Google Authenticator for WordPress


The Google Authenticator plugin for WordPress gives you multifactor authentication using the Google Authenticator app for Android/iPhone/BlackBerry.

If you’re security aware you may already have the Google Authenticator app installed, using it for multifactor authentication on your Gmail or Google Apps account.

The multifactor authentication requirement can be enabled on a per-user basis: you could enable it for your administrator account but log in as usual with less privileged accounts.

Notice: This plugin requires the SHA1 and SHA256 hashing algorithms to be available in your PHP installation; it is not possible to activate the plugin without them.


Howto

  1. Install and activate the plugin.
  2. Enter a description on the Users -> Profile and Personal options page, in the Google Authenticator section.
  3. Scan the generated QR code with the Google Authenticator app on your phone, or enter the secret manually (remember to pick the time-based one).
  4. Remember to hit the Update profile button at the bottom of the page before leaving the Personal options page.
  5. That’s it, your WordPress blog is now a little more secure.

Screenshots

Google Authenticator enhanced login box

Google Authenticator Settings

Google Authenticator QR code

Android Google Authenticator App


354 comments on “Google Authenticator for WordPress”

  1. David Stevens says:

    I have tried to activate GA for another user and cannot seem to get it to work. The box for the secret does not appear.

    Also I am wondering if I can use the same secret on multiple sites to avoid having a long list of sites in GA on my phone?

    When setting up my google account it gave me emergency numbers that I could use without my phone. Is there a way to do that with this plugin?

    • Henrik Schack says:

      1) You have to be logged in as the user in question in order to setup the secret.

      2) Not really, that would be bad security, but if you manipulate the database content on your own it would be possible

      3) Use FTP/SSH to get access to your accounts files and delete/rename the plugin folder.

      Best regards
      Henrik Schack

  2. Tomisalav says:

    Hello,

    After updating from “Better WP Security” to what is now called “iThemes Security”, and enabling the hide backend feature, this plugin just disappears from the login form.

    • Henrik Schack says:

      Hi
      I’m unable to reproduce the issue on my own server.
      But perhaps you should not use that hide backend feature then?

      Best regards
      Henrik Schack

    • r000t says:

      I’m also not getting 2-FA after upgrading to iThemes Security. I find hiding the backend to be very helpful because I get a lot of requests for wp-admin from people who obviously shouldn’t be seeing it. I like having multiple layers of security, that’s why I installed Google Authenticator in the first place.

  3. Tomisalav says:

    Have you enabled the hide backend feature? I need it because it is a good way to hide WP login form.

  4. Deltablue says:

    HOW TO FIX
    ERROR: The Google Authenticator code is incorrect or has expired.

    Simply download a transients cleaner plugin and remove them.

    Your re-installation should work just fine.

    Cheers

    D.

  5. draekko says:

    Made an update for a client to be able to toggle certain features from an admin page; I can provide a diff if you’d like to see it. Or you can get the code from my GitHub page at https://github.com/draekko/google-authenticator-with-an-admin-page – it works nicely with the add-on I made for WooCommerce for that one site that needed it 🙂 Have a good one.

  6. draekko says:

    In case you’re interested, I created a companion plugin to use G-A with the WooCommerce login page. https://wordpress.org/plugins/google-authenticator-for-woocommerce/

  7. Phil Risk says:

    All of a sudden I get the error that the code is invalid or expired. It’s only happening to some of my admin users. Any ideas for a fix?

  8. Phil W says:

    Downloaded the plug-in, but when I tried to activate it, I got this error message:

    Fatal error: Cannot redeclare class GoogleAuthenticator in /home3/leadesa6/public_html/wp-content/plugins/google-authenticator/google-authenticator.php on line 46

    Any assistance is appreciated.

  9. Bunn says:

    Greetings,

    I am trying to figure out exactly how I can use the Google Authenticator plugin for WordPress with this service:

    gauth.apps.gbraad.nl/#&ui-state=dialog

    I install the plugin, and then what? I apologize for being confused.

