How to Enable 2-Step Authentication for WordPress
The Google Authenticator WordPress security plugin is an easy-to-configure plugin that lets you enable 2-step verification (two-factor authentication) on your WordPress blog or website to improve its security. In this WordPress plugin review and security tutorial we show you how to enable and configure the Google Authenticator plugin to strengthen the login of your WordPress blog or website.
The Google Authenticator application only works on iOS, Android, Windows Phone, webOS, PalmOS, and BlackBerry devices. Therefore you must have a smartphone or another type of device (such as a tablet) running one of these operating systems to use the Google Authenticator plugin on WordPress.
To login to the WordPress admin pages (dashboard) you need to specify a username and a password, which are values that do not typically change. Even though it is recommended that a password should be changed every couple of weeks, very few people do so. Even worse, many people use the same password on different websites. If there is a security breach on one of the accounts, all other websites are in danger.
Once you install and configure the Google Authenticator plugin, you need the following to log in:
- Username
- Password
- Google Authenticator Code (generated by an application on your smartphone / device)
Therefore even if a malicious hacker guesses your username and password, he cannot log in to the WordPress dashboard because he does not have a Google Authenticator code, which can only be generated by your smartphone. Once you have completed this tutorial, your WordPress login will include an extra input field as seen in the above screenshot. This improves the security of your WordPress installation by strengthening the login form.
Install Google Authenticator Application
First you need to install the Google Authenticator app on your smartphone, tablet or any other supported device. If you are familiar with adding apps on your device, proceed and install the app like any other app. If you need assistance, refer to Google’s own guide Install Google Authenticator.
Next we explain how to configure the Google Authenticator WordPress plugin. We will see how to use the Google Authenticator application later on in this tutorial.
Configuring Google Authenticator WordPress Plugin
Once you install and activate the Google Authenticator WordPress plugin, access your WordPress user profile and configure the Google authenticator for a more secure WordPress login. Below is a screenshot of the Google Authenticator settings which should be in your WordPress user profile.
Google Authenticator Plugin Settings
Active: Toggle this option to enable Google Authenticator for your login on WordPress. Activate this option once you are done with the entire setup.
Relaxed Mode: The one-time Google Authenticator code generated by your smartphone application and used to log in expires every 30 seconds or so. By enabling this option you will be allowed to use the same code for up to 4 minutes. It is not recommended to enable this option unless you type very slowly.
Description: Specify a user friendly description as your account name on the Google Authenticator application. Note: You cannot use spaces in the description if you are using iOS (iPhone, iPad etc).
Adding an Account to Google Authenticator Application
Secret: The secret key is needed if you want to add the newly configured WordPress account to the Google Authenticator app manually, i.e. without using the QR code. To enter the secret key in the Google Authenticator app and add the account, run the Google Authenticator application on your device and select Add Account > Enter Key Provided.
Show / Hide QR Code: Alternatively, to add the account to your Google Authenticator application, click Show / Hide QR Code and scan the code with the app. The account is added automatically once the QR code has been scanned.
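To make the Secret, the 30-second code rotation and the Relaxed Mode window described above concrete, here is an added example (illustrative code, not the plugin's own implementation) that derives the 6-digit code from a base32 secret the way a Google Authenticator-style app does (RFC 6238 TOTP with HMAC-SHA1) and checks a submitted code against a strict window and a relaxed 4-minute window. The secret in the example is the RFC 6238 test key, not a real account secret, and the assumption that Relaxed Mode equals 8 steps of 30 seconds back is ours.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the ~30-second rotation the tutorial describes
DIGITS = 6          # the 6-digit code typed into the login form

def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 'Secret' shown in the plugin settings (spaces/case tolerated)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding the app may omit
    return base64.b32decode(cleaned)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify(secret: bytes, submitted: str, now: int, relaxed: bool = False) -> bool:
    """Accept a code if it matches the current step or an allowed earlier step.
    Strict: current step plus the previous one (small clock skew).
    Relaxed: any step from the last 4 minutes (assumption: 8 steps back),
    which is why the tutorial advises against enabling Relaxed Mode."""
    steps_back = (4 * 60) // STEP_SECONDS if relaxed else 1
    current = now // STEP_SECONDS
    for counter in range(current - steps_back, current + 1):
        expected = totp(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True
    return False

if __name__ == "__main__":
    # Constructed input: the RFC 6238 test secret, base32-encoded as the plugin would show it.
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = 1234567890
    print("current code:", totp(key, now))
    stale = totp(key, now - 180)   # a code generated three minutes ago
    print("strict accepts stale code:", verify(key, stale, now))
    print("relaxed accepts stale code:", verify(key, stale, now, relaxed=True))
```

Running it shows that a three-minute-old code is rejected under the strict check but accepted under the relaxed window, which is the trade-off the Relaxed Mode setting makes.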
Allowing Remote Publishing to Bypass Google 2 Step Verification
Enable App Password: You only need to enable this option if you are using remote publishing on your WordPress blog or website with applications such as Windows Live Writer. In that case, enable this option and specify a password that such an application can use to “bypass” the Google Authenticator Code.
WPWhiteSecurity.com Tip: It is not recommended to enable the option Enable App Password since it decreases the overall login security of your WordPress blog or website.
Enabling Google Authenticator on Multi User Blog
As a multi-user WordPress blog administrator you cannot configure Google Authenticator for the other users on your blog, because each user has to have his or her own unique settings. You can, however, enforce Google Authenticator (or hide its settings) for a WordPress user by navigating to that user's WordPress profile and enabling the desired options there, as seen in the below screenshot.
Logging in to WordPress with Google Authenticator Enabled
To log in to your WordPress site with 2-step verification enabled, navigate to the /wp-admin/ directory as usual and follow the procedure below:
- Enter your username and password
- Launch the Google Authenticator application on your device
- Type the 6-digit code generated by the app into the Google Authenticator Code field
Download the Google Authenticator plugin from the WordPress Plugin Directory to improve your WordPress security.