Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

WordPress Security Tip: Add Google Authenticator 2-Step Verification

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Do you want to add Google Authenticator 2-step verification to your WordPress site?

Passwords alone aren’t enough to ward off hackers and unauthorized users. Luckily, using Google Authenticator 2-step verification can add an extra layer of security to your website.

In this article, we will show you how to add 2-step verification on your WordPress site using the Google Authenticator app.

wordpress-security-tip_-add-google-authenticator-2-step-verification-in-post

What Is the Google Authenticator App, and Why Do You Need It for Your WordPress Site?

The Google Authenticator app is a mobile application that adds a second layer of authentication every time you log in to a third-party app or website like WordPress.

Unfortunately, passwords can sometimes be cracked. If you are using the same password on numerous websites, then a security leak on one puts your other accounts in danger. Often, people are lazy, and they don’t change their passwords even after they get an email about a security compromise on a major site.

Well, the 2-step verification is the solution just for that. Even if the hacker knows your WordPress username and password, they will not be able to access your WordPress website unless they have a time-restrained random security code (provided by Google Authenticator).

Because your blog is directly connected to your mobile device, you will be the only person with access to retrieve the unique code for each login. The code expires in a short amount of time for security purposes.

The Google Authenticator app is just one example of a mobile application that provides two-factor authentication (2FA) for various online accounts and services.

It generates time-based one-time passwords (TOTPs) that serve as the second factor for authentication when logging into an account.

If you still aren’t convinced about the importance of WordPress security, then you should probably see how one of Wired.com author’s digital life was destroyed.

After reading that story, we jumped on board with the 2-step authentication for our Google accounts and most other services that offer this feature. If you are as security-conscious as we are and you value your blog, then you should follow this tip to improve your WordPress security.

Note: Google Authenticator only works on iOS, Android, Windows Phone, webOS, PalmOS, and BlackBerry devices. In other words, you will need your smartphone to log in to your website.

To further improve your security, we recommend looking at other methods as well. For example, software like 1Password can help you manage your passwords in one place and ensure they are strong enough to withstand potential hackers.

With that said, let’s jump into the tutorial on how to add Google Authenticator 2-step verification to your WordPress site.

How to Add Google Authenticator in WordPress

The first thing you need to do is install the Google Authenticator app on your phone. We are going to use the iOS terminology for the sake of this tutorial, but the process is similar for other devices as well.

Step 1: Install Google Authenticator App on Your Mobile Device

Visit the App Store, search for ‘Google Authenticator’, and then click on ‘Install’ for the application.

google authenticator app

Now, let’s get back to your WordPress dashboard.

Step 2: Install MiniOrange’s Google Authenticator Plugin

Go ahead and install and activate the MiniOrange’s Google Authenticator plugin. For more details, you can see our step-by-step guide on how to install a WordPress plugin.

MiniOranges Google Authenticator plugin

This is a free WordPress plugin that helps protect your site from unauthorized access. Every time you log in to WordPress, you’ll be asked to enter the one-time passcode from the Google Authenticator app to verify your identity.

Upon activating the plugin, you’ll be taken to a setup wizard. Just follow the process to set up your Google Authenticator two-factor authentication in WordPress.

Step 3: Complete the Setup Wizard

Start by clicking on the ‘Let’s get started!’ button.

Getting starting with two factor authentication

Next, you will be asked whether you want to set up 2FA after your first login or within the plugin dashboard. Either method is fine.

Click ‘Continue Setup.’

continue setup 2FA

The next step is to choose who you’d like the 2FA to apply to. You can either select all users for maximum security, or you can only have it apply to certain user roles.

Then hit ‘Continue Setup.’

2FA user roles

Lastly, you’ll be asked whether or not you’d like to directly enforce 2FA immediately or give users a grace period.

If you choose to give users a grace period, then you can select how long that would be in hours and days. Once that is complete, click on ‘All Done.’

2FA grace period

Now that you are done with the setup process, you can decide whether you want to set up 2FA for yourself now or later.

Go ahead and hit the ‘Configure 2FA for yourself’ button.

configure 2FA yourself

From here, you’ll be asked to enter the method of 2-factor authentication you’d like to add to your WordPress site.

For this tutorial, we will choose ‘Google/Microsoft/Authy Authenticator.’ Then, just hit the ‘Save & Continue’ button.

select authentication method

Next, you’ll be asked to scan the barcode on the screen. That means you’ll have to pull up the Google Authenticator app on your phone and scan the barcode displayed.

In your Google Authenticator app on your mobile device, hit the ‘+’ icon at the bottom and then select ‘Scan a QR code.’ Then, point your phone camera to your computer screen to scan the barcode.

scan qr code for google authenticator

From here, a one-time passcode (OTP) will appear on your mobile device.

Type that into step 2 on your computer. From there, you can click on ‘Save & Continue.’

configure google authenticator

Now, you should receive a message that says that you’ve successfully configured two-factor authentication.

