Passwords alone are no longer enough to protect WordPress sites from credential stuffing, phishing and brute-force attacks. According to Sucuri, over 80% of hacked WordPress sites did not use two-factor authentication (2FA).
Enabling 2FA should now be treated as a mandatory security layer for every WordPress site owner. In this guide, we explain everything you need to know about setting up Google Authenticator two-factor authentication for your WordPress dashboard access.
Why Use Google Authenticator for WordPress Security?
Table: Advantages of Using Google Authenticator Plugin

| Benefit | Details |
|---|---|
| Free | Google Authenticator is a free mobile app for iOS and Android. The codes it produces follow the open TOTP standard (RFC 6238), so any compatible authenticator app can be used with the same secret. |
| Easy setup | The Google Authenticator plugin lets each user enable 2FA from their own profile page in a few clicks. |
| Enhanced login security | Adds a 6-digit one-time passcode, regenerated every 30 seconds in the mobile app, that is required to reach the WordPress admin. A stolen or guessed password alone is no longer enough to log in. |
| Broad device support | Because the secret is a standard TOTP seed, it works in Google Authenticator on iPhones, Android phones and tablets, and in other RFC 6238 authenticator apps on any platform. The same secret can be enrolled on several trusted devices. |

Time-based one-time passwords (TOTPs) are computed locally from a shared secret and the current time, so nothing is sent over the phone network. This avoids the weaknesses of SMS-based codes, which can be intercepted or redirected through SIM-swap attacks, and gives you a genuine second factor: something you have (the enrolled device) in addition to something you know (the password).
According to Wordfence, sites using 2FA can block over 96% of automated bot attacks. It's one of the most effective ways to prevent unauthorized access to the dashboard.
Step 1 – Install and Activate Google Authenticator Plugin in WordPress
Installing the Google Authenticator plugin in WordPress takes just a minute:
- In your WordPress dashboard, go to Plugins > Add New
- Search for "Google Authenticator"
- Install and activate the plugin (this guide uses the one published by MakoWeb). Several plugins share the "Google Authenticator" name and Google itself does not publish a WordPress plugin, so check the author, active-install count and last-updated date before installing
- Open Users > Your Profile and confirm the new Google Authenticator configuration section appears
Below is a screenshot of the plugin installation process:
The plugin was most recently updated in December 2022 for compatibility with WordPress 6.1 (the current release at the time of writing) and gained improved site-wide enforcement options.
Step 2 – Configure Google Authenticator Plugin Settings
Under Users > Your Profile:
- Scroll to the Google Authenticator Settings section
- Check the box to Enable 2FA
- Add a Description (for example your website name); this is the label the mobile app shows next to the code
- Leave the QR Code and Secret Key visible: you will scan or type them into the app in Step 3
- Click Save Changes
The Secret Key is the entire 2FA secret. Treat it like a password: store a copy in a password manager for recovery, never email it or post a screenshot of it, and regenerate it if you suspect it has been exposed.
See below for example plugin settings:
Step 3 – Install Google Authenticator Mobile App
The next step is to install Google Authenticator on your iPhone, Android phone or tablet:
- Download the app from the App Store or Google Play
- Open the app and add a new account
- Scan the QR code from your WordPress plugin settings to add the site instantly, or enter the secret key manually
Once added, the app generates a 6-digit verification code that changes every 30 seconds. Enrol the same secret on at least two trusted devices (scan the same QR code on each) so that losing one phone does not lock you out of your site.
Below shows the process of scanning your site's QR code:
Step 4 – Log into WordPress using 2FA Code
You can now log into your WordPress dashboard using 2-step verification powered by Google Authenticator:
- Enter your WordPress username and password as usual
- In the new prompt, enter the current 6-digit code shown in the Google Authenticator app
- Click Log In
Access is granted only when both factors check out: the password and the time-based one-time password from Google Authenticator. Enter the code promptly; one that expires while you are typing will be rejected and you will need to use the next code.
See the following for reference:
Troubleshooting Tips
- Use the current code. Each one is valid for a single 30-second window, plus a small tolerance for clock drift.
- If codes never match, check the clock on both your phone and the web server. TOTP only works when both sides agree on the time: turn on automatic (network) time on the phone and make sure the server syncs with NTP.
- If the app rejects the QR code, delete the entry and scan again, or type the secret key manually.
- Still stuck? Generate a new secret in the plugin settings, save, and scan the new QR code. If you are locked out of wp-admin entirely, rename the plugin's folder under wp-content/plugins over SFTP; WordPress deactivates a plugin whose directory is missing, so you can log in, restore the folder and re-enrol.
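To make the login check in Step 4 and the clock-sync tip above concrete, here is a small TOTP verifier written for this guide. It is an added example, not code from the WordPress plugin or from Google, and it assumes the Google Authenticator defaults the plugin uses: HMAC-SHA1, 30-second steps and 6 digits (RFC 6238). It accepts the step before and after the current one to absorb clock drift, and refuses to accept a code for a step that has already been used, so a code observed over someone's shoulder cannot be replayed inside its 30-second window. The secrets in the block are the public RFC 6238 test-vector key and a constructed example value, not real site secrets.

```python
"""TOTP (RFC 6238) generation and server-side verification, as used by
Google Authenticator-style WordPress 2FA. Added example, not plugin code."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # Google Authenticator default time step
DIGITS = 6          # Google Authenticator default code length
DRIFT_STEPS = 1     # accept one step either side to tolerate clock skew

# Constructed example secret (base32, as shown in the plugin's Secret Key field).
# Not a real site's secret.
EXAMPLE_SECRET = "JBSWY3DPEHPK3PXP"
# Public RFC 6238 test-vector key ("12345678901234567890" in base32).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase, spaces and missing padding
    (apps and plugins are inconsistent about how they display it)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """The code the phone app displays at Unix time `at` (default: now)."""
    t = int(time.time() if at is None else at)
    return hotp(decode_secret(secret_b32), t // STEP_SECONDS)


class TotpVerifier:
    """Server-side check for one user: constant-time compare, +/- DRIFT_STEPS
    tolerance, and each time step accepted at most once (no replay)."""

    def __init__(self, secret_b32: str, drift_steps: int = DRIFT_STEPS):
        self.key = decode_secret(secret_b32)
        self.drift = drift_steps
        self.last_counter = -1  # highest step already consumed

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        now_step = int(time.time() if at is None else at) // STEP_SECONDS
        for delta in range(-self.drift, self.drift + 1):
            step = now_step + delta
            if step <= self.last_counter:
                continue  # already used, or older than a used step: reject replay
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_counter = step
                return True
        return False


if __name__ == "__main__":
    print("current code for the example secret:", totp(EXAMPLE_SECRET))
    v = TotpVerifier(EXAMPLE_SECRET)
    print("first use accepted:", v.verify(totp(EXAMPLE_SECRET)))
    print("replay accepted:", v.verify(totp(EXAMPLE_SECRET)))
```

Two design points are worth noting. The drift window is what makes a phone that is a few seconds off still work, but it is also why the "check date/time sync" tip matters: a device more than one full step (30 seconds) out will never produce an accepted code. The `last_counter` check is the part most home-grown verifiers forget; without it a code is valid for up to 90 seconds and can be entered twice.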
Compare Google Authenticator vs Other WordPress 2FA Options
WordPress core has no built-in 2FA, so every option comes from a plugin. While Google Authenticator is recommended for ease of use, WordPress plugins also support other methods, including:
- FIDO U2F / WebAuthn – Hardware security keys such as YubiKey. The most secure option: the key's response is bound to the site's origin, so a phishing page cannot capture anything usable on the real site, whereas a TOTP code can be phished and relayed within its 30-second window.
- Duo Security – Commercial third-party authentication service with push approvals and centrally managed policy.
- Authy – A TOTP app similar to Google Authenticator, with encrypted cloud backup of tokens. Convenient for recovery, but the backup password becomes one more secret to protect.
Evaluate your site's security needs and your users' preferences before choosing a 2FA provider. Whatever you pick, make sure every account with dashboard access uses some form of 2FA!
Conclusion
I strongly advise all WordPress site owners to implement Google Authenticator two-factor authentication, especially on sites that handle user logins, private user data or payments.
The 6-digit login verification codes provide an indispensable additional layer of security beyond username and password alone. Protect your site from unauthorized access with Google Authenticator 2FA today!
Let me know if you have any other questions in the comments below.