
Tidy Repo

The best & most reliable WordPress plugins

Free Google Authenticator for WordPress

Please read! This plugin is no longer available for download in the WordPress plugin repository. We suggest finding a similar, alternative plugin. We don't know the reason why the plugin is no longer available. Sometimes the author requests the removal, and sometimes it's removed by the repo administrators.

Google Authenticator for WordPress

Plugin Author: Julien Liabeuf

Jay Hoffmann

June 11, 2014 (modified on November 15, 2022)

Security

I’ve written about two-factor authentication before when I added Clef to the repo. Google Authenticator for WordPress allows you to use the Google Authenticator app to easily add two-factor authentication to your WordPress login screen, and let each user set up their own account.

What’s It Do?

Google Authenticator for WordPress adds a new text field to the WordPress login screen where people enter their Google Authenticator code. For those unfamiliar, Google Authenticator is an app that anyone can install on their smartphone of choice (Android/iPhone/Blackberry/etc.). All you have to do is scan a QR code, and the app and your WordPress install will sync up. The app then generates a one-time code that expires every 20 seconds or so, and that code must be entered alongside the username and password to log in. This is known as two-factor authentication, and it heightens security for your site by helping to block outside attacks.

The Google Authenticator for WordPress plugin lets you enable two-factor authentication so that users can set it up if they want (or simply ignore it if they don’t), or you can “force” users to use it, which ensures that any user accessing the site must set up the Google Authenticator app to log in. Each user sets up their own account and can use the device of their choice. The plugin also lets you tweak a few global settings.

How’s It Work?

When you install and activate the plugin, you will have to set it up to get it working. Go to Settings -> Authenticator to get started. The first thing to do is click “Activate plugin.” This will enable two-factor authentication on your site. However, this will not yet be required. We’ll get to that in a bit. You can also change the name of your site in the provided text box. This is what will show up on the Google Authenticator app after it has been set up.

The 2-Factor Code on your Google Authenticator App


In order to actually connect your WordPress install, you must first download the “Google Authenticator” app on your smartphone or mobile device. From there, tap the Edit icon in the top right corner of the app, then the plus sign to add a new site. You will see two options, “Scan Barcode” and “Manual Entry.” Now, hop back over to your WordPress admin, go to Users -> Your Profile, and scroll down to the bottom of the page to the new “WP Google Authenticator” section. Click “Generate Key.” Your page will refresh, and you will see a secret code at the bottom of the page, next to a button that says “Scan QR Code.” Click this button, then go back to the app on your phone and tap the “Scan Barcode” button in the Google Authenticator app. Line up your phone’s camera with the QR code on your screen and voilà, you have enabled two-factor authentication.

Google Authenticator for WordPress Plugin

Setting up individual authentication settings

If you log out of your account and attempt to log back in, you will need to enter the constantly changing 6-digit code from your Google Authenticator app into the provided field in order to log in. Other users on your site can repeat the steps above to add this extra layer of protection to their accounts, but it will not be required, yet.

If you do want to make sure users use two-factor authentication to log in, go to Settings -> Authenticator and check the box next to “Force Use.” If you select this option, users will not be able to log in unless they have set up their account with Google Authenticator. However, users will be able to log in a few times without Google Authenticator so that they can set it up before being locked out. When a user logs in for the first time after you have enabled “Force Use,” a red alert box at the top of the page will inform them that they need to set up Google Authenticator, with a link to their profile to do so. By default, users can log in 3 times before they are locked out, so they have a chance to set up their account. You can change this number via the “Max Attempts” setting in the Settings menu. The last option in Settings, “Authorized Clock Desynchronization,” can be used to extend the amount of time a 6-digit code is accepted after it appears in the app.
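To make the mechanics behind the login field, the clock-desynchronization setting and the “Max Attempts” grace period concrete, here is an added example in Python. It is not the plugin’s code and does not use its API; the function names, parameters and the `login_decision` policy are assumptions modelled on the behaviour the post describes. The code generates and verifies standard TOTP codes (RFC 6238, HMAC-SHA1, 6 digits, 30-second steps, the scheme Google Authenticator uses), accepts codes from a configurable number of neighbouring time steps to tolerate clock drift, and refuses a code that has already been used.

```python
"""Added example (not the plugin's own code): TOTP generation/verification
with a clock-drift window, plus a 'Force Use' grace-login policy.
Names and parameters here are assumptions, not the plugin's API."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

# Constructed test secret: the RFC 4226/6238 vector "12345678901234567890" in base32.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes=20):
    """Random base32 secret, the kind of value 'Generate Key' would store per user."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that the QR code encodes; the phone app scans it to sync up."""
    label = urllib.parse.quote(issuer) + ":" + urllib.parse.quote(account)
    query = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // period), digits)


def verify_totp(secret_b32, submitted, at=None, period=30,
                drift_steps=1, last_used_step=None):
    """Return the time step the code matched, or None.

    drift_steps plays the role of the post's 'Authorized Clock
    Desynchronization': how many 30-second steps either side of 'now' are
    still accepted. last_used_step is the step of the last accepted code, so
    a code cannot be replayed within the window.
    """
    now = time.time() if at is None else at
    current = int(now // period)
    submitted = submitted.strip().replace(" ", "")
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step < 0:
            continue  # before the Unix epoch; no valid code exists
        if last_used_step is not None and step <= last_used_step:
            continue  # replay protection: a step is only ever accepted once
        if hmac.compare_digest(hotp(secret_b32, step, 6), submitted):
            return step
    return None


def login_decision(force_use, has_secret, attempts_used, max_attempts=3):
    """Assumed model of the post's 'Force Use' / 'Max Attempts' behaviour.

    A user with a key must always supply a code; without 'Force Use' anyone
    else may log in freely; with it, they get max_attempts password-only
    logins (with a warning) to set up the app, then are locked out.
    """
    if has_secret:
        return "require_code"
    if not force_use:
        return "allow"
    if attempts_used < max_attempts:
        return "allow_with_warning"
    return "locked_out"


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.org", "My WordPress Site"))
    code = totp(secret)
    print("current code:", code, "verified step:", verify_totp(secret, code))
```

The drift window is the trade-off the “Authorized Clock Desynchronization” setting exposes: a wider window tolerates phones whose clocks are off, but it also lengthens the time a code stays valid, so the replay check matters more the wider you make it. The `login_decision` policy is the part an administrator’s “Reset” button would act on by zeroing `attempts_used`.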

Google Authenticator for WordPress Settings Page

Tweaking global settings

If you want to allow a user to log in again after they have been locked out, visit their profile page as an administrator, scroll down to the bottom, and click the “Reset” button next to Login Attempts so the user can log in again. You can also click the “Revoke Key” button after an account has been set up to reset that user entirely, which will force them to set up their account all over again.

Costs, Caveats, Etc.

For adding a bit of security, two-factor authentication can go a long way. And Google Authenticator is open and used by quite a few people, so it may be a good choice for your site, depending on the user base. The plugin is free, and if you are having any problems at all, visit the support forums to get help from the developer.

Resources