Add 2-Factor Authentication to WordPress
This article is both a security tip and a tutorial to my WP Google Authenticator plugin.
2-factor authentication is a simple and efficient way to strengthen the security of your WordPress site. It ensures that only you can log in to the WordPress dashboard with your credentials.
What is 2-factor authentication and why use it?
It is also referred to as 2-step verification. The standard way to log in to your WordPress dashboard is the classic username / password pair. The problem is that this offers low security. Many people argue that this system should not be used on its own anymore.
There are two main possible ways for an attacker to get into your WordPress dashboard without too much difficulty:
- Your login / password were stolen,
- Your login / password are too weak and the attacker can brute-force the login.
2-factor authentication strengthens security by requiring a one-time password in addition to the username / password pair. This one-time password is derived from the current time, which is what makes it unique. You will generally receive this password by e-mail, by SMS or via a dedicated app.
In our case, we will use a dedicated app: Google Authenticator.
EDIT: You can also use Authy which is a pretty good app. Its main advantage being that you can sync your profiles between different devices (computer, phone, tablet...).
This app, developed by Google, is available on iPhone, Android and BlackBerry. Of course, this means you will need to have your phone with you every time you log in to your site.
WP Google Authenticator: Tutorial
Download & Install
First of all, download and install the plugin. You can find it on WordPress Extend: WP Google Authenticator, or search for "WP Google Authenticator" directly from your WordPress dashboard.
Setup the Plugin
Once installed and activated, the plugin will add a new sub-menu to the "Settings" item.
Here you have just a few options: enough to make your site more secure, and few enough to get it working in 2 minutes.
Let's see all these options quickly:
- Activate the Plugin: pretty clear, right? The plugin can be installed but inactive if you don't check this box,
- Force Use: if you run a multi-user site, you might want your users to enable 2FA so that you are not the only one dealing with security. Enable this and all users will be asked to enable the feature,
- Site Name: when you add a new profile in the Google Authenticator app, the name you type here will be used to identify your site,
- Max Attempts: if you force your users to enable 2FA, they will only be able to log in a certain number of times WITHOUT using 2FA. After that, if they still haven't enabled the extra security, they won't be allowed to log in,
- Authorized Delay: this last option lets you give your users more time to type the one-time password. The TOTP is valid for 30 secs by default, but you can add some extra "validity time".
Generate your Secret & Setup the Mobile App
Three steps are required to fully enable 2FA on your site:
- Go to your profile, scroll to the "WP Google Authenticator Settings" section, and click the "Generate Key" button,
- The page will reload. Scroll back to the settings section and click "Get QR Code",
- Scan the QR code with the Google Authenticator app on your mobile.
That's it! Your WordPress site is now protected with 2-factor authentication.