Simply select ‘Advance Settings.’

advance settings

Step 4: Add Security Questions

In addition to adding Google Authenticator 2-factor authentication, you probably want to also add security questions as well.

If you can’t access your Google Authenticator app, then you can still log in to your WordPress website if you answer the security questions that you’ve set up for yourself.

You’ll need to head over to the Mini Orange 2-Factor » Two Factor page in your WordPress admin dashboard. Then, in the Setup 2FA For Me tab, find the Security Questions method and click on ‘Reconfigure.’

Keep in mind that you can also set up other types of two-factor authentication methods, such as email verification, OTP over SMS, OTP over email, OTP over Telegram, and even Duo Authenticator.

reconfigure security questions

Next, you’ll be able to select up to three security questions. You can select two of them from a dropdown menu, and the third will be a custom question that you can come up with on your own.

Then, type in the answer for each of them and hit the ‘Save’ button.

set security questions

Step 5: Test It for Yourself

Once everything is set up, you can test it out yourself.

Simply log out of your WordPress dashboard and try to log back in.

WordPress login page

You will now be taken to a page where you can either answer security questions or use the Google Authenticator to enter your one-time passcode.

Go ahead and select the ‘Google Authenticator’ option.

2 factor authentication method

On this screen, you will be asked to enter your OTP from your Google Authenticator app.

Type in the code and then click ‘Validate.’

validate otp

Now, you will land back into your WordPress admin dashboard, as usual.

Lastly, we recommend that everyone turn on 2-step verification on their Google accounts. You can also configure that with Google Authenticator, as shown in this tutorial.

We hope this article has helped you add Google Authenticator 2-Step verification to your WordPress website. You may also want to check out our article on the most common WordPress errors and how to fix them or our ultimate guide to boost WordPress speed and performance.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

58 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Hajjalah says

    This worked like magic indeed. At first it seemed to be a complicated process but I successfully set the Google authenticator on my website with a lot of ease.
    This has enabled to completely stop the constant threats from hackers who were always trying to illegally login to my WordPress admin dashboard. This is one of the best security features I have ever implemented. Thanks WPBeginner.

  3. David says

    I just tried this and it locked me out of my website. The codes weren’t working. How can I remove this authenticator and get my site back. Pls help

  4. yasir khan saqlaini says

    i am using this feature but i want to know how will i get google authenticator code while login wp dashbord.

  5. Danny D says

    I’m surprised that nobody has mentioned Clef. This is the best 2-factor authentication for WordPress (and a lot of other websites as well). No passwords involved after initial setup. They have iOS and Android apps as well as chrome extensions to help with the setup. Works like a charm for me.

  6. rohit says

    Message To Syed Balkhi,

    Well Fake GURUs Try to hack my website 100 Times a day Finally I have started using Google Authenticator and I change my Password every 10 days. I appreciate Your skills Thanks a lot.

  7. Kavitha Krishnan says

    Hi, I have uninstalled the Google app by mistake now i am unable to login to WP. i requested the account recovery also nothing worked. Is there any solution for my issue.

  8. Sriram says

    Hi,
    What if I have a custom login page? How can I integrate this plugin in my custom login page?

  9. Lorena Dennison says

    I have my wordpress blog set up to receive a SMS code to log in… well my cell phone is shut off and can’t get the SMS Code…. so how can I log in and take that SMS off my blog?

  10. Kamran Abdul Aziz says

    Aha, Google Authenticator & Authy they always works for me,
    However is there any option where we can force users to use 2 Step verification?

    Am not allowing my users to access the Backend, Their profile & everything is limited to front end only.

    I don’t want them to access their backend & Setup 2 step.

    Any solutions?

  11. Brenda says

    I installed the two-step google authenticator, both the app and the plugin. I updated the app and now all of the sudden I can’t generate a verification code, and therefore have not been able to login to my WordPress. I have no idea what “login using FTP” or who my webmaster is. I signed up for a free worpress account because I wanted to start a little blog and now it appears to me I have to be a computer wizard to do something so basic, which is login!! Can you please help? And explain it to me like I’m a third grader. I don’t have the tech savviness you all do.

    Thank you in advance

    • WPBeginner Support says

      You mentioned that you have a free WordPress account. Does your blog address has wordpress.com in it? If that’s the case, then this tutorial is not for you. You need to contact WordPress.com support for assistance.

      Admin

  12. Zulfa Permata Suri says

    I have set up two-step authentication for my wordpress blog. Suddenly I cant log-in it said the authentication code that i type is invalid and now I am locked out of my wordpress account.
    Help me please, I want to use my wordpress but I cant log-in T.T

  13. Cara Isaacs says

    Hey,

    I recently set up two-step authentication for my wordpress blog. Downloaded the google app and it all worked fine with log-in. Then changed the name of my blog and accidentally deleted the google authenticator app and now I am locked out of my wordpress account as it asks for the code yet I cannot generate a code because I can’t access my account to get the key.

