Additional WordPress Login Authentication

One of the simplest ways a site can be hacked is with weak login (username/password) credentials. To protect your site we would recommend a added security layer to your login, with one such way being an additional authentication code.

The single most important thing you can do is not to use common usernames. WordPress gives you ‘admin‘ by default so you should never use that. Other common ones we would recommend you don’t use include: test, Admin, administrator, root

The details below show you how to install the ‘Google Authenticator’ App which is available on iPhone, iPad and Android devices etc., and how to use this along with the WordPress Plugin to provide additional login security.

Installing the ‘Google Authenticator’ iPhone/iPad App

The App is available currently for iPhone iOS 3.1.3 or later, Android version 2.1 or later and BlackBerry OS 4.5 – 6.0. Further details can be found by clicking here

1. If you have a iPhone or iPad then go  to the App Store and search for ‘google authenticator‘. This is a free App. Click the link and install the App.


2. The App is now available and will be required for every login to your WordPress site once this installation is completed. We will come back to this App shortly in the steps below.


Installing the ‘Google Authenticator’ WordPress Plugin

Now you have the Google Authenticator we now need to install the corresponding WordPress plugin.

3. In your WordPress Dashboard go to Plugins > Add New and use the search box and type in ‘google authenticator‘.


4. It should be the first plugin in the list but make sure you install the one called ‘Google Authenticator’. Click the Install  Now.


5. Now click the ‘Activate Plugin‘. This will make it appear on your login but note that it is not making your login anymore secure until this installation is completed.


6. Now from the Dashboard go to Users > All Users. For each user you will need to activate this and they will need the App (above) installed on their mobile device.


7. Click the user from the list. Look for the new section under the heading ‘Google Authenticator Settings‘. You will need to click the ‘Active‘ box. We also enabled ‘Relaxed Mode‘ and then set a Description which will be used in the Google Authenticator App to distinguish this site from any others. Then click the Show/Hide QR (3D Barcode) if it’s not visible as we use this to to setup the mobile App.


8. Now going back to the mobile Google Authenticator App. Click the link the ‘+‘ to add a new entry.


9. We used Time Based in this example. Click the ‘Scan Barcode‘.



10. Aim the mobile camera at the screen to just target the QR Code within the box shown on your mobile screen. This will automatically accept the code once it has recognised it. Make sure there is no glare as this can stop it accepting it.


11. Once the entry has been accepted you will see something like below. This shows our Description entry and what the authenticator code is now (this will keep changing over time in this mode).


12. Now it’s very important that you remember to save the new settings for this User otherwise this additional authentication will not be active. Click ‘Update Profile‘ to complete and activate this added security. It will be used the next time you have to login.


Login in to WordPress with the Additional Authentication

13. If you logout of WordPress then first try and login without entering the Authentication code. If it lets you in then you couldn’t have activated the authentication (or it’s not working) in Step 12. If it doesn’t let you in then get the current Authentication code from the mobile app and then login with your normal login credentials – you should now be logged in and your site is more secure.