    ~Bunneah

    • Henrik Schack says:

      Take your secret key from your profile and use it at the website to generate the 6 digit otp.
      Actually you should create a website of your own with the source from the site, I see it’s available.

      Best regards
      Henrik Schack

      • Bunn says:

        I am very new at this kind of thing.

        Is there an easy way to do this on my site? I’m using WordPress (current version) with cPanel on the backend.

        Is there a tutorial? Thank you so much for your amazingly fast response 🙂

        ~Bunn

        • Henrik Schack says:

          Ok, I just downloaded the source code for you; you don’t even need to install it on a webserver.
          Send me an email on henrik at schack dot dk, then I’ll reply with a zip file containing the source you can unzip on your own computer and run by opening it in Firefox or Chrome.

  10. Carlos says:

    Hi,

    I know I am stupid but each time that I try to setup this on a blog of mine I make the same mistake because I use a bar scanner app on my phone, not the bar scanner of the Google Authenticator app. The other time I was able to use FTP to delete the plug-in folder but in the blog of today I don’t have the FTP option.

    Would you mind enhancing step 3 as follows?

    3. Open the Google Authenticator app on your phone and scan the generated QR code with its “Scan a barcode” option, or enter the secret manually (remember to pick the time based one)

  11. Giles says:

    I would be interested to know whether this only protects the login screen at wp-login.php, or if it protects any use of the admin account (i.e. through xmlrpc.php)?

    Kind regards,

    Giles

  12. Alan says:

    Hi – can you please advise when this plugin will be approved for the latest version of WP, 3.9.1?
    Thanks
    Alan

  13. Eve says:

    What happens when I get a new phone? What if I lose my previous phone?

    “Other services that use Google Authenticator may not offer this feature, so you may need to disable and re-enable your account or extract your codes instead.” http://www.howtogeek.com/130755/how-to-move-your-google-authenticator-credentials-to-a-new-android-phone-or-tablet/

    How would I disable the account or extract the codes?

  14. Michael says:

    Hi Mr Henrik Schack,

    French people don’t speak very well English 🙂

    After f.. hacking, I discovered your ‘Google Authenticator’ plugin for WordPress and installed it on my blog.

    I think it is a very good idea!

    But I don’t have either Android or a smartphone (and I don’t want that).

    Reading on the web, I learned that the Google Authenticator code is not a specific code.

    So I think it will be possible to get this code back with Gmail.

    But I didn’t catch any fish about that on the web 🙂

    Can you help me?

    Thank you !

    Best Regards,
    Michael

    • Peter says:

      Michael, unfortunately I don’t speak French 🙂

      This webpage may have some alternatives for you. The idea is to run the same process (which is, after all, an RFC standard) on a desktop. Good luck (about to grab the JAuth thing for a Mac myself 🙂 ).

      Kind regards, Peter

  15. John Allen says:

    Thank you, I use your plug-in on many sites and am very pleased!

    I recently lost my phone and had to recreate all my codes. It was a laborious process to disable, log in, re-enable, and scan the codes in (many sites). I have a similar plugin on a couple of Joomla sites that, in the event your phone is lost, will email you a code to get in. This is a REALLY handy feature and made regaining access much easier.

    Please consider adding something similar!

  16. Peter says:

    Just wanted to say thank you. There is another plugin called WP Google Authenticator, but despite you modestly labelling your plugin as a beta (a 0.xx version number), yours seems to work well for the combination of plugins I have on my website, which includes “All in one WP Security”.

    Now I don’t want to be picky, but I much prefer yours because it works 🙂

    Kind regards, Peter

  17. Anthony says:

    Hi Henrik,

    I’d like to use your Google Authenticator plugin, but according to the WordPress plugin directory it hasn’t been tested with WordPress 4.0.

    Could you please test it with 4.0 so I can use it?

