Secure your WordPress login using Google Authenticator

A few weeks ago I wrote an article about how to improve WordPress security, and having read an article about WordPress sites being hacked I thought I would look at ways to improve WordPress security further.

I stumbled on a WordPress plugin that lets you use the Google Authenticator app when logging into your WordPress website. The app provides 2-step authentication and runs on iOS, Android, Windows Phone, webOS, PalmOS and BlackBerry devices, so you need a smartphone to make use of the additional security.

How does Google 2-Step Authentication work?

A password on its own is a single secret, and however complex you make it, it can still be phished, captured by malware or leaked from another site where you reused it. This is why many online banking systems ask for random characters from your password or a secret phrase, and why some organisations give you their own authenticator device (Halifax bank and Lloyds Business banking, for example). These devices generate a new code every 30-60 seconds, and you enter the code along with your user ID and password in order to log in. Google Authenticator does the same job in software: when you enrol, your site and the app share a secret key, and the app combines that key with the current time to produce a six-digit code that changes every 30 seconds (the TOTP algorithm, RFC 6238). Someone who steals or guesses your password still cannot log in without the current code from your phone.

If you are using the same password on numerous websites (and let's face it, a lot of you are) then a leak at one website could put your other online accounts in danger. People are often lazy and don't change their passwords, which is just asking for trouble. A second factor limits the damage: a leaked password alone is no longer enough to get in.
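The code generation described above is the TOTP algorithm. What follows is an added example written for this article, not code from the plugin or from Google. It implements both ends of the exchange in plain Python with only the standard library: the phone's side (derive the six-digit code from the shared secret and the clock) and the site's side (check a submitted code, allowing one 30-second step of clock drift either way and comparing in constant time). The Base32 secret is constructed for the example from the RFC 6238 reference seed, not a real site's key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret for this example: the RFC 6238 reference seed
# "12345678901234567890" in Base32, the format Google Authenticator expects
# when you type a secret in by hand instead of scanning the QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # Google Authenticator rotates codes every 30 seconds
DIGITS = 6          # and displays six-digit codes


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a shared secret, tolerating the spaced, lower-case, unpadded form apps show."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore padding b32decode insists on
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP, the phone's side: HOTP with counter = floor(unix_time / 30)."""
    t = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(t // STEP_SECONDS))


def verify_totp(secret_b32: str, submitted: str, now: Optional[float] = None,
                skew_steps: int = 1) -> bool:
    """The site's side: accept the current code or one step either side, in constant time."""
    submitted = submitted.strip().replace(" ", "")
    if len(submitted) != DIGITS or any(c not in "0123456789" for c in submitted):
        return False                               # reject before touching the MAC
    t = time.time() if now is None else now
    key = decode_secret(secret_b32)
    counter = int(t // STEP_SECONDS)
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(key, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # The phone and the site share only DEMO_SECRET_B32 and a roughly synchronised clock.
    code = totp(DEMO_SECRET_B32)
    print("phone shows:", code)
    print("site accepts:", verify_totp(DEMO_SECRET_B32, code))
```

Two things this shows that the description alone does not: the code is nothing more than a truncated HMAC of the current 30-second slot, so the secret must be stored by the site as carefully as a password (more carefully, in fact, since it cannot be hashed and still be usable), and the verifier has to tolerate a little clock drift, which is why a phone with a badly set clock produces codes the site rejects. A production verifier would also remember the last accepted counter so a code that has just been used cannot be replayed during the rest of its window.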

How to setup 2-step authentication in WordPress

First download the Google Authenticator WordPress plugin from http://wordpress.org/extend/plugins/google-authenticator/. Once downloaded, upload the plugin to the /wp-content/plugins directory and activate it in the WordPress dashboard.

Next, click on “Users -> Your Profile”.

You will now see a section called “Google Authenticator Settings”. Tick “Activate” to enable two-step login for your account and enter a description in the box provided; this is the name the app will show for the account on your phone.

[Screenshot: Google Authenticator User Settings]

Now download the Google Authenticator app for your mobile phone. Once the app is installed you will have the option to set up a new account; in my case I called this account “Lacey Tech Blog”. On the phone you can either type in the secret shown on the WordPress user screen or scan a QR code. Either method works, but I find scanning the QR code easier. In the user screen in WordPress click the “Show/Hide QR Code” button and scan it with the Google Authenticator app on your phone. Treat the secret and the QR code as you would a password: they are the key the codes are generated from, so anyone who photographs or copies them can generate your codes too.

Scroll down the WordPress user screen and click “Save Changes”. It is worth keeping this browser session logged in until you have confirmed that a code from your phone is accepted in a second browser, so that a mistyped secret or a phone clock that is out of sync doesn't lock you out of your own site.

When you log out of WordPress and revisit the login screen at www.yourwebsite.com/wp-admin you will see a new box for the Google Authenticator code. From now on, every time you log in you enter your WordPress username and password, then open the Google Authenticator app and type in the six-digit code shown on your phone. The code changes every 30 seconds, so enter it straight away; if a correct-looking code is rejected, check that your phone's clock is set correctly, because the code is computed from the time.
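To make concrete what the “Show/Hide QR Code” step hands to your phone, here is an added example that is not code from the plugin or from this article. It performs the enrolment exchange on both sides: the site generates a fresh random secret and packs it into the otpauth:// key URI that the Google Authenticator app scans, and the phone parses that URI back into the secret and label it will keep. The account label “Lacey Tech Blog” comes from the article; the 10-byte secret length, the issuer value and the exact parameters in the URI are assumptions for this example, not values this page documents the plugin as using.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlparse


def new_secret(num_bytes: int = 10) -> str:
    """Generate a random shared secret and return it as unpadded Base32.

    10 random bytes become a 16-character Base32 string that can also be typed in by hand.
    The byte length is an assumption for this example, not a value taken from the plugin.
    """
    raw = secrets.token_bytes(num_bytes)          # CSPRNG, never random.random()
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def build_otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The site's side: build the otpauth://totp/ key URI that the QR code encodes.

    Everything the phone needs, including the secret in the clear, is in this one string,
    which is why the QR code must be treated as sensitively as a password.
    """
    label = quote(f"{issuer}:{account}", safe="")  # issuer:account, percent-encoded
    return (
        f"otpauth://totp/{label}"
        f"?secret={secret_b32}&issuer={quote(issuer, safe='')}"
        f"&algorithm=SHA1&digits=6&period=30"      # Google Authenticator defaults
    )


def parse_otpauth_uri(uri: str) -> dict:
    """The phone's side: after the scan, pull the account, issuer and secret back out."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("key URI carries no secret")
    label = unquote(parsed.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")  # ('', '', label) if no colon
    return {
        "account": account,
        "issuer": params.get("issuer", [issuer_from_label])[0],
        "secret": params["secret"][0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


if __name__ == "__main__":
    secret = new_secret()
    uri = build_otpauth_uri(secret, "admin", "Lacey Tech Blog")
    print("QR code content:", uri)
    print("phone stores   :", parse_otpauth_uri(uri))
```

Seeing the URI in the clear is the point: the QR code is not a picture of a password, it is the shared key itself, which is why it should be shown once during enrolment and never pasted into an e-mail, a ticket or a screenshot.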

[Screenshot: Google Authenticator WordPress Login]


  1. Gabriel Macknight says:

    Excellent post on adding more security to WordPress, but I was wondering if you could write a little bit more on the subject? I’m wanting to know a bit more about how to secure WordPress and would be very thankful if you could elaborate a little bit further. Cheers!

    • Ben Lacey says:

      Hello Gabriel,
      Thanks for taking the time to read my article. I have written a few articles about website security that (when combined) can offer more security to your website. If you can justify the expense of an SSL certificate, this would help encrypt any data that is sent from the visitor's web browser to the server, including WordPress login details! You can read about the benefits of SSL here:

      If you combine SSL with the Google Authenticator plugin then you make it very difficult for someone to gain unauthorised access to your website from the login form. I would also urge caution when choosing and installing plugins for WordPress as these can open your site up to attackers even with SSL and protection on the login form.

      Make sure you check the number of downloads and reputation of the plugin developers before you think about using it on your website. It might also be worthwhile doing a search for “ vulnerability” and make sure you exercise caution before installing.

  2. Mckenzie says:

    Just want to say your article is well written and easy to follow – even for a non-technical user like myself. I followed the instructions and was able to get the Google Authenticator setup on my website within 15 minutes. It’s a great way to add additional security to my WordPress website. I’ll be sure to keep an eye out for your new posts – keep up the good work!

    • Ben Lacey says:

      Hello Mckenzie,
      Thank you for commenting on the article; it's always nice getting feedback, especially when an article has helped someone. Please feel free to subscribe to my newsletter; that way you'll be notified when new articles are published on the blog.