Yubikey plugin for WordPress

Yubikey This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the Yubikey USB token. The plugin uses the Yubico Web service API in the authentication process.
The one-time password requirement can be enabled on a per user basis.
Your PHP installation must have the Hash and Curl libs enabled, otherwise this plugin won’t work.


  1. Buy a Yubikey.
  2. Create a Yubico ID & API Key.
  3. Download, install and activate my Yubikey plugin for WordPress. (goes into wp-content/plugins).
  4. Enter Key ID on the Users -> Profile and Personal options page.
  5. Enter Yubico ID & API key on the Settings -> Yubikey options page.
    Id/key confused ? Well the Key ID is the first 12 chars from the output Your Yubikey generates, they don’t change, the Yubico ID and API Key is used when communicating with the Yubico authentication server.
  6. That’s it, enjoy the looks of Your new loginbox, and try logging in.


  • 2011-04-14: Styling added to descriptions, thanks to Uwe Moosheimer
  • 2011-04-11: German translation by Uwe Moosheimer added
  • 2011-04-10: Multiple Yubikeys per account now possible, TAB index on registration page fixed.
  • 2009-08-19: Russian translation contributed by M. Comfi
  • 2009-02-09: Plugin has been moved to the official plugin directory
  • 2008-12-13: Minor CSS change, making things look nicer with WordPress 2.7
  • 2008-07-20: API ID & Key moved to a separate optionspage, thanks to Phil Massyn for idea and code.
  • 2008-07-02: Plugin will now fail gracefully if Curl or Hash extensions are missing.
  • 2008-06-25: Initial version

96 kommentarer til “Yubikey plugin for WordPress

  1. borisa siger:

    I am Borisa Djuraskovic and I am working for Web Hosting Hub. I red your yubikey-plugin at http://henrik.schack.dk/yubikey-plugin/ and found that very interesting to be translated to Serbo-Croatian. Let me know if you are Ok with that.
    Thank you very much.
    Borisa Djuraskovic

  2. Stefan Lehrer siger:


    thanks for this great plugin! Would it be possible to support WordPress multisite installations? At the moment, it is just possible to enter the api-key etc. on the individual sites, not the network admin interface.

    Thank you!

  3. borisa siger:

    A week ago, I asked for your permission to translate your plugin. Since I didn’t get any answer from you, it would be very kind of you to consider my proposal and let me know if its alright to translate it.

  4. Kamus Hadenes siger:


    I would like to fork your project and keep the development, since it works so well but hasn’t been updated in 3 years. My first idea is to improve it to support the WordPress mobile app (for now I just did a user agent check to avoid using it, but it can be improved to allow only specific devices). Do you allow me to fork it? Thanks!

    • Henrik Schack siger:

      Hi Kamus
      I have intentionally never implemented support for the mobile app in order to keep the plugin as secure as possible.
      Mobile app support involves removing the requirement for 2 factor authentication in order to publish content.

      If convenience is more important than security there are other 2 factor solutions available that supports what you want.

      Best regards
      Henrik Schack

  5. Martin Boyle siger:


    The link for generating api keys seems to have changed to: https://upgrade.yubico.com/getapikey/


    • Martin Boyle siger:


      Getting confused with an older web page that had the wrong link.

      Thanks for the plugin, it’s keeping my admin account happy 🙂

  6. Anhur siger:

    Is it possible to add a custom val-server?

  7. Michael siger:

    Hi Henrik,
    I have used your plugin for a while. The problem I have discovered is when I change the yubikey (ID and key) it still does not let me to log in. I still have to use the old yubikey.
    I have uninstalled and reinstalled the plugin and it looks it still remember the new ID and key, but the yubikey associated with it does not work – the old one does.
    Please advise.
    Best regards,

  8. andrew siger:


    Week ago I have asked for your permission to translate your yubikey-plugin plugin in Spanish and I didn’t hear any from you since. I hope that you will find time to provide the reply, because we believe that the translation would be of a great use.

