Setting Up Two-factor Authentication for WordPress with Google Authenticator

You know how they say that insects develop resistance to insecticides over time? Well, that’s sort of how it’s become with passwords these days. Passwords have been used to secure user accounts for so long now that they’ve started to lose their effectiveness, and of late more and more attacks on password-protected accounts have succeeded. The need of the hour, therefore, is to put novel methods into practice to strengthen existing authentication processes. In this light, the easiest and most practical thing you can do to further secure your WordPress site is to set up two-factor authentication for your WordPress login.

Two-factor authentication requires users to provide a code sent to them, in addition to their login credentials, in order to log in to the admin dashboard. This adds an extra layer of protection that confirms it is indeed the user logging into their profile and not someone else who has obtained their password.

The iThemes Security Pro plugin for WordPress sets up a second verification step for your WordPress login by using Google Authenticator. To use this feature, you’ll first have to install iThemes Security Pro on your WordPress site and then download the free Google Authenticator app onto your smartphone. Once that’s done, you’re good to go.

Setting up Two-factor Authentication

Step 1: Enable Two-factor Authentication in iThemes Security Pro

  • Scroll to the two-factor authentication section on the ‘Pro’ tab of the plugin.
  • Here, you’ll find options for time-based OTP (one-time password), email and backup verification codes. In time-based OTP, the secondary code will be generated by an app like Google Authenticator. In the email option, the code will be sent through email once the login credentials are provided. The backup verification codes comprise a set of secondary codes that can be used in the event that access to the primary two-factor provider is lost. These codes expire after use and should be stored in a safe place.
  • It is advisable to enable more than one of these three options by checking the boxes next to them (preferably, all three).
  • Click on ‘Save All Changes’.
  • Once two-factor authentication has been enabled by an administrator, other users can activate it on their individual accounts by editing their profiles.

[Screenshot: setup two factor authentication 01]

Activate by Editing Individual User Profile

  • Click on the ‘Your Profile’ option found under ‘Users’ on your WordPress dashboard and scroll down to ‘Two-factor Authentication Options’.
  • Here, you’ll find the list of authentication code providers.
  • Enable ‘Time-Based One-Time Password (TOTP)’ and make it your primary provider of two-factor authentication.
  • It is advisable to enable either one or both of the remaining options for backup, in case you lose access to your primary two-factor provider.

Now all that’s left is to set up your site in the Google Authenticator app. For this, you’ll require the QR code and secret key that appear on clicking ‘View Time-Based One-Time Password Configuration Details’.

[Screenshot: setup two factor authentication 02]

Step 2: Add your WordPress Site to the Google Authenticator App

  • Open the Google Authenticator app on your phone.
  • To set up the app on your phone, click on ‘Begin setup’.
  • You’ll then be given two options regarding how you want to add your WordPress site to the app: Scan Barcode and Manual Entry.
    • If you choose ‘Scan Barcode’, a QR code scanner will appear on your screen. Remember the QR code we spoke about earlier? The one on your WordPress profile page? Scan that QR code by pointing your phone’s camera at your computer screen.
    • If you choose ‘Manual Entry’, you’ll be asked for the ‘secret key’ mentioned on your WordPress profile page. Enter the key, and you’re good to go.
  • Once the QR code or secret key is recognized by the Google Authenticator app, your WordPress site will automatically be added to the app.

The Google Authenticator app will now continually generate 6-digit tokens – your authentication codes. Each generated token/code remains valid for 30 seconds, until the next token/code is generated.
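To make concrete what the app does with the secret key from Step 2 and how the 30-second codes above come about, here is an added Python example (not code from the plugin or from Google Authenticator): it builds the otpauth URI that a QR code of this kind encodes, derives the 6-digit code from a base32 secret per RFC 4226/6238, and checks a submitted code the way a server would, with a one-step tolerance for phone clock drift. EXAMPLE_SECRET and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed base32 secret standing in for the one shown on the WordPress profile page.
EXAMPLE_SECRET = "JBSWY3DPEHPK3PXP"


def otpauth_uri(secret_b32, account, issuer="WordPress"):
    """Build the otpauth:// URI that the profile page's QR code encodes (Key URI format)."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, at_time=None, period=30):
    """RFC 6238 TOTP as Google Authenticator computes it: counter = floor(unix_time / 30)."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(at_time) // period)


def verify_totp(secret_b32, submitted, at_time=None, period=30, window=1):
    """Server-side check: accept the current 30-second step plus `window` steps either side,
    so a slightly drifted phone clock still works; each comparison is constant-time."""
    at_time = time.time() if at_time is None else at_time
    step = int(at_time) // period
    return any(hmac.compare_digest(hotp(secret_b32, step + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print(otpauth_uri(EXAMPLE_SECRET, "admin@example.com"))
    code = totp(EXAMPLE_SECRET)
    print("current code:", code, "valid:", verify_totp(EXAMPLE_SECRET, code))
```

The test vectors in RFC 4226 and RFC 6238 (secret "12345678901234567890") reproduce exactly with these functions, which is a quick way to confirm a TOTP implementation matches what the app shows.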

In case you temporarily lose access to your primary two-factor code provider – say because you don’t have your phone with you at the moment, but desperately want to log in to your WordPress dashboard nonetheless – you can always use a backup provider to log in to your account. However, in the event that you lose your phone altogether and want to completely disable two-factor authentication, any of your WordPress administrators can do it for you. All they need to do is turn the feature off on your user profile, which overrides and disables two-factor authentication for your user account. It should be noted here that administrators can only disable the feature for a user, not enable it.

Two-factor authentication can also be enabled for WordPress using other plugins like Duo Two-factor Authentication, Clef Two-factor Authentication, and Rublon. Learn more about using these other WordPress plugins here.