If you have invested a great deal of time and effort in creating your site or blog over the years, then making sure it is secure has to be one of the most important things to consider. In this article I will show you how to set up 2-Step Authentication for your self-hosted WordPress.org site. It should take you less than 5 minutes to complete but gives you a much better level of login security. If you are looking for the steps to implement 2-Step Authentication on your free WordPress.com site, please refer to this article.
Download the Google Authenticator plugin for WordPress, then install and activate it (currently version 0.44).
Download and install the Google Authenticator app for your smartphone:
- Android (Requires Android OS 2.1 and up)
- iPhone, iPod Touch, iPad (Requires iOS 3.1.3 or later)
- Blackberry (Requires BB10.0 or higher)
Go to your User Profile (Users > Your Profile), where you will find the Google Authenticator Settings.
After clicking Show/Hide barcode (just reveals the barcode so you can scan it)
Activate the Authenticator by checking the box next to Active, then click Show/Hide QR code to display your unique barcode. Also make sure that you add a name in the Description box that you can associate with your site (my example is TechFleece 2-Step). You can enable an App password if you wish, but bear in mind that doing so weakens the overall login security. People who use third-party software to post articles to their WordPress account may wish to enable this.
Note: Users of the iPhone app may have issues scanning the barcode if there are spaces in the description. This may have been resolved by now, but I am unable to confirm as I don’t have an Apple device.
Step 5 – Important
Hit Update Profile once you have added your site description and checked the Active box.
Now you are ready to scan your barcode.
Grab your smartphone and open the Google Authenticator app that you just downloaded. When you first start the app, the main page will be pretty empty. Click on the Options icon (top right) and choose Set up account.
Select Scan a barcode from the options and choose which program you would like to use to complete the action. In my example below you can see that I can scan the barcode using either QR Droid or the default Google one.
The app will instantly scan the barcode and create your account. You will now see your WordPress account details (the description name you gave it in WordPress) along with a newly generated number.
These numbers change every 30 seconds, so when you log in you will only have a short window in which to enter the current number and hit Enter. Don’t worry if you miss the time slot; simply use the next generated number instead.
Logging In for the first time
First, make sure that you are logged out of your site. Now log back in and you will see that, along with your Username and Password, you are also required to enter your Google Authenticator code. You won’t have to do this every time, but it will be required when logging on from other devices.
What happens if I lose my smartphone or get it stolen?
If you lose your smartphone or it is stolen, all is not lost. Simply SSH/FTP into your site’s server (using something like FileZilla or via your hosting company’s control panel) and delete the Google Authenticator plugin. You will find it in wp-content/plugins/google-authenticator. If this does happen, then security-wise I’d remove the plugin manually (as stated) and create another barcode. See the question below for generating codes without a smartphone.
I want to create a new Secret, do I just scan the new barcode?
No, you will have to remove the existing account from the Google Authenticator app (press and long-hold on the account information to bring up the delete dialogue, then confirm the deletion). Once that is done, you can create a new Secret (remember to hit Update Profile afterwards) and then re-scan.
I don’t have a Smartphone, can I generate these codes another way?
Yes. There is a great free Firefox application called GAuth Authenticator that will generate TOTP tokens for you. The application was written by Gerard Braad and works brilliantly. Let’s take a quick look at it. Follow this link (using Firefox) and click on the icon that says Free (towards the top of the page). This will install the app on your machine (no user input required). You can now launch the application via Start > Programs > GAuth Authenticator or by clicking Launch in Firefox. Once the app is launched you will be presented with a window displaying a dummy account. This just demonstrates how it works, and you can remove it if you want. As you will see, it also generates a new number every 30 seconds.
Now let’s add our site details to generate the required code. Select the + sign (top left) and input the required information: your site’s description (as you entered it when you first set up the Google Authenticator plugin for WordPress) and the Secret (Secret Key) the plugin displayed, then hit Add.
You will now see your site in the window with a newly generated code. Note that these codes, as with the Android app, change every 30 seconds, making it extremely hard for a would-be hacker to guess one in the required time frame.
Note: Do not use the App password as the Secret key (if you enabled it). Use the long number shown next to Secret.
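To show what the Google Authenticator app, GAuth and the WordPress plugin are actually doing with that Secret, here is an added example (not code from the article, the plugin or GAuth) implementing the same TOTP scheme (RFC 6238, HMAC-SHA1, 30-second step, 6 digits). It assumes the Secret is base32-encoded, as Google Authenticator-compatible secrets are, and uses the RFC 6238 test secret rather than a real site's key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example: base32 encoding of the RFC 6238 test secret
# "12345678901234567890". A real plugin Secret would go here instead.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 Secret, tolerating spaces and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, timestamp: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code valid at `timestamp` (default: now)."""
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step               # 30-second time slot
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    digest = hmac.new(decode_secret(secret_b32), msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, code: str, timestamp: Optional[int] = None,
           step: int = 30, window: int = 1) -> bool:
    """Check a submitted code against the current slot and `window`
    neighbouring slots, so a code entered just after it rolled over (the
    'missed the time slot' case) is still accepted. Constant-time compare."""
    if timestamp is None:
        timestamp = int(time.time())
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + delta * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(EXAMPLE_SECRET))
```

A server that accepts a wider window trades a little brute-force resistance for tolerance of clock drift, so keep it at one step either side and enforce login rate limiting alongside it.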
Does the WordPress plugin support multiple-users?
Yes, according to the developer of the plugin, Henrik Schack, it does.
I hope this has been of use. Any questions, please ask below and I will try to help if I can.
Note: If you have your site hosted with DreamHost, then it is also advisable to enable 2-Step Verification on your Web Panel.