When it comes to protecting your WordPress site, two-factor authentication is one of the best things you can do to secure your site — but how do you implement it? In this post, we’ll cover how to set up two-factor authentication for your WordPress site with Google Authenticator and iThemes Security Pro.
Why Use Two-Factor Authentication? The Problem With Passwords
With major security breaches like the Heartbleed bug that compromised passwords for millions of users, passwords are becoming an increasingly risky way of allowing user access to admin accounts.
Google’s spam guru, Matt Cutts, explained it best:
Two-factor authentication is a simple feature that asks for more than just your password. It requires both “something you know” (like a password) and “something you have” (like your phone).
With two-factor authentication, users are required to enter both a password and a second code sent to a device. Both the password and the code are required to log in to a user account, adding an extra layer of security that verifies it’s actually you logging in and not someone who gained access to (or even guessed) your password.
How Two-Factor Authentication Works with WordPress
To start using two-factor authentication, you’ll need to have Google Authenticator, a free two-factor application, installed on your smartphone. To download the Google Authenticator app, visit the App Store (for iOS devices) or Google Play (for Android devices).
Once the app is configured with your site using iThemes Security Pro, your WordPress site will require both your username and password and a verification code generated with the Google Authenticator app.
Google Authenticator generates a 6-digit code that is valid for a single login and changes every 30 seconds. Once configured, the app can produce verification codes without a network or cellular connection, because each code is derived from the shared secret key and the current time.
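To show why the code changes every 30 seconds and needs no network, here is an added example (not code from iThemes Security Pro or Google Authenticator) that implements the TOTP algorithm (RFC 6238, HMAC-SHA1) both ways: the phone-side code generator and a server-side check that accepts a code only once. The base32 secret is the constructed RFC test-vector key, standing in for the secret key shown on the WordPress profile page.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the 30-second refresh described above
DIGITS = 6          # the 6-digit code described above

# Constructed sample secret (the RFC 4226/6238 test key, base32-encoded),
# standing in for the key shown under "Time-Based One-Time Password Configuration Details".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(base32_secret: str) -> bytes:
    """Manual-entry keys are often shown in spaced lowercase groups; normalise them."""
    return base64.b32decode(base32_secret.replace(" ", ""), casefold=True)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret: str, unix_time: int) -> str:
    """What the app does: counter = floor(time / 30), no network needed."""
    return hotp(decode_secret(base32_secret), unix_time // STEP_SECONDS)


class TotpVerifier:
    """What the site does: accept the current or an adjacent time step (clock drift),
    and never accept the same time step twice, so a captured code cannot be replayed."""

    def __init__(self, base32_secret: str, window: int = 1):
        self.key = decode_secret(base32_secret)
        self.window = window
        self.last_accepted_step = -1   # persist this per user in a real deployment

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue   # already used (or older than one already used)
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_accepted_step = step
                return True
        return False
```

The expected values for the sample key at Unix times 59, 1111111109 and 1234567890 are the last six digits of the RFC 6238 SHA-1 test vectors.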
Getting Started: Setting Up Two-Factor Authentication on Your WordPress Site
To get started setting up two-factor authentication for your WordPress site, you’ll need the following:
- iThemes Security Pro — our WordPress Security plugin — installed on your self-hosted WordPress site
- The Google Authenticator App — for iOS or Android — installed on your mobile device
Enabling Two-Factor Authentication in iThemes Security Pro
1. Once you’ve installed iThemes Security Pro on your WordPress site, navigate to the Pro tab within iThemes Security. Scroll to the Two-Factor Authentication section.
2. To allow users to log in with two-factor authentication, enable one or more of the two-factor providers in the list by checking the box next to each one: Time-Based One-Time Password (TOTP), Email, or Backup Verification Codes.
If possible, we recommend enabling all providers. A provider should only be disabled if it will not work properly with your site. For instance, the email provider should not be enabled if your site cannot send emails.
Click Save All Changes.
3. Once two-factor authentication has been activated within iThemes Security Pro, any applicable user can then activate the feature for their own account by editing their profile.
Enabling from the WordPress User Profile
1. From the WordPress dashboard, visit Users > Your Profile. Scroll to the Google Authenticator Settings section and click Enable next to Time-Based One-Time Password (TOTP). You can also choose to make this method your primary form of two-factor authentication.
2. Click the “View Time-Based One-Time Password Configuration Details” link.
3. You’ll now see the QR Code and Secret key that will be used to set up your site in the Google Authenticator app.
Adding Your WordPress Site to the Google Authenticator App
1. Open the Google Authenticator App on your mobile device.
2. The app will walk you through the setup. Click Begin Setup.
3. On the next screen, you’re given two ways to add a new site to your Google Authenticator app. Select Scan Barcode or Manual Entry.
4. For Scan Barcode, a QR code scanner will appear for you to scan the QR code shown on your WordPress User Profile page. Scan this QR code by pointing your phone camera at the screen (yep, this works.)
5. For the manual entry method, use the key provided above the QR code on your WordPress User Profile page.
6. Once Google Authenticator has recognized your QR code or key, a new site will be added to the app.
7. Now you can use the 6-digit code generated by the app to log in to your WordPress site (just note this code refreshes every 30 seconds).
What Happens if I Lose My Phone? Disabling Two-Factor Authentication
If you lose your phone, two-factor authentication can be disabled. Any administrator on your WordPress site can override and disable the feature by turning it off on the user’s profile. Just note that admins can only disable it for a user, not enable it.
Using Authy to Manage Your Google Authenticator Keys
Authy has several features not included in the Google Authenticator app, including encrypted key backups, the ability to share keys between multiple devices or your computer, and PIN protection.
Get Two-Factor Authentication + 30 Other Ways to Secure Your WordPress Site
With iThemes Security Pro, you can lock down your WordPress site with two-factor authentication and 30+ other security settings like brute force protection, file change detection and away mode — all important security measures you can take to secure your site.