    Thanks,

    Anthony

  18. Harsh Singh says:

    Hi Henrick,

    I have recently added the Google Authenticator plugin to my site and have come across something strange. I found that even without entering the authenticator code I am able to log in. In fact I had this checked by one of my friends as well, from a different IP, and the same thing happened.

    Can you tell me why this is happening? Is there any issue that you think can be resolved? It’s just that I am afraid it would easily let anyone into my site if he/she knows the login details.

    Kindly help.

    Thanks
    Harsh

    • Henrik Schack says:

      Hi Harsh
      Normally this happens if you forget to push “save” after setting everything up,
      or
      from time to time people set up on one account and try to log in with another account.

      Best regards
      Henrik Schack

  19. Adam says:

    Hello, Henrik! I’ve been successfully using your GA plugin for a while. BUT, I discovered what seems like a flaw:

    I use LastPass to remember my various credentials, including my WordPress admin credentials. LastPass stored a GA code when it saved my WP credentials, so it automatically populates the GA field on the admin sign-in page. In theory, that code shouldn’t work because it’s only supposed to be valid for a short period of time. But I’m able to log in to my admin panel every time with the same code stored in LastPass. That sort of defeats the purpose of GA, doesn’t it?

    • Henrik Schack says:

      Hi Adam
      Without more information I can only do some guessing.
      Did you by accident disable it on the account you are logging in to?
      Did you recently install other security related plug-ins?
      Best regards
      Henrik Schack

      • Adam says:

        I don’t believe I did either of those things. After I wrote my previous comment, here, I actually tried (and successfully logged in with) “123456” and “000000”. After that, I removed the plugin entirely, so I can’t check those settings, now.

        • Henrik Schack says:

          Well, that’s not the way my plugin works, if it’s enabled and no other plugins interfere with the login process.
          Feel free to email me a list of plugins you have enabled on your WordPress installation: henrik at schack dot dk

          Best regards
          Henrik Schack

  20. Nik Dow says:

    Thanks for this very good plugin. I give it 5 *’s and it is now installed on every WP site that I build or manage.

    Here is a suggestion for an enhancement. I could write it for you if you like and send you the code, if you are interested.

    I want all users with admin access to use the 2-factor, but not ordinary subscribers. The problem is I have to check each administrator to make sure they have Google Authenticator enabled for their account.

    Solution: a cron job to check all administrator accounts (make the account level a plugin option?) and email the site admin if any are not using Google Authenticator.

    Regards

  21. Mike Santana says:

    Hi,

    I would like to know how to change the designation in the app, where it says “WordPress” in the Google Authenticator app.

    Can you say the exact line of it and where to change it?

    Thanks a lot!

    It’s a great plugin!

    Miguel

  22. Michael says:

    Hi,

    Is it possible to use the plugin with a custom login page?
    I use foo.php instead of wp-login.php.

    Regards
    Michael

  23. Oliver says:

    Hi,

    After renewing the operating system on my iPhone I no longer have any data in my Google Authenticator app. And the key from the plugin site was not saved. So I have no more access to my blog 🙁
    Is there a solution?

    Many thanks
    Oliver

  24. Eduardo says:

    I have tried to activate GA for another user and cannot seem to get it to work. The box for the secret does not appear.

    I saw in another comment that “the user has to be logged in as the user in question in order to set up the secret.”

    But how is it possible for the user to log in if they don’t have the authenticator code??

    • Henrik Schack says:

      Hi
      Until the user has performed the setup, he doesn’t need any code to login.

      Br
      Henrik Schack

      • Eduardo says:

        Look what is happening:

        1 – I’m an Administrator

        2 – I create another user

        3 – I ACTIVATE this user

        4 – I try to login with this NEW USER

        5 – the login page SHOWS me the “Google Authenticator code” field and when I enter username // password the login page gives me “ERROR: The Google Authenticator code is incorrect or has expired.”

        The problem is:

        I turned off and deleted the plugin, but when I created another user I couldn’t log in with this new user anymore because it says that the user IS NOT ACTIVE!!!
