WordPress 2-Step Verification (WP2SV) is a fantastic new security plugin. (FYI: There’s another Google Authenticator plugin that allows app-specific passwords but doesn’t have email as a 2-factor authentication option, which I fancy.)
It uses Google’s 2-step authentication (video describing the concept is below) for your WordPress logins.
Featured Plugin - WordPress Ecommerce Shopping Cart Plugin
Initial Setup
Initial setup is easy. Go to Users -> 2-Step Verification and click the verification method you prefer (Android, iPhone, or BlackBerry and/or email).
After you’ve successfully added one, there will be a big button (you can’t miss it) to click to activate 2-factor authentication for this WordPress user.
Each user can only have a single mobile device but can have both a mobile device and an email address setup for 2-step authentication. The Google Authenticator Android app and iOS app are very easy to use and don’t even require a data connection.
Featured Plugin - WordPress Q&A Site Plugin
Usage
If you enter the wrong authentication code (a typo), it won’t let you try to enter that same code again. You’ll need to generate a new code (or click to send a new email).
The 2-step verification setting is activated per user, not site-wide. So if one user turns it on, it doesn’t lock out everyone else who hasn’t setup 2-factor authentication yet.
It works for all user levels, from Subscriber to Administrator.
Watch Out
If you remove your active verification (mobile and/or email) but do not click to deactivate 2-step authentication, you’ll get locked out.
If this accident happens, you can go into PHPMyAdmin and find the ‘wp2sv_enabled’ meta_key in the wp_usermeta database table. Then just delete the row (not change the meta_value) and 2-step verification will be turned off for that user.
Featured Plugin - WordPress Membership Site Plugin
Final Thoughts
The plugin is fully functioning, and I’m sure it will get some tweaks as more people download it.
Maybe it’ll even be enhanced in a way that forces the 2-step verification for all users, including setting it up as part of the new WordPress user registration process. How do you like that idea?
Overall, it’s a great tool to add an extra layer of security to one of the easiest WordPress security exploits — your username and password combination — especially for sites that don’t have HTTPS logins.
Credit: screenshots from the plugin’s WordPress.org page
This is a plugin I’ve been thinking about developing for months – obviously somebody beat me to it!
Looks like a very cool implementation.
peterbutler, I’m also glad he did it for you. Maybe donate $1? ;-)
As usual with new plugins, many want to know if they work with Multisite. This information is never available. So does it?
Anders,
I agree that plugin authors should add their opinion of whether or not it’s ready for MultiSite.
I’ll say that it IS because I tested it. Please test for yourself and report back as well.
Thanks!