Protect your WordPress blog with two-factor authentication
As a webmaster I know that it is important to keep a close eye on the security of web properties. This includes updating scripts to new versions when they come out, making sure files and directories have the correct access permissions, and that all users with access to the site have selected secure passwords.
Two-factor authentication has been added to various platforms recently. Google, Microsoft, Facebook, PayPal, LastPass and more recently Dropbox have all implemented an optional two-layered login process on their sites and for their services.
Google Authenticator is a free plugin for the popular blogging platform WordPress that adds two-factor authentication to a blog's login process. It relies on Google's Authenticator app, which is available for Android, iPhone and BlackBerry smartphones at the time of writing.
To enable two-factor authentication for a WordPress blog do the following:
- Install and activate the Google Authenticator plugin
- Open a user profile and enter a description; this is the label that will be shown in the Google Authenticator app
- This creates a QR code that you need to scan with the app on your phone. If you can't do that, you can alternatively use the secret code shown on the page and enter it in the app manually.
- You can download the app by following the links on this Google Support page. Android phones must be running Android 2.1 or later.
- Press the update profile button to save the settings
When you now try to log in with the user account, you are asked to enter the username, password and the Google Authenticator code that you can generate on your smartphone.
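To show what the secret and the QR code from the profile page actually encode, and how the login-time check works in principle, here is an added TOTP (RFC 6238) implementation in Python; it is illustrative code, not the plugin's own PHP. It generates a Base32 secret as the app expects, builds the otpauth:// URI the QR code carries, and verifies a submitted code with a small clock-drift window. The issuer name and the one-step window are assumptions, not settings taken from the plugin.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # time step in seconds used by Google Authenticator
DIGITS = 6   # length of the code shown in the app


def new_secret() -> str:
    """Generate a fresh 160-bit secret, Base32-encoded as the app expects."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def otpauth_uri(secret_b32: str, label: str, issuer: str = "WordPress") -> str:
    """Build the otpauth:// URI that the enrollment QR code encodes.
    `label` is the description entered on the profile page (shown in the app);
    the issuer value is an assumption for this example."""
    return f"otpauth://totp/{quote(label)}?secret={secret_b32}&issuer={quote(issuer)}"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / STEP."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(key, t // STEP)


def verify(secret_b32: str, submitted: str, for_time: Optional[int] = None,
           window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or `window`
    steps either side (clock drift). Uses a constant-time comparison so the
    check does not leak how many digits matched."""
    key = base64.b32decode(secret_b32.upper())
    t = int(time.time()) if for_time is None else for_time
    counter = t // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), submitted)
               for d in range(-window, window + 1))
```

The test vectors from RFC 4226 and RFC 6238 (secret "12345678901234567890") can be used to confirm the arithmetic matches what the app displays.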
A few notes:
- Google Authenticator is a third party plugin and not an official feature of WordPress
- You need to enable it separately for every user account that you want to protect this way. I'd suggest protecting at least all administrator accounts this way
- You can generate app-specific passwords to log in with an app or software that does not support two-factor authentication
- If you are running a multisite network, you need to enable the plugin on all sites separately
- If you lose your phone, you can regain access either by deleting the plugin from the plugin directory via FTP/SFTP, or by removing it from the database directly. Since an attacker with FTP/SFTP or database access could do the same, it is important to make sure that those passwords are very secure.
The Google Authenticator plugin for WordPress is a great option for companies and webmasters who want to improve their site's login security. This renders brute force and dictionary attacks, as well as other forms of guessing or stealing account credentials, useless. (via Caschy)