Enable Multi-Factor Authentication to Secure Your WordPress Website
Authentication refers to the act of confirming the identity of the person who is attempting to log in and obtain access to your WordPress installation — just like when you log in to your WordPress website by using a username and password. The idea for multi-factor authentication stems from the idea that one password alone is not enough to secure access to any environment.
Multi-factor authentication is also called strong authentication and, when in use, it requires more than one user-authentication method. WordPress, by default, requires only one: a username with password. Multi-factor authentication adds layers of authentication measures for extra security for user logins.
To use multi-factor authentication, you can use a free plugin called Google Authenticator. It provides two-factor user authentication through the use of an application on your mobile or tablet device (iPhone, iPad, Droid, and so on). For this plugin to work, you need the following:
Google Authentication app: Find it at the Apple App Store for iOS devices or the Google Play Store for Android devices.
Google Authenticator plugin: You can find this in the Plugin Directory.
When you have both of those tasks accomplished, you can configure the plugin for use on your website. Follow these steps to configure the plugin for each individual user on your site:
Click the All Users link on the Users menu on your Dashboard.
The Users page opens.
Select the users profile you’d like edit by clicking the Edit link underneath their name in the Users list.
The Edit Users page opens.
Select the Active check box in the Google Authentication Settings section.
Type a description in the Description text box.
This is the description you can see in the Google Authenticator application on your mobile device.
If you’re using an iPhone or iPad as your authentication device, the description field must not have any spaces. At the time of this writing, a bug in the Apple application prevents it from working if there are any spaces in the description.
Click the Show/Hide QR code button.
This displays the QR code on the page. A QR code is a scannable bar code that is readable by a mobile or tablet device using the camera.
Open the Google Authenticator application on your mobile or tablet device.
On the Dashboard of your WordPress site, click the Create New Secret button.
This refreshes the secret key and QR code needed to connect your mobile or tablet device.
In the Google Authenticator application on your mobile or tablet device, click the Scan Barcode button.
The camera on your device starts.
Scan the bar code displayed on the Google Authenticator page on your WordPress Dashboard by taking a photo of it with your device.
Point your device camera at your computer screen and line up the QR code within the camera brackets of your mobile device. The application automatically reads the QR code as soon as it is aligned correctly and displays a 6-digit code identifying your blog.
The 6-digit code will refresh on a time-based interval. After the QR code is scanned, the user receives a message on her mobile device that contains a unique, numeric code.
Click the Update Profile button at the bottom of the Edit Users screen in your Dashboard.
This refreshes the Edit Users page with a message at the top stating that the Google Authenticator settings have been successfully saved.
Now, with the Google Authenticator plugin in place, whenever anyone tries to log in to your WordPress Dashboard, she has to fill in her username and password, like usual; however, with multi-factor authentication in place, the user also needs to enter the authentication code that was sent to her mobile device in Step 9 in. Without this unique code, the user can’t log in to the WordPress Dashboard.
With the previous steps completed, you have enabled a form of multi-factor authentication, to your WordPress Dashboard.
The Google Authenticator application verification code is time based, which is why it is very important that your mobile phone and your WordPress blog are set to the same time zone.
If you get the message that the Google Authentication verification code you’re using is either invalid or expired, you need to delete the plugin and then go into your WordPress Dashboard settings and make sure the time zone is set to the same time zone as your mobile or tablet device.
The following steps show you how the multi-factor authentication is now implemented on your blog:
Log out of your WordPress Dashboard.
This step logs you out completely and displays the login page.
Type your username in the Username field.
Type your password in the Password field.
Do not click the Log In button yet.
Open the Google Authenticator application on your mobile or tablet device and locate the 6-digit number code assigned to your blog.
This 6-digit number code refreshes every 60 seconds. If you have more than one blog using the application, find the code that corresponds to the description you assigned to the site from Step 4 in the previous list.
Type the 6-digit number verification code in the Google Authenticator code field.
Click the Log In button.
You are now successfully logged into your WordPress Dashboard using a two-factor authentication method.
The biggest shortcoming with this plugin is the inability to force all users to configure by default. This is why it’s important the principle of least privilege is employed on your site — give access only to the users who absolutely require it. In an ideal world, however, every single one of your user accounts will require a two-factor authentication in order to log in to their accounts on your site.
If you do not have access to a mobile device, WordPress does have a couple of plugins you can use, including these two: