm

    I was able to successfully set up the Google Authenticator app for myself as an admin on my site, but was not able to set it up successfully for an editor on the same site. On the other user’s profile settings under Google Authenticator, the only options are to hide the Authenticator settings or make the user active with Google Authenticator. There aren’t the same options to type in a site description or view a secret code. After installing the app successfully to the other user’s phone, she was not able to sign in to the site and I’m wondering if this is due to the profile settings. Any advice?

    Reply
    • Editorial Staff says:
      Sep 4, 2012 at 9:15 am

      Interesting. It is probably best to contact the plugin author and see what the issue could be.

      Reply
  27. Ahmad Awais says:
    Aug 15, 2012 at 4:40 pm

    Putting our login authentication in hands of a 3rd party plugin?
    Not more than 5k Downloads! What about its authenticity? Are you using it yourself #justcurious.
    I am happy with the .htpasswd file.

    Should we trust this code?

    Except this a nice plugin for sure.

    Reply
    • Editorial Staff says:
      Aug 16, 2012 at 12:58 pm

      The plugin has low downloads because not many people have jumped on board with this 2-step verification method. If you are happy with .htpasswd, then good for you. Yes, we are using it on our site along with all the other security measures.

      Reply
  28. Dilawer Pirzada says:
    Aug 15, 2012 at 2:37 pm

    Buzz! After my great efforts on securing WordPress blog from spammers and hackers, I myself today found a great plugin to stop hackers!

    Thanks for the plugin!

    Reply
  29. Santel Phin says:
    Aug 15, 2012 at 4:38 am

    Hi,

    I have completed the setup and it works great. But do I have the possibility to choose how to get the verification code?

    I did the same setup for my Google account, but it sends via SMS instead. And I prefer this mode as well if it is possible.

    But I don’t see any setting to choose to send via SMS. Hope you can give me an idea if it is possible or not.

    Thanks

    Reply
    • Editorial Staff says:
      Aug 15, 2012 at 9:03 am

      No the SMS option is not available. Mainly because for that you need a sending service which blogs are not equipped with. There is another plugin called “2-step verification” that has the option to email the code. But no SMS.

      Reply
  30. Navneet Singh says:
    Aug 14, 2012 at 11:34 am

    Plugin looking simple and POWERFUL.!!

    Reply
  31. Saad says:
    Aug 14, 2012 at 11:17 am

    This Will Be Useful For Stopping Brute Force :)

    Reply
  32. Geoffrey Gordon says:
    Aug 14, 2012 at 10:58 am

    Thanks Syed

    WordPress security has always been a big issue in general, so the more educated people are regarding WordPress security the better. This is especially important as people see WordPress as a quick way to get a website up and running. Then one day without warning BANG their website is down by some hacker.

    Busy checking out the Google authentication plugin for WordPress, looks good. I have to ask though, with all the security plugins installed on one’s blog plus other plugins, it tends to slow down the website. Sometimes it’s better to code what a plugin can do straight into your blog, rather than keep adding another plugin.

    Reply
    • Editorial Staff says:
      Aug 14, 2012 at 11:37 am

      This plugin works in the backend, so it will not have an impact on your site’s load time on the front-end.

      Reply
      • Landfoci says:
        Aug 14, 2012 at 8:12 pm

        Good plugin. Thanks for sharing.

        Reply
