Resist Bad Guys by Using Two-Factor Authentication in WordPress
What is Two-Factor Authentication?
Let's understand it in simple terms (in case you don't know yet). To gain access to the PressTemple panel or the WordPress admin panel you enter a username and a password to prove who you are. The password is a secret combination of characters; the correct combination identifies the request as valid and lets you into the system. This is where two-factor authentication comes in: a second credential is required after the password, and it is of a different kind (something you have, rather than something you know). The most common second factor is a one-time password (OTP) delivered by SMS or generated by an app on your phone. Today authenticator apps are the more convenient and more robust choice for this second line of defense, and Google Authenticator is a widely used option for Android and iPhone.
How Does Google Authenticator Work?
Google Authenticator is a mobile app for Android and iPhone. When you try to log in, entering the correct password no longer lets you straight into the system; you are asked for the OTP shown in the authenticator app. The app's OTP changes every 30 seconds because it is computed from a secret shared with the website and the current time (the TOTP scheme), so a code that someone intercepts is useless once its window has passed. After you submit the correct OTP, you get access.
Does 2-Factor Authentication increase security?
Yes, it does. Two-factor authentication unquestionably increases security, though it also adds a step and a second device to every login. How much it protects you still depends on the strength of the first factor: your password. It should be strong and built from the recommended mix of upper- and lower-case letters, numbers and symbols, and be at least 8 characters long (longer is better). The second factor only comes into play once someone has got past the password, so with a weak password the OTP is the only thing standing between an attacker and your site, and you should never want to rely on a single line of defense.
How to set up two-factor authentication for your WordPress Login
As we all know, WordPress is an easy-to-use CMS, and its plugins make it even more widely useful. Here again a plugin makes the work easy and convenient. In this step-by-step process we will set up the Google Authenticator plugin.
First, download the Google Authenticator app and plugin
First we need to install the Google Authenticator mobile app (available from both the Android and iOS stores). Then install the Google Authenticator plugin in WordPress and activate it. Now we are ready to set up two-step security on our WordPress website. Before proceeding to the next step you should know that:
- Google Authenticator can be used on a multi-author website too.
- On a multi-author blog or website, each user decides whether or not to use two-factor authentication.
- Once the admin installs the Google Authenticator plugin, every user gets the option to enable it or leave it disabled.
- So if some authors want it, fine, and if others don't, that's fine too. Keep in mind, though, that an opt-in setting protects only the accounts that opt in: make sure at least every Administrator account enables it.
Now activate and set up the Google Authenticator plugin
After installing and activating the plugin, we need to configure it. Go to your profile via the "Users" menu. In your user profile you will find the option to enable Google Authenticator for your login: check the "Activate" box.

Just below "Activate" you will find the "Relaxed" option. Checking it gives you more time to enter the OTP: in the normal mode the app changes the code every 30 seconds and the plugin stops accepting a code after 1 minute, whereas in relaxed mode a code remains accepted for 4 minutes. This is not necessary, and my recommendation is to keep it disabled: 1 minute is more than enough time to type the OTP, and if you miss it, another code appears. No problem. A wider window also gives a stolen or shoulder-surfed code more time in which it is still useful.

Next is the "Description" box, where you enter a name for the website. This name is shown in the Google Authenticator app next to the code, so pick one that lets you tell instantly which entry belongs to which site. Suppose you are an author on 10 websites and have the authenticator enabled on all of them: if you are logging in to the 5th site and type the OTP for the 2nd, the plugin will reject it as invalid. A clear description tells you quickly which OTP to use for which website.
Now open Google Authenticator on your mobile device for the final setup
Now open the app on your mobile device and tap the '+' sign. It offers two options: enter the secret key manually, or scan the QR code. Scanning the QR code is the easiest and most convenient. On the plugin setup screen (on your PC) the last option is called "Secret"; that box holds your secret key, and the buttons to its right let you generate a new key and display the QR code to scan with the Authenticator app. Treat the secret exactly like a password: anyone who sees the key or the QR code can generate your codes, so don't screenshot it or leave it on screen, and if you suspect it was exposed, generate a new one. After scanning, check that the code the app shows is accepted, and that's it: you are ready to log in with two-factor authentication. Congratulations.
What if I lose my device? How can I get access to the system or website?
You need your phone to see and enter the authenticator OTP. Now imagine you lose your phone and need to access your system, website or anything else where you activated two-factor authentication. This is a real problem you can run into. You then have to follow some extra steps to deactivate the authenticator before you are permitted back into your own system. The cheapest precaution is taken at setup time: keep a copy of the secret key somewhere safe, such as a password manager, so you can enroll a replacement phone without touching the site. Beyond that there are several ways out. If you are with PressTemple, you don't need to worry: just let us know and we will walk you through the recovery of your WordPress login step by step. We do not oversell on this kind of emergency. But if your website is hosted somewhere else, you will need to do something on your own; later we will discuss how to disable Google Authenticator or two-factor authentication and recover your website.