Wondering about how to add 2-step verification to your WordPress site? Here’s the complete scoop. Also known as 2-step authentication and two-factor authentication (2FA), two-step verification is my favorite way to secure my WordPress logins. As a bit of background, the two in 2-steps means:
- something you know (your password)
- something you have (such as a secret code generated on your phone)
With two-step login verification, you could post your WordPress password on a billboard in Times Square, and no one would be able to use it to get into your WordPress site. Unless they also had your phone. Which might happen, especially if you were wandering around Times Square snapping selfies in-front of your billboard. 🙂
Securing your WordPress login involves installing the Google Authenticator Authy app on your iPhone or Android phone, and installing the Google Authenticator plugin on your WordPress site. [Editor’s Note 12/1/2017: I recently changed my app recommendation from the Google Authenticator app to the Authy app.]
But I’ll make it easy for you. Just watch the demo below.
Barbara J. Feldman: Hi. Barbara Feldman of WordHer.com here to show you how to add two-step verification to your WordPress login.
The “two” in two-step verification, or two-factor authentication, involves two things. First is something you know, and that would be your password, and second is second you have. In this case, that’s gonna be your phone, which is going to generate an authentication code with an app.
So, our very first step is to go to either the Google store or the iPhone store and download Google Authenticator, the app, onto your phone. There is also one for BlackBerry.
The second step is to open up your WordPress control panel and install and activate the Google Authenticator plug-in by Henrik Schack. There are a few others, but this is the one with the most downloads and the best reviews.
So, you’re gonna download it, you’re gonna install it, and you are going to activate it. After the plug-in is activated, you’re gonna go to Users and you’re gonna go to your profile. (And you can do this one at a time for multiple users). And now you will see the Google Authenticator settings.
And this is where we turn it on for each individual user. What I do on my sites is I turn it on for all of my administrator accounts, but not for other accounts that have less access to the important parts of my blog.
Another thing that I do is to check “relaxed mode.” And this gives you a little bit of leeway if your clock is a little bit off. Because each of the codes that are generated only last for 20 seconds and so it’s very important that both your server setting for time and your phone for time are accurate. And that’s something, if you’re having any trouble at all with this process, that’s something you’re going to need to look into is how accurate your time phone and how accurate your server time is.
OK. So, we’re activating, we’re turning on “relaxed mode,” because I’m a relaxed sort of person, and we are giving your authenticator a name. And in this case, I’m gonna use the name of my site. And now we have a description that’s gonna show up on your phone and we have a secret: At any time you can create a new secret. And you notice when I do I get a QR code.
So, I have a secret and I have a QR code. So now I am gonna go to my phone and, under Add an Account, it’s gonna look something like this and it’s gonna give you the option of either scanning a barcode or entering a key. The key is the secret and the QR code, of course, is the corresponding QR code right here.
I always use the barcode because who likes to type in long series of letters and numbers?
So, you take your phone right up to your screen and you scan it until it goes “click.” And then you will have a new account in your Google Authenticator app on your phone that will look something like this.
Now, this is not a screenshot from the site I just created, but it will have the title here and then it will have a code. And this code is going to change every 20 seconds. The next time you go to log in to your website, it’s going to look like this: your username, your password, and the Google Authenticator code.
And that’s all there is to it. I hope you found this helpful. If so, please let me know so in the comments and be sure to sign up for our occasional WordHer newsletter. Bye bye!
(Text on screen): Was this helpful? Visit WordHer.com and sign up for my occasional email newsletter. It’s free and you’ll be the first to learn of new tips and how-tos.
Security is important. I agree.
But putting a Google App on the phone is scary.
Isn’t that a risk in itself? There’s been talk of Google monitoring everything we do.
Good question, Steven. I appreciate your cynicism. There are risks in using your phone as a 2-factor code generator, primary among them are that you can easily lose your phone, or it could be stolen by sophisticated thieves who also know your site password. As far as Google goes, I can not see how using a code generation application reveals much personal information about you.
Keep asking these good questions, though. It made me stop and think.
I love the tips you have on this website. I’m relatively new to blogging and since I don’t know what I don’t know, it is a great resource for me. Since I’m an occasional poster (2-4 times a month) and my site is for fun, not commerce, do you think it’s important to add this 2-step verification?
Website security is a matter of layers or small steps. No one step is REQUIRED. It’s a matter of how important your WordPress blog is to you. I find it an easy way to give me peace of mind,
Enjoy your blogging adventure! Be sure to let me know what questions and problems I can help you with.
I am so thrilled that you have created this useful website Barbara, although I have used WP for years I know I will pick up lots of great information that I would never have sought out! Thank you!
Thanks, Elin. I’m still working on finding the right audience for this information. I consider it a “work in progress!”