
How to Set Up Two-Factor Authentication for Your WordPress Site with Google Authenticator

When it comes to protecting your WordPress site, two-factor authentication is one of the best things you can do to secure your site — but how do you implement it? In this post, we’ll cover how to set up two-factor authentication for your WordPress site with Google Authenticator and iThemes Security Pro.

Why Use Two-Factor Authentication? The Problem With Passwords

With major security breaches like the recent Heartbleed bug that compromised passwords for millions of users, passwords are becoming an increasingly risky way of allowing user access to admin accounts.

Google’s spam guru, Matt Cutts, explained it best:

Two-factor authentication is a simple feature that asks for more than just your password. It requires both “something you know” (like a password) and “something you have” (like your phone).

With two-factor authentication, users are required to enter both a password and a second code generated on a device. Both the password and the code are required to log in to a user account, adding an extra layer of security that verifies it’s actually you logging in and not someone who gained access to (or even guessed) your password.

How Two-Factor Authentication Works with WordPress

To start using two-factor authentication, you’ll need to have Google Authenticator, a free two-factor application, installed on your smartphone. To download the Google Authenticator app, visit the App Store (for iOS devices) or Google Play (for Android devices).

Once the app is configured with your site using iThemes Security Pro, your WordPress site will require both your password and a verification code generated with the Google Authenticator app.


Google Authenticator generates a 6-digit code that is valid only once and changes every 30 seconds. Once configured, you can get verification codes without the need for a network or cellular connection.


Getting Started: Setting Up Two-Factor Authentication on Your WordPress Site

To get started setting up two-factor authentication for your WordPress site, you’ll need the following:

  • iThemes Security Pro — our WordPress Security plugin — installed on your self-hosted WordPress site
  • The Google Authenticator App — for iOS or Android — installed on your mobile device

Configuring in iThemes Security Pro

1. Once you’ve installed iThemes Security Pro on your WordPress site, navigate to Security > Pro from the left-hand navigation menu. Click Enable Two Factor authentication.


2. Next, you can set the lowest role — the minimum user role at which a user can use two-factor authentication. This is helpful if you don’t want to risk users like subscribers losing their phone.

Click Save All Changes.

3. Once two-factor authentication has been activated within iThemes Security Pro, any applicable user can then activate the feature for their own account by editing their profile.

Activating from Your WordPress User Profile

1. From the WordPress dashboard, visit Users > Your Profile. Scroll to the Google Authenticator Settings section and click Enable.


2. Add a description label to identify the site in your Google Authenticator app.

3. The Key and QR Code included here will be used to set up your site in the Google Authenticator app.
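To make concrete what the rotating 6-digit code described earlier and the Key and QR code on the profile page actually are, here is an added Python example (not code from iThemes Security Pro or Google Authenticator). It implements RFC 6238 TOTP with the defaults Google Authenticator uses (HMAC-SHA1, 30-second steps, 6 digits): a base32 Key, the otpauth:// URI that the QR code encodes, code generation, and a server-side verifier that accepts each time step only once. The issuer and account names are constructed, and the one-step clock-skew window is this example's own design choice.

```python
"""TOTP (RFC 6238) as used by Google Authenticator: shared key, otpauth://
provisioning URI, code generation, and one-time verification.
Added example; not part of iThemes Security Pro or Google Authenticator."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # Google Authenticator rotates codes every 30 seconds
DIGITS = 6          # 6-digit codes


def new_secret(num_bytes: int = 20) -> str:
    """Random shared key, base32-encoded: this is the 'Key' shown above the QR code."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def decode_secret(secret_b32: str) -> bytes:
    """Base32 decode, tolerating keys shown without '=' padding."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the QR code carries for 'Scan Barcode' enrollment
    (account and issuer are constructed labels for this example)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30).
    Works offline because only the key and the clock are needed."""
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), now // STEP_SECONDS, digits)


class TotpVerifier:
    """Server side: accept the code for the current step or one step either side
    (clock skew), and never accept a step that has already been consumed, so a
    captured code cannot be replayed."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.key = decode_secret(secret_b32)
        self.skew_steps = skew_steps
        self.last_used_step = -1   # highest time step already accepted

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        first = max(0, current - self.skew_steps)
        for step in range(first, current + self.skew_steps + 1):
            if step <= self.last_used_step:
                continue   # replay or older step: already used up
            if hmac.compare_digest(hotp(self.key, step), submitted):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    key = new_secret()
    print("Key to enter manually:", key)
    print("QR code content:", provisioning_uri(key, "admin", "ExampleSite"))
    code = totp(key)
    verifier = TotpVerifier(key)
    print("current code:", code, "accepted:", verifier.verify(code),
          "accepted again:", verifier.verify(code))
```

Because the verifier remembers the last accepted time step, a code that an attacker captured over the shoulder or via a keylogger is useless once the legitimate user has logged in with it, which is the "only good once" property the post describes.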

Adding Your WordPress Site to the Google Authenticator App

1. Open the Google Authenticator App on your mobile device.


2. The app will walk you through the setup. Click Begin Setup.


3. On the next screen, you’re given two ways to add a new site to your Google Authenticator app. Select Scan Barcode or Manual Entry.


4. For Scan Barcode, a QR code scanner will appear for you to scan the QR code included on your WordPress User Profile page. Scan this QR code by pointing your phone camera at the screen (yep, this works).


5. For the manual entry method, use the key provided above the QR code on your WordPress User Profile page.


6. Once Google Authenticator has recognized your QR code or key, a new site will be added to the app.


7. Now you can use the 6-digit code generated by the app to log in to your WordPress site (just note this code refreshes every 30 seconds).


What Happens if I Lose My Phone? Disabling Two-Factor Authentication

If you lose your phone, two-factor authentication can be disabled. Any administrator on your WordPress site can override and disable the feature by turning it off on the user’s profile. Just note that admins can only disable it for a user, not enable it.

Using Authy to Manage Your Google Authenticator Keys

If you’re adding two-factor authentication protection to your WordPress site with iThemes Security Pro, you can also manage your Google Authenticator keys with the Authy app.

Authy has several features not included in the Google Authenticator app, including encrypted key backups, the ability to share keys between multiple devices or your computer, and protected PINs.

Read more on how to manage your Google Authenticator Keys with Authy.

Get Two-Factor Authentication + 30 Other Ways to Secure Your WordPress Site

With iThemes Security Pro, you can lock down your WordPress site with two-factor authentication and 30+ other security settings like brute force protection, file change detection and away mode — all important security measures you can take to secure your site.

Get iThemes Security Pro Today

Comments

  1. Hi Guys,

    It’s great to see you have added 2-step authentication to iThemes Security Pro. It’s a little disappointing to see, however, that you went with Google Authenticator rather than Duo Security or LaunchKey.

    I used Google a long time ago but quickly learned that even if the code is not entered into the field but all the other fields are correct, Google will let you log in. I believe it was possible to force 2-step but doing so was not obvious on set up. So unless you know how, it’s not intuitive in Google.

    I don’t believe this has changed since then, so what have you done to selectively FORCE 2-step authentication in the plugin?

    Interested in hearing from the rest of the community too about this addition to the plugin.

    • I’ve used the others myself (Duo, LaunchKey, Authy and others) and I chose to go with just GA (for now) for a few reasons. First, it is quite easy to set up and second, users can use whatever app they wish.

      That said, I do recommend Authy’s app with GA as it provides a number of advantages over Google’s native app.

      As for your concerns, I’m afraid I’m not sure what you are referring to. If your GA code is not correct, iThemes Security Pro will disregard your login and you will not get into your site. Now we are working on tutorials for setup and you’re right, it can be problematic if you’re not sure what you are doing, but each service has its benefits and problems and we chose to use GA as it has, in my opinion, the least of the latter.

  2. Will this work on a multisite install where the subsites are domain mapped? Even network admins have to log into each domain-site separately in that case, so I’m thinking that it could work.

    Would I network activate the plugins, to give every site user account the option to enable?

    • The plugin must be network activated and works with domains or subdirectories in multi-site. The catch is the user will still have to activate it on one of their sites (which one doesn’t matter).

  3. Will this work for members logging into our website so we know they aren’t giving out their password to others?

  4. Hi Chris,

    Adding this extra step insures my site in what way?
    “Just” securing the admin (Important) but the site can still be attacked. Do you mind explaining to me what this extra step for me as admin would mean in practice other than giving me more keystrokes :)

    I am also “co-admin” on other sites than my own. For this 2-step dance move to work, all admins need to activate it correctly?
    Some of the other admins are not really “admins” but designers :-( but owners at the same time… So kind of hard to teach them all this (except if you get your videos done) and to enforce them. But for the site to be secure all admins MUST have this new dance step in place?

    Another question – A compare chart Pro vs Free? Is that available somewhere?
    I sometimes have trouble explaining to a client why the free is not enough … I used the free one a long time before I got the pro and started selling it to clients… Now I am a raging fan!! Somehow it stimulates my “Justice-Complex” every time I get a notice that someone evil has been blocked or locked out! :)

    BTW – I Love the plugin :-)

    Have a great day

    Peter

  5. @Kristen and Chris,

    Thanks for enriching the WP community with your awesome security plugin.

    It is nice to see that there is more than one option (Authenticator and Authy) for two-factor apps. Given that these are both temporary-code-based solutions, I wanted to ask whether iThemes might consider adding a non-temporary-code option such as Clef (https://getclef.com).

    I myself, and likely many existing iThemes Security users, would be very interested in upgrading to Pro if it offered a token-free, password-free (i.e., distributed PKI) two-factor WordPress authentication option in addition to the token-based options.
