How to enable Google Authenticator two-factor security in WordPress website?

How to enable Google Authenticator two-factor security in WordPress website?

Two-factor security is an extra layer of security in login process in which users have to enter some other code other than username and password. Such codes are only available to the dedicated user only. In this article, we are going to learn how to enable Google Authenticator based two-factor security on our WordPress website.

What is Google Authenticator?

Google Authenticator is the app from Google which helps you set up two-factor security. It provides special code for your login process which changes in every 60 seconds. And, Google Authenticator’s login credential data is saved on the single device only. So, every time you need to log in, you need to have the device in which you’ve installed Google Authenticator app with you. This is what provides brilliant extra-layer security for your system. You can download this app from Google Play store and Apple app store. After downloading, you need to log in using your Google Account. Now, you are ready to use it.

How to enable Google Authenticator on WordPress website?

First of all, you need to install Google Authenticator app on your mobile device. Then, you need to install Google Authenticator plugin on your WordPress website. If you need help to install new plugin, read this blog: How to install new WordPress plugin on your website

After installing the plugin, go to Users >> Your profile.

Setup google authenticator two step verification system on WordPress website

Click on the checkbox next to Active, to activate the system. Then, click on the Show/Hide QR code button next to Secret. You’ll see QR code as shown in below image.

Setup google authenticator two step verification system on WordPress website step 2

Now, you need to open the Google Authenticator app on your mobile. Click on the Plus (+) icon in the app. Scan the QR code. As soon as the scanning process completes, 6 digit code with description ‘WordPressBlog‘ is shown. This code changes in every 60 seconds.

Go to the end of the profile page, and click on the update profile button.

Congratulations! You’ve successfully setup two-step security on your WordPress website with Google Authenticator. Now everytime you log in, you’ll be asked Google Authenticator code in addition to the password.

Wrapping up

Signin credentials of Google Authenticator cannot be transferred to another device. So, if you are using Google Authenticator, don’t forget to remove two-step security from your website before you factory reset your device or change your device. Also, be aware of the security of your device as well. If your device is stolen, you will fall into trouble.

We’ll be posting more WordPress security-related posts on our blog in upcoming days. So, keep following WPCounsel.


How to protect WordPress Admin area at premium level?

How to protect WordPress Admin area at premium level?

We all want to ensure that our WordPress website is safe from hacking, don’t we? WordPress website is controlled by WordPress admin area. It is the part which should be accessible to the admins of the website only. In this article, we are going to know how to protect your WordPress Admin area with premium ways?

Using Two-Step Verification for WordPress login

Two-step verification adds an extra level of protection to your WordPress admin area other than password. When you use two-step verification, you need a code from authenticator app like Google Authenticator when you login your website. You can also use SMS or Phone Call based system for two-step verification. At WPCounsel, we have used Jetpack and thus are using SMS based two-step verification system. Due to this, if hackers get success to get my password as well, he should be able to get SMS passcode send to me during login process which is out of his/her access. Thus, our WordPress website becomes secure.

Limit the Login Attempts

If hackers get an opportunity to try thousands of possible password combinations through brute force attack, they may get success in getting your right password. Not only that brute force attack makes your website slow giving lots of load to the server. To tackle this issue, you need to limit the login attempts.

You can limit the login attempts using a simple plugin called Loginizer. This plugin allows you to set maximum password retries, lockout time, maximum lockouts and many more. This is one of the must-have WordPress plugins for WordPress website security.

Reset Password for all users

If you’ve a big website with several users, there is always higher security risks as well. Your user account’s password may be safe. But, the hacker may be able to get into the account of some other random users. Its hard to know which user’s password has been compromised. In that case, all you can do is reset password for all users at a time.

Its very easy to setup this feature in your WordPress website. All you have to do is install a plugin called Emergency Password Reset. Upon the installation of this plugin, you can go to Users >> Emergency Password Reset page and click on the Reset all passwords button. Now, all users get an email to reset the password of their user account.

Using Website Application Firewall (WAF)

Website Application Firewall (WAF) is third-party service which monitors all the traffic that comes to your website and automatically blocks the suspicious traffics. It’s best in controlling the brute-force attack as well because such traffics get stopped from WAF itself. Well, this is the feature which generally costs you. You can use the WAF of Sucuri or CloudFlare. WPCounsel is using free-version of CloudFlare to protect itself from such attack. You can pay for Sucuri or Cloudflare to get premium services which really values.

Use strong password

The most important part is using the strong password. WordPress suggests you use the strong password. Never hesitate to use then just because such passwords are difficult to remember. If you think you cannot remember, you can save that password somewhere safe and get that when you need to login. But, never ever compromise with website security using a weak password.

Wrapping up

Website security is always the dynamic subject. There are very smart hackers who could find loopholes in your website and get into it. Using above ways, you are doing minimum security arrangement for your website. These ways will help you to keep your website secure to much extent.

We’ll be updating and posting more WordPress website security-related articles in coming days as well. So, keep following WPCounsel.