WordPress sites are a common target for hackers. The most common form of attack used against WordPress is brute forcing, carried out by automated programs known as bots. These login attempts arrive at tremendous speed, so our server becomes overloaded and the site may crash. Adding 2-factor authentication in WordPress is an effective way to improve our site security. This two-step authentication can protect our site from unauthorized login even if our username and password are compromised. In this blog, I will go through the step by step process to secure the WordPress login with 2-step verification using Google Authenticator.
Step 1: Install the Google Authenticator plugin.
Step 2: Go to the Google Play Store on our mobile and install the Google Authenticator app.
Once the installation is complete the app will display two options to add an account. One is by scanning a barcode and the second is by entering a key. Let us stop at this screen and go to Your Profile section under users in the admin dashboard as shown below.
Step 3: First tick the Active checkbox in the settings to enable the plugin and add the new authenticator section to our site. Also check the Relaxed Mode checkbox so that the token our app generates does not expire quickly. Enter a description and click the Create new secret button. Now click the Show/Hide QR code button. This will display a screen as shown below.
Step 4: Now go back to the app installed on our phone. Select the option to scan the QR code and scan the code displayed on the screen. This will add an account to the app, which will now display a 6-digit number such as 598376.
Step 5: Now click the Update Profile button on the admin's profile page to save our changes.
Step 6: Now let us log out of our WordPress site and go to the login page again. We will see a new section added to the login page as shown below.
Now try to log in by entering the correct username and password but some random value for the Google Authenticator key. We will see an error screen as shown below.
So from now on the login requires the correct username and password combination together with the six-digit code that we see in our Google Authenticator app.
This method adds an additional layer of security to our login page against unauthorized access. But it requires us to have our mobile phone with us whenever we log in to our site. If we lose our phone or delete the app by mistake, we are locked out of our admin access. In that case, we have to delete the plugin manually using FTP to regain access.
Bonus Tip: The basic step towards creating a secure website begins with selecting a complex username as well as password. I have already explained such simple steps to secure a WordPress site. We can also add Google reCAPTCHA to our forms to prevent spam form submissions. All these methods provide a basic level of protection against attacks. If our website is pretty popular and attracts a reasonable volume of visitors, then it is essential to opt for advanced protection plugins like Sucuri.