Secure your WordPress login using Google Authenticator

This post was originally published in 2013
The tips and techniques explained may be outdated.

A few weeks ago I wrote an article about how to improve WordPress security, and having read an article about WordPress sites being hacked I thought I would look at ways to further improve WordPress security.

I stumbled on a plugin for WordPress that allows you to use the Google Authenticator app when logging into your WordPress website. The Google Authenticator app provides 2-step authentication and works on iOS, Android, Windows Phone, webOS, PalmOS, and BlackBerry devices so you need a smartphone to make use of the additional security.

How does Google 2-Step Authentication work?

Passwords are easily compromised no matter how complex you make them. This is why most online banking systems either ask for random characters of your password or secret phrase. Some organisations give you their own authenticator (like Halifax bank and Lloyds Business banking) – these devices generate a random code every 30-60 seconds and you need to enter the code along with your user ID and password in order to login.

If you are using the same password on numerous websites (and let's face it – a lot of you are) then a security leak on one website could put your other online accounts in danger. People are often lazy and don’t change their passwords, which is just asking for trouble.

How to setup 2-step authentication in WordPress

First you need to download the Google Authenticator WordPress Plugin by visiting: Once this has been downloaded you need to upload the plugin to the /wp-content/plugins directory and activate the plugin in the WordPress dashboard.

Next, click on “Users -> Your Profile”.

You will now see a section for, “Google Authenticator Settings”. Tick “Activate” to enable the plugin and enter a description in the box provided.

Google Authenticator User Settings

Now you need to download the Google Authenticator app for your mobile phone. Once the app has been installed you will have the option to set up a new account. In my case I called this account “Lacey Tech Blog”. On the smartphone there is the option to either enter the secret phrase shown on the user screen or to scan a QR code. Either method works, but I find scanning the QR code easier. In the user screen in WordPress click the “Show/Hide QR Code” button and then scan this using the Google Authenticator app on your mobile phone.

Scroll down the WordPress users screen and click “Save Changes”.

When you log out of WordPress and re-visit the login screen you will now see a new box for the Google Authenticator code. Every time you log in to your blog you need to enter your WordPress username and password, then open the Google Authenticator app and enter the code that is shown on your phone.

Google Authenticator WordPress Login
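What happens behind that extra box, as an added example that is not the plugin's code: Google Authenticator implements TOTP (RFC 6238: HMAC-SHA1 over a 30-second time step, six digits), so the site keeps the secret that was shown in the QR code and recomputes the expected code when you log in. The secret below is the RFC 4226/6238 test-vector key, not a real one, and the `last_counter` replay check is an assumption about how a site should treat an already-used code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Parameters Google Authenticator uses (RFC 6238 TOTP built on RFC 4226 HOTP).
TIME_STEP = 30   # seconds per code
DIGITS = 6
SKEW = 1         # accept one step either side to absorb phone/server clock drift

# Constructed input: the RFC 4226/6238 test-vector key ("12345678901234567890"
# in base32), NOT a real secret. A site stores its own per-user secret instead.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at_time // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at_time: int = None,
                last_counter: int = -1):
    """Server-side check at login. Returns the matched time-step counter (store
    it as last_counter so the same code cannot be replayed), or None if the
    code is wrong, outside the +/-SKEW window, or already used."""
    if at_time is None:
        at_time = int(time.time())
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    counter = at_time // TIME_STEP
    for delta in range(-SKEW, SKEW + 1):
        candidate = counter + delta
        # compare_digest keeps the comparison constant-time
        if candidate > last_counter and hmac.compare_digest(
                hotp(secret_b32, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    print("code for this 30-second window:", totp(SECRET, int(time.time())))
```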
