Two Way Authentication for WordPress

Security is, no doubt, important. We have all heard about WordPress blogs getting hacked, where the hacker compromises someone's blog. It can be a nasty thing, especially if the hacker decides to post explicit pictures or steal valuable information that you may store within your blog, or worse, he/she could silently include some sponsored links without you knowing, to generate hits to their site. Of course you have heard the usual security tips such as securing your web-site, using a strong password and things like that.

Two-factor authentication – something you know and something you have (picture taken from

In this post I would like to explain two-factor authentication and how it can help to secure your WordPress. Before that, you need to know a thing or two about information security. I am not going to bore you with a lecture, but rather give you a simple explanation. An ATM (Automated Teller Machine) is a good example: if you want to withdraw money from an ATM, firstly you need an ATM card (duh!). That alone does not grant you permission to withdraw; instead you are asked for a PIN. So if you are a bad guy trying to steal money from an ATM, not only do you need an ATM card, you would also need the PIN. This is how two-factor authentication works. It is just another layer: first you prove who you are to the server, and then the server asks you to enter a generated code or a special PIN to validate that it is really you.
Two-factor authentication is not something new; in fact a lot of banks in Europe use it. A prime example in Malaysia would be HSBC. HSBC online banking requires you to carry a small authenticator. When you enter your password you are presented with a "challenge" (a random number); you have to key the "challenge" into your device and it generates a response. This is how the server verifies it is really you. It makes it impossible for outsiders to get in using existing password-cracking tools alone.
Two-factor authentication is also common in gaming, MMORPGs in particular; an example would be the authenticator used in World of Warcraft.
Installing for WordPress
Thankfully Google made their authenticator system public, which simply means that it can be used for any application out there. People have used it and adapted it for various applications. One example would be the Guild Wars 2 authentication system. Of course some nice soul decided to port it to be used with WordPress as well. So basically all you need is an iPhone/iPad, an Android device or a BlackBerry to generate a number for you. You may download the authenticator from here
Just keep in mind that you need a smartphone as well as WordPress 3.x. I am told that there are physical devices out there that would do the trick, but your best bet is to use a smartphone. If you do not have a smartphone, BlueStacks comes in handy (it allows you to run Android applications on top of Windows/OS X). You may want to take a look at that as well, but I do not recommend running the authenticator on a PC: it defeats the entire purpose if your PC is compromised.
Oh yes, you may download the plug-in from here and install it directly to your WordPress, or alternatively install it from within WordPress itself via the plugin section. Thank you Henrik.Schack for creating this awesome plug-in for WordPress!
Configuring Google Authenticator for WordPress
Activating the plug-in will not enforce two-factor authentication for every user in your WordPress blog. Instead you have to configure it on a per-user basis. I highly recommend enabling two-factor authentication for accounts with administrator rights.
Activate the plug-in and go to the Users -> Profile and Personal Options page, to the Google Authenticator section.
You should see a screen something like this. Fill it in and just follow the instructions; it is pretty straightforward. Once you have configured it, you will be presented with something like this. All you have to do is scan the QR code using Google's Authenticator application on your Android smartphone, iPhone or BlackBerry device.

Once the code is scanned, you will see a new entry in your Google Authenticator app. So the next time you want to sign in, you will have to enter your code along with your password, as shown below.

The new authentication page

Discussion & Conclusion

There are a few things that you should know before you implement two-factor authentication:

  1. Your site has to be secured well enough elsewhere (that is, your plugin folder, your FTP, SQL and HTTP server). If it is not, an attacker could compromise your site in many other ways, which makes having two-factor authentication pointless.
  2. Two-factor authentication protects against brute-force password attacks on the wp-admin page. Combined with other plugins you can "block" people who have tried to enter your site after too many attempts.
  3. If you lose your phone, you are pretty much dead (and you would have to manually disable the addon via phpMyAdmin and edit a few things).
  4. You will have to configure it for each and every user of your WordPress if you want to fully secure it. It becomes troublesome; this is why I highly recommend doing it for administrators only!

Certainly there are advantages to using two-factor authentication, mainly to make your site much more secure and to scare script-kiddies away. To determine whether this is the right thing for you or not, I recommend you try it out first.