Google Authenticator Made Easy For Added WordPress Login Security

16th February 2016 (updated April 7th, 2017) · News

We’re always on the lookout for ways to improve security on our WordPress sites. But equally, we want to make security easier and more accessible.

With the latest release of the Simple Security Firewall plugin, we’ve done just that. Version 4.17 adds full support for Google Authenticator within the WordPress login.

We will show you our approach to it, and how you can easily add multiple layers of security to your site login.

The Basics – What is Two-Factor Authentication?

First up, let’s cover our bases and get the fundamentals out of the way. What is 2-Factor Authentication?

When you log into any site or service, you will have a unique username and a password associated with it, right? This password is your “single”-factor authentication. That is, with that 1 factor alone (your password) you gain access to that account.

If anyone guesses or cracks your password, your account is wide open. How can we prevent this from happening? We add another factor to the login process.

When you add another factor to the login process, it then becomes two-factor authentication. This makes it that bit harder for anyone to get into your account.

If you add yet another factor, this creates a multi-factor authentication process. In fact, you can add as many factors as you desire.

What types of two-factor authentication options are out there?

There are many types of 2-factor authentication systems available to us. Probably the most common and versatile is email. This is where, after you log into a service, you receive an email with a link or code to complete your login.

This email verification ensures that the person logging into the service is in fact the real person who owns the account. Chances are slim that a hacker has both cracked your password and gained access to your email account. Slim, but not impossible.

So, it’s good to have other, completely independent ways to verify your identity. Here are some that are available:

Each of these has its own methods and advantages over the others. Some are free, some are premium. Some require extra hardware, or perhaps an app on your smartphone.

But what about WordPress?

What 2-factor authentication options are available for WordPress?

WordPress has only single-factor authentication out of the box. You have a username and password. Simple.

This leaves it susceptible to brute force attacks: if someone guesses at your username and password enough times, they’ll eventually get in.

With our Security Firewall plugin we have offered two-factor authentication by email all the way back to v1.2.0. That’s a long time!

Email-based two-factor authentication is a highly effective system. But, it does have issues, such as:

  • many web hosts block outgoing email
  • many email accounts filter messages as spam with certain links
  • end-users can find it a little cumbersome

With version 4.17 we’ve added a much requested authentication option – Google Authenticator.

What is Google Authenticator?

Google Authenticator is an app that you install on your phone. It implements TOTP, a Time-based One-Time Password system.

A TOTP is a password that is automatically regenerated at a fixed interval, say every 30 seconds. You then use this unique password to log into your account.

So, you’ll have your normal account password, plus another password that changes every 30 seconds that only you know.

Brilliant! That’s pretty cool security.

This is a nice improvement over email. Even if a hacker gets into your email account, they won’t have your random password that’s constantly changing.

So how does Google Authenticator actually work?

You will need to install the Google Authenticator app on your smartphone. There are alternatives to what I’m about to outline, but this is the basics of it.

Activating Google Authenticator on any system works in this basic way:

  • You are provided a unique, secret code that is used to generate these random passwords (usually in the form of a QR code to scan)
  • You use the Google Authenticator app to save this secret code on your phone
  • Your phone then creates random passwords for you to use when you log into your service (i.e. your WordPress sites)

Very easy!
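To make the two passages above concrete (the 30-second password described under “What is Google Authenticator?” and the secret-code-to-QR-code-to-6-digit-number flow just listed), here is an added example in Python. It is not the plugin’s code and not Google’s; it is a minimal RFC 6238 TOTP implementation that shows what the QR code actually contains, how the phone turns the shared secret plus the current time into the 6-digit number, and how a server should check that number. The secret is the published RFC 6238 test secret (32 base32 characters rather than the 16 the article mentions, so that the expected values are known); the account name, issuer, and the `TotpVerifier` skew-and-replay policy are assumptions made for the example.

```python
# Added example: RFC 6238 TOTP (what Google Authenticator computes) and a
# defender-side verifier. Not the Shield/Security Firewall plugin's own code.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30  # the "changes every 30 seconds" period from the article
DIGITS = 6         # the 6-digit number the app displays

# Constructed for the example: base32 of the ASCII bytes "12345678901234567890",
# the SHA-1 test secret from RFC 6238 Appendix B. A real enrolment would use a
# fresh random secret generated by the server and shown once as a QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the phone does: no network needed, only the secret and a clock."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// text that the QR code on the user-profile page encodes
    (Google Authenticator "Key URI" format). Typing the base32 secret by hand
    gives the app exactly the same information."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check (assumed policy, not the plugin's): accept the current
    30-second step plus `skew_steps` on either side for clock drift, compare in
    constant time, and never accept a step at or before the last accepted one,
    so a code that was observed once cannot be replayed within its window."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = base64.b32decode(secret_b32.upper())
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, at_time: int) -> bool:
        now_step = at_time // STEP_SECONDS
        for step in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed: blocks replay of a captured code
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(SECRET_B32, "admin@example.com", "Example WP Site"))
    now = int(time.time())
    print("code right now:", totp(SECRET_B32, now),
          "(valid for", STEP_SECONDS - now % STEP_SECONDS, "more seconds)")
```

Two things worth noticing when reading it: the phone never talks to the site, so both sides only need the same secret and roughly the same clock; and because a 6-digit code gives a guesser a 1-in-1,000,000 chance per attempt, the login-attempt limiting and IP banning described later in this post are part of what makes the second factor effective, not an optional extra.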

How to set-up Google Authenticator for WordPress

First you’ll need to install or update your Security Firewall plugin so it is at least v4.17.0.

There are 2 steps to turning on Google Authenticator. First, you must enable it in the plugin. Then, you must activate it for your own particular WordPress user account.

Turn on the option in the plugin (see screenshots below):

  1. Go to the ‘Login Protection’ module under the Security Firewall WordPress admin menu
  2. Click on the tab labelled ‘Two-Factor Auth’
  3. Check the box beside ‘Enable Google Authenticator’
  4. Save options

Now add it to your WordPress user account:

  1. WordPress: Go to your WordPress user profile (Users > Your Profile)
  2. WordPress: Scroll down to the bottom and you’ll see a QR code to scan
  3. Phone: Install the Google Authenticator App on your smartphone
  4. Phone: Select to ‘Add Account’ from within the Google Authenticator app
  5. Phone: Scan the Google Authenticator QR code that has been presented to you
    • You will also be given the option to type in a code which is a series of 16 letters. This is an alternative to the QR code, but has exactly the same result.
  6. Phone: If this is successful, it will add the new account to your phone and display a 6-digit number
  7. WordPress: Use this 6-digit number and enter it on the same page you scanned the QR code in step 5
  8. WordPress: Save this page.

See the screenshots below that highlight some of the steps above:

If you follow these steps correctly and the App accepts your code, then going forward you must always provide the codes generated by the App as you login.

Warning: If the IP Manager is turned on, repeated login attempts that fail will result in a ban of your IP address. So please take care.

Warning!

When this is activated on your WordPress account you must understand one very important fact.

If you lose your phone, or you delete your Google Authenticator app from your phone, you will lose access to your account.

Yes, that’s right, you will not be able to login.

So what can you do? As a site administrator, you use the tools built into this plugin to regain access.

Also, here are some other configuration settings you should be aware of when you use this feature:

  • Site administrators may remove Google Authenticator from any non-administrator account.
  • Site administrators may not remove Google Authenticator from any administrator account.
  • No-one can add Google Authenticator to any account, except their own.

Suggestions, Feedback, Hopes and Fears?

If you have any issues with this, or questions about the feature, please let us know below in the comments section.

Ideally, please use the support forums to ask for help.

16 Comments

  • Tom says:

    no good for me, I only have a “dumb phone” — you know, the old fashioned cell phone that is actually used to make & receive PHONE CALLS?
    no texts, only phone calls..

    • Paul G. says:

      Hi Tom,

      Oh dear, sorry to hear that! When you get yourself a smartphone you’ll be able to take advantage of this, and all the other services that use Google Authenticator to shore up their security.

      Not only that, you could use the Email authentication already in the plugin, or get yourself a Yubikey and use that too! Lots of options 🙂

      Is an SMS service something you’d like to see added to the plugin?

      Thanks for your comment!

  • Mike says:

    What if I am already using Google Authenticator for my Google account? Do I need to go through the app setup process or do I use the current codes already being presented by the app? If I go through the setup for the app on my phone, will it affect using it for my Google account?

    • Paul G. says:

      With Google Authenticator already installed on your phone, you don’t need to reinstall it. From within the App, click to “Set Up Account”, then go through the process of scanning the QR code etc (step 5 above). This will create a brand new entry on the App.

      Assuming you don’t remove or edit any existing Authenticator accounts on your phone, going through this process will not affect your Google account or any other account on there.

      Hope that helps!

  • Oliver says:

    Hi, unfortunately I’m getting “Invalid Barcode”… Barcode not guilty..

    • Paul G. says:

      Have you tried this with multiple codes? If so, then your app probably has an issue as this code/chart is regenerated anew every page load.

      If the QR code isn’t working for your app, then you can use the 16 digit secret below the QR code.

      Thanks.

  • Umair says:

    How about nagging other users to enable and configure it? May be give them some time limit to configure or be locked out? May be the admin can make it mandatory for some users and not for others?

    • Paul G. says:

      Hi Umair,

      Thanks for the suggestion for this, but I think this sort of thing is really down to the site administrator to manage. There are 101 ways to implement and enforce security policies and everyone does it differently. I’ll have a think about how this can be done in a scalable way.

      Thanks again for your security suggestions!

  • Romain Caisse says:

    Outstanding post! Thanks for sharing your great experience through this effective and helpful tips.

  • sudheer says:

    Hi,

    I have started using this plugin, it looks awesome, but I’m a little bit puzzled with the authenticator app. As an admin, is there any other way to gain access in the event of a mobile lost or the App deleted..? If no, then I’d disable this feature.

  • brad says:

    “If you follow these steps correctly and the App accepts your code, then going forward you must always provide the codes generated by the App as you login.”

    I followed the instructions, but I am still able to log in even though I’m providing only username and pass and no Google Authenticator code…

    Any suggestions?

    Thanks,
    Brad

  • Hi, this might be a dumb question, but how do I get my users (both bloggers and customers) to set up this feature? It seems like they can log in just fine until they set it up, but if they don’t ever, then the security isn’t really doing anything? What am I missing here? Cheers!

    • Paul G. says:

      Hi Levis,

      This article demonstrates how users can add Google Authenticator to their account. Shield does not currently enforce Google Authenticator for users. So for now you’ll have to communicate with them… tell them to turn it on.

      We may add security policies to the plugin at a later date. Thanks for the suggestion!

  • Tim says:

    Be sure you are in the Shield Plugin directory to use “Forceoff and Forceon.”
