2-Step Verification for WordPress Using Google Authenticator


Online security is a big issue. Thousands of websites, brands, and online accounts are attacked by hackers every day. With the use of WordPress being so widespread, it’s not immune to these attacks. Thousands of WordPress-powered websites have been targeted successfully in the past.

The infamous default ‘admin’ username and a weak password are both big issues, since they’re easier to brute force. It’s highly recommended that you never use ‘admin’ as your primary username, and always use a strong password, rather than a common, easy-to-remember password.

Google’s 2-Step Verification

Normally, you need a username and password to log in to your WordPress dashboard. If you use a strong password, that’s a step in the right direction, but did you know that you can make your WordPress login even more secure with Google’s 2-Step Verification (also known as two-factor authentication)?

There are numerous two-factor authentication plugins. In this article, I’m only focusing on Google Authenticator, which is already widely supported by many providers for two-factor authentication.

With Google’s 2-Step Verification enabled, you’ll be prompted to enter a six-digit number after you provide your username and password. If you don’t provide this six-digit number, you won’t be able to log in, even if you have the correct username and password.

Google’s 2-Step Verification can make your WordPress website more secure and more hardened against brute force attacks; even if your username and password become compromised, logging in to your website will not be possible without the six-digit code.

Google Authenticator WordPress Plugins

At the time of writing, there are two free plugins available to enable Google’s 2-Step Verification in WordPress. The first plugin is Google Authenticator by Henrik Schack, which has over 10,000 active installs. According to the Plugin Directory, this plugin is compatible up to version 3.8.3 of WordPress; however, I’ve been using it with the latest version of WordPress (which is version 4.1) without any issues.

Google Authenticator for WordPress

The second free plugin is Google Authenticator for WordPress by Julien Liabeuf, which has over 2,000 active installs. This plugin is compatible up to version 4.1.1 of WordPress.

How to Install Google Authenticator on Your WordPress Website

For the purposes of this example, I am using Google Authenticator by Henrik Schack.

To begin, download and install the Google Authenticator plugin. After activating it, go to ‘Users > Your Profile’. Now select the ‘Active’ check box to activate Google’s 2-Step Verification in WordPress.

Google Authenticator Settings

Next, you will need to modify the description, so that you will recognize the website entry on the Google Authenticator mobile app and show the QR code. In my case, I have added the name of my blog.

How to Install Google Authenticator on Your Mobile Device

If you don’t have the Google Authenticator app on your mobile device, you’ll need to download and install this app. You can read step-by-step instructions on how to install Google Authenticator on an Android device, Blackberry, or iPhone at the 2 step verification support page.

To start using the app, click the upper right pencil icon. Then, click the plus icon at the bottom to add a website. Choose to scan the barcode and point your camera at the QR code.

If there’s a problem scanning the QR code, try using the secret key. Select ‘Manually Add Account’ and enter the secret key shown on your computer screen into the box under the ‘Enter’ key. Make sure you’ve chosen to make the key time based and press ‘Save’.

Now log out of your WordPress site and visit the login page. You should now see the additional field for Google Authenticator on your login screen.

Enter your username, password and six-digit code. Launch your Google Authenticator mobile app to get the six-digit code to log in. Remember, the code is time sensitive and expires within a few seconds. If you need more time, then activate the ‘Relaxed’ mode in the Google Authenticator settings.

What If the Google Authenticator Codes Aren’t Working (Android)?

If you’re entering the correct password, username and code provided by Google Authenticator, but still can’t log in to your WordPress website, then you should try the time correction feature. The codes that the Google Authenticator app generates are dependent on the correct time on your device.

To do this, in the Google Authenticator App, go into ‘Settings > Time Correction’, and select ‘Codes > Sync Now’.

After tapping on ‘Sync Now’, you’ll see a confirmation message that indicates that the time has been synced. You should now be able to use your verification codes to sign in.

The sync will only affect the internal time of your Google Authenticator app and will not change your device’s Date and Time settings.

You can read more about common issues with 2-Step Verification on the Common issues with 2-Step Verification support page.

Also, make sure the time is correct on your mobile device and desktop. When there was a time difference between my Android phone and my PC, I wasn’t able to log in to my WordPress website.
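
To make the time dependence concrete, the following Python sketch (an added example, not code from this article or from either plugin) implements the standard time-based one-time password algorithm (RFC 6238) that Google Authenticator uses, and shows how a clock difference between phone and server causes a correct code to be rejected. The `window` parameter, the `login_outcome` helper and the sample timestamp are assumptions for illustration; the tolerance the plugin's ‘Relaxed’ mode actually applies is not stated here.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (RFC 6238 default)

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = int(unix_time // STEP)          # each side derives this from its own clock
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Return the step offset at which `code` matches, or None.

    `window` is how many 30-second steps either side of the server's clock
    are accepted. A wider window tolerates more skew, but it also means
    2 * window + 1 codes are valid at once for anyone guessing.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return drift
    return None

# Constructed sample data: the RFC 6238 test key, not a real site secret.
SECRET = base64.b32encode(b"12345678901234567890").decode()
SERVER_TIME = 1111111109  # fixed timestamp so the output is reproducible

def login_outcome(phone_skew_seconds, window):
    """Phone generates a code with a skewed clock; the server verifies it."""
    code = totp(SECRET, SERVER_TIME + phone_skew_seconds)
    return verify(SECRET, code, SERVER_TIME, window)

if __name__ == "__main__":
    for skew, window in [(0, 0), (2, 0), (2, 1), (120, 1), (120, 4)]:
        result = login_outcome(skew, window)
        status = "rejected" if result is None else f"accepted (step {result:+d})"
        print(f"phone clock {skew:+4d}s, window ±{window}: {status}")
```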

To Use or Not to Use Google Authenticator

I have been using 2-Step Verification for my Gmail account for a long time and it has always worked well. I have been using Google Authenticator for WordPress for just a few weeks, and it’s working just as well.

Yes, sometimes you might get an error and you won’t be able to log in to your website, but in my experience it is usually because the time on the Google Authenticator app is not synced correctly.

When synced correctly, Google Authenticator for WordPress will make your WordPress website more secure and safe. I highly recommend using a mechanism like this and strongly urge you to never compromise on the security of your website.

Are you already using Google Authenticator for WordPress? If so, what has your experience been like? What other plugins or services are you using for WordPress security? Please share your comments below.

Frequently Asked Questions (FAQs) about 2-Step Verification in WordPress Using Google Authenticator

How secure is the 2-step verification process in WordPress using Google Authenticator?

The 2-step verification process in WordPress using Google Authenticator is highly secure. It adds an extra layer of security to your WordPress account by requiring not only your password but also a unique code generated by the Google Authenticator app on your smartphone. This means that even if someone knows your password, they won’t be able to access your account without the unique code. The code changes every 30 seconds, making it almost impossible for anyone to guess it.

Can I use Google Authenticator for multiple WordPress sites?

Yes, you can use Google Authenticator for multiple WordPress sites. You just need to set up 2-step verification for each site individually. Each site will have its own unique barcode or key that you will need to scan or enter into the Google Authenticator app. Once set up, the app will generate unique codes for each site.

What happens if I lose my phone or can’t access the Google Authenticator app?

If you lose your phone or can’t access the Google Authenticator app, you can still access your WordPress account by using backup codes. When you set up 2-step verification, you are given the option to generate and download backup codes. These codes can be used to access your account if you can’t use the Google Authenticator app. It’s important to keep these backup codes in a safe place.

Can I use 2-step verification if I don’t have a smartphone?

While Google Authenticator is designed to work with smartphones, you can still use 2-step verification if you don’t have a smartphone. There are desktop applications available that work similarly to the Google Authenticator app. These applications generate unique codes that you can use for 2-step verification.

How do I disable 2-step verification in WordPress?

To disable 2-step verification in WordPress, you need to go to your user profile in the WordPress dashboard. Under the Google Authenticator Settings section, uncheck the “Active” checkbox and save your changes. This will disable 2-step verification for your account.

Is Google Authenticator free to use?

Yes, Google Authenticator is a free app available for download on Android and iOS devices. There are no charges for using the app or its services.

Can I use Google Authenticator with other services?

Yes, Google Authenticator can be used with many other services that support 2-step verification, including Gmail, Dropbox, and Amazon. You just need to set up 2-step verification for each service individually.

How often do I need to enter the 2-step verification code?

The frequency at which you need to enter the 2-step verification code depends on your settings. By default, you will be asked to enter the code every time you log in. However, you can choose to trust a device for 30 days, which means you won’t need to enter the code on that device for 30 days.

Can I use 2-step verification if I don’t have internet access on my phone?

Yes, you can use 2-step verification even if you don’t have internet access on your phone. The Google Authenticator app generates codes offline, so you don’t need an internet connection to use it.

What should I do if the 2-step verification code isn’t working?

If the 2-step verification code isn’t working, make sure you’ve entered the code correctly. Remember that the code changes every 30 seconds, so it may have changed since you first looked at it. If you’re still having trouble, check the time settings on your phone. The Google Authenticator app uses the time to generate codes, so if your phone’s time is out of sync, the codes may not work.

Tahir Taous

Tahir Taous is founder of Just Learn WordPress, a training site where you can learn how to create and manage websites with WordPress, WordPress essential training, theme development courses, free video tutorials and articles.
