Protect your WordPress blog with two-factor authentication

Martin Brinkmann
Aug 29, 2012
Updated • Aug 30, 2012
Development, Security

As a webmaster I know that it is important to keep a close eye on the security of web properties. This includes updating scripts to new versions when they come out, making sure files and directories have the correct access permissions, and that all users with access to the site have selected secure passwords.

Two-factor authentication has been added to various platforms recently. Google, Microsoft, Facebook, PayPal, LastPass and more recently Dropbox have all implemented an optional two-layered login process on their sites and for their services.

Google Authenticator is a free plugin for the popular blogging platform WordPress that adds two-factor authentication to a blog's login process. It uses Google's Authenticator app, which is available for Android, iPhone and BlackBerry smartphones at the time of writing.

To enable two-factor authentication for a WordPress blog do the following:

  • Install and activate the Google Authenticator plugin
  • Open a user profile and enter a description that will be shown in the Google Authenticator app
  • This creates a QR code that you need to scan with the app on your phone. If you can't do that, you can alternatively use the secret code on the page and enter it in the app manually.
  • You can download the app by following the links on this Google Support page. Android phones must be running at least version 2.1.
  • Press the update profile button to save the settings

When you now try to log in with that user account, you are asked to enter the username, the password and the Google Authenticator code that you generate on your smartphone.
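As an added example that is not part of the article or of the plugin's own code, here is the TOTP algorithm (RFC 6238) that Google Authenticator implements: it shows how the secret shown on the profile page and the six-digit code on the phone are related, and how a login form can verify the submitted code while tolerating a little clock skew. The base32 secret format and the 30-second step are Google Authenticator's standard; the secret in the example is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret: str) -> bytes:
    """Decode the base32 secret shown on the profile page (spaces and case tolerated)."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # base32 input must be padded to a multiple of 8
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: int, step: int = 30) -> str:
    """The code Google Authenticator displays at Unix time `at` (30-second steps)."""
    return hotp(decode_secret(secret), at // step)


def verify(secret: str, submitted: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of clock skew.
    The comparison is constant-time so the check itself does not leak digit matches."""
    key = decode_secret(secret)
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed secret for demonstration; a real one comes from the profile page.
    SECRET = "JBSWY3DPEHPK3PXP"
    now = int(time.time())
    code = totp(SECRET, now)
    print("current code:", code, "accepted:", verify(SECRET, code, now))
```

The secret in the assertions below is the RFC 6238 reference key, so the values can be checked against the RFC's own test vectors.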

A few notes:

  • Google Authenticator is a third-party plugin and not an official feature of WordPress
  • You need to enable it separately for every user account that you want to protect this way. I'd suggest protecting all administrator accounts this way at the very least
  • You can generate app-specific passwords to log in with an app or software that does not support two-factor authentication
  • If you are running a multisite network, you need to enable the plugin on all sites separately
  • If you lose your phone, you can either delete the plugin from the plugin directory via FTP/SFTP, or remove it from the database directly to regain access. Since attackers could do the same, it is important to make sure that the FTP/SFTP and database passwords are very secure.

The Google Authenticator plugin for WordPress is a great choice for companies and webmasters who want to improve their site's login security. It renders brute force and dictionary attacks, as well as other forms of guessing or stealing account credentials, useless. (via Caschy)

  1. raef said on October 23, 2012 at 4:46 pm

    Do you think this two-factor authentication is enough to protect WordPress?

    1. Martin Brinkmann said on October 23, 2012 at 5:27 pm

      It is not enough to protect WordPress from certain types of vulnerabilities. What it does though is protect the system from brute force attacks, phishing and other forms of attacks that steal user credentials.

  2. Jamie Hymanm said on August 31, 2012 at 4:41 am

    Thanks for the interesting post. At least this one doesn’t look like someone from India wrote it!

  3. John said on August 30, 2012 at 6:30 pm

    It would be nice to see more of the leading companies in their respective verticals start giving their users the perfect balance between security and user experience by implementing 2FA which allows you to telesign into your accounts. I know some will claim that 2FA makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your site(s) are secure. I’m hoping that more companies start to offer this awesome functionality. To me this should be a prerequisite to any system that wants to promote itself as being secure.

  4. Beecher Bowers said on August 30, 2012 at 1:59 pm

    This sounds like a good idea for the future. With complex passwords though, I’m not sure multiple factor auth is needed right now. There are free plugins available that limit bad logins by IP and autolockout after a preset number of attempts. For now, I think that’s adequate when balanced with the extra effort involved with two factors.

  5. Duplich said on August 30, 2012 at 1:12 pm

    This sounds a bit complicated but pretty cool though. I haven’t had problems with hackers yet, excluding those annoying spammers, but I plan to adopt this method if I get any problems like those mentioned in the article.

  6. Simon Motto said on August 30, 2012 at 10:43 am

    Thanks for this, a great security plugin indeed.

    1. ilev said on August 30, 2012 at 12:22 pm

      An interesting WordPress application : Instant WordPress

      Your Free WordPress Power Tool
      Instant WordPress is a complete standalone, portable WordPress development environment. It turns any Windows machine into a WordPress development server. It will even run from a USB key.

  7. ilev said on August 30, 2012 at 8:35 am

    Regarding WordPress security:

    Fixing WordPress Website Constantly being Hacked

    …..About a year ago, a vulnerability was found in the popular TimThumb PHP script that is widely used to automatically resize images. The hackers gained access to many websites running WordPress with TimThumb and infected all PHP files with eval(base64_decode code to redirect every visitor that comes from a search engine to websites of their choice…..
    You can easily clean up the malicious gzinflate/eval(base64_decode codes from all PHP files by using this cleaner script to gain back the traffic from search engines, but unfortunately using the script alone is not enough. You may notice that your website gets hacked again and again even if you’ve updated to the latest version of TimThumb because the hacker has already planted a few backdoors. The only way to prevent your website from being constantly hacked is to locate the backdoor and remove it from your server….
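Added example, not ilev's cleaner script nor any tool the comment links to: a read-only triage scan for the injected eval(base64_decode(...)) / gzinflate(...) pattern the comment describes. It lists each matching line and, where the argument is a plain base64 string literal, decodes it one level so an analyst can tell an injected redirect stub from legitimately packed code. The sample PHP sources are constructed; the payload is a harmless redirect to a reserved hostname.

```python
import base64
import re
from pathlib import Path

# Decode-then-eval chains that legitimate theme and plugin code rarely use.
SUSPICIOUS = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def scan_source(name: str, source: str) -> list:
    """Return (file, line number, preview) for each suspicious line in `source`.
    The preview is the decoded payload when it is a bare base64 literal, else the line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not SUSPICIOUS.search(line):
            continue
        preview = line.strip()[:80]
        m = B64_ARG.search(line)
        if m:
            try:
                preview = base64.b64decode(m.group(1)).decode("utf-8", "replace")[:80]
            except ValueError:
                pass                      # not valid base64; keep the raw line
        hits.append((name, lineno, preview))
    return hits


def scan_tree(root: str) -> list:
    """Scan every .php file under `root`; nothing is modified or deleted."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        hits.extend(scan_source(str(path), path.read_text(errors="replace")))
    return hits


# Constructed samples: a clean file and one carrying an injected stub at line 2.
CLEAN = "<?php\nfunction resize($img) { return imagescale($img, 100); }\n"
PAYLOAD = base64.b64encode(b'header("Location: http://example.invalid/");').decode()
INFECTED = "<?php\neval(base64_decode('%s'));\nfunction resize($img) {}\n" % PAYLOAD

if __name__ == "__main__":
    for hit in scan_source("clean.php", CLEAN) + scan_source("infected.php", INFECTED):
        print("%s:%d  %s" % hit)
```

Run `scan_tree("/path/to/wordpress")` on a copy of the web root; a hit only marks a file for manual review, since packed but legitimate libraries can trip the same pattern.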
