Use Google Authenticator Plugin to Improve WordPress Security

Last updated on April 12th, 2019 by Robert Abela. Filed under WordPress Security Tutorials & Tips

Enable 2-Step Authentication on your WordPress

The Google Authenticator plugin is an easy-to-configure WordPress security plugin that adds 2-step verification (two-factor authentication) to the login of your WordPress blog or website. In this plugin review and security tutorial we show you how to enable and configure the Google Authenticator plugin to strengthen your WordPress login.

Note: The Google Authenticator application is available for iOS, Android, Windows Phone, webOS, PalmOS and BlackBerry devices, so you need a smart phone or tablet running one of these operating systems to use the plugin. The plugin uses standard time-based one-time passwords (TOTP, RFC 6238), so any other authenticator app that supports that standard will also work with it.

How Google Authenticator for WordPress Works and Why it is More Secure

To login to the WordPress admin pages (dashboard) you need to specify a username and a password, values that rarely change. Although regular password changes are often recommended, very few people make them. Worse, many people reuse the same password on different websites, so a breach of any one of those accounts puts every other site sharing that password at risk.

WordPress Login Page which requires a Google Authenticator Code to allow the user to login to the WordPress dashboard

Once you install and configure the Google Authenticator plugin, you would need the following to login:

  • Username
  • Password
  • Google Authenticator Code (generated by an application on your smart phone / device)

Therefore even if a malicious hacker guesses or steals your username and password, they cannot login to the WordPress dashboard because they do not have a valid Google Authenticator code. The code changes every 30 seconds and is derived from a secret that is stored only in WordPress and in the app on your device, so it cannot be derived from the password. Once you have completed this tutorial, your WordPress login will include an extra input field, as seen in the above screenshot. This strengthens the login form and therefore the security of your WordPress.

Install Google Authenticator Application

First you need to install the Google Authenticator app on your smart phone, tablet or other supported device. If you are familiar with adding apps to your device, install it like any other app. If you need assistance, refer to Google’s own guide, Install Google Authenticator.

Next we explain how to configure the Google Authenticator WordPress plugin. How to use the Google Authenticator app itself is covered later in this tutorial.

Configuring Google Authenticator WordPress Plugin

Once you install and activate the Google Authenticator WordPress plugin, open your WordPress user profile to configure Google Authenticator for a more secure WordPress login. Below is a screenshot of the Google Authenticator settings, which you should find in your WordPress user profile.

Google Authenticator Plugin Settings in WordPress User Profile used to enable and Configure Two Factor Authentication for WordPress

Google Authenticator Plugin Settings

Active: Toggle this option to enable Google Authenticator for your WordPress login. Activate it only once you have completed the entire setup, otherwise you may lock yourself out of your own site.

Relaxed Mode: The one-time code generated by the Google Authenticator app changes every 30 seconds, and by default only a code from the current 30-second window is accepted. Enabling this option allows a code to be used for up to 4 minutes. It is not recommended unless you type very slowly: a wider window gives an attacker who intercepts or guesses a code eight times longer to use it.

Description: Specify a user-friendly description to use as the account name in the Google Authenticator app. Note: You cannot use spaces in the description if you are using iOS (iPhone, iPad etc.).

Adding an Account to Google Authenticator Application

Secret: The secret key is needed if you add the newly configured WordPress account to the Google Authenticator app manually, i.e. without scanning the QR code. To do so, run the Google Authenticator app on your device, select Add Account > Enter Key Provided and type in the secret. Treat this secret like a password: anyone who obtains it can generate valid codes for your account.

Show / Hide QR Code: Alternatively, click Show / Hide QR Code and scan the displayed code with the Google Authenticator app; the account is added automatically once the code is scanned. The QR code encodes the same secret, so do not leave it displayed on screen or share screenshots of it.
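To make the mechanics behind these settings concrete, here is an added example in Python (it is not code from the Google Authenticator plugin or from Google): it computes the same RFC 6238 time-based one-time password that the phone app derives from the base32 Secret, verifies a submitted code with a configurable acceptance window to show the difference between the normal 30-second tolerance and a 4-minute "relaxed" one, and builds the otpauth:// key URI that the QR code encodes. The window widths (±1 step normally, ±8 steps relaxed) and the exact URI label are assumptions; the secret and timestamps are the constructed test values from RFC 6238 Appendix B.

```python
# Added example, not code from the Google Authenticator plugin: a minimal
# RFC 6238 TOTP implementation matching what the phone app computes, a
# verifier whose acceptance window models the plugin's normal and "relaxed"
# modes (the exact window widths are assumed), and the otpauth:// URI that
# the plugin's QR code carries. Secret and timestamps are constructed.
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # Google Authenticator rotates codes every 30 s
DIGITS = 6          # the plugin asks for a 6-digit code


def decode_secret(secret_b32: str) -> bytes:
    """The 'Secret' shown in the WordPress profile is base32; tolerate
    missing padding, spaces and lowercase, which users often paste."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since epoch."""
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify(secret_b32: str, submitted: str, unix_time: int,
           window_steps: int = 1) -> bool:
    """Accept a code valid in any step within +/-window_steps of 'now'.
    window_steps=1 models the normal +/-30 s tolerance; 8 models a
    +/-4-minute 'relaxed' window (assumed widths). Constant-time compare
    avoids leaking which digits matched."""
    if len(submitted) != DIGITS or not submitted.isascii() or not submitted.isdigit():
        return False
    key = decode_secret(secret_b32)
    now = unix_time // STEP_SECONDS
    ok = False
    for counter in range(now - window_steps, now + window_steps + 1):
        if counter < 0:
            continue
        # no early return: every candidate is checked so timing is uniform
        ok |= hmac.compare_digest(hotp(key, counter), submitted)
    return ok


def otpauth_uri(description: str, secret_b32: str) -> str:
    """Key URI the QR code encodes (assumed label layout); 'description' is
    the profile's Description setting and becomes the account label in the
    app. Percent-encoding is why a space in the label can trip some clients."""
    return f"otpauth://totp/{quote(description)}?secret={secret_b32}"


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret ("12345678901234567890" in base32)
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    issued_at = 59
    code = totp(secret, issued_at)
    print("code at t=59:", code)
    print("accepted 90 s later, normal window:", verify(secret, code, issued_at + 90))
    print("accepted 90 s later, relaxed window:", verify(secret, code, issued_at + 90, 8))
    print(otpauth_uri("My Blog", secret))
```

Running it shows that a code issued at t=59 is rejected 90 seconds later with the normal window but accepted with the relaxed one, which is exactly the trade-off the Relaxed Mode setting makes. It also shows why the Secret and the QR code must be protected: anyone holding the secret can call totp() and produce valid codes, with no phone required.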

Allowing Remote Publishing to Bypass Google 2 Step Verification

Enable App Password: You only need to enable this option if you use remote publishing on your WordPress blog or website with applications such as Windows Live Writer. Enabling it lets you set a separate password that such applications use to “bypass” the Google Authenticator code. Tip: Leave Enable App Password disabled unless you really need it, since a password that skips the second factor lowers the overall login security of your WordPress blog or website.

Enabling Google Authenticator on Multi User Blog

As the administrator of a multi-user WordPress blog you cannot configure Google Authenticator for the other users, because each user needs his or her own unique secret. You can, however, enforce Google Authenticator (or hide its settings) for a user by opening that user’s WordPress profile and enabling the desired options, as seen in the screenshot below.

Google Authenticator WordPress Security Plugin Settings on other users profiles

Logging in to WordPress with Google Authenticator Enabled

To login to your WordPress with 2-step verification enabled, navigate to the /wp-admin/ directory as usual and follow the procedure below:

  1. Enter a username and password
  2. Launch the Google Authenticator application on your device
  3. Type the 6-digit code generated by the app into the Google Authenticator Code field and submit the login form

Download the Google Authenticator plugin from the WordPress Plugin Directory to improve your WordPress security.

David Anderson 09/01/2018

Hi Robert,

I was a bit disappointed that you didn’t review (I am the lead developer) – which has more active installs than any of those that you did review, as far as I can say.

It should also be mentioned that if you enable two factor codes by email, then this removes the “two” from “two factor”… unless you have two separate email addresses, access to your email account will yield both your two factor codes, and the WordPress password reset email if you request one.

Robert Abela 12/02/2018

Hello David,

Thank you for reaching out. In this article we only included plugins that allow you to implement a complete 2FA solution for all users without having to pay for premium functionality. We might make another article at a later stage to review ALL 2FA plugins.
