No security solution is perfect, but for the modern web, two-factor authentication is about as good as it gets. Also called two-step verification, multi-factor authentication or simply 2FA, this technique adds an extra step to your login process, requiring you to enter a code sent to your mobile device (via text message or an app) after you successfully enter your username and password.
The result: even if a hacker obtains your password, they can’t access your account unless they are also in possession of your phone. This creates a much higher barrier to an infiltration than a simple username/password combo.
There are many plugins and apps out there that handle 2FA. This guide is a step-by-step solution for adding Google Authenticator 2FA support to your WordPress site for free. We use this plugin because it’s the simplest installation and configuration we’ve found, and because it relies on Google’s free Authenticator app, there’s no charge for its use at any point in the process.
Install the WP Google Authenticator Plugin
There are a number of plugins with very similar names, so be sure you grab WP Google Authenticator by Julien Liabeuf. In our experience, other Google Authenticator plugins are harder to configure and more error-prone. This one hasn’t been updated since 2015, but it works like a charm.
Configure Your Settings
Once the plugin is installed and activated, go to Settings > Authenticator in your WordPress control panel. Here you can modify…
- “Activate Plugin” – Turn this on.
- “Force Use” – This will require all users to set up Google Authenticator. You may want to give your clients some time to get everything set up prior to turning this on, but it’s a good practice, generally speaking. You can also choose to force use only for some roles, e.g. Administrators and Editors but not Subscribers.
- “Site Name” – This will appear in the user’s Authenticator app.
- “Max Attempts” – If you force use, this is the “grace period” before a user will get locked out if they fail to set up Authenticator.
- “Authorized Clock Desynchronization” – This is an important feature if your clients are getting unexplained login failures despite entering the right code. Try setting it to 15 (minutes) to give them a longer margin of error, just in case the clocks on their computer or phone are out of sync. You can technically set this as high as you want, but the higher the number, the more codes the site accepts at any given moment, and the less secure your Authenticator codes become.
Set up Google Authenticator for all users
Now that the plugin is configured, each user of your site will need to set up their mobile app. Note that this only works if you adhere to a one account, one person policy – which means no sharing accounts or passwords between team members. We highly recommend this as a best security practice, regardless of whether you’re using 2FA.
Here are the complete instructions, which you can copy-and-paste and share with your users (or simply link them to this page):
- Download the free iOS/Android Google Authenticator app on your mobile device.
- Log into WordPress as usual.
- Click “Howdy, [Your Name]” in the top right to go to your profile.
- Scroll down to WP Google Authenticator Settings.
- Check the “Activate” box.
- Click the “Generate Key” button.
- The page will reload. Scroll back down to WP Google Authenticator Settings.
- Write down the Recovery Code on paper. Do not save it on your computer or in the cloud.
- Click Get QR Code. A large, square QR code should appear.
- Open the app on your phone, tap the “+” button in the top right (after bypassing any welcome/signup messages) and scan the QR code with your camera.
- You should now see a six-digit code labeled with your site’s name in your app.
- Scroll to the bottom of your profile page and click the blue Update Profile button.
- Log out of WordPress.
- Log back in with your username, password, and the current six-digit code displayed in your app. Choose “Remember Me” so you don’t have to do this every time.
Welcome to a more secure WordPress
That’s it! Encourage or require your users to set up 2FA as soon as possible. When viewing each user’s profile as an administrator, you’ll know they’ve set up 2FA if you see the text “This user has a secret key” in the WP Google Authenticator Settings area of their profile editing form.
If anyone runs into issues, you can also revoke their key from this same spot on their profile form, which allows them to leave the Authenticator field blank on their next login and set it up again.
We also highly recommend setting up 2FA for all your accounts that support it, including business and personal. This includes Google, Dropbox, e-mail, Apple/iTunes, hosting, bank logins and anything else that touches any device related to your site or your business. It’s easy for one hack to cascade into others, so the best way to stay safe is to make sure every account you own is secure with 2FA.