Add 2-Factor Authentication to WordPress
This article is both a security tip and a tutorial to my WP Google Authenticator plugin.
2-factor authentication is a simple and efficient way to enforce security for your WordPress site. This will ensure you only can login to the WordPress dashboard with your credentials.
What is 2-factor authentication and why use it?
It is also referred to as 2-step verification. The standard way to log in your WordPress dashboard is to use a classic username / password couple. The problem with this is that security is low. A lot of people are debating about this system, arguing that it should not be used anymore.
There are two main possible ways for an attacker to get into your WordPress dashboard without too much difficulty:
- Your login / password were stolen,
- Your login / password are too weak and the attacker can brute force your login
2-factor authentication enforces security by requesting a one time password in addition to the username / password couple. This one time password is based on the current time, that's what makes it unique. You will generally receive this password by e-mail, SMS or via a dedicated app.
In our case, we will use a dedicated app: Google Authenticator.
EDIT: You can also use Authy which is a pretty good app. Its main advantage being that you can sync your profiles between different devices (computer, phone, tablet...).
This app, developed by Google, obviously, is available on iPhone, Android and Blackberry. Of course, this mean you will need to have your phone with you every time you need to login to your site.
WP Google Authenticator: Tutorial
Download & Install
First of all, obviously, download and install the plugin. You can find it on the WordPress Extend: WP Google Authenticator, or search for "WP Google Authenticator" directly in your WordPress dashboard.
Setup the Plugin
Once installed and activated, the plugin will add a new sub-menu to the "Settings" item.
Here you have just a few options. Enough to make your site more secure, and few enough to get it working in 2 minutes.
Let's see all these options quickly:
- Activate the Plugin: pretty clear right? You can have the plugin installed but not active if you don't check this box,
- Force Use: if you run a multi-user site, you might want your users to enable 2FA and not being the only one dealing with security. Enable this and all users will be asked to enable the feature,
- Site Name: when you will add a new profile in the Google Authenticator app, the name you typed here will be used to identify your site,
- Max Attempts: if you force your users to enable 2FA, they will only be able to log-in a certain number of times WITHOUT using 2FA. After that, if they still didn't enable the extra security, they won't be allowed to log-in,
- Authorized Delay: this last option will allow you to give more time to your users to type the one time password. The TOTP is valid for 30 secs by default, but you can add some extra "validity time".
Generate your Secret & Setup the Mobile App
Three steps are required to completely enable the 2FA on your site:
- Go to your profile, scroll to the "WP Google Authenticator Settings" section, and click the "Generate Key" button,
- The page will reload. Scroll back to the settings section and click "Get QR Code",
- Flash the QR code with the Google Authenticator app on your mobile
That's it! You WordPress site in now protected with 2-factor authentication.
24 Comments
Hello, I downloaded your Authenticator plugin and it works very good with the default wp-login page. However, I’ve a custom login template. How can I integrate or make the authenticator to work in custom login page?
That’s a pretty difficult question! It all depends on how the custom login page works. The plugin is hooked on the WordPress default hook for the login page form. The authentication process should remain the same anyway.
Very nice plugin. Authenticator works fine with the plugin “Theme My Login” (for custom login page) in my website. A small suggestion (if i may): add option to not ask OTP on some devices (as does Google in its accounts). Many thanks
That is indeed a good suggestion. I’ve added it in the GitHub issues: https://github.com/julien731/WP-Google-Authenticator/issues/7
I will work on it as soon as I find the time!
How do i get a password that i can use to activate the wordpress app at my phone?
There is no “app password” in the plugin yet, but it should not cause any trouble with the iPhone/Android WordPress app as both are supported by the plugin. Just login as usual.
Hi. I don’t quite get the fallowing. 1 It says that my internet time should be syncronized with the users time for the login to get the 30 sec time-frame. That means that plugin cant work with global websites? 2 Activated the plug-in and want to set the users (one by one) who will use 2 step authentication and I don’t see the option for that at all. Where can I find it ?
Hi Bob,
No worries, the plugin can work on sites anywhere in the world. The time I’m talking about it the “base” time. Every computer is set to a UTC time, and then it is altered depending on your timezone. What’s important is the UTC time which should be about the same on every computer / server.
Regarding the activation, you can only force all users to use the 2-steps authentication. You can’t set it on a user basis.
hi there,
this doesn’t work, every time i try to use scan the barcode on my screen with my phone, all i keep getting is “Invalid barcode”
problem is i don’t know where i’m going wrong
What app are you scanning the QR code with?
Hi Julien, i’m using my iphone to scan, this may sound silly but does my site have to be online for the Authenticatortor to work? or can it work while locally on my computer?
What app are you using on your iPhone to scan the QR code? Google Authenticator? Authy?
Your site doesn’t need to be online. The plugin should work even if the site is on a local development environment. An access to internet is required though in order to get the QR code (using the Google API), but if you do see the QR then it shouldn’t be a problem.
Oh i’m using Google Authenticator on my iphone 4
Could you possibly create a user account for me on your site. I don’t need to be admin or anything, I just want to try and setup the 2FA to see what happens. You can use the contact form to send me the credentials privately.
I installed your plugin but I am unable to login using the Google Authenticator enabled. I keep getting the message to try a newly generated password. I’m using XAMPP for my test environment but will eventually move the site to host provider. Thanks.
Unfortunately I won’t be able to help you much if your site is on a local development environment. I can try and have a look when you go live though (or if you have a test install live).
Hi,
I’m living in France, but my wordpress server is in Canada. I’ve installed WP Google authenticator, but it doesn’t work : the code is always wrong ? Is there a time-zone issue ??
What surprise me is that I use the same process for my ssh access on the same server, and it’s working well ?
Regards !!
Timezone shouldn’t be a problem. What you should try is to increase the clock discrepancy in case the server and your phone aren’t in sync.
Awsome plugin Julian keep up the great work I have to give you 10 stars never seen such clean PHP in my entire life. Its a real great thing you have done. You should consider speaking to me about getting paid for customizing this for a web site I have. Or if not keep it just the way it is you are getting the results you want. Question is plugin is great customize the wp login is easy. There are plugins that will do this or the theme functions codes I have will result in good login for the themes login. I am a Wordpress themes developer I am testing the plugin now at topa 2 time and its fine.
Just customize the themes functions.php and its close to google as you will get unless you have a sms server.
Great And thanks again Regards Vincent Juliano
Many thanks for the kind words Vincent. I’m actually working on version 1.2 of the plugin with improved code and some new functionalities.
If you want to have some customization done, feel free to get in touch through the contact page of this site.
Hello Julien,
First of all, congratulations for the plugin. Now, I have a problem. I have had to reset my phone to default factory sets, and I have lost my Authenticator codes. Now I decided to use Authy instead Google Authenticator, but the point is that I don’t know how to regenerate the QR code to be read by Authy.
Can you help me?
:)
Well, I’ve found the QR generator in the users account :)
Glad you finally found it. However, if you felt the need to ask in the first place, maybe this means something could be improved in the plugin? Would you have found it easier if it was somewhere else?
[…] for a few mins but couldnt figure out where I’d done the setting. Finally I went back to the tutorial for using the plugin. The “main” settings are under “Users > Your profile”. […]