How To Add Two-Factor Authentication To WordPress



What Is Google Authenticator?

Google Authenticator implements TOTP security tokens from RFC6238 in mobile apps made by Google, sometimes branded “two-step authentication”. The Authenticator provides a six digit one-time password users must provide in addition to their username and password to log into Google services or other sites. The Authenticator can also generate codes for third party applications, such as password managers or file hosting services. Some versions of the software are open source.

Source: Wikipedia

Why Use It?

WordPress gets hacked. It’s unfortunate but it’s true. One of the most common methods attackers use is to brute-force the WordPress login screen: trying passwords against wp-login.php until one works, or replaying passwords leaked from other sites. So the more security we can add to that page, the better. This is where Google Authenticator comes in.

With it in place the attacker needs your username, your password and the current 6 digit code, which changes every 30 seconds and is derived from a secret that exists only on your phone and in your site’s database. A guessed or leaked password alone no longer gets them in. A 6 digit code is still only a million possibilities, though, so the login page should also be rate-limited or lock out after repeated failures; the plugin does not replace that.

That is not to say that your WordPress site will be bulletproof after installing this. Two-factor authentication only protects the login form: a vulnerable plugin or theme, a stolen FTP or cPanel password, or direct access to the database all bypass it entirely. For the login screen itself, however, it helps significantly.

Installation:

Step 1: Installation is much like any other plugin for WordPress. Simply log in, head to the ‘Install Plugins’ screen (Plugins > Add New) and search for ‘Google Authenticator’. Several plugins match that search, so pick the one actually named Google Authenticator, check that it has been updated recently, and install it only from the WordPress.org directory.


Step 2: Activate & Setup

Once the plugin is activated we need to link your Google Authenticator device to your WordPress site. To do this, head over to the ‘Your Profile’ page under the ‘Users’ tab in WordPress. Two-factor authentication is set up per user, so each administrator account needs to do this on their own profile.

There you’ll see a button to show a QR code along with your ‘Secret Key’. Treat that key like a second password: anyone who has it can generate valid codes, so don’t keep screenshots of the QR code or paste the key into e-mail or chat.


Now install the Google Authenticator app on your smartphone or tablet, from Google Play on Android or the App Store on iOS.

When you first launch the Google Authenticator app you will be guided through the process of adding sites by scanning a QR code. Scan the code shown on your profile page and save your profile.

Once the site is added you’ll have to enter the current 6 digit code from that device, together with your username and password, each time you want to log in. Before you log out, open a private browser window and log in again to confirm the code is accepted; if the code is rejected, the usual cause is that the phone’s clock is wrong, since the code is computed from the time.
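To make the ‘Why Use It?’ reasoning and the secret-key step above concrete, here is an added example (not the plugin’s code, and not from this page’s author) of what each side computes: the app on your phone and the plugin on your site share the base32 ‘Secret Key’ from the profile page, and each derives the current 6 digit code from it with RFC 6238 TOTP (HMAC-SHA1 over the number of 30-second steps since 1970). It uses the RFC 4226/6238 reference secret, the ASCII string "12345678901234567890", so its codes can be checked against the published test vectors; the issuer and account names in the QR-code URI are placeholders, and the otpauth:// URI is the format the Google Authenticator app scans. The verifier class adds what a login form needs beyond the bare algorithm: a little tolerance for clock drift, a constant-time compare, and a refusal to accept the same code twice.

```python
"""RFC 6238 TOTP as used by Google Authenticator, plus a login-side verifier.

Added example, not the WordPress plugin's own code.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# base32-encoded the way it would appear as the plugin's "Secret Key".
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret() -> str:
    """Fresh 160-bit secret as base32 (20 random bytes -> 32 chars, no padding)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The Key URI that the QR code on the profile page encodes (issuer/account are placeholders)."""
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros: "005924" is a valid code


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the phone app shows."""
    secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check: allow +/-window steps of clock drift, reject replayed codes."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1  # highest counter already consumed by a successful login

    def check(self, submitted: str, at: int) -> bool:
        submitted = submitted.strip()
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == self.digits):
            return False
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # already used, or older than a used code: treat as replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Time 59 is the first RFC 6238 test vector: 8-digit 94287082, so 6-digit 287082.
    print("code at t=59:", totp(TEST_SECRET_B32, 59))
    print(otpauth_uri("Example Site", "admin", new_secret()))
    v = TotpVerifier(TEST_SECRET_B32)
    print("first use accepted:", v.check("287082", 59))
    print("same code again:", v.check("287082", 70))
```

Run it and compare the printed code for time 59 with 287082 from RFC 6238. Note what the window does: with window=1 three codes are valid at any moment, so a random guess succeeds 3 times in 1,000,000 per attempt. That is why the login form still needs rate limiting or lockout on top of the plugin, and why a code must be refused once it has been used until the clock moves on.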

What if I lose/break my phone? 

The simplest way to disable the two-factor check is to remove the plugin from the server over FTP or from the cPanel file manager. Navigate to the wp-content/plugins folder and delete the ‘google-authenticator’ folder; WordPress deactivates a plugin whose folder is missing, so you won’t be asked for a 6 digit code next time you log in. Renaming the folder (for example to google-authenticator.disabled) has the same effect and is reversible. Note that deleting files this way does not run the plugin’s uninstall routine, so the per-user settings stay in the database and putting the folder back restores 2FA as it was. Better still, avoid needing this at all: keep a copy of the ‘Secret Key’ somewhere safe offline, or enrol a second device, before you lose the first one.

Obviously this means the security of your site rests on the strength of your cPanel and FTP passwords, so ensure they are long, unique and stored in a password manager, or generated with something like http://strongpasswordgenerator.com. Use SFTP rather than plain FTP where your host offers it, since plain FTP sends that password across the network unencrypted.

