WordPress two-factor authentication (2FA) is simpler to set up than you might imagine. You can improve the security of your website by adding WordPress two-factor authentication. If you are worried about brute-force attacks and hacking, then you should go for 2FA right away.
The essential step in protecting your WordPress setup is adding a two-factor authentication system. Yes, it is possible that the bad guys have already got hold of your password: a study says that a staggering 76% of Internet users have the habit of using the same password across sites. In a situation where your password is compromised, the last line of defense is two-factor authentication.
It is important to have two-factor authentication enabled in banking, shopping, email, and any system that you feel is critical.
In this tutorial, we are going to see how to enable the WordPress two-factor authentication feature for the blog admin login, using the Google Authenticator plugin by miniOrange.
There are various plugins available to set up two-factor authentication in a WordPress blog. For example, the Duo and Rublon Two Factor Authentication plugins are popular choices. In this article, I will guide you through the step-by-step procedure to configure WordPress two-factor authentication by installing the Google Authenticator plugin (by miniOrange).
Two-factor authentication adds an additional layer of security to logging into the system. When WordPress users enter the username and password, the two-factor authentication code is generated dynamically and sent to the user via SMS, email, or app notification, as per the configuration.
In addition to the username and password, the users will be asked to enter the two-factor code to successfully log in to the system.
The Google Authenticator plugin is one of the best plugins for adding two-factor authentication. It has many features for implementing a two-factor authentication system. It supports the Google Authenticator app, the miniOrange Authenticator app, and more.
miniOrange and Google Authenticator Plugin for WordPress 2FA
miniOrange provides the plugin free for one user forever. The second factor of two-factor authentication can be handled in a variety of ways. In general, the authentication methods available are Google / Authy / LastPass Authenticator, QR Code, Push Notification, Soft Token, and security questions (KBA).
This plugin also has premium features for advanced usage such as multi-site support, language translation support, etc. These need to be purchased for use by more than one user.
Google Authenticator enables you to implement two-factor authentication. It generates a verification code on a phone and helps in completing the second step of the verification during the login process. The WordPress two-factor authentication process can also use Google Authenticator to implement the second step.
Install Google Authenticator – WordPress Two-Factor Authentication Plugin
Download the miniOrange plugin from the WordPress plugin repository. Unzip the plugin folder and put it into the wp-content/plugins directory of your site. By doing this, the miniOrange plugin will be listed under the installed plugins.
You can also install plugins by searching with the WordPress admin filter. If you are a beginner in WordPress development, read my WordPress plugin installation guide.
After installing the miniOrange two-factor authentication plugin, activate it using the option provided in the WordPress admin panel. Then, a new menu item, miniOrange 2-Factor, will be added to the WordPress admin menu. Click that menu and follow the steps listed below.
- Register with miniOrange.
- Choose the two-factor authentication method.
- Test your authentication method.
- Configure the roles to which you prefer this two-factor authentication to apply. (Optional)
After completing the above set of configurations, WordPress two-factor authentication will be enabled for your blog or website. In the following sections, we will see how to perform the above steps.
Register with miniOrange
The first step of this configuration process is to register with the miniOrange application. If you do not have an account, the registration wizard will be shown. The registration is very simple and easy. The wizard will require an email and password from you to register with.
On successful registration, the page will show the options to select any one of the two-factor authentication methods listed in the plugin settings flow. In the next section, we will see the methods provided by the miniOrange plugin to add an additional level of security with two-factor authentication.
Once registered with miniOrange, the account details will be populated on the user profile page as shown in the following screenshot.
Choose WordPress Two-Factor Authentication Method
The miniOrange plugin supports numerous methods for adding more security to the login with the WordPress two-factor authentication feature. These methods are available depending on whether you have the basic (free), standard, or premium version of this plugin. The plugin settings page contains the option to upgrade to a higher version to get additional features of this plugin.
The below list shows the two-factor authentication methods supported by this plugin.
- One-time passcodes (OTP) over SMS
- OTP over Email
- OTP over SMS and Email
- Out of Band SMS
- Out of Band Email
- Soft Token
- Push Notification
- USB-based Hardware token
- Security Questions
- Mobile Authentication
- Voice Authentication (Biometrics)
- Phone Verification
- Device Identification
- Location
- Time of Access
- User Behavior
In the following sections, we are going to discuss the authentication methods available in the free version of this plugin. The below screenshot shows the plugin settings page where you choose any one of these auth methods.
Set with Google Authenticator
To configure this authentication method, you need to set up an account using the Google/Authy/LastPass Authenticator app. Then, this account is verified by entering the verification code it generates.
First, install the Google Authenticator app on your phone. This app is available for both Android and iOS. After installation, follow the steps below to set up an account.
- Choose the account name to be configured with the Authenticator app.
- Open the Authenticator app, choose Set up account, and scan the QR code.
- Enter OTP to verify the account.
Once configured with the above settings, a soft token will be created in the authenticator app account. This token will be used as the second factor of the WordPress two-factor authentication.
If you are using this method, then you always have to carry the mobile phone on which you have installed this app, since the verification code is generated by the app and you will need it to log in to your WordPress site. If you feel that this is a handicap and you are not in a position to always carry the phone with you, then you can choose the following option.
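To show what the soft token actually is, here is an added Python example (not code from the plugin or from this tutorial) that derives the same six-digit code the Google Authenticator app displays from the shared secret carried by the scanned QR code, builds the otpauth URI that such a QR code encodes, and verifies a submitted code on the server side with a clock-drift window and replay protection. The secret, account and issuer values are constructed for the demo; WordPress and the miniOrange plugin are PHP, but the computation is the same in any language.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

TIME_STEP = 30  # seconds per code; the Google Authenticator default
DIGITS = 6      # length of the code the app displays

# Constructed demo secret: the RFC 6238 test seed "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_secret: str, at_time: int) -> str:
    # RFC 6238: the code the authenticator app shows at a given Unix time.
    return hotp(base64.b32decode(base32_secret.upper()), at_time // TIME_STEP)


def provisioning_uri(base32_secret: str, account: str, issuer: str) -> str:
    # The otpauth:// text that a settings page encodes into the QR code the app scans.
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={base32_secret}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={TIME_STEP}")


def verify_totp(base32_secret: str, submitted: str, at_time: int,
                last_counter: int = -1, window: int = 1):
    # Server-side check. Accepts the current step or one step either side to
    # allow clock drift, compares in constant time, and rejects any step at or
    # below the last accepted one so an observed code cannot be replayed.
    # Returns (accepted, counter_to_store_for_this_user).
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_counter
    secret = base64.b32decode(base32_secret.upper())
    counter = at_time // TIME_STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_counter
```

Store the returned counter per user after each successful login so the same code is never accepted twice, and keep the server clock synchronised, since a drift of more than one step will reject valid codes.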
Set with Security Questions
This is another method that I have chosen for implementing two-factor authentication in my WordPress demo site. This method will let you configure 3 security question-answer pairs.
By choosing this method, the user or admin will be prompted with these questions when they attempt to log in to the WordPress site. This will surely tighten the WordPress login process and make it more secure.
Once the security questions are selected and configured, they can be used as a backup method in unfortunate scenarios. For example, if the device mapped to the two-factor login authentication is lost, then the security questions could be used to recover access to the account.
The important thing is that you should remember the security questions and answers you are using. Even more important, do not make them very predictable, and do not make a habit of using the same set of questions and answers everywhere.
If you have a problem remembering the security questions and answers, use a pattern mapping technique to remember them. Create a pattern of answers that relates to the site in a unique way and then it will be easier to remember. As with passwords, you should not write them down on paper or in a diary.
The following screenshot shows the plugin interface used to configure the security questions. Two of the three questions are selectable whereas the last question is a custom fillable field.
Set with miniOrange Soft Token
This plugin supports many authenticator apps and also the miniOrange authenticator app. A straightforward, simple two-step process is enough to set up WordPress two-factor authentication with this method.
- Download and install the miniOrange authenticator app.
- Scan the QR code from the plugin settings page by using this app.
After these configuration steps, the soft token will be generated by the authenticator app. This token will be used in the second layer of secure authentication.
Set with QR Code Authentication
The configuration steps are very similar to that of the Soft Token authentication method which we have seen in the last section. After configuring this type of authentication method, the second-level authentication will prompt you to scan the QR code from the account in your authenticator app.
Set miniOrange Push Notification
By setting up the Push Notification method, the login authentication will send a notification to the authenticator app. The user has to accept the notification to proceed further with the login process.
This method and the last two authentication methods require the miniOrange authenticator app to be installed on your mobile device. Like the other authenticator apps, the miniOrange app is also available for both Android and iOS devices.
Test Authentication Method
After setting up the authentication method, the selected method will be shown on the Two Factor configuration page. For this tutorial, I have set up two-factor authentication on my WordPress demo site. I have used the security questions authentication method.
By clicking the Test Authentication Method button, the page will be redirected to a form to test your selected authentication method. Once everything is working as you expected, you are done with the two-factor authentication setup. From the next login onwards, your WordPress site login will contain an additional level of authentication based on the method configured with the authenticator plugin.
Login Interface with WordPress Two-Factor Authentication
After configuring the WordPress two-factor authentication plugin and testing it with the test option provided by the plugin interface, it is time to see how it works on our WordPress site. Once the login username and password are submitted, the user will be redirected to a page that prompts for the additional level of authentication.
As I have selected the security questions option, the second-level authentication page will randomly show any two of the selected security questions. The below screenshot shows the second-level authentication form with the random security questions. Entering valid answers to these questions will let the user into the WordPress dashboard.
Everybody knows the URL of the login page of your WordPress site unless you have changed the default setting. In the first place, it is easy to identify that you are using a WordPress site, as there are numerous signatures a WordPress website leaves. In the same way, it is easy to get the WordPress author URLs and subsequently the admin usernames. All that is left is the password.