How To Enable 2-Step Authentication On Your Self-Hosted WordPress.org Site

If you have spent a great deal of time and effort on creating your site or blog over the years, then making sure that it is secure has to be one of the most important things to consider. In this article I will show you how to set up 2-Step Authentication for your self-hosted WordPress.org site. It should take you less than 5 minutes and gives you a much better level of login security: a stolen or guessed password on its own is no longer enough to get into your dashboard. If you are looking for the steps to implement 2-Step Authentication on your free WordPress.com site, please refer to this article.

Step 1

Download the Google Authenticator plugin for WordPress, then install and activate it. (Version 0.44 at the time of writing.)

Step 2

Download and install the Google Authenticator app on your smartphone.

Step 3

Go to your User Profile (Users > Your Profile), where you will find the Google Authenticator Settings section.

[Screenshots: the Google Authenticator Settings section of the profile page, before and after clicking Show/Hide QR code to reveal the barcode you will scan]

Step 4

Activate the Authenticator by checking the box next to Active and click Show/Hide QR code, which shows your unique barcode (it encodes the same secret that is printed next to Secret). Also make sure that you add a name in the description box that you can associate with your site (in my example, TechFleece 2-Step); this is the label the app will show for the account. You can enable an App password if you wish, but bear in mind that it weakens the overall login security: an App password is a fixed password that lets a client log in without a one-time code, so it is a second, password-only way into the account and must be guarded as carefully as your main password. People who use third-party software to post articles to their WordPress account may need to enable it.

Note: Users of the iPhone app may have issues scanning the barcode if there are spaces in the description. This may have been resolved by now, but I am unable to confirm as I don’t have an Apple device. If the scan fails, a description without spaces is the simplest workaround.

Step 5 – Important

Hit Update Profile once you have added your site description and checked the Active box.

Now you are ready to scan your barcode.

Step 6

Grab your smartphone and open the Google Authenticator app you just downloaded. When you first start the app the main page will be pretty empty. Tap the Options icon (top right) and choose Set up account.

Select Scan a barcode from the options and choose which app should complete the action. In my example below I can scan the barcode with either QR Droid or the default Google scanner.

The app scans the barcode and creates the account instantly. You will now see your WordPress account details (the description you gave it in WordPress) along with a newly generated six-digit code.

These codes change every 30 seconds, so once you have read the current code off your phone you have only a short time to type it in and hit Enter. Don’t worry if you miss the time slot: simply use the next generated code instead. A code is of no use once its window has passed, which is what makes the scheme work.

Logging In for the first time

First, make sure that you are logged out of your site. Now log back in and you will see that, as well as your username and password, you are required to enter your Google Authenticator code. You won’t have to do this on every visit: as long as the WordPress login cookie on that browser is still valid you stay logged in, but you will be asked for a code again when logging in from another device or browser, or after the cookie expires.

Questions

What happens if I lose my smartphone or get it stolen?

If you lose your smartphone or it gets stolen, all is not lost. Simply connect to your site’s server over SSH or FTP (using something like FileZilla, or via your hosting company’s control panel file manager) and delete the Google Authenticator plugin. You will find it in wp-content/plugins/google-authenticator. WordPress drops a plugin whose files are missing from the active list, so the code prompt disappears and you can log in with just your password again. Deleting the files this way does not remove the secret stored in your user profile, and whoever has the phone still has a copy of it, so if this does happen, security-wise I’d remove the plugin manually (as stated), reinstall it and create a new secret and barcode rather than reusing the old one. See the question below for generating codes without a smartphone.

I want to create a new Secret, do I just scan the new barcode?

No. You will first have to remove the existing account from the Google Authenticator app (press and hold on the account information to bring up the delete dialogue, then confirm the deletion). Once that is done, create a new Secret in your WordPress profile (remember to hit Update Profile afterwards) and then re-scan the new barcode. Each secret produces a different sequence of codes, so an old entry in the app will no longer match.

I don’t have a Smartphone, can I generate these codes another way?

Yes. There is a great free Firefox application called GAuth Authenticator that generates TOTP codes for you (the same time-based one-time passwords the phone app produces). The application was written by Gerard Braad and works brilliantly. Let’s take a quick look at it. Follow this link (using Firefox) and click on the icon that says Free (towards the top of the page). This installs the app on your machine with no further input required. You can now launch the application via Start > Programs > GAuth Authenticator or by clicking Launch in Firefox. Once the app is launched you will be presented with a window displaying a dummy account. This just demonstrates how it works, and you can remove it if you want. As you will see, it also generates a new code every 30 seconds.

Now let’s add our site details so it generates the required code. Select the + sign (top left) and enter the required information: your site’s description (as you entered it in the Google Authenticator plugin settings in WordPress earlier) and the Secret (Secret Key) shown in your WordPress profile, then hit Add.

You will now see your site in the window with a newly generated code. Note that these, as with the Android app, change every 30 seconds, so a code that a would-be attacker manages to see or guess is only useful within that short window. A six-digit code can still be brute-forced by someone who is allowed unlimited login attempts, so the rotation complements, rather than replaces, limiting failed logins.

Note: Do not enter the App password as the Secret key (if you enabled it). Use the string of letters and digits shown next to Secret; that is the Base32-encoded key the codes are derived from.
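The codes the phone app and GAuth display (Step 6 above and the desktop alternative here) are standard RFC 6238 TOTP values: HMAC-SHA1 of the current 30-second time slot, keyed with the Base32 secret from your profile and truncated to six digits. The script below is an added example, not code from the plugin, the Google Authenticator app or GAuth: it generates the same codes from the secret, reports how long the current one stays valid, rejects a secret that is not Base32 (the App password mix-up warned about above) and shows how a server-side check tolerates one 30-second step of clock drift. It assumes the Google Authenticator defaults (SHA-1, six digits, 30-second step) and uses the published RFC 6238 test key instead of a real site's secret.

```python
"""RFC 6238 TOTP as used by the Google Authenticator plugin, app and GAuth.

Added example, not code from any of those projects. Given the Base32 secret
shown next to "Secret" in a WordPress profile, it produces the same six-digit
codes the authenticator shows and checks a submitted code the way a login
form would.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference key ("12345678901234567890" as bytes) in Base32. It is a
# published test vector, used here so the output can be checked against the
# RFC; a real site's secret is the string your own profile page shows.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # the authenticator rotates codes every 30 seconds
DIGITS = 6          # Google Authenticator default code length
B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def decode_secret(secret):
    """Base32-decode the plugin's secret, rejecting anything that is not
    Base32 (for example an App password pasted in by mistake)."""
    s = secret.replace(" ", "").upper().rstrip("=")
    bad = set(s) - B32_ALPHABET
    if bad:
        raise ValueError("not a Base32 secret (unexpected characters %r); "
                         "use the string next to 'Secret', not the App password"
                         % sorted(bad))
    s += "=" * (-len(s) % 8)  # restore the '=' padding the plugin omits
    return base64.b32decode(s)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP_SECONDS):
    """Code valid for the time slot containing Unix time `at` (default: now).
    The counter is simply the number of whole 30-second steps since 1970."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret), at // step)


def seconds_remaining(at=None, step=STEP_SECONDS):
    """How long the code for `at` stays valid; the reason to type it promptly."""
    if at is None:
        at = int(time.time())
    return step - (at % step)


def verify_totp(secret, submitted, at=None, step=STEP_SECONDS, window=1):
    """Server-side check: accept the code for the current slot and up to
    `window` slots either side (phone clock slightly off), comparing in
    constant time so timing does not leak how many digits matched."""
    if at is None:
        at = int(time.time())
    key = decode_secret(secret)
    counter = at // step
    submitted = submitted.strip().replace(" ", "")
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    code = totp(RFC6238_SECRET)
    print("current code for the RFC test key:", code,
          "(valid for another %d s)" % seconds_remaining())
```

Run it as-is to print a live code for the test key; to mirror your own site, replace RFC6238_SECRET with the string next to Secret in your profile, and treat that file as carefully as the profile page itself, because anyone who reads the secret can mint valid codes. A real login check should additionally refuse a code that has already been accepted within its window; otherwise the drift tolerance doubles as a short replay window.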

Does the WordPress plugin support multiple-users?

Yes. According to the developer of the plugin, Henrik Schack, it does: the settings live in each user’s own profile, so every user who needs 2-Step sets up their own secret and scans their own barcode.

I hope this has been of use. Any questions, please ask below and I will try to help if I can.

Note: If your site is hosted with DreamHost, it is also advisable to enable 2-Step Verification on your Web Panel, since anyone who can log in there can change your site’s files and database regardless of the WordPress login.

Comments

  1. Awesome security tip. Kudos to you!

  2. Aalone Personn says:

    You solved my problem, thanks.
    http://solutionsurdu.com

  3. Stephen Vanderwarker says:

    I can’t seem to log in with my phone :o Should I enable app passwords?

    • Yes, try that and see if it helps. Bear in mind though that enabling app passwords weakens the overall security of 2-Step.

      I’d disable/remove the Google Authenticator plugin via FTP (connect to your site via FTP and delete the Google Authenticator plugin) and then try the tutorial again.

  5. Good article for webmasters

Trackbacks

  1. [...] you can use this guide to enable two-step authentication. Self-hosted WordPress bloggers can use this guide to enable 2-step authentication on your [...]

  2. [...] if you then follow the excellent “How To Enable 2-Step Authentication On Your Self-Hosted WordPress.org Site” guide published last week by Techfleece, you’ll be up and running in no time with a [...]

  3. [...] on two-factor authentication (here are instructions if you’re using WordPress.com and if you have a self-hosted WordPress blog), and making sure you’ve got the latest WordPress version. He says this should put you ahead [...]

  4. [...] wrote an article on how to enable 2-Step Verification on your WordPress.com sites as well as your self-hosted WordPress.org sites, so today I will be showing you how to enable the same level of security for your DreamHost [...]

  5. [...] Implementing the above items should make your WordPress site less vulnerable to these types of attacks. Additionally, WordPress has instituted the Two Step Verification process that will secure your website even more. For WordPress.com users, choose this guide; for WordPress.org self-hosted sites, use this guide. [...]

  6. [...] Enable 2-step authentication on your WordPress site. This is pretty straightforward to do and is something you’ve probably seen if you use internet banking. An example is if you try to transfer money, it will send a unique code via SMS to your phone, which you have to enter in addition to your regular password. [...]

  7. [...] to get a specific code, which you use together with your own password to log in. You can read this guide if you want to set up this two-step [...]