    All the best,

    Andrew Kurtis

  9. Dear sir,

    I’ve used your plugin for quite some months.
    Today, I’ve played with the Yubico personalization tool and generated a new configuration for Yubico OTP.
    After doing this and re-configuring your plugin, I’m not able to login to my WordPress blog anymore.
    I guess something went wrong and some old information is still kept in WordPress’s databases.
    I’ve uploaded the new config to Yubico after reconfiguring the Yubikey and also generated a new app key.

    I’ve tried running:
    DELETE FROM wp_usermeta WHERE user_id= AND meta_key LIKE ‘yubikey%’;

    but it still doesn’t work.

    Any help here would be highly appreciated.

    • Henrik Schack siger:

      Hello Mr. Rachita
      If you have overwritten the original configuration on your Yubikey I don’t think you’ll be able to use it with my plugin anymore.
      But you can get access to your blog by simply renaming the yubikey plugin directory
      Best regards
      Henrik Schack

  10. Marc Freimann siger:


    I use your plugin with wordpress 4.1. I am able to create a key and ID and I activated the plugin in WordPress.
    The problem is that for unknown reasons I am still able to login to wordpress (by only using username and password without the OTP).

    I would be really happy if you have any idea.

    BR Marc

    • Henrik Schack siger:

      Hi Marc
      Hmm strange… 2 questions:

      1) Are you sure you’re trying to login with the useraccount you enabled it on ? (Sorry if you find this a very stupid question .. but it has happened to others)

      2) Are you using any other security related plugins ?

      Best regards
      Henrik Schack

      • Marc Freimann siger:

        Hello Henrik,

        thank you very very much for your feedback.

        About your questions:

        (1) I am the only wordpress user on the system but I forgot to active it for this single user.
        After I activated it, all worked perfect. Thank you very much.

        BR Marcus

  11. Björn siger:

    Hello Henrik,

    I can’t authenticate with Version 4.3.1 from wordpress.

    The API Call was successfully, but the yubikey_check_otp function doesn’t work somehow.

    I tried to debug it:

    if ($yubikeyserver==’yubico’) {
    // Does keyid match ?
    if (strtoupper($yubikey_key_id)!=strtoupper($keyid) && strtoupper($yubikey_key_id2)!=strtoupper($keyid) && strtoupper($yubikey_key_id3)!=strtoupper($keyid)) {
    return false;
    // is OTP valid ?
    if (yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key)) {
    if ($user) {
    shell_exec(“echo user_is_set >> /tmp/foobar.txt”);
    return $user;
    } elseif ($yubico_api_key2 !=” && yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key2)) {
    shell_exec(“echo 1 >> /tmp/foobar.txt”);
    return $user;
    } elseif ($yubico_api_key3 !=” && yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key3)) {
    shell_exec(“echo 2 >> /tmp/foobar.txt”);
    return $user;
    } else {
    shell_exec(“echo 3 >> /tmp/foobar.txt”);
    return false;
    return $user;

    cat /tmp/foobar.txt

    I don’t get it 🙁

    Another question would why I can enable the yubico server just in one profile only?


  12. Konstantin siger:

    Yubikey-plugin doesn’t seems to be compatible with WordPress installations using Bedrock’s https://roots.io/bedrock/ bcrypt-password storage.

    I recently tried to use it in a bedrock-wordpress-installation and got locked out after activating the yubikey inside the plugin

  13. GERARD BENNET siger:

    I am logging into my WordPress site from my iPad for the first time. There is no USB slot so I cannot use my yubikey for authentication. If I leave the yubikey field blank, it will not allow me to proceed.

    How can I get past this??

  14. Max siger:

    Hi Henrik,

    it seems the plugin will stop working soon, Details see here: https://status.yubico.com/2018/11/26/deprecating-yubicloud-v1-protocol-plain-text-requests-and-old-tls-versions/


    • Max siger:

      Fixed it with the following modifikation …

      function yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key){

      //Pure PHP Yubicloud class from https://developer.sysco.ch/php/
      $yubicloud = new Yubicloud($yubico_api_id, $yubico_api_key);
      $result = $yubicloud->checkOnYubiCloud($otp);
      return true;
      return false;


Skriv et svar

Din e-mailadresse vil ikke blive publiceret. Krævede felter er markeret med *