How To Add Two-Factor Authentication To WordPress


bwf

What Is Google Authenticator?

Google Authenticator implements TOTP security tokens from RFC 6238 in mobile apps made by Google, sometimes branded “two-step authentication”. The Authenticator provides a six-digit one-time password users must provide in addition to their username and password to log into Google services or other sites. The Authenticator can also generate codes for third-party applications, such as password managers or file hosting services. Some versions of the software are open source.

Source: Wikipedia

Why Use It?

WordPress gets hacked. It’s unfortunate but it’s true. One of the most common attacks is brute-forcing the WordPress login screen: automated scripts fire thousands of username and password guesses at wp-login.php. So the more protection we can add to that page, the better. This is where Google Authenticator comes in.

With two-factor authentication enabled, a guessed or leaked password is no longer enough. The attacker also needs the 6 digit code from your phone, which changes every 30 seconds and is derived from a secret that lives only on your device and in your WordPress user profile.

That is not to say that your WordPress site will be bulletproof after installing this. Many WordPress compromises come through vulnerable plugins or themes, or through direct access to the database or hosting account, and none of those go through the login form. Two-factor on the login form also doesn’t necessarily cover other login paths such as XML-RPC (xmlrpc.php), so keep WordPress and its plugins updated and consider limiting login attempts as well. For the login screen itself, though, this should help significantly.

Installation:

Step 1: Installation is much like any other plugin for WordPress. Simply log in, head to the ‘Install Plugins’ screen and search for ‘Google Authenticator’, then install and activate it.

[Screenshot: plugin search, 2016-05-20]

Step 2: Activate & Setup

Once the plugin is activated we need to link your Google Authenticator device to your WordPress site. To do this, head over to the ‘Your Profile’ page under the ‘Users’ tab in WordPress.

There you’ll see a button to show a QR code along with your ‘Secret Key’. The QR code is just that secret key encoded for the app to scan. Treat it like a password: anyone who has the secret can generate your codes, so don’t share it, email it or leave a screenshot of it lying around.

[Screenshot: profile page with QR code and Secret Key, 2016-05-20]

Now let’s download the app to your smartphone/tablet from the relevant app store.

Android: Google Play
iOS: App Store

When you first launch the Google Authenticator app you will be guided through the process of adding sites by scanning a QR code. Scan the code shown on your profile page (or type in the Secret Key by hand if your camera won’t cooperate), then save your profile so the plugin is enabled for your user.

Once the site is added you’ll have to enter the 6 digit code from that device each time you want to log in. Before you log out, open a second browser tab and confirm that a login with the current code actually works; that way a typo in the secret won’t lock you out of your own site. The codes are based on the time of day, so if they are rejected, check that the clock on your device is set correctly.

What if I lose/break my phone? 

The simplest way to disable the two-factor authentication is to remove the plugin from the filesystem over FTP or from the cPanel file manager. Navigate to the wp-content/plugins folder and delete (or rename, if you’d rather keep it for later) the ‘google-authenticator’ folder. WordPress deactivates a plugin whose folder has gone, so you won’t be asked for a 6 digit code next time you log in. Once you have a new phone, reinstall the plugin and repeat Step 2 to link the new device.

Obviously it goes without saying that anyone with FTP or cPanel access can do exactly the same thing to bypass your two-factor login, so the security of your site rests on the strength of those credentials as much as on your WordPress password. Use a long, unique password from a password manager or a generator such as http://strongpasswordgenerator.com, and enable two-factor authentication on the hosting account too if your host offers it.
