Google Authenticator for WordPress

Safely adds 2-factor authentication to your WordPress blog using the Google Authenticator mobile app.

Author:Julien Liabeuf (profile at
WordPress version required:3.0
WordPress version tested:4.1
Plugin version:1.1.0
Added to WordPress repository:16-11-2013
Last updated:15-11-2014
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
Rating, %:94
Rated by:15
Plugin URI:
Total downloads:23 465
Active installs:1 000+
plugin download
Click to start download

If you are concerned about security, you should look into 2-factor authentication.

Quick reminder: 2-factor authentication adds an extra layer of security by requesting a one time password in addition to standard username / password credentials.

This plugin uses the Google Authenticator app. I bet you know Google, and you probably know they have some good products out there. Google Authenticator is one of them.

Download the Google Authenticator app on your phone (iPhone, Android or Blackberry). Install this plugin on your site. After activating it and generating a secret key, you will be able to add the site to your app by scanning a QR code. That's it!

The QR code is generated with Google Charts API using HTTPS to avoid security issues while sending your secret for generation.

What the Plugin Does

  • Adds 2-factor authentication to WordPress login page,
  • Can be eanbled for each user independantly,
  • Admin can force users to use 2FA (and limit the number of allowed logins without setting up 2FA). The use of 2FA can be forced for all users or for specific roles,
  • Support applications passwords (with access log),
  • If admin forces users to use 2FA, users who didn't set it up will be reminded with a warning in their dashboard,
  • Set any name you want to appear in the Google Authenticator app,
  • Allow clock discrepancy (mins +/-),
  • Users can generate a new secret key anytime,
  • Admin can revoke any user's key at anytime,
  • If a user is locked-out after logging-in too many times without using 2FA, admin can reset the counter,
  • Used one time passwords are hashed and stored in the DB to avoid multiple use (in case of interception by an attacker)
  • Recovery code in case the user can't use the app

Using Authy

You're using Authy? Google Authenticator for WordPress is fully compatible with Authy. You can add the 2-steps authentication and use Authy to generate the one time password.