How To Enable 2-Step Authentication On Your Self-Hosted Site


If you have put a great deal of time and effort into creating your site or blog over the years, then making sure that it is secure has to be one of the most important things you must consider. So in this article I will show you how you can set up 2-Step Authentication for your self-hosted site. It should take you less than 5 minutes to complete, but will give you a much better level of security. If you are looking for the steps to take to implement 2-Step Authentication on your free site, then please refer to this article.

Step 1

Download the Google Authenticator plugin for WordPress, install and activate it. (Currently version 0.44)

Step 2

Download and install the Google Authenticator app on your smartphone.

Step 3

Go to your User Profile (Users > Your Profile), where you will find the Google Authenticator Settings.

activate Google Authentication on wordpress

After clicking Show/Hide barcode (this just reveals the barcode so you can scan it):

Main image with barcode

Step 4

Activate the Authenticator by checking the box next to Active, and click Show/Hide QR code, which will show you your unique barcode. Also make sure that you add a name in the Description box that you can associate with your site (my example is TechFleece 2-Step). You can enable an App password if you wish, but bear in mind that this will lower the overall login security. People who use third-party software to post articles to their WordPress account may wish to enable this.

Note: Users of the iPhone app may have issues scanning the barcode if there are spaces in the description. This may have been resolved by now, but I am unable to confirm as I don't have an Apple device.

Step 5 – Important

Hit Update Profile once you have added your site description and checked the Active box.

update profile after making active

Now you are ready to scan your barcode.

Step 6

Grab your smartphone and open the Google Authenticator app that you just downloaded. When you first start the app, the main page will be pretty empty. Tap the Options icon (top right) and choose Set up account.

create new GA account

Select Scan a barcode from the options, and choose which app you would like to use to complete the action. In my example below you can see that I can scan the barcode using either QR Droid or the default Google one.

select which app to scan with

The app will instantly scan the barcode and create your account. You will now see your WordPress account details (the description name you gave it in WordPress) along with a newly generated number.

Google Authentication code

These numbers change every 30 seconds, so once you have entered the number when you actually log in, you will have only a short amount of time to hit Enter. Don't worry if you miss the time slot, as you can simply use the next generated number instead.

Logging In for the first time

First, make sure that you are logged out of your site. Now log back in and you will see that, along with having to input your Username and Password, you will also be required to input your Google Authenticator code. You won't have to do this every time, but you will be required to when logging on via other devices.

WordPress login


What happens if I lose my smartphone or get it stolen?

If you lose your smartphone or get it stolen, all is not lost. Simply SSH/FTP into your site's server (using something like FileZilla or via your hosting company's Control Panel) and delete the Google Authenticator plugin. You will find it in wp-content/plugins/google-authenticator. If this does happen, then security-wise I'd remove the plugin manually (as stated) and create another barcode. See the question below for generating codes without a smartphone.

I want to create a new Secret, do I just scan the new barcode?

No, you will have to remove the existing account from Google Authenticator (long-press on the account information to bring up the delete dialogue) and confirm the deletion. Once that is done, you can create a new Secret (remember to hit Update Profile afterwards) and then re-scan.

remove account

I don’t have a Smartphone, can I generate these codes another way?

Yes. There is a great free Firefox application called GAuth Authenticator that will generate TOTP tokens for you. The application was written by Gerard Braad and works brilliantly. Let's take a quick look at it. Follow this link (using Firefox) and click on the icon that says Free (towards the top of the page). This will install the app on your machine (no user input required). Now you can launch the application via Start > Programs > GAuth Authenticator or by clicking on Launch in Firefox. Once the app is launched, you will be presented with a window displaying a dummy account. This just demonstrates how it works, and you can remove it if you want. As you will see, it also generates a new number every 30 seconds.

Dummy account showing

Now let's add our site details to generate the required code. Select the + sign (top left) and input the required information: your site's description (as you entered it when you first set up the Google Authenticator plugin for WordPress earlier) and the Secret (Secret Key) that the plugin displayed, then hit Add.


You will now see your site in the window with a newly generated code. Note that these, as with the Android app, change every 30 seconds, making it extremely hard for a would-be hacker to guess one in the required time frame.

Note: Do not enter the App password as the Secret key (if you enabled it). Use the long key shown next to Secret.

GAuth Authenticator
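As an added illustration (not code from the original article, the WordPress plugin or GAuth), here is what both apps do with the Secret from the Update Profile screen to produce the six-digit number that changes every 30 seconds, plus the server-side check that accepts the previous or next code, which is why missing a time slot is harmless. The secret below is the RFC 6238 reference key in base32 form, a constructed example rather than a real site's secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example in the same base32 form the plugin shows next to "Secret":
# the RFC 6238 reference key "12345678901234567890", base32-encoded. Not a real secret.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30  # seconds: the reason the displayed number changes every 30 seconds
DIGITS = 6      # Google Authenticator and GAuth both display six-digit codes


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 Secret (spaces and lowercase tolerated) into raw key bytes."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any '=' padding the UI dropped
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = decode_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    if now is None:
        now = int(time.time())
    return hotp(secret_b32, now // TIME_STEP)


def verify(secret_b32: str, submitted: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side,
    compared in constant time, so a code typed as the display rolls over still works."""
    if now is None:
        now = int(time.time())
    step = now // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, step + delta), submitted)
        for delta in range(-window, window + 1)
    )
```

Running totp(EXAMPLE_SECRET) on a machine whose clock is correct prints the same number a phone enrolled with that secret would show, which is also why a server with a badly drifting clock will reject valid codes.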


Does the WordPress plugin support multiple-users?

Yes, according to the developer of the plugin, Henrik Schack, it does.

I hope this has been of use. Any questions, please ask below and I will try to help if I can.

Note: If you have your site hosted with DreamHost, then it is also advisable to enable 2-Step Verification on your Web Panel.
