Securing your WordPress site with Google Authenticator.


Securing your WordPress site is a hot topic at the moment, with stories of comment spam and mass attacks on sites happening every day. If you are a keen user of Google Apps then two-factor authentication should be familiar to you. If you're not, then you are probably wondering what it is. Let me explain.

Two-factor authentication adds an extra layer of security by requiring time-dependent codes in order to log in to your site or app. These can't be guessed the way a password can, as each code is only valid for 60 seconds. The codes are generated by a mobile device using a dedicated app, such as the Google Authenticator app, which is available for both Android and iOS and which you will need to download for this tutorial. The login is linked to your mobile device, so the only person who can log in to the site is the person who has access to that device. Even if someone has your username and password, they would be unable to log in without this one-time code.

Let's get started.

First we need to download the plugin, or add it to your WordPress install through the plugin installer. Once you have activated the plugin, navigate to your user profile via Users > Your Profile, where you will be greeted with the following options.

A screenshot of the Google Authenticator WordPress plugin

To set up the app, open it on your mobile device, tap the pencil icon, then scroll to the bottom and tap the plus icon to add a new site. Next choose the scan barcode option, which will bring up the camera so you can scan a barcode. Now go back to your WordPress install, click Show/Hide QR Code in the user options and scan the barcode, which will add the site to the app. You will now see a six-digit code, which you have to enter when you log in.

If you now navigate to the login page you will see an extra field for your six-digit login code.

WordPress Login Page

So you now have to enter your username, password and the six-digit code from the app, which you will notice changes every 60 seconds. This secures your blog because without your mobile device a person can't log in. A further benefit is that it can be enabled on a per-user basis, so if you run a multi-user blog then each user has their own security code to use.
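To show what the app and the plugin are actually doing behind the QR code and the six-digit field described above, here is an added example (not code from the plugin, which is written in PHP) implementing the RFC 6238 TOTP algorithm that Google Authenticator uses: the otpauth URI the QR code carries, code generation from the shared secret and the clock, and the server-side check at login. The secret is the RFC test key, base32-encoded, and the account name is a made-up placeholder; the 30-second step and SHA-1 digest are the Google Authenticator defaults assumed here.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed example secret: the RFC 6238 test key "12345678901234567890",
# base32-encoded the way the plugin displays it next to the QR code.
# It is not a real user's secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = int(unix_time) // step            # which time window we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes of the MAC
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def verify(secret_b32, submitted, unix_time=None, step=30, window=1):
    """Server-side check at login: accept the current step plus `window`
    neighbouring steps so a phone clock that drifts slightly still works, and
    compare in constant time so timing does not leak which digits matched.
    A real server should additionally refuse to accept the same code twice."""
    if unix_time is None:
        unix_time = time.time()
    submitted = submitted.strip()
    if len(submitted) != 6 or not submitted.isdigit():
        return False
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def otpauth_uri(secret_b32, account, issuer="WordPress"):
    """The key URI encoded in the QR code; scanning it is what links the site to the app."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    print(otpauth_uri(SAMPLE_SECRET_B32, "admin@example.com"))   # placeholder account
    print("current code:", totp(SAMPLE_SECRET_B32, time.time()))
```

Anyone who reads the secret out of the QR code or the profile page can generate the same codes, which is why the secret must be kept as private as the password it supplements.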

If you use an app to access your WordPress site, such as the mobile app, you will need to create an app password and use it instead of your normal password, as such apps don't use the codes. Because an app password bypasses the one-time code, it needs to be kept secret; it can be revoked at any time.

I hope this helps secure your WordPress blog and gives it an extra level of protection. Let me know how you get on in the comments below.