How To Secure WordPress

If you’ve paid a little attention to tech news lately, you know that there’s a chance that you have an account somewhere that has been compromised. Maybe at Sony, Sega or StartSSL.

That companies with millions and millions of registered users are unable to keep our information safe is rather disturbing. But a major side effect of one compromised account is that there is a good chance you’ve used the same username and password for a lot of other services as well. Someone gets their hand on your login information at Sony and they automatically gets access to your other accounts: Facebook, Flickr, Dropbox and PayPal. Crap!

One solution is to use a unique username and password on every site. But can be very inconvenient as the number of accounts increases. Another solution is to use two-factor authentication.

One way to implement two-factor authentication is to require that the user has access to a token that only the end user has access to. An example of this is a credit card with a PIN code. You need both to get money out of an ATM, with only one of them you can’t. Another way is to use a password together with a one-time code provided by a token. This is supported by WordPress, and it is a great way to secure your account. Here’s how you do it.

  1. Install Google Authenticator on your phone (Android version 1.5 or later, BlackBerry OS 4.2 - 4.7, iPhone iOS 4 or later)
  2. Install and activate the Google Authenticator WordPress plugin.
  3. In WordPress, go to the users configuration, enable Google Authenticator login for your user and follow the instructions.

Easy as pie. Now anyone who wants to access your account need your username, your password and the one-time code. It’s very hard for them to get their hands on all three.

The flip side of things is that if you misplace your mobile phone you are screwed and will be unable to log in to your account. If you run your own WordPress installation, this can be resolved. You can dig down in the wp_usermeta table in the database, find the googleauthenticator_enabled setting and change its value to disabled. This SQL statement should enable you to log in again without using the Google Authenticator code. Replace XXX with your own user_id:

UPDATE wp_usermeta
SET meta_value = 'disabled'
WHERE user_id = XXX AND meta_key = 'googleauthenticator_enabled'

The Google Authenticator field will be visible during login, but you don’t have to enter anything.

Another unfortunate side effect is that you can’t use the WordPress for Android application because it doesn’t support two-factor authentication. Since this entry was written, the author has added support for the WordPress for Android application.


This post has no feedback yet.

Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.


It looks like you're using Google's Chrome browser, which records everything you do on the internet. Personally identifiable and sensitive information about you is then sold to the highest bidder, making you a part of surveillance capitalism.

The Contra Chrome comic explains why this is bad, and why you should use another browser.