A few weeks ago I wrote about enabling two-factor authentication on several web sites, and yesterday LifeHacker published a similar article with a few more sites. One of these is WordPress – not wordpress.com, but self-hosted blogs, as it turns out there’s a plugin you can install.
The plugin is called Google Authenticator, and, as the name suggests, it involves adding the Google Authenticator app on iPhones and Android phones as a second factor to your password when logging in. Google Authenticator is designed so that it can provide login codes for multiple sites, not just Google itself, and indeed this is how Dropbox has implemented two-factor authentication.
Once installed, each user will need to activate two-factor authentication themselves in their user profile – this is so that the user can scan a QR code for Google Authenticator to work with. The plugin then adds a third field to the login form, alongside the username and password, to enter the generated code.
Although it worked fine in my testing, there are a few things to bear in mind:
- Firstly, there’s no backup option (i.e. SMS messages) – if you don’t have your phone, you can’t log in. The only way around this would be to delete the plugin via FTP from your web server, and then log in normally.
- This will break any clients which need to access your blog using XML-RPC, such as the WordPress apps for iOS and Android. You will instead need to create a separate ‘API password’ for these services which don’t require a second authentication factor. This is somewhat less secure, but does mean that if someone were to intercept your API password, they would not be able to log in via the WordPress dashboard and would not be able to change your password.
- If you use an iPhone, make sure that there are no spaces in the ‘description’ field when setting up the authenticator, as the iPhone app will throw an error. Android doesn’t have this problem, apparently.
Despite these issues, it works well, and offers an additional layer of protection against unauthorised access to your WordPress installation. With two-factor authentication, even if the attacker has your password, unless they also have your phone they won’t be able to break in. Still, I would definitely encourage you to use a strong, unique password for WordPress, and consider installing a plugin that limits the number of times you can unsuccessfully try to log in.