Using Google Two-Factor Authentication With WordPress


Brute-force login attacks targeting WordPress sites are quite common, such as in April 2013 when more than 90,000 sites were targeted. There are a handful of good ways to protect yourself against these attacks:

However, I prefer to use a two-factor authentication method that requires a code from my phone to complete the login process. Google Authenticator has been gaining ground as a mobile app for providing secure codes. In fact, you may already have the Google Authenticator app on your phone, as a number of web services now integrate with it, including cloud file store provider Dropbox, cloud hosting provider Digital Ocean, and name service provider Gandi.net.

And, fortunately, there is a simple WordPress plugin by Henrik Schack that integrates with Google 2fa; it's also called Google Authenticator. Installing and using this plugin is quite easy—and the security benefit is significant.

Google Authenticator WordPress Plugin by Henrik Schack

This tutorial will walk you through setting up the Google Authenticator WordPress plugin for your own sites.

Installing the Google Authenticator Plugin

From your WordPress Dashboard, go to install a new plugin and search for Google Authenticator, and click Install Now:

Install the Google Authenticator Plugin

Then, click Activate Plugin:

Activate the plugin

From the dashboard, click Users > Your Profile and scroll down to the Google Authenticator settings:

Google Authenticator Plugin Settings

Check the Active box. Edit the description so that you will recognize the site in your Google Authenticator mobile app, then reveal the QR code.

Note that the plugin works for multiple users—and each user has the choice of enabling it for themselves.

Adding Your Site to the Mobile Authenticator App

From your mobile Google Authenticator App, click the upper right pen (for editing). Click the plus sign at the bottom for adding a site. Choose to scan the barcode and point your camera at the QR code. The process is quite fast.

Add Your WordPress Site to Mobile Google Authenticator App

Log out of your WordPress site and you should see the additional field for Google Authenticator on your login screen!

WordPress Login with Google Authenticator Two Factor Authentication

To log in, enter your username and password as usual, then open the Google Authenticator app on your phone to get the additional code. The codes are time-sensitive and expire every few minutes.

Retrieve your mobile authenticator code to login
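The code the app displays is a time-based one-time password (TOTP, RFC 6238): an HMAC-SHA1 over the shared secret carried in the QR code and the current 30-second time step, truncated to six digits. The Python below is an added example, not code from this tutorial or from Henrik Schack's plugin. It generates a code the way the phone does and verifies it the way a server must, accepting a small drift window so a code typed just as the step rolls over is still valid. The secret is the published RFC 6238 test secret, and the one-step drift window is an assumption for illustration, not the plugin's own setting.

```python
"""TOTP (RFC 6238) as used by Google Authenticator: generate and verify.

Added example, not the tutorial's or the plugin's code. The secret is the
RFC 6238 test vector secret, not a real one; the drift window is assumed.
"""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30      # seconds per code, the Google Authenticator default
DIGITS = 6          # length of the displayed code
DRIFT_STEPS = 1     # accept one step either side of "now" (assumption)

# RFC 6238 Appendix B test secret ("12345678901234567890" in Base32).
# Real secrets are random and delivered to the phone via the QR code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the Base32 secret from the QR code (padding is often omitted)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.

    This is what the phone computes; it never talks to the server.
    """
    return hotp(decode_secret(secret_b32), int(at_time // step))


def verify_totp(secret_b32: str, submitted: str, at_time: float,
                step: int = TIME_STEP, drift: int = DRIFT_STEPS) -> bool:
    """Server-side check: the code must match the current step or a neighbour.

    A code older than the drift window is rejected, which is why a stale
    code copied from the phone stops working after the step rolls over.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    key = decode_secret(secret_b32)
    now_step = int(at_time // step)
    for delta in range(-drift, drift + 1):
        # Constant-time comparison so timing does not leak digit matches.
        if hmac.compare_digest(hotp(key, now_step + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET_B32, now)
    print("current code:", code, "valid:", verify_totp(RFC_SECRET_B32, code, now))
```

The drift window is the trade-off to think about: a wider window is friendlier to phones with skewed clocks but lets each code be replayed for longer, so keep it to a step or two and make sure the server's own clock is synchronised with NTP.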

Congratulations, you've successfully implemented two-factor authentication on your WordPress site.

Troubleshooting

In writing this tutorial, I was accidentally logged out of my site before I had registered my site with the mobile app. I couldn't log back in—but luckily, there is a simple solution listed on the plugin support page.

I just had to log in via SSH to my server and change the name of the plugin folder temporarily. Then, I logged back into WordPress, reset the plugin folder name, added my site on my mobile app, and I was good to go.

Another way to do this is through the database using a tool such as phpMyAdmin and these queries. If you're not self-hosting, you may need to request help from your hosting company.

In Closing

I hope you've found this useful; now go secure your WordPress sites.

Please post any comments, corrections or additional ideas below. You can browse my other Tuts+ tutorials on my author page or follow me on Twitter @reifman.
