Julien Liabeuf

WP Google Authenticator

November 17, 2013 | 2 Minute Read | 2 Comments

Are you concerned about security? Then this plugin might be for you.

WP Google Authenticator is a WordPress plugin that adds an extra layer of security to your site. If you've previously been hacked, or if you just want to make sure this never happens to you, then 2-factor authentication is a great starting point.

What is 2-Factor Authentication?

In addition to the classic username / password authentication method, you will be asked for a one-time password to log in to your site. This one-time password is generated by the Google Authenticator app, which is available for iPhone, Android and BlackBerry. You can download it here.

How Does the Plugin Work?

Read the tutorial on how to set up WP Google Authenticator here.

Once activated, the plugin will add:

  • An option page, under the "Settings" tab of the admin menu,
  • A few extra fields in the user profile page.

After a user has activated 2FA for their profile, a QR code is generated through the Google Charts API (over HTTPS, although this does mean the secret is sent to Google's servers to render the image). The user then scans the QR code with the app on their phone, and that's it!

By default, a one-time password is valid for 30 seconds. Once a one-time password has been used, it is revoked and cannot be used again, which prevents replay if an attacker intercepts it.

If you're the admin of a multi-user site, you get full control over your members. Here is the full list of features:

  • Adds 2-factor authentication to WordPress login page,
  • Can be enabled for each user independently,
  • Admin can force users to use 2FA (and limit the number of allowed logins without setting up 2FA),
  • If admin forces users to use 2FA, users who didn't set it up will be reminded with a warning in their dashboard,
  • Set any name you want to appear in the Google Authenticator app,
  • Allow for clock discrepancy (+/- minutes),
  • Users can generate a new secret key anytime,
  • Admin can revoke any user's key at anytime,
  • If a user is locked out after logging in too many times without using 2FA, the admin can reset the counter,
  • Used one-time passwords are hashed and stored in the DB to prevent multiple use (in case of interception by an attacker).
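As an added illustration (not the plugin's own code), the following Python shows the verification logic the 30-second validity, clock-discrepancy and used-code features above describe: RFC 6238 TOTP as Google Authenticator computes it (HMAC-SHA1, 6 digits), a +/- minutes drift window, and a cache of hashed, already-accepted codes that rejects replays. The secret, timestamps and cache are constructed stand-ins for the plugin's settings and database table.

```python
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds a code stays valid, the plugin's default
DIGITS = 6
# Constructed demo secret, not a real key; the app would receive it base32-encoded in the QR code.
DEMO_SECRET = b"constructed-demo-secret-1234"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


class TotpVerifier:
    """Server-side check with a clock-drift window and a replay cache of hashed codes."""

    def __init__(self, secret: bytes, drift_minutes: int = 0):
        self.secret = secret
        self.drift_steps = drift_minutes * 60 // STEP   # steps tolerated on each side
        self.used = {}   # sha256(code) -> time step it matched; stands in for the DB table

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        counter = now // STEP
        # Drop cache entries that could no longer match, so the table stays bounded.
        oldest = counter - self.drift_steps
        self.used = {d: c for d, c in self.used.items() if c >= oldest}
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.used:
            return False   # replay: this code was already consumed
        for c in range(counter - self.drift_steps, counter + self.drift_steps + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.used[digest] = c
                return True
        return False
```

Only a million six-digit values exist, so hashing mainly keeps codes out of the database in clear; the replay protection comes from the lookup itself, and a real store must be kept per user.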

Where to Get the Plugin?

Changelog

v1.0.2

- Update version number
- Remove double confirmation message after saving options
- Update option label and disable TOTP if plugin is not set to Active

v1.0.1

- Only push the trunk

v1.0.0

- Initial release of the plugin

2 Comments

Hello, I would like to use your plugin for safety, but with the new version of WordPress it is broken. Will you upgrade it?

thank you very much

Hi George,

I am not aware of incompatibilities with the latest version of WordPress. I actually use the plugin on this site with WP 4.6.1. What is the problem you’re having?
