We’re always on the lookout for ways to improve security on our WordPress sites. But equally, we want to make security easier and more accessible.
With the latest release of the Shield Security plugin, we’ve done just that. Version 4.17 adds full support for Google Authenticator within the WordPress login.
We will show you our approach to it, and how you can easily add multiple layers of security to your site login.
The Basics – What is Two-Factor Authentication?
First up, let’s cover our bases and get the fundamentals out of the way. What is 2-Factor Authentication?
When you log into any site or service, you will have a unique username and a password associated with it, right? This password is your “single”-factor authentication. That is, with that 1 factor alone (your password) you gain access to that account.
If anyone guesses or cracks your password, your account is wide open. How can we prevent this from happening? We add another factor to the login process.
When you add another factor to the login process, it then becomes two-factor authentication. This makes it that bit harder for anyone to get into your account.
If you again add another factor, this creates a multi-factor authentication process. In fact, you can add as many factors as you desire.
What types of two-factor authentication options are out there?
There are many types of 2-factor authentication systems available to us. Probably the most common and versatile is email. This is where, after you log into a service, you receive an email with a link or code to complete your login.
This email verification ensures that the person logging into the service is in fact the real person that owns the account. Chances are slim that a hacker has both cracked your password and gained access to your email account. Slim, but not impossible.
So, it’s good to have other, completely independent ways to verify your identity. Here are some that are available:
- Phone / SMS
- Google Authenticator (originally for Google/Gmail accounts)
- Yubikey / Yubico
Each of these has its own methods and advantages over the others. Some are free, some are premium. Some require extra hardware, or perhaps an App on your smartphone.
But what about WordPress?
What 2-factor authentication options are available for WordPress?
WordPress has only single-factor authentication out of the box. You have a username and password. Simple.
This leaves it susceptible to brute force attacks. If someone guesses your username and password enough times, they’ll eventually get in.
With our Shield Security plugin we have offered two-factor authentication by email all the way back to v1.2.0. That’s a long time!
Email-based two-factor authentication is a highly effective system. But, it does have issues, such as:
- many web hosts block outgoing email
- many email accounts filter messages as spam with certain links
- end-users can find it a little cumbersome
With version 4.17 we’ve added a much requested authentication option – Google Authenticator.
What is Google Authenticator?
Google Authenticator is an App. You install it on your phone. This app implements a TOTP – a Time-based One-Time Password system.
A TOTP is a password that is automatically generated at a fixed period of time, say every 30 seconds. You then use this unique password to log into your account.
So, you’ll have your normal account password, plus another password that changes every 30 seconds that only you know.
Brilliant! That’s pretty cool security.
This is a nice improvement over email. Even if a hacker gets into your email account, they won’t have your random password that’s constantly changing.
So how does Google Authenticator actually work?
You will need to install the Google Authenticator app on your smartphone. There are alternatives to what I’m about to outline, but this covers the basics.
Activating Google Authenticator on any system works in this basic way:
- You are provided a unique, secret code that is used to generate these random passwords (usually in the form of a QR code to scan)
- You use the Google Authenticator app to save this secret code on your phone
- Your phone then creates random passwords for you to use when you log into your service (i.e. your WordPress sites)
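To make the TOTP description above and these three enrolment steps concrete, here is an added example (written for this page, not code from the original post or from the Shield Security plugin) that derives the 6-digit codes exactly the way the app does: HMAC-SHA1 over a counter that is the current Unix time divided by 30 seconds, per RFC 4226/6238. The shared secret is the base32 string that the QR code (or the letters-only text alternative) carries. The constructed secret below is the RFC 6238 test-vector key, which is 32 base32 characters rather than the 16 mentioned later in this post, so the outputs can be checked against the RFC tables; the `verify_totp` helper, its one-step tolerance window and its constant-time comparison are my assumptions about how a verifier should behave, not a description of the plugin’s implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 test-vector key "12345678901234567890"
# encoded as base32. This is the same form as the text-entry alternative to the
# QR code, only longer (20 bytes instead of 10). Never use it for a real account.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase, spaces and missing '=' padding,
    since people retype the letters-only code by hand."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period).
    This is what the phone computes every 30 seconds from the scanned secret."""
    return hotp(decode_secret(secret_b32), unix_time // period, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                period: int = 30, window: int = 1) -> bool:
    """Server-side check (assumed design, not the plugin's): accept the code for
    the current time step or one within +/- `window` steps, to absorb small clock
    drift between phone and server. The comparison is constant-time so a wrong
    guess reveals nothing through timing."""
    submitted = submitted.strip()
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    key = decode_secret(secret_b32)
    step = unix_time // period
    accepted = False
    for drift in range(-window, window + 1):
        # Do not short-circuit, so every candidate costs the same time.
        if hmac.compare_digest(hotp(key, step + drift), submitted):
            accepted = True
    return accepted


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET_B32, now)
    print("current code:", code, "valid for", 30 - now % 30, "more seconds")
    print("verifies:", verify_totp(RFC6238_SECRET_B32, code, now))
```

The RFC vectors give a quick sanity check: with this key, time 59 (counter 1) yields 287082, the same value HOTP gives for counter 1, which shows that TOTP is just HOTP with time as the counter. The tolerance window is a trade-off: each extra step roughly doubles the number of codes an attacker could guess, so keep it small and pair it with the login rate limiting the post mentions.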
How to set-up Google Authenticator for WordPress
First you’ll need to install or update your Shield Security plugin so it is at least v4.17.0.
There are 2 steps to turning on Google Authenticator. First, you must enable it in the plugin. Then, you must activate it for your own particular WordPress user account.
Turn on the option in the plugin (see screenshots below):
- Go to the ‘Login Protection’ module under the Shield Security WordPress admin menu
- Click on the tab labelled ‘Two-Factor Auth’
- Check the box beside ‘Enable Google Authenticator’
- Save options
Now add it to your WordPress user account:
- WordPress: Go to your WordPress user profile (Users > Your Profile)
- WordPress: Scroll down to the bottom and you’ll see a QR code to scan
- Phone: Install the Google Authenticator App on your smartphone
- Phone: Select to ‘Add Account’ from within the Google Authenticator app
- Phone: Scan the Google Authenticator QR code that has been presented to you
- You will also be given the option to type in a code which is a series of 16 letters. This is an alternative to the QR code, but has exactly the same result.
- Phone: If this is successful, it will add the new account to your phone and display a 6-digit number
- WordPress: Use this 6-digit number and enter it on the same page you scanned the QR code in step 5
- WordPress: Save this page.
See the screenshots below that highlight some of the steps above:
If you follow these steps correctly and the App accepts your code, then going forward you must always provide the codes generated by the App as you login.
Warning: If the IP Manager is turned on, repeated login attempts that fail will result in a ban of your IP address. So please take care.
When this is activated on your WordPress account you must understand one very important fact.
If you lose your phone, or you delete your Google Authenticator app from your phone, you will lose access to your account.
Yes, that’s right, you will not be able to login.
So what can you do? As a site administrator, you can use the tools built into this plugin to regain access.
Also, here are some other configuration settings you should be aware of when you use this feature:
- Site administrators may remove Google Authenticator from any non-administrator account.
- Site administrators may not remove Google Authenticator from any administrator account.
- No-one can add Google Authenticator to any account, except their own.
Suggestions, Feedback, Hopes and Fears?
If you have any issues with this, or questions about the feature, please let us know below in the comments section.
Ideally, please use the support forums to ask for help.