Google Authenticator for WordPress

The Google Authenticator plugin for WordPress gives you multifactor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

If you're security-aware you may already have the Google Authenticator app installed, using it for multifactor authentication on your Gmail or Google Apps account.

The multifactor authentication requirement can be enabled on a per-user basis: you could enable it for your administrator account but log in as usual with less privileged accounts.

Notice: This plugin requires the SHA1 and SHA256 hashing algorithms to be available in your PHP installation; it is not possible to activate the plugin without them.


Howto

  1. Install and activate the plugin.
  2. Enter a description on the Users -> Profile and Personal options page, in the Google Authenticator section; this is the label the app shows for this site.
  3. Open the Google Authenticator app on your phone and scan the generated QR code with the app's own scanner (a generic barcode scanner app will not add the account), or enter the secret manually; remember to pick the time-based option.
  4. Remember to hit the Update profile button at the bottom of the page before leaving the Personal options page; until you do, no code is required at login.
  5. That’s it, your WordPress blog is now a little more secure.
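
How the six-digit code is produced, and why mismatches happen, is worth seeing in code. The phone and the server share the secret behind the QR code; each derives the code from that secret and the current 30-second time step (TOTP, RFC 6238, built on HOTP's HMAC-SHA1 construction), so every correctly synced device shows the same digits, and a code from a phone whose clock is off, or one entered after its step has passed, fails as "incorrect or has expired". The example below is added here and is not the plugin's own code (the plugin is PHP); the 30-second step, 6 digits, HMAC-SHA1, the one-step tolerance window, the TotpVerifier class and its in-memory last-accepted-counter store are assumptions of the example, as is the sample secret, which is the RFC 4226/6238 test seed "12345678901234567890" encoded in base32.

```python
"""TOTP derivation and verification (added example, not the plugin's code).

Assumed parameters: 30-second step, 6 digits, HMAC-SHA1 (Google
Authenticator's defaults), a +/-1 step tolerance window, and an
in-memory per-user 'last accepted counter' standing in for persistent
storage.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30
DIGITS = 6


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret shown on the profile page (spaces and case ignored)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped base32 padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of whole steps since the Unix epoch."""
    return hotp(decode_secret(secret_b32), at_time // step)


class TotpVerifier:
    """Server-side check with a small clock-skew window and single-use enforcement."""

    def __init__(self, window: int = 1) -> None:
        self.window = window
        self.last_counter: Dict[str, int] = {}  # hypothetical store; real code persists this

    def verify(self, user: str, secret_b32: str, code: str,
               now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        key = decode_secret(secret_b32)
        current = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            # compare_digest: no early exit on the first differing digit
            if hmac.compare_digest(hotp(key, candidate), code):
                # Accept each time step once. A code autofilled by a password
                # manager, or shoulder-surfed, is useless after its first use.
                if candidate <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: RFC 4226/6238 test seed "12345678901234567890" in base32.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code = totp(SECRET, 59)            # every synced device shows this same value
    print("code at t=59:", code)
    verifier = TotpVerifier()
    print("first use accepted:", verifier.verify("admin", SECRET, code, now=59))
    print("replay accepted:", verifier.verify("admin", SECRET, code, now=75))
```

Run it directly to print the code for the test seed at t=59 and then watch the same code be rejected on a second use. The replay check is the part a practitioner should not skip: a TOTP code stays valid for its whole step plus the tolerance window, so a server that only checks the HMAC will accept the same six digits twice within that window.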

Screenshots

Google Authenticator enhanced login box

Google Authenticator Settings

Google Authenticator QR code

Android Google Authenticator App


388 comments on “Google Authenticator for WordPress”

  1. David Stevens says:

    I have tried to activate GA for another user and cannot seem to get it to work. The box for the secret does not appear.

    Also I am wondering if I can use the same secret on multiple sites to avoid having a long list of sites in GA on my phone?

    When setting up my google account it gave me emergency numbers that I could use without my phone. Is there a way to do that with this plugin?

    • Henrik Schack says:

      1) You have to be logged in as the user in question in order to setup the secret.

      2) Not really, that would be bad security, but if you manipulate the database content on your own it would be possible

      3) Use FTP/SSH to get access to your accounts files and delete/rename the plugin folder.

      Best regards
      Henrik Schack

  2. Tomisalav says:

    Hello,

    After updating from “Better WP Security” to the now called “iThemes Security”, and enabling the hide backend feature, this plugin just disappears from the login form.

    • Henrik Schack says:

      Hi
      I’m unable to reproduce the issue on my own server.
      But perhaps you should not use that hide backend feature then?

      Best regards
      Henrik Schack

    • r000t says:

      I’m also not getting 2-FA after upgrading to iThemes Security. I find hiding the backend to be very helpful because I get a lot of requests for wp-admin from people who obviously shouldn’t be seeing it. I like having multiple layers of security, that’s why I installed Google Authenticator in the first place.

  3. Tomisalav says:

    Have you enabled the hide backend feature? I need it because it is a good way to hide WP login form.

  4. Deltablue says:

    HOW TO FIX
    ERROR: The Google Authenticator code is incorrect or has expired.

    Simply download a transients cleaner plugin and remove them.

    Your re-installation should work just fine.

    Cheers

    D.

  5. draekko says:

    Made an update for a client to be able to toggle certain features from an admin page; I can provide a diff if you’d like to see it. Or you can get the code from my GitHub page at https://github.com/draekko/google-authenticator-with-an-admin-page . It works nicely with the add-on I made for WooCommerce for that one site that needed it 🙂 Have a good one.

  6. draekko says:

    In case you’re interested, I created a companion plugin to use G-A with the WooCommerce login page. https://wordpress.org/plugins/google-authenticator-for-woocommerce/

  7. Phil Risk says:

    All of a sudden I get the error that the code is invalid or expired. It’s only happening to some of my admin users. Any ideas for a fix?

  8. Phil W says:

    Downloaded the plug-in, but when I tried to activate it, I got this error message:

    Fatal error: Cannot redeclare class GoogleAuthenticator in /home3/leadesa6/public_html/wp-content/plugins/google-authenticator/google-authenticator.php on line 46

    Any assistance is appreciated.

  9. Bunn says:

    Greetings,

    I am trying to figure out exactly how I can use the Google Authenticator plugin for WordPress with this service:

    gauth.apps.gbraad.nl/#&ui-state=dialog

    I install the plugin, and then what? I apologize for being confused.

    ~Bunneah

    • Henrik Schack says:

      Take your secret key from your profile and use it at the website to generate the 6-digit OTP.
      Actually you should create a website of your own with the source from the site, I see it’s available.

      Best regards
      Henrik Schack

      • Bunn says:

        I am very new at this kind of thing.

        Is there an easy way to do this on my site? I’m using WordPress (current version) with cPanel on the backend.

        Is there a tutorial? Thank you so much for your amazingly fast response 🙂

        ~Bunn

        • Henrik Schack says:

          Ok, I just downloaded the source code for you; you don’t even need to install it on a webserver.
          Send me an email at henrik at schack dot dk, then I’ll reply with a zip file containing the source you can unzip on your own computer and run by opening it in Firefox or Chrome

  10. Carlos says:

    Hi,

    I know I am stupid but each time that I try to setup this on a blog of mine I make the same mistake because I use a bar scanner app on my phone, not the bar scanner of the Google Authenticator app. The other time I was able to use FTP to delete the plug-in folder but in the blog of today I don’t have the FTP option.

    Would you mind enhancing step 3 as follows?:

    3. Open the Google Authenticator app on your phone and scan the generated QR code with its “Scan a barcode” option, or enter the secret manually (remember to pick the time based one)

  11. Giles says:

    I would be interested to know whether this only protects the login screen at login.php, or if it protects any use of the admin account (i.e. through xmlrpc.php)?

    Kind regards,

    Giles

  12. Alan says:

    Hi – Can you please advise when this plugin will be approved for the latest version of WP 3.9.1
    Thanks
    Alan

  13. Eve says:

    What happens when I get a new phone? What if I lose my previous phone?

    “Other services that use Google Authenticator may not offer this feature, so you may need to disable and re-enable your account or extract your codes instead.” http://www.howtogeek.com/130755/how-to-move-your-google-authenticator-credentials-to-a-new-android-phone-or-tablet/

    How would I disable the account or extract the codes?

  14. Michael says:

    Hi Mr Henrik Schack,

    French people don’t speak English very well 🙂

    After f.. hacking, I discovered your ‘Google Authenticator’ plugin for WordPress and installed it on my blog.

    I think it is a very good idea!

    But I don’t have either Android or a smartphone (and I don’t want one).

    Reading on the web, I learned that the Google Authenticator code is not a specific code.

    So I think it would be possible to get this code back with Gmail.

    But I dont catch any fish about that on the web 🙂

    May you help me ?

    Thank you !

    Best Regards,
    Michael

    • Peter says:

      Michael, unfortunately I don’t speak French 🙂

      This webpage may have some alternatives for you. The idea is to run the same process (which is, after all, an RFC standard) on a desktop. Good luck (about to grab the JAuth thing for a Mac myself 🙂 ).

      Kind regards, Peter

  15. John Allen says:

    Thank you, I use your plug-in on many sites and am very pleased!

    I recently lost my phone and had to recreate all my codes. It was a laborious process to disable, log in, re-enable, and scan the codes in (many sites). I have a similar plugin on a couple of Joomla sites that, in the event your phone is lost, will email you a code to get in. This is a REALLY handy feature and made regaining access much easier.

    Please consider adding something similar!

  16. Peter says:

    Just wanted to say thank you. There is another plugin called WP Google Authenticator, but despite you modestly labelling your plugin as a beta (a 0.xx version number), yours seems to work well for the combination of plugins I have on my website, which includes “All in one WP Security”.

    Now I don’t want to be picky, but I much prefer yours because it works 🙂

    Kind regards, Peter

  17. Anthony says:

    Hi Henrik,

    I’d like to use your Google Authenticator plugin, but according to the WordPress plugin directory it hasn’t been tested with WordPress 4.0.

    Could you test it please with 4.0 so I can use it.

    Thanks,

    Anthony

  18. Harsh Singh says:

    Hi Henrik,

    I have recently added the Google Authenticator plugin to my site and have come across something strange. I found that even without adding the authenticator code I am able to log in. In fact I got this checked by one of my friends as well, from a different IP, and the same thing happened.

    Can you tell me why this is happening? Is there any issue that you think can be resolved? It’s just that I am afraid it would easily let anyone enter my site if he/she knows the login details.

    Kindly help.

    Thanks
    Harsh

    • Henrik Schack says:

      Hi Harsh
      Normally this happens if you forget to push “save” after setting everything up.
      or
      From time to time people setup on one account and try to login with another account

      Best regards
      Henrik Schack

  19. Adam says:

    Hello, Henrik! I’ve been successfully using your GA plugin for a while. BUT, I discovered what seems like a flaw:

    I use LastPass to remember my various credentials, including my WordPress admin credentials. LastPass stored a GA code when it saved my WP credentials, so it automatically populates the GA field on the admin sign-in page. In theory, that code shouldn’t work because it’s only supposed to be valid for a short period of time. But, I’m able to log in to my admin panel every time with the same code stored in LastPass. That sort of defeats the purpose of GA, doesn’t it?

    • Henrik Schack says:

      Hi Adam
      Without more information I can only do some guessing.
      Did you by accident disable it on the account you are logging in to?
      Did you recently install other security related plug-ins?
      Best regards
      Henrik Schack

      • Adam says:

        I don’t believe I did either of those things. After I wrote my previous comment, here, I actually tried (and successfully logged in with) “123456” and “000000”. After that, I removed the plugin entirely, so I can’t check those settings, now.

        • Henrik Schack says:

          Well that’s not the way my plugin works, if it’s enabled and no other plugins interfere with the login process.
          Feel free to email me a list of plugins you have enabled on your WordPress installation : henrik at schack dot dk

          Best regards
          Henrik Schack

  20. Nik Dow says:

    Thanks for this very good plugin. I give it 5 *’s and it is now installed on every WP site that I build or manage.

    Here is a suggestion for an enhancement. I could write it for you if you like and send you the code, if you are interested.

    I want all users with admin access to use the 2-factor, but not ordinary subscribers. Problem is I have to check each administrator to make sure they have Google Authenticator enabled for their account.

    Solution: cron job to check all administrator accounts (make the account level a plugin option? ) and email the site admin if any are not using Google Authenticator.

    Regards

  21. Mike Santana says:

    Hi,

    I would like to know how to change the designation in the app, where it says “WordPress” in the Google Authenticator app.

    Can you say the exact line of it and where to change it!

    Thanks a lot!

    It’s a great plugin!

    Miguel

  22. Michael says:

    Hi,

    is it possible to use the plugin with a custom login page?
    I use foo.php instead of wp-login.php

    Regards
    Michael

  23. Oliver says:

    Hi,

    after renewing the operating system on my iPhone I don’t have any data in my Google Authenticator app any more. And the key from the plugin site was not saved. So I have no more access to my blog 🙁
    Is there a solution?

    Many thanks
    Oliver

  24. Eduardo says:

    I have tried to activate GA for another user and cannot seem to get it to work. The box for the secret does not appear.

    I saw in another comment that “the user has to be logged in as the user in question in order to set up the secret.”

    But how is it possible for the user to log in if they don’t have the authenticator code??

    • Henrik Schack says:

      Hi
      Until the user has performed the setup, he doesn’t need any code to login.

      Br
      Henrik Schack

      • Eduardo says:

        Look what is happening:

        1 – I’m an Administrator

        2 – I create another user

        3 – I ACTIVATE this user

        4 – I try to login with this NEW USER

        5 – the login page SHOWS me the “Google Authenticator code” field and when I put username // password the login page gives me “ERROR: The Google Authenticator code is incorrect or has expired.”

        The problem is:

        I turned off and deleted the plugin, but when I created another user I couldn’t log in with this new user any more because it says that the user IS NOT ACTIVE!!!

  25. Cris Hazzard says:

    Is there a way to generate backup codes? Maybe it’s obvious and I’m not seeing it.

  26. Chris says:

    Hello Henrik,

    how can I install the Google Authenticator app for a second admin? For the 2nd user, which is an admin, I only see the checkbox to use the authenticator code. But there is no QR code to scan. I tried to scan the QR code of the first admin and use the app but it does not work.

    Can you help?

    Thank You

    Chris

  27. John says:

    Hello:

    Can you please update plugin Google Auth. so it can support WordPress 4.6 or newer.

    Thank you

  28. me says:

    Thanks for this nice plugin. Works perfectly with WordPress 4.7.1 <3

  29. Nathan says:

    Hello,

    I am wondering if you can help.

    I have Google Authenticator for my WordPress admin set up (under my username – WordPress 4.7, Google Authenticator 0.48), and have the Google Authenticator app working on about 6 phones to be able to log into my WordPress admin.

    We have just tried setting it up on the 7th (for a new staff member), and we can’t get the login with the Google auth code to work.

    Curiously, I notice that on the 7th phone, the code is not the same as the one on my first 2 phones.

    Should the Google auth code be the same on all 7 phones at the same time?

    Also, I then tried creating a new admin user, however it does provide a QR code for that user – see: https://drive.google.com/file/d/0B9FYbNbQc_kLcDRpSzlMX3BwT2M/view?usp=sharing

    Are you able to assist?

    Kind regards,
    Anthony

  30. Michael Zorko says:

    I’m locked out of all 7 of my websites – have been for 3 days – tried everything

  31. Henrik Schack says:

    OK, if you have MySQL access, try this SQL; it’ll show you the Google Authenticator settings for all users:

    select * from wp_usermeta where meta_key like 'googleauthenticator%';

    Executing

    delete from wp_usermeta where meta_key like 'googleauthenticator%';

    will remove your Google Authenticator settings, including the fact that it’s enabled for your account.

    You should then be able to log in with username/password again.
    Br
    Henrik Schack

  32. Raz says:

    Hi,
    I installed your plugin successfully and added 7 of my WordPress websites that I administer without a problem. On one of my websites however, it takes a dump. I believe that it’s the QR code that it’s generating, and it’s looking less graphical (sorry for my lack of understanding here). I have uploaded a sample QR code; I think you will be able to see what I mean:

    http://www.exim.solutions/qr-code-sample/

    The main point, aside from it not generating the right type of QR code I have noted on my other websites (fuller QR graphics): if I try to generate a new secret, the same damn QR code remains. I am taking it there is some error.

    Btw — all websites are hosted on the same hosting company aside from 1 website. All worked but this one….(this is one of the 6 on the same host)

    Please advise.

  33. Mygalomorph says:

    Great plugin; many thanks!

    I have a question about combining your plugin with a Google login plugin (such as Google Apps login). When two-step verification is already setup on the Google account, and the WP account is in turn protected by your plugin, the user has to go through two separate verification processes.

    Would there be some way of dealing with that problem?

  34. Olaf says:

    Hi Henrik,

    Thanks for the great plugin. One concern though, are you still supporting and/or updating the plugin?

    Having a plugin older than 12 months would in itself be a vulnerability, don’t you agree?

    Greetings,
    Olaf

    • Henrik Schack says:

      Hi Olaf
      No I can’t really say I agree on that.
      Br
      Henrik

      • Olaf says:

        Hi Henrik,

        Thanks for your quick response.

        And what about my first question wrt updating/supporting? 🙂

        KR,
        Olaf

        • Henrik Schack says:

          Hello again
          Yes I’ll probably do some updates some day when I have time and feel motivated.
          What I will never ever do is turn my very simple plugin into a swiss army knife of useless features, security related stuff should in my opinion be kept as simple as possible.
          Br
          Henrik

  35. Will Mowlam says:

    You sir, are a legend. Thanks for all your time working on this useful plugin and your patience with its users.

  36. Bob says:

    Hi there

    I may be misunderstanding this plugin a bit, but if I understand it correctly, it works strangely?

    I think:

    o As admin I can’t impose gauth on a user. If I do, the user can’t login for the first time to get the secret/QRcode
    o The user has to turn on gauth themselves
    o The user can turn off gauth any time they like

    Do I understand correctly? Knowing how people will bypass security given the chance, shouldn’t it be possible to force gauth on a user. You would need to allow them to login the first time without giving a code and take them straight to the secret/QRcode dialog.

    regards
    Bob

  37. Mygalomorph says:

    Hi Henrik

    On one install I am testing, after entering the authenticator code I am being left at a blank screen (/wp-login.php?action=gapup_token&remember_me), without being redirected to the site.

    Authenticated login is working correctly, as I can manually go to a site page after entering the authenticator code. The only problem seems to be that redirection isn’t occurring.

    Would there be a known fix for that, or perhaps a likely cause?

    Sorry for the bother 🙂

  38. Eunkyung Song says:

    Hello.

    Why is the key different on each device?
    Rebooting the device and reinstalling the app will result in the same phenomenon.
    What should I do?

  39. Jade Ryan says:

    Good day Henrik! Jade here.. Just asking if there is a way to disable the Google Authenticator on some login inside a page or post?

  40. Oded says:

    This plugin is activated by default to new users, I cannot get new users to login because they still haven’t gone through the process to scan the barcode… I have to deactivate the plugin and activate again once they are in.
    Can you fix that please?

  41. odedta says:

    Well, I have this plugin installed on a few WordPress installations and this happens on every single one of them. Once I activate the plugin on my users, then create a new user for the client, they cannot log in; the Google Authenticator Code textbox appears when they try to log in. I have to disable the plugin, they log in, I re-enable the plugin and then teach them how to create a record of the website in the app.

    If you want I can create a test installation on my server…

    • Henrik Schack says:

      The authenticator code field is always available when the plugin is installed, no matter if the user has activated it or not.
      If the user hasn’t enabled 2FA nothing should be entered in the field

  42. odedta says:

    I see, well, that is confusing for the user, why don’t you add an if statement to show the field according to the enabled/disabled flag?
    Thanks

    • Henrik Schack says:

      I try to avoid giving away useful information to the bad guys looking for hackable accounts.
      I assume you somehow know your users? Have you considered explaining it to them, perhaps when you ask them to enable 2FA?
      Br
      Henrik Schack

  43. Patrick says:

    Hi Henrik.
    I deactivated the GA plugin on my WordPress Dashboard and now I get an Error 500 whenever I try to log into my WP-Admin page.
    Can you tell me please if there is a way to re-activate my GA plugin from the CPanel?
    Many thanks,
    Patrick

  44. Ludo says:

    Hi, your plugin is not working. I’m getting in on my admin page without entering the 2FA code.
    Maybe needs updating?

  45. Menno says:

    Hi Henrik,
    Love the WordPress GA plugin.
    I encountered a problem when changing iPhone… no data were stored/restored in the app.
    So all websites needed to be delete-plugin, login without, activate plugin, new GA code etc.
    Do you know a way to avoid this?

    Thanks again,
    Menno
