When it comes to protecting your WordPress site, two-factor authentication is one of the best things you can do to secure your site — but how do you implement it? In this post, we’ll cover how to set up two-factor authentication for your WordPress site with Google Authenticator and iThemes Security Pro.
Why Use Two-Factor Authentication? The Problem With Passwords
With major security breeches like the recent Heartbleed bug that compromised passwords for millions of users, passwords are becoming an increasingly risky way of allowing user access to admin accounts.
Google’s spam guru, Matt Cutts, explained it best:
Two-factor authentication is a simple feature that asks for more than just your password. It requires both “something you know” (like a password) and “something you have” (like your phone).
With two-factor authentication, users are required to enter both a password and a second code sent to a device. Both the password and the code are required to log in to a user account, adding an extra layer of security that verifies it’s actually you logging in and not someone who gained access (or even guessed) your password.
How Two-Factor Authentication Works with WordPress
To start using two-factor authentication, you’ll need to have Google Authenticator, a free two-factor application, installed on your smart phone. To download the Google Authenticator app, visit the App Store (for iOS devices) or from the Android App Store on Google Play.
Once the app is configured with your site using iThemes Security Pro, your WordPress site will require both your password and a verification code generated with the Google Authenticator app.
Google Authenticator creates a token of 6 digits that is only good once and changes every 30 seconds.Once configured, you can get verification codes without the need of a network or cellular connection.
Getting Started: Setting Up Two-Factor Authentication on Your WordPress Site
To get started setting up two-factor authentication for your WordPress site, you’ll need the following:
- iThemes Security Pro — our WordPress Security plugin — installed on your self-hosted WordPress site
- The Google Authenticator App — for iOS or Android — installed on your mobile device
Configuring in iThemes Security Pro
1. Once you’ve installed iThemes Security Pro on your WordPress site, navigate to Security > Pro from the left-hand navigation menu. Click Enable Two Factor authentication.
2. Next, you can set the lowest role — or the the minimum user role at which a user can use two-factor authentication. This is helpful if you don’t want to risk users like subscribers losing their phone.
Click Save All Changes.
3. Once two-factor authentication has been activated within iThemes Security Pro, any applicable user can then activate the feature for their own account by editing their profile.
Activating from Your WordPress User Profile
1. From the WordPress dashboard, visit Users > Your Profile. Scroll to the Google Authenticator Settings section and click Enable.
2. Add a description label to identify the site in your Google authenticator app.
3. The Key and QR Code included here will be used to set up your site in the Google Authenticator app.
Adding Your WordPress Site to the Google Authenticator App
1. Open the Google Authenticator App on your mobile device.
2. The app will walk you through the setup. Click Begin Setup.
3. On the next screen, you’re given two ways to add a new site to your Google Authenticator app. Select Scan Barcode or Manual Entry.
4. For scan barcode, a QR code scanner will appear for you to scan the QR code included on your WordPress User profile page. Scan this QR code by pointing your phone camera at the screen (yep, this works.)
5. For the manual entry method, use the key provided above the QR code on your WordPress User Profile page.
6. Once Google Authenticator has recognized your QR code or key, a new site will be added to the app.
7. Now you can use the 6-digit code generated by the app to log in to your WordPress site (just note this code refreshes every 30 seconds).
What Happens if I Lose My phone? Disabling Two-Factor Authentication
If you lose your phone, two-factor authentication can be disabled. Any administrator on your WordPress site can override and disable the feature by turning it off on the user’s profile. Just note that admins can only disable it for a user, not enable it.
Using Authy to Manage Your Google Authenticator Keys
Authy has several features not included in the Google Authenticator app, including encrypted key backups, the ability to share keys between multiple devices or your computer and protected pins.
Get Two-Factor Authentication + 30 Other Ways to Secure Your WordPress Site
With iThemes Security Pro, you can lock down your WordPress site with two-factor authentication and 30+ other security settings like brute force protection, file change detection and away mode — all important security measures you can take to secure your site.