Protect your WordPress blog with two-factor authentication

Martin Brinkmann
Aug 29, 2012
Updated • Aug 30, 2012
Development, Security

As a webmaster I know that it is important to keep a close eye on the security of web properties. This includes updating scripts to new versions when they came out, making sure files and directories have the correct access permissions, and that all users with access to the site have selected secure passwords.

Two-factor authentication has been added to various platforms recently. Google, Microsoft, Facebook, PayPal, Last Pass and more recently Dropbox have all implemented an optional two layered log in process on their sites and for their services.

Google Authenticator is a free plugin for the popular blogging platform WordPress that is adding two-factor authentication to a blog's login process. It uses Google's Authenticator app for that which is available for Android, iPhone and BlackBerry smartphones at the time of writing.

To enable two-factor authentication for a WordPress blog do the following:

  • Install and activate the Google Authenticator plugin
  • Open a user profile and enter a description that you see in the Google Authenticator app


  • This creates a QR code that you need to scan with the app in your phone. If you can't do that you can alternatively use the secret code on the page and enter it in the app.
  • You can download the app by following links on this Google Support page. Android phones must be running at least on version 2.1.
  • Press the update profile button to save the settings

When you now try to log in with the user account, you are asked to enter the username, password and the Google Authenticator code that you can generate on your smartphone.

wordpress two-factor authentication

A few notes:

  • Google Authenticator is a third party plugin and not an official feature of WordPress
  • You need to enable it for every user account that you want to protect this way separately. I'd suggest to protect all system admin accounts this way at least
  • You can generate app specific passwords to log in with an app or software that does not support two-factor authentications
  • If you are running a multisite network, you need to enable the plugin on all sites separately
  • If you lose your phone, you can either delete the plugin from the plugin directory via ftp/sftp, or from the database directly to gain access again. Since attackers could do the same, it is important to make sure that those passwords are very secure.

The Google Authenticator plugin for WordPress is a great app for companies and webmasters who want to improve their site's login security. This renders brute force and dictionary attacks, as well as other forms of guessing or stealing account credentials useless. (via Caschy)


Tutorials & Tips

Previous Post: «
Next Post: «


  1. iampriteshdesai said on March 26, 2009 at 3:15 pm

    Well, some time ago some guy (me) used to copy some of your articles with backlinks, but you said no.

  2. techandlife said on March 26, 2009 at 4:06 pm

    I came across an interesting blog post where they mentioned using Tracer to insert a script on your blog. If any part of your page is copied, it adds a link back to your site to the copied content.
    Here’s the link:

  3. Kaushik said on March 26, 2009 at 4:20 pm

    If you publish full feeds, which you do, you should include a link to the original article or link to the homepage at the bottom of each article. This can usually be done with plugins or simple hacks.

    This way everytime a spam blog republishes your feed, you automatically get an inbound link.

    You should do that.

  4. Daniel Pataki said on March 26, 2009 at 7:10 pm

    I personally hate it if people copy my content and I ask them to remove it every time. The reason is, that if they copy most of my article and link back, the article is still a copy and this does not bode well for me in search engines.

    Apart from that, I just get irked by it, it’s my article, not yours :)

    Kaushik, that’s a great tip, thanks!

  5. iampriteshdesai said on March 26, 2009 at 7:12 pm

    Well, I have read that google picks out the seeds from the fruit.
    If there is a link pointing back to the original article, google attributes the article to the place where the link points.
    Also your PR goes up dues to the links.

  6. Alfonzo Carco said on May 19, 2011 at 11:47 am

    Greetings! I’ve been reading your website for a long time now and finally got the bravery to go ahead and give you a shout out from Dallas Tx! Just wanted to say keep up the fantastic job!

  7. Mansoor said on August 27, 2011 at 10:26 pm

    I have a web portal designed to help students find educational content as they go online. My idea is to let them utilize their time effectively rather than just monkeying around on social networking sites. For the same, I need resources that I possibly can’t generate on my own. Resources like subject matter for example, for English I need grammar rules, summary writing rules etc. Now if I find some useful stuff on a website and I wish to copy it on my own providing the link of the source with it, will that be legal?

  8. Mel said on February 1, 2012 at 5:06 am

    If you’re going to copy content, always make sure to have at least a 3:1 ratio of commentary. For example, for every 3 paragraphs that you cite, make sure you have at least a paragraph of commentary for it. This tends to result in favorable SEO.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.