2-Step Verification for WordPress Using Google Authenticator
By Tahir Taous
Online security is a big issue. Thousands of websites, brands, and online accounts are attacked by hackers every day. With the use of WordPress being so widespread, it’s not immune to these attacks. Thousands of WordPress-powered websites have been targeted successfully in the past.
The infamous default ‘admin’ username and a weak password are both big issues, since they’re easier to brute force. It’s highly recommended that you never use ‘admin’ as your primary username, and always use a strong password, rather than a common, easy to remember password.
Google’s 2-Step Verification
Normally, you need a username and password to log in to your WordPress dashboard. If you use a strong password, that’s a step in the right direction, but did you know that you can make your WordPress login even more secure with Google’s 2-Step Verification (also known as two-factor authentication)?
There are numerous two-factor authentication plugins. In this article, I’m only focusing on Google Authenticator, which is already widely supported by many providers for two-factor authentication.
With Google’s 2-Step Verification enabled, you’ll be prompted to enter a six-digit number after you provide your username and password. If you don’t provide this six-digit number, you won’t be able to log in, even if you have the correct username and password.
Google’s 2-Step Verification can make your WordPress website more secure and more hardened against brute force attacks; even if your username and password become compromised, logging in to your website will not be possible without the six-digit code.
Google Authenticator WordPress Plugins
At the time of writing, there are two free plugins available to enable Google’s 2-Step Verification in WordPress. The first plugin is Google Authenticator by Henrik Schack, which has over 10,000 active installs. According to the Plugin Directory, this plugin is compatible up to version 3.8.3 of WordPress; however, I’ve been using it with the latest version of WordPress (which is version 4.1) without any issues.
How to Install Google Authenticator on Your WordPress Website
For the purposes of this example, I am using Google Authenticator by Henrik Schack.
To begin, download and install the Google Authenticator plugin. After activating it, go to ‘Users > Your Profile’. Now select the ‘Active’ check box to activate Google’s 2-Step Verification in WordPress.
Next, modify the description so that you will recognize the website entry in the Google Authenticator mobile app, then click to show the QR code. In my case, I added the name of my blog.
How to Install Google Authenticator on Your Mobile Device
If you don’t have the Google Authenticator app on your mobile device, you’ll need to download and install it. You can read step-by-step instructions on how to install Google Authenticator on an Android device, BlackBerry, or iPhone at the 2-Step Verification support page.
To start using the app, click the upper right pencil icon. Then, click the plus icon at the bottom to add a website. Choose to scan the barcode and point your camera at the QR code.
If there’s a problem scanning the QR code, try using the secret key. Select ‘Manually Add Account’ and enter the secret key shown on your computer screen into the box under the ‘Enter’ key. Make sure you’ve chosen to make the key time-based and press ‘Save’.
Now log out of your WordPress site and visit the login page. You should now see the additional field for Google Authenticator on your login screen.
Enter your username, password and six-digit code. Launch your Google Authenticator mobile app to get the six-digit code to log in. Remember, the code is time-sensitive and expires within a few seconds. If you need more time, activate the ‘Relaxed’ mode in the Google Authenticator settings.
What If the Google Authenticator Codes Aren’t Working (Android)?
If you’re entering the correct password, username and code provided by Google Authenticator, but still can’t log in to your WordPress website, then you should try the time correction feature. The codes that the Google Authenticator app generates are dependent on the correct time on your device.
To do this, in the Google Authenticator app, go to ‘Settings > Time Correction’ and select ‘Codes > Sync Now’.
After tapping on ‘Sync Now’, you’ll see a confirmation message that indicates that the time has been synced. You should now be able to use your verification codes to sign in.
The sync only affects the internal time of your Google Authenticator app; it will not change your device’s date and time settings.
You can read more about common issues with 2-Step Verification on the Common issues with 2-Step Verification support page.
Also, make sure the time is correct on your mobile device and desktop. When there was a time difference between my Android phone and my PC, I wasn’t able to log in to my WordPress website.
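To see why a skewed phone clock makes the six-digit codes fail, and what a wider acceptance window (the kind of tolerance a ‘Relaxed’ setting buys) changes, here is an added, stand-alone implementation of the TOTP algorithm (RFC 6238 over RFC 4226 HOTP) that Google Authenticator uses. It is example code written for this article, not the plugin’s code; the base32 secret is the RFC 6238 test key, and the window sizes are illustrative assumptions, not the plugin’s actual settings.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # time step used by Google Authenticator
DIGITS = 6         # length of the code the user types


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, submitted: str, server_time: int, window: int = 0) -> bool:
    """Accept the code for the server's current step and `window` steps either side.

    window=0 is strict; a larger window tolerates clock skew between phone and
    server at the cost of keeping more codes valid at once. Comparison is
    constant-time so a wrong guess leaks nothing about the right code.
    """
    current = server_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, current + delta), submitted)
        for delta in range(-window, window + 1)
    )


def decode_base32_secret(b32: str) -> bytes:
    """Google Authenticator shares secrets as base32 text; normalise, pad and decode it."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test key "12345678901234567890" in base32.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    phone_code = totp(secret, now - 90)  # phone clock is 90 s (3 steps) behind the server
    print("strict  (window=0):", verify(secret, phone_code, now, window=0))
    print("relaxed (window=4):", verify(secret, phone_code, now, window=4))
```

Run stand-alone, the strict check rejects the code from the slow phone while the wider window accepts it, which is exactly the failure the time-correction steps above fix at the source by re-aligning the phone’s clock instead of loosening the server’s check.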
To Use or Not to Use Google Authenticator
I have been using 2-Step Verification for my Gmail account for a long time and it has always worked well. I have been using Google Authenticator for WordPress for just a few weeks, and it’s working just as well.
Yes, sometimes you might get an error and you won’t be able to log in to your website, but in my experience it is usually because the time on the Google Authenticator app is not synced correctly.
When synced correctly, Google Authenticator for WordPress will make your WordPress website more secure and safe. I highly recommend using a mechanism like this and strongly urge you to never compromise on the security of your website.
Are you already using Google Authenticator for WordPress? If so, what has your experience been like? What other plugins or services are you using for WordPress security? Please share your comments below.