    I hope you can help.. PLEASE!

  14. Everett Patterson says

    Well I did some research and found that the hosting time may be different than the phone time and may cause issues with the codes.

    I was able to log in to my Cpanel and delete the plugin. I still want to use it though so I added it back in and used the relaxed mode this time. Seems to be working now.

    Thanks for this post, very helpful.

  15. Everett Patterson says

    Uh Oh. I locked myself out of my site.

    Here’s what I did:

    Added the plugin to my blog
    Activated it, but didn’t check the “Active” box
    Added authenticator to my android
    Scanned the QR code
    Checked “Active” box
    Signed out

    My phone gives me a new code every minute, but none of them work. What now?

    • Austin says

      I did this too…. I logged into my host via FTP and deleted the Google Authenticator plugin.

      Then I went through the process again and the plugin/app combo worked like a charm!

      Hope you’re able to get back into your site (if you haven’t already).

  16. Maria Muir says

    I installed the plugin, followed the simple steps and have now been locked out of my site. I also have the failed attempt log in plugin which has blocked me for 3 failed attempts so now have to wait. I did put in the correct details and authentication code, I tripled checked the installation and settings, all are correct. So why can’t I log back in?

  17. Chris Burbridge says

    It does concern me that when you install the plugin, you have to activate it user by user. That doesn’t make sense to me. Wouldn’t an administrator want to have it work for all users, otherwise there are holes in the net?

    I have been trying this one, which is really great — http://wordpress.org/extend/plugins/duo-wordpress/ — there’s a free option, and it works similarly. It is very slick, with a smart phone.

    • Editorial Staff says

      The reason why Google Authenticator requires each user to enable it themselves is because they have to connect their device with it. Google Authenticator is a great solution if you don’t like paying for a service. We are using it on our site. All we did was send an email to all users and ask them to turn it on.

      Yes it requires a little bit of extra work, but it is surely worth it for a small company like ours. If you have hundreds of people in your team, then it would be worth to automate it with a service like the one you linked.

      Admin

  18. Michael says

    This works great with Limit Login Attempts plug in. Great security feature if your blog does not have SSL capabilities.

  19. yatin says

    i love your site :) very helpful

    what if Google authenticator app got uninstalled by mistake !!!!

    after that how can i login in my wordpress site ?

  20. Umer Rock says

    Buy Syed bro it is not linked to google account ? then why you used google athenticator word , i think it is kind of 2 step verification system only,

    • Editorial Staff says

      If you read the post carefully, you will see that the app this plugin uses is called Google Authenticator. Without using that application this would not work. If you actually follow the tutorial and download the application, then you will see that application is made by Google Inc.

      Admin

  21. Hadley says

    I was able to successfully set up the Google Authenticator app for myself as an admin on my site, but was not able to set it up successfully for an editor on the same site. On the other user’s profile settings under Google Authenticator, the only options are to hide the Authenticator settings or make the user active with Google Authenticator. There aren’t the same options to type in a site description or view a secret code. After installing the app successfully to the other user’s phone, she was not able to sign in to the site and I’m wondering if this is due to the profile settings. Any advice?

  22. Ahmad Awais says

    Putting our login authentication in hands of a 3rd party plugin?
    Not more than 5k Downloads! What about its authenticity? Are you using it yourself #justcurious.
    I am happy with .htpaswrd file.

    Should we trust this code?

    Except this a nice plugin for sure.

    • Editorial Staff says

      The plugin has low downloads because not many people have jumped on board with this 2-step verification method. If you are happy with .htpaswd, then good for you. Yes, we are using it on our site along with all the other security measures.

      Admin

  23. Dilawer Pirzada says

    Buzz! After my great efforts on securing WordPress blog from spammers and hackers, I myself today found a great plugin to stop hackers!

    Thanks for the plugin!

  24. Santel Phin says

    Hi,

    I have completed the setup and it works great. But do I have possibility to choose how to the verification code.

    I did the same setup for my Google account, but it send via SMS in stead. And I do prefer this mode as well if it is possible.

    But I don’t see any setting to chose send via SMS. Hope you can give me an idea if it is possible or not.

    Thanks

    • Editorial Staff says

      No the SMS option is not available. Mainly because for that you need a sending service which blogs are not equipped with. There is another plugin called “2-step verification” that has the option to email the code. But no SMS.

      Admin

  25. Geoffrey Gordon says

    Thanks Syed

    WordPress security has always been a big issue in general, so the more educated people are regarding WordPress security the better. This is especially important as people see WordPress as a quick way to get a website up and running. Then one day without warning BANG their website is down by some hacker.

    Busy checking out the Google authentication plugin for WordPress, looks good. I have ask though with all the security plugin’s installed on ones blog plus other plugins it tends to slow down the website. Sometimes its better to code what a plugin can do straight into your blog, rather than keep adding another plugin.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.