How to Setup Two-Step Authentication in WordPress

Out of the box, although easy to set up, WordPress is fairly insecure. Most sites have only one user, and the installer encourages you to accept ‘admin’ as that user’s name. This means the only thing standing between an attacker and your site is your password: with the username already known, it only has to be guessed or, worse, found by a brute-force attack against the login form.

You could move the login page away from ‘yoursite.com/wp-admin’, but that is security through obscurity and is liable to cause more hassle than it is worth for most users. A much simpler way is to add another layer of protection to the login itself, namely two-step authentication.

You may have seen two-step (also called two-factor) authentication used on other sites – it has become a very popular security measure in recent years. The user has to enter not only their password but also a second credential – usually a short code produced by something they own, such as a smartphone – in order to gain access. This means that even if somebody knew, guessed or phished your password, they still couldn’t log in without the second factor.

While WordPress.com users now have built-in two-factor authentication, there’s no official method for self-hosted sites. Luckily, though, there is a fantastically simple plugin called Google Authenticator that does all the hard work for you. It implements the same time-based one-time password (TOTP) scheme that Google’s Authenticator app uses: the app generates a six-digit code from a shared secret and the current time, and the plugin checks it at login.

Set-up Google Authenticator Two-Factor Login

The set-up process is very simple, but important to do correctly:

1. In your WordPress admin dashboard go to Plugins > Add New

2. Search for ‘Google Authenticator’ and install Henrik Schack’s plugin, then Activate it.

(Note: There is another plugin called ‘Google Authenticator for WordPress’ that is almost identical and does an equally good job).

3. Go to Users > Your Profile and enter a (short) description in the Google Authenticator section. This is only the label the entry will have in your smartphone app. DO NOT tick the ‘Active’ box yet or you might get locked out of your own site! Also DO NOT tick ‘Enable App password’.

4. In the ‘Secret’ section click the ‘Show/Hide QR Code’ button to reveal the QR code. The secret it encodes is the shared key for your account: treat it like a password and don’t leave the page open where someone could photograph it.

5. On your smartphone open the Google Authenticator app (download it from the App Store or Google Play if you don’t already have it) and hit the ‘+’ symbol in the top menu bar.

6. Scan the QR code and a new entry will be added under the reference name you chose earlier.

7. Now back in your WordPress Admin panel tick the ‘Active’ box and scroll down to the bottom of the page and hit the ‘Update Profile’ button.

8. To test if it’s working, log out of your WordPress dashboard (using the controls in the top-right corner) and you should see there is now a third box under ‘Username‘ and ‘Password‘ called ‘Google Authenticator Code‘.

9. To log in, enter your username and password as normal, then enter the six-digit code currently shown by your Google Authenticator app in the third box. Codes change every 30 seconds, so be speedy. Make sure your phone sets its clock automatically: the code is derived from the current time, so a phone clock that is minutes out will produce codes the site rejects.

Note: If you have logged out and can’t get back in for any reason, panic not. Connect to your server over SFTP (or FTP) and rename or delete the plugin’s folder under wp-content/plugins. WordPress deactivates a plugin whose files are missing, so the normal username-and-password login will work again.
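To show what the plugin and the app are actually agreeing on in steps 4 to 9, here is a worked implementation of the TOTP check (RFC 6238, as used by the Google Authenticator app). This is an added example, not code from the article or from Henrik Schack’s plugin; the base32 secret string is a constructed sample, and the one-step clock-drift allowance is an assumption made here, not the plugin’s setting.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret (NOT a real key). The plugin shows the secret as
# base32 text and encodes the same string in the QR code the phone scans.
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"

TIME_STEP = 30   # seconds per code, per RFC 6238 and the Google Authenticator app
DIGITS = 6


def decode_secret(secret_b32):
    """Decode the base32 secret that the server stores and the phone scanned."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore base32 padding if omitted
    return base64.b32decode(cleaned)


def totp(secret_b32, unix_time, digits=DIGITS, step=TIME_STEP):
    """Generate the code the phone displays for the given wall-clock time.

    Both sides compute HMAC-SHA1(secret, counter) with counter = floor(t / 30),
    take 31 bits at a dynamic offset, and reduce them modulo 10**digits. Nothing
    but the shared secret and the clock goes in, which is why the phone needs no
    network access and why a wrong phone clock produces wrong codes.
    """
    counter = unix_time // step
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(decode_secret(secret_b32), msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, unix_time, drift_steps=1):
    """Server-side check of a submitted code.

    Accepts the code for the current 30-second window plus `drift_steps`
    windows either side (assumption: one step here), so a phone that is a few
    seconds off, or a user who types slowly, is not rejected. The comparison
    is constant-time so timing does not leak how many digits matched.
    """
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + delta * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(EXAMPLE_SECRET_B32, now))
```

Run it next to the phone entry created from the same secret and the two codes match for the same 30-second window; the RFC 6238 test vectors (secret ‘12345678901234567890’, which is ‘GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ’ in base32) reproduce as expected. Note that `verify_totp` alone does not stop a code being replayed within its window; a production plugin also remembers the last code it accepted.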

Working With Two-Factor Authentication

While two-step authentication is fantastic, it does have one major limitation: it can’t work with third-party apps that log in to your site on your behalf, including WordPress’ own iOS and Android apps, because those apps only send a username and password and have nowhere to prompt you for the code.

There is a way around this, included in the plugin’s settings: an app-specific password. This is a fixed password that can be entered instead of the code from the authenticator app. A word of warning though: it is much less secure. The app password never changes, so any app or backup that stores it holds a credential that bypasses the second factor entirely, and the account is effectively back to ‘something you know’ only, with two passwords instead of one.

If you need an app-specific password, create it for a secondary (non-admin) user with far fewer privileges rather than for your administrator account. For example, if you just need the WordPress iOS or Android app to view your self-hosted site’s stats, create a new user with a lower role such as Subscriber and enable the app-specific password only for that user. If that password ever leaks, the attacker gets a Subscriber, not an administrator.

Set-up an App-Specific Password for WordPress

  1. In Users > Your Profile, go to the Google Authenticator section and tick the ‘Enable App password’. Then click ‘Create new password’.

  2. This will reveal a password that serves as an override for the Google Authenticator code. SAVE THE PASSWORD, ideally in a password manager: this is your only chance to see it, and remember that it is a credential that bypasses your second factor.

  3. Crucially, scroll down to the bottom of the page and hit the ‘Update Profile’ button. (This is a common mistake that many people make and wonder why the new password isn’t working).

  4. You should now be able to log in using your usual username and password, and the new app specific password in the ‘Google Authenticator code‘ box. This also applies for the WordPress iOS and Android apps.

  5. If you are a Jetpack user and therefore have a WordPress.com login you should also use the built-in two-factor authentication as extra security.

Other Basic WordPress Security Tips

While this isn’t an article on overall WordPress security, there are a few simple tips that you should be using in addition to two-step authentication.

Don’t use ‘admin’ as your username

As mentioned above, this is the most basic WordPress security tip. By default WordPress encourages you to use ‘admin’ as the first administrative user of the site after installation. If you don’t change it, you’ve already filled in the first field of the login form for any potential attacker, and automated brute-force tools try ‘admin’ first. The simplest way to change it is to create a new user (Users > Add New) with the Administrator role, log in as that user, then delete the old ‘admin’ one. When WordPress asks what to do with the old user’s content, choose ‘Attribute all content to’ your new user, otherwise its posts and pages are deleted along with it.

Limit login attempts

Much like your smartphone can lock you out after a certain number of passcode attempts, so can WordPress. Various plugins do this, from the basic Limit Login Attempts to the more comprehensive Wordfence. Both let you choose how many failed attempts are allowed before lock-out and how long the lock-out lasts, and can email you about lock-outs and repeated failed attempts. Bear in mind this is a throttle, not a substitute for two-step authentication: an attacker with many IP addresses can spread their guesses across them.
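The lock-out logic these plugins implement is simple enough to show in full. The following is an added Python example written for this article, not code from Limit Login Attempts or Wordfence; the failed-login records are a constructed sample, and the thresholds (4 failures in 10 minutes, 20-minute lock-out) are assumptions chosen here, not either plugin’s defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 4                 # failures allowed inside WINDOW before lock-out (assumed)
WINDOW = timedelta(minutes=10)   # failures older than this are forgotten (assumed)
LOCKOUT = timedelta(minutes=20)  # how long a locked-out address must wait (assumed)

# Constructed sample of failed logins (not real data): timestamp, source IP,
# username tried. A plugin gets the same facts from the wp_login_failed hook.
SAMPLE_FAILED_LOGINS = [
    ("2023-05-01 10:00:01", "203.0.113.7", "admin"),
    ("2023-05-01 10:00:02", "203.0.113.7", "admin"),
    ("2023-05-01 10:00:04", "203.0.113.7", "administrator"),
    ("2023-05-01 10:00:05", "203.0.113.7", "admin"),
    ("2023-05-01 10:00:06", "203.0.113.7", "admin"),     # arrives while locked out
    ("2023-05-01 10:03:00", "198.51.100.2", "editor"),   # one slip by a real user
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class LoginLimiter:
    """Per-source-address sliding-window lock-out."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW, lockout=LOCKOUT):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> datetime the lock expires

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        """True if this address must be refused before the password is even checked."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]        # lock has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Call on every failed login; returns True if this failure triggers a lock."""
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            self._failures[ip].clear()
            return True
        return False

    def seconds_until_unlocked(self, ip, now):
        if not self.is_locked(ip, now):
            return 0
        return int((self._locked_until[ip] - now).total_seconds())


def replay(events, limiter=None):
    """Feed (timestamp, ip, username) failures through the limiter.

    Returns the limiter and a list of (ip, timestamp, username) for each
    failure that triggered a lock-out; attempts made while locked are dropped.
    """
    limiter = limiter or LoginLimiter()
    locked = []
    for ts, ip, user in events:
        now = parse_ts(ts)
        if limiter.is_locked(ip, now):
            continue
        if limiter.record_failure(ip, now):
            locked.append((ip, ts, user))
    return limiter, locked


if __name__ == "__main__":
    limiter, locked = replay(SAMPLE_FAILED_LOGINS)
    for ip, ts, user in locked:
        print(f"{ts}: locked out {ip} (last username tried: {user})")
```

Keying on the source address is what makes this cheap, and it is also its weak spot: behind a reverse proxy or CDN every visitor appears to come from the proxy’s address, so the limiter must take the client address from a header the proxy sets and that you trust, never from a header the client can supply. Keying on the username instead would let an attacker lock the real administrator out on purpose.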

Keep your WordPress version and plugins up to date

It sounds obvious, but out-of-date software is one of the most common entry points for attackers: a known vulnerability in an old plugin or theme version is trivial to scan for and exploit. Always check whether your plugins and themes need updating, and with WordPress’ automatic background updates (which cover minor and security releases of core by default) there’s no excuse for running a vulnerable version. On top of this, WordPress has its own Hardening WordPress guide in the Codex that may be of some use for extra protection.

and lastly…

Backup your site!

The single most important security tip for WordPress is the most obvious: back up your WordPress site. You can either use one of several free or paid plugins to do this automatically, or do it manually yourself.

If you do go with the manual option, many people don’t realise that the site (and all its pages and posts) isn’t just the files you can see on your server: the posts, pages, comments, users and settings live in the MySQL database. Copying everything via FTP therefore isn’t a full backup, although it does capture your theme, plugins, uploads and any changes you have made to the core files; you need a dump of the database (from phpMyAdmin or mysqldump) as well.

Luckily WordPress has a good export feature these days (Tools > Export) that lets you download your content as an XML file which you can re-import later if the worst happens. Note that it covers posts, pages, comments, categories and tags, not plugin and theme settings or the uploaded media files themselves, so a database dump plus a copy of wp-content is the more complete option. There are also plugins which do a more robust version as well.
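A manual backup that covers both halves (the database and wp-content), as an added Python example written for this article rather than taken from WordPress or any plugin. It assumes it runs on the web host with read access to wp-config.php and wp-content and that the mysqldump client is installed; the wp-config.php fragment is a constructed sample with made-up credentials.

```python
import os
import re
import subprocess
import tarfile
from datetime import datetime
from pathlib import Path

# Constructed wp-config.php fragment (not a real site). WordPress keeps the
# database credentials here, so the script reads them instead of keeping a
# second copy of the password somewhere else.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'DB_HOST', 'localhost:3306' );
$table_prefix = 'wp_';
"""

_DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_db_config(config_text):
    """Pull DB_NAME/DB_USER/DB_PASSWORD/DB_HOST out of wp-config.php text."""
    found = dict(_DEFINE_RE.findall(config_text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - found.keys()
    if missing:
        raise ValueError("wp-config.php is missing %s" % sorted(missing))
    host, _, port = found["DB_HOST"].partition(":")   # DB_HOST may be host:port
    return {
        "name": found["DB_NAME"],
        "user": found["DB_USER"],
        "password": found["DB_PASSWORD"],
        "host": host or "localhost",
        "port": int(port) if port else 3306,
    }


def mysqldump_command(db, out_file):
    """Build the mysqldump invocation. The password is passed in the
    environment (MYSQL_PWD) rather than on the command line, where every
    other user on the host could read it from `ps`."""
    cmd = [
        "mysqldump",
        "--single-transaction",   # consistent snapshot of InnoDB tables without locking the site
        "--host", db["host"],
        "--port", str(db["port"]),
        "--user", db["user"],
        "--result-file", out_file,
        db["name"],
    ]
    env = dict(os.environ, MYSQL_PWD=db["password"])
    return cmd, env


def backup_site(wp_root, dest_dir):
    """Dump the database and archive wp-content (themes, plugins, uploads)."""
    root, dest = Path(wp_root), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    db = parse_db_config((root / "wp-config.php").read_text())

    sql_path = dest / ("%s-%s.sql" % (db["name"], stamp))
    cmd, env = mysqldump_command(db, str(sql_path))
    subprocess.run(cmd, env=env, check=True)
    sql_path.chmod(0o600)          # the dump holds every user's password hash

    tar_path = dest / ("wp-content-%s.tar.gz" % stamp)
    with tarfile.open(str(tar_path), "w:gz") as tar:
        tar.add(str(root / "wp-content"), arcname="wp-content")
    tar_path.chmod(0o600)
    return str(sql_path), str(tar_path)


if __name__ == "__main__":
    import sys
    print(backup_site(sys.argv[1], sys.argv[2]))
```

Usage is `python backup.py /var/www/html /var/backups/wordpress` (paths assumed). Keep the destination outside the web root, or the dump, credentials and all, becomes downloadable; and copy the result off the server, since a backup that sits next to the site is lost with it.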