A few weeks ago I wrote an article about how to improving WordPress security and having read an article about WordPress being hacking I thought I would look at ways to further improve WordPress Securty.
I stumbled on a plugin for WordPress that allows you to use the Google Authenticator app when logging into your WordPress website. The Google Authenticator app provides 2-step authentication and works on iOS, Android, Windows Phone, webOS, PalmOS, and BlackBerry devices so you need a smartphone to make use of the additional security.
How does Google 2-Step Authentication work?
Passwords are easily compromised no matter how complex you make them. This is why most online banking systems either ask for random characters of your password or secret phrase. Some organisations give you their own authenticator (like Halifax bank and Lloyds Business banking) – these devices generate a random code every 30-60 seconds and you need to enter the code along with your user ID and password in order to login.
If you are using the same password on numerous websites (and lets face it – a lot of you are) then a security leak on one website could put your other online accounts in danger. People are often lazy and don’t change their passwords, which is just asking for trouble.
How to setup 2-step authentication in WordPress
First you need to download the Google Authenticator WordPress Plugin by visiting: http://wordpress.org/extend/plugins/google-authenticator. Once this has been downloaded you need to upload the plugin to the /wp-content/plugins directory and activate the plugin in the WordPress dashboard.
Next you need to go to click on “Users -> Your Profile”. You will now see a section for, “Google Authenticator Settings”. Tick “Activate” to enable the plugin and enter a description in the box provided.
Now you need to download the Google Authenticator App for your mobile phone. Once the app has been installed you will have the option to setup a new account. In my case I called this account “Lacey Tech Blog”. On the smartphone there is the option to either enter the secret phrase shown on the user screen or to scan a QR code. Either method works, but I find scanning the QR code it easier. In the users screen in WordPress click the “Show/Hide QR Code” button and then scan this using the Google Authenticator app on your mobile phone.
Scroll down the WordPress users screen and click “Save Changes”.
When you log out of WordPress and re-visit the login screen www.yourwebsite.com/wp-admin you will now see a new box for the Google Authenticator code. Every time you login to your blog you need to enter your WordPress username and password, then open the Google Authenticator App and enter the code that is shown on your phone.