With the Google Authenticator plugin you can quickly and easily add two-factor authentication for the WordPress login form. By better protecting your account against attackers, you increase the security of your WordPress website.
WordPress login security
In addition to security gaps in the core as well as in themes and plugins, the WordPress login is one of the possible weak points for the security of your WordPress website.
This is where the human factor comes into play.
Passwords that are far too weak are still commonly chosen, and these are easy to crack by brute-force attacks, i.e. automated requests from bots that simply try out login data.
With Limit Login Attempts and Login LockDown there are plugins to ward off such mass requests. However, they no longer offer effective protection against large botnets with many different IP addresses, as Matthias Pabst recently explained in his blog.
Long and complicated passwords can also be unsafe if the same password is used on multiple websites. A security breach on one of the sites can make all of your accounts vulnerable if hackers get your access data.
Two-factor authentication offers increased protection for the WordPress login.
In addition to the conventional access data (user name and password), you need another way of identification (second factor) to log in.
Online, many services rely on a randomly generated numeric code. It is either sent to the user by SMS or e-mail or generated by an app on the smartphone. Logging in is only possible with the combination of both factors.
Even with knowledge of the login data, an attacker has little chance of getting in because he lacks the security key as the second factor.
Google Authenticator Android / iOS app
One of the most popular apps for two-factor authentication is Google Authenticator. The app can be downloaded free of charge for iOS and Android. The authenticator can also be used with many other services such as Amazon, Dropbox, Mailchimp, Facebook and Google in order to additionally secure your accounts there.
The app generates a new six-digit numeric code every 30 seconds, which has to be entered with every login. The added security therefore comes with a little less convenience. You also always need access to your smartphone, which can be a disadvantage too.
WordPress Google Authenticator Plugin
With the matching Google Authenticator plugin you can extend the WordPress login form on your website with an additional field for entering the security key.
Henrik Schack's plugin is available for download in the WordPress plugin directory. Almost 100 mostly positive reviews speak for the flawless functionality of the plugin. I've been using it on my websites for several years and have never had any problems.
Connect WordPress and Smartphone App
After installing the plugin, you can activate two-factor authentication for your account under User → Your profile.
The plugin generates a QR code containing a random secret key, which you scan with the Google Authenticator app on the smartphone. This links your WordPress website with the app.
After scanning, the Google Authenticator app adds the website as a new service, using the description chosen in the plugin settings, and generates a new auth code for the login every 30 seconds.
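As an added example (not the plugin's or the app's own code), this is the RFC 6238 TOTP computation behind the 30-second six-digit codes the app shows, plus a minimal server-side verifier that tolerates a little clock drift but refuses to accept the same code twice. The secret is the public RFC 6238 test seed, constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the public RFC 6238 test seed "12345678901234567890" in
# base32, not a real account secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # Google Authenticator's time step
DIGITS = 6          # Google Authenticator's code length


def totp(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step                  # index of the current 30-second window
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check: tolerate one step of clock drift either way and never
    accept a window twice, so a code captured on the wire cannot be replayed."""

    def __init__(self, secret_b32, drift_steps=1):
        self.secret = secret_b32
        self.drift = drift_steps
        self.last_used_counter = -1

    def verify(self, submitted, unix_time):
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.drift, self.drift + 1):
            counter = now_counter + delta
            if counter <= self.last_used_counter:
                continue                          # window already consumed
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current demo code:", totp(DEMO_SECRET_B32, int(time.time())))
```

With the demo seed, the block reproduces the RFC 6238 SHA-1 test vectors (truncated to six digits), so you can check it against the app by entering the same seed manually.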
The plugin is thus enabled individually for each user. This allows you to protect your own account with admin rights while normal users can still log in without two-factor authentication. In this way your own account can be secured without affecting other users, which matters especially for online shops, membership sites or forums based on WordPress.
If a smartphone app is required for login, the obvious question is what happens if the smartphone breaks or is lost. Most platforms with two-factor authentication therefore offer ways to log in anyway when the security code is not available, for example with backup codes or a reset via telephone number.
On your own website this is even less dramatic. The Google Authenticator plugin can simply be deleted via FTP, after which you can log in again without a security key. The plugin can then be reinstalled and reconfigured for the new smartphone.