The login page of a WordPress website is the entry point to personal information, valuable content, and many other things that matter to your business. That's why it's extremely important to keep this page safe from brute force break-ins -- attacks that rapidly try many combinations of usernames and passwords until one succeeds.\r\n\r\nWhen admins and users employ short, simple number combinations and words for usernames and passwords, such as "1234" or "password," a website becomes <a href="https:\/\/www.teamsid.com\/worst-passwords-2015\/">much more susceptible to a security breach<\/a>. But even a strong password can be leaked, reused from another breached site, or eventually guessed.\r\n\r\nThere are several ways to make your login page more secure. You can <a href="https:\/\/pagely.com\/blog\/hiding-wordpress-login-page\/">hide your login page<\/a>, or use <a href="https:\/\/pagely.com\/blog\/account-security-1-login-or-2\/">separate logins<\/a>. But one of the most effective ways is to use two-factor authentication.\r\n\r\nTwo-factor authentication <a href="https:\/\/codex.wordpress.org\/Brute_Force_Attacks" target="_blank" rel="noopener">secures your WordPress login page<\/a> by making a guessed or stolen password insufficient on its own. This post will show you how to secure your WordPress site using Google two-step verification, one of the more reliable multi-factor authentication tools available today.\r\n<h2>What is Two-Factor Authentication?<\/h2>\r\nSingle-factor authentication is when a website requires just a user ID and password to log in. In this case, an attacker can gain entry to a site simply by guessing the right login credentials.\r\n\r\nTwo-factor authentication protects your site from cyber criminals and brute force attacks by reconfirming a user's identity upon login. 
Specifically, two-factor authentication requires each user to enter a verification code from their smartphone, in addition to the password, to complete the login process.\r\n\r\nThis tutorial will show you how to generate that verification code with the Google Authenticator smartphone app. (Google's own account 2-Step Verification can also deliver codes by text message or voice call, but the WordPress plugin used here only accepts the time-based code from an authenticator app; any app that implements standard TOTP will work with the same secret.)\r\n<h2>How To Enable Google Authenticator in WordPress<\/h2>\r\nBefore you install the <a href="https:\/\/play.google.com\/store\/apps\/details?id=com.google.android.apps.authenticator2&hl=en" target="_blank" rel="noopener">Google Authenticator App<\/a> on your mobile phone, you'll need to activate a Google Authenticator plugin on your WordPress website. There are a few to choose from, but at <a href="https:\/\/pagely.com\/">Pagely<\/a> we use <a href="https:\/\/wordpress.org\/plugins\/wp-google-authenticator\/">Google Authenticator for WordPress<\/a>.\r\n\r\n<strong>1.<\/strong> Install and activate the Google Authenticator plugin on your WordPress site. Click through <em><strong>Dashboard > Plugins > Add New<\/strong><\/em> and search for the 'Google Authenticator' plugin. (You may need to scroll a bit to find Google Authenticator for WordPress. It's the one with the blue icon.)\r\n\r\nClick "Install Now," then "Activate."\r\n\r\n<img class="alignnone size-large wp-image-13010" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Screen-Shot-2018-02-22-at-2.11.40-PM-1110x491.png" alt="" width="730" height="323" \/>\r\n\r\n<strong>2. <\/strong>Once the plugin is activated, you will be able to access it through Settings > Authenticator. 
From here, you can activate the plugin, decide whether or not you want to force users to use it (more on this later), and choose how many times people may log in without having set up two-factor authentication.\r\n\r\n<img class="alignnone size-full wp-image-13011" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Screen-Shot-2018-02-22-at-2.16.13-PM.png" alt="" width="1091" height="660" \/>\r\n\r\n<strong>3.<\/strong> Next, you'll need to install the Google Authenticator app on your mobile device. The app generates a six-digit code that changes every 30 seconds; it is computed from the secret you'll share with the site in step 4 and the current time, so the app works offline, but both your phone and your web server need an accurate clock. Once everything is set up, you'll need your login ID, your password, and the code currently shown in the app in order to log in.\r\n\r\nYou may want to enable the app password feature if you do a lot of remote publishing via the WordPress smartphone app; however, an app password lets that client log in without the second factor, so it weakens the protection and should be used only if you really need it.\r\n\r\nNote: this tutorial shows what the installation process looks like on an Android device, but the process is very similar on an iPhone.\r\n\r\n<img class="aligncenter wp-image-8747 size-full" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Installing-App.jpg" alt="Google Two Factor Authentication" width="700" height="796" \/>\r\n\r\n<strong>4.<\/strong> To add your site to the Google Authenticator app, open the app on your smartphone. Go to <em><strong>Set Up Account<\/strong><\/em> and proceed to <em><strong>Add an Account<\/strong><\/em>.\r\n\r\n<img class="aligncenter size-full wp-image-8748" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Adding-an-account-to-Android-App.jpg" alt="Adding an account to Android App" width="700" height="727" \/>\r\n\r\nIf you'd like to add the account manually, <em><strong>enter the key<\/strong><\/em> provided. This is the key that the plugin generates and shows next to "Secret" on the Google Authenticator settings page. 
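That secret is all the app and the site share. Both derive the six-digit codes from it with the TOTP algorithm (RFC 6238: HMAC-SHA1 over the current 30-second time step, truncated to six digits), and the QR code carries the same secret in an otpauth:// URI. The Python below is an added example written for this article, not the plugin's own code, and it uses the public RFC 4226/6238 test-vector key rather than a real secret; the function names are mine. It shows how a code is generated, how a server can check a submitted code while tolerating one step of drift either side (that window size is an assumption; the plugin's own tolerance may differ), and why a server clock that is minutes off rejects every code the phone produces, which is the lockout the Precautions section below warns about.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo key: the RFC 4226/6238 test-vector secret "12345678901234567890",
# base32-encoded the way the Google Authenticator app expects it. Not a real secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # fixed time step used by the Google Authenticator app
DIGITS = 6          # fixed code length used by the Google Authenticator app


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret shown next to "Secret" (spaces/padding optional)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    return hotp(decode_secret(secret_b32), at // step)


def verify_totp(secret_b32: str, submitted: str, now: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the code for the current step or any step within
    +/- `window` (an assumed tolerance, not the plugin's). Rejects malformed input
    before doing any HMAC work and compares in constant time."""
    key = decode_secret(secret_b32)
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    counter = now // step
    accepted = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        # Evaluate every candidate (no early exit) so timing does not reveal which step matched.
        if hmac.compare_digest(hotp(key, counter + delta), submitted):
            accepted = True
    return accepted


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// payload a TOTP QR code encodes (Google Authenticator Key URI Format)."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer, safe='')}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


def skew_demo(secret_b32: str, phone_time: int, server_offset: int) -> bool:
    """The phone (correct clock) generates a code; the server, whose clock is off by
    `server_offset` seconds, verifies it. Returns whether the login would succeed."""
    code = totp(secret_b32, phone_time)
    return verify_totp(secret_b32, code, phone_time + server_offset)


if __name__ == "__main__":
    now = int(time.time())
    print("current code            :", totp(DEMO_SECRET_B32, now))
    print("QR payload              :", otpauth_uri(DEMO_SECRET_B32, "admin@example.com", "Example WP"))
    print("server 20 s slow, accepted :", skew_demo(DEMO_SECRET_B32, now, -20))
    print("server 5 min slow, accepted:", skew_demo(DEMO_SECRET_B32, now, -300))
```

Run it directly and it prints the current code for the demo key, the otpauth:// payload such a QR code would carry, and whether a login succeeds when the server clock is 20 seconds versus 5 minutes behind the phone. The 5-minute case fails every time even though the phone is right, which is why the Precautions below insist on an accurate server clock. Note also that the check rejects anything that is not exactly six digits before touching the secret, and never stops at the first match: a login endpoint should not reveal, by timing or by error message, how close a guess was.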
It's important to write down the secret on a piece of paper and keep it safe: it lets you restore the account on a new phone, but anyone who obtains it can generate valid codes, so treat it like a password.\r\n\r\n<img class="aligncenter size-full wp-image-8749" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Manual-Account-Entry-in-Android.jpg" alt="Manual Account Entry in Android" width="700" height="732" \/>\r\n\r\nYou can also complete this step by using your smartphone's camera to scan the QR code in WordPress; the QR code carries the same secret.\r\n\r\n<img class="aligncenter size-full wp-image-8750" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Setting-showing-QR-Code.jpg" alt="Setting showing QR Code" width="700" height="490" \/>\r\n\r\nOnce you add the account, the app will list your website and start showing codes for it.\r\n\r\n<strong>5.<\/strong> Finally, check the <em><strong>active<\/strong><\/em> box, click <em><strong>update profile<\/strong><\/em>, and log out of WordPress. Before you log out, it's worth opening a private browser window and confirming that you can log in with a code from the app; if the secret was entered wrongly, you'll find out while you still have an admin session to fix it.\r\n\r\n<img class="aligncenter size-full wp-image-8751" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Update-Profile.jpg" alt="Update Profile" width="700" height="480" \/>\r\n\r\n<strong>6.<\/strong> When you open the login page again, you'll see an additional field requiring a Google Authenticator code.\r\n\r\n<img class="aligncenter size-full wp-image-8752" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Login-using-code.jpg" alt="Login using code" width="700" height="634" \/>\r\n\r\nTo log into your website again, enter your username and password as usual. You'll also have to add the code that's currently shown in your mobile app.\r\n\r\n<img class="aligncenter size-full wp-image-8753" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Android-Generating-Code.jpg" alt="Android Generating Code" width="700" height="722" \/>\r\n\r\n<strong>7<\/strong>. If you'd like two-factor authentication to be optional for your users, you can leave the default settings on each profile page. 
After logging in, users can choose to check <em><strong>active<\/strong><\/em> under their profile settings, install the app on their phone, and <em><strong>update<\/strong><\/em> their profiles. If you don't want users to view or edit your website's Google Authenticator settings, simply check <strong><em>hide settings from users<\/em><\/strong> on each user's individual profile page.\r\n\r\n<img class="aligncenter size-full wp-image-8773" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/AUthentication-for-user.jpg" alt="AUthentication for user" width="700" height="458" \/>\r\n\r\n<strong>8.<\/strong> When you activate the Google Authenticator plugin, the verification field appears on the login page for all users, whether or not they've activated it. To avoid confusing your users, install <a href="https:\/\/wordpress.org\/plugins\/google-authenticator-per-user-prompt" target="_blank" rel="noopener">Google Authenticator's Per User Prompt<\/a>. Users who haven't set up two-factor authentication will see the normal login screen without an extra field. Users who have enabled it will be asked for a Google Authenticator code in addition to the usual login screen.\r\n\r\n<img class="aligncenter size-full wp-image-8774" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/2FA_secondpage.png" alt="2FA_secondpage" width="700" height="346" \/>\r\n\r\n<strong>9.<\/strong> If you wish to enforce two-factor authentication for all users, but you want more options than Google Authenticator for WordPress gives you, you can employ <a href="https:\/\/wordpress.org\/plugins\/google-authenticator-encourage-user-activation\/" target="_blank" rel="noopener">Google Authenticator - Encourage User Activation<\/a>.\r\n\r\n<img class="aligncenter wp-image-8755 size-full" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Force-USer.jpg" alt="Force User" width="700" height="326" \/>\r\n\r\nThis plugin lets you choose between "Nag" and "Force." 
"Nag" reminds users to enable two-factor authentication each time they log in. "Force" allows users to log in, but prevents them from taking any action inside WordPress until the feature is enabled.\r\n<h2>Precautions<\/h2>\r\nHere are some precautions you must take while setting up two-factor authentication:\r\n<ul>\r\n \t<li>Make sure your web host keeps accurate time (for example via NTP). Codes are derived from the current time, so if the server clock drifts beyond the plugin's tolerance, every valid code is rejected and everyone is locked out.<\/li>\r\n \t<li>Write down the Google Authenticator secret and keep it safe for future reference. It is shown when you first set up the account, and anyone holding it can generate valid codes, so store it as carefully as a password.<\/li>\r\n \t<li>Don't activate two-factor authentication on behalf of other users, or else they'll be unable to log in without your assistance.<\/li>\r\n \t<li>If you get a new mobile device, add the account to the authenticator app on the new phone (from the saved secret or a fresh QR code) and confirm that a login works before wiping or discarding the old phone.<\/li>\r\n \t<li>Don't delete the app from your mobile without first turning off two-factor authentication on your website.<\/li>\r\n<\/ul>\r\n<img class="aligncenter size-full wp-image-8756" src="https:\/\/pagely.com\/wp-content\/uploads\/2017\/01\/Precautions.jpg" alt="Precautions" width="700" height="904" \/>\r\n<h2>Troubleshooting<\/h2>\r\nAs an admin, it's still possible to lock yourself out of the site (by losing your phone, or for another reason). In such cases, you can rename or delete the plugin's folder under <strong>wp-content\/plugins<\/strong> over SFTP; WordPress deactivates a plugin whose files it can no longer find, which returns the site to single-factor login. Treat this as an emergency measure: until the plugin is back, only the password protects the admin login, so set up a fresh secret and re-enable it promptly. If a user loses his or her phone, an admin can edit the user's profile and uncheck <em><strong>active<\/strong><\/em> so the user can log in without a code and enroll a new device.\r\n\r\nWebmasters and WordPress hosting services have to respond to security threats as they arise. However, installing multi-factor authentication on your site is an important proactive measure for keeping it safe and secure.\r\n\r\nWant to add an additional level of security? 
You can also <a href="https:\/\/pagely.com\/blog\/2015\/08\/toughen-wordpress-site-security-just-clicks-force-strong-passwords-plugin\/">force strong passwords<\/a>.