In this guide, we will discuss how you can enable Two-Factor Authentication on your WordPress blog using the Google Authenticator plugin and mobile app. When it comes to the security of our website, we always need to be extra cautious. Anyone who knows your previous passwords, or the pattern your passwords follow, can simply visit yoursite.com/wp-login.php and make repeated guesses at your login. This is where we require two-factor authentication, as it adds an extra layer of security to your login page.
According to a Forbes report from December 2016, there are currently more than 75 million WordPress sites in the world. This number is huge, isn’t it? And it will go on increasing. Just out of curiosity, I decided to research how many WordPress sites actively use two-factor authentication for security. When I looked at the total number of downloads in the WordPress Plugin Repository, I found that fewer than 50,000 websites are using two-factor authentication. So, if we do some calculations, the number of WordPress sites using any kind of two-factor authentication is less than 0.07%.
What is Two-factor Authentication?
Usually, the password is the only security code we require when logging into an online platform. With two-factor authentication, however, you have to enter an extra code to verify your identity. This ‘extra code’ is usually sent as a One-Time Password (OTP) to your mobile number or email address, or it is generated by an application such as Google Authenticator. No matter what kind of website you are signing up for, it is always recommended to enable two-factor authentication to be more secure.
Why do we need 2-factor Authentication?
Unless you change the WordPress default login address (yoursite.com/wp-login.php) through a plugin like Hide My WP, anyone can access the login page and attempt to guess your password. Security plugins like Wordfence can block repeated login attempts, but what if the person accessing your site already knows your password? Well, let’s admit the fact that most of us use the exact same password everywhere on the Internet. If just one of the websites where you have an account gets hacked, none of your other accounts will be safe. This is where you need to make sure of two things:
- Use a different password on each website.
- Enable Two-Factor Authentication wherever it is available.
In the case of our own WordPress site, installing and enabling two-factor authentication takes just a couple of minutes. So, there shouldn’t be any excuse not to use it right away!
What is Google Authenticator?
Google Authenticator is basically a software token that uses the Time-based One-Time Password (TOTP) algorithm. It is used to enable two-factor authentication with the help of the Google Authenticator mobile app, which is available for BlackBerry, Android, and iOS. And the best part is, the Google Authenticator app doesn’t require an Internet connection to work: the code is computed from a shared secret and the current time, so the phone and the website agree on it without talking to each other. In simple words, Google Authenticator generates a passcode that expires after a short interval and is then replaced by a new one. You can learn more about Google Authenticator from Wikipedia.
Enable Two-Factor Authentication on WordPress in 4 Easy Steps
To enable Two-Factor Authentication, all you need is i) your WordPress site and ii) an Android or iOS device. All it takes is four easy steps and a couple of minutes of your time.
Step 1: Search for the Google Authenticator plugin by Henrik Schack and install it. Alternatively, you can download it by visiting Google Authenticator.
Step 2: From your WordPress Dashboard, visit Users -> Your Profile. On this page, you’ll find the plugin settings. In the description, you can write the name of your website, and make sure you copy and save the secret in a safe place. Now, press the Show/Hide QR Code button. Again, download and save this QR code in a safe place in case you need it later on. Treat the secret and the QR code like a password: anyone who has either of them can generate your codes. Keep this window open as we proceed to the next step.
Step 3: Download the Google Authenticator app on your smartphone from the Play Store or App Store. The Google Authenticator app would look like this. On Android, the appearance would differ slightly. Now, press the ‘+’ button and select ‘Scan a barcode’. This is the same barcode from Step 2. Scan it and a code will appear in your Google Authenticator app.
Step 4: Back in the Google Authenticator settings window you kept open in Step 2, select the ‘Active’ checkbox. Scroll down and press the ‘Update Profile’ button. Congratulations, you just activated Two-Factor Authentication on your WordPress site!
To check that our setup worked, open an incognito window in your browser and visit the login page of your website. The login page will now look as shown in the image below:
Now, simply type your username, password, and the Google Authenticator code (from the Google Authenticator app on your smartphone). That’s it! We have successfully tested the integration of Google Authenticator on our blog.
What to do in case you lose the Google Authenticator App or your Smartphone?
If such a situation ever arises, you can always scan the QR code that we saved earlier in Step 2 into a new device. If you do not have access to that code, then you’ll have to disable the Google Authenticator plugin. This can be done either by logging in over FTP via cPanel or by accessing the server through SSH. All you have to do is navigate to the WordPress plugin directory (/wp-content/plugins/google-authenticator) and rename the google-authenticator directory to anything else. This will deactivate the plugin and you’ll be able to log into your WordPress Dashboard without the Google Authenticator code. Remember that your login is protected by the password alone until you restore the directory name and set up two-factor authentication again.
Hope you liked this guide to enabling Two-Factor Authentication on WordPress. Don’t forget to subscribe to driftwithwp.com for more such WordPress security guides and step-by-step tutorials.