Secure your WordPress Blog with two-factor authentication

I recently installed the Google Authenticator application and was astonished you were able to add 3rd party accounts to it. I used the application to secure my Google Account, my FaceBook Account and this personal blog.

I’m running a WordPress version 4.1 and installed the Two Factor Auth plugin version 4.4. The plugin adds an additional menu item in the left side of the dashboard called “Two Factor Auth”. This section allows you to configure the two factor authentication on your blog.

First thing to do, is to select how the OTP is required to be delivered. I personnally prefer the use of a 3rd party application, called Google Authenticator. I use this application already to secure my Google Account and my FaceBook Profile. Choose “Third Party Apps” as the delivery type to be used.

TwoFactorAuthentication-1

Once you click “Save Changes” a QR code is added in the lower part of the page. Open the Google Authenticator application on your smartphone and add a new account by using a barcode.

TwoFactorAuthentication-3

Once you scanned the QR code provided by the WordPress site, the OTP authenticator clock is automatically added to the accounts section.

When you logon onto your wordpress site, the regular authentication box appears where you need to fill in your username and password. Once you clicked logon, a new dialog box appears that requires you to fill the 6-digit code provided by Google Authenticator.

TwoFactorAuthentication-2

In the configuration section of Two Factor Auth “Menu > Two Factor Auth“, you can find 3 panic codes. It’s highly advised to store these on a safe location. These codes will provide you access to the WordPress site when you are unable to provide the Google Authenticator 6-digit code. Please note, you can use each code only once and they cannot be regenerated.

By default all user rolesĀ are activated with two factor authentication. When you have users with limited administrative privileges defined, you can allow them not to use these extra security measure by changing the options in “Settings > Two Factor Auth“. From this configuration panel, you also have the ability to change the delivery type for other users when they lost their panic codes.

Happy securing!

Leave a Reply