Mar 272014

Google Authenticator Security WordPress tutorial show you how to create a second level security for your WordPress website.

Last Updated: May 10, 2019

Latest News: I updated the details in the documentation.

Google Authenticator 0.52 changelog.

  • Add a Dutch translation
  • Add a Portuguese translation

If you are serious about your website security then follow these instructions. They are simple and easy to follow.

What You Need:

  1. Google Authenticator Plugin
  2. A Smart phone, iPhone or a Google account to use an app through the browser
  3. Google Authenticator App is the app I am currently using. This App can be found through your smart phone or iTunes.
  4. (Optional) You might like to read my other tutorial WordPress Two Factor Authentication Core Files

Google Authenticator Security WordPress

Step 1 ) Install the plugin and activate it. See image below.

google authenticator-plugin-activated

Important Must Read

Remember: Every person that has an account in your website should have this security feature enabled.

Step 2 ) Go to Settings -> Google Authenticator as illustrated in the image below to set up the following options.

Google Authenticator Options

  • Two Screen Signing
  • Roles requiring Google Authenticator Enabled
  • Click on Save Changes button when you finish with your settings.


Step 3 ) Go to your user profile as illustrated in the image below.

google authenticator-your-profile

Step 4 ) Select which options you require while enabling Google Authenticator.

I have selected the following,  ActiveRelaxed mode to give me time to enter the code on my website, I entered a unique Description, copied the Secret code to my local hard disk and clicked on Show/Hide QR code. See images below.

Important: The activation is performed only once. After that the mobile app through your mobile phone or google account will provide you with your Google Authenticator Code which is used when login into the website via the admin panel.

Note: I have not selected to Enable an App password because it will decrease your overall login security.

google authenticator-plugin-settings

Step 4-a ) The following image shows you the QR code you need to scan only once with your iPhone or smart phone. (Note: Make sure you have a valid QR scanner installed in your phone)

I use Google Authenticator App from the iphone App store.

google authenticator-qr-code

Step 4-b ) Make sure you click on Update Profile button to save your settings.

google authenticator-update-profile

Step 5 ) Log out from your admin login as illustrated in the image below and view the new security layer added to your login screen.

google authenticator-log-out

Step 5-a ) If everything goes well you will see a second level of security on your login screen.

google authenticator-google-code

Google Authenticator Test Login

Step 6 ) To log back into your admin panel you will need to enter your usual Username, Password and now you will also have to enter your Google Authenticator code. Which is provided by the app you installed in your smart phone. See image below.

Note: The Google Authenticator Code you see in the image below is just an example of the code you will enter when login in.

google authenticator-login-with-code

Step 7 ) This plugin also works in a Multisite installation. Make sure you network activate the plugin and then log in as the user. This will allow you to activate the plugin for the current user logged in.

That is how simple it is to set up a Two Level Authentication Security for your WordPress website.


Note: If you enter a space on your description or you use a tilde, a character with a stress on top or accent the QR will not work.

Q1 ) What if you forget the code or security code, lost your phone, accidentally deleted the App from your mobile phone?

Follow these instructions.

Ftp into your server, I use Filezilla for windows. Locate your plugin directory and delete or rename the folder. See image below.

google authenticator-troubleshoot

Now check your login again and see if the extra security level has been removed. See image below.

google authenticator-basic-login


Q2 ) How do I show Google Authenticator to subscribed users only who have enabled the security in their profile?

Solution: You can also installed the following plugin Google Authenticator Per User Prompt.

Q3 ) How do I hide Google Authenticator from settings from users?

Solution:  You can check every user’s account profile. In their account profile you will see two options under Google Authentication Settings. Select Hide settings from user.


Alternative to Mobile Phone

Info ) If you don’t have a smart phone you can use some Google Extensions. The following is one that has very good reviews the-qrcode-generator.

If everything goes well you should now have a two level security for your website.

If you have any questions please leave a message. I will be updating this tutorial from to time to time. So keep coming back for any latest updates.


More WordPress Plugins Tutorials:

Manuel Ballesta Ruiz is a web developer, Blogger and WordPress Enthusiast.

  10 Responses to “Google Authenticator Security WordPress”

  1. Hi,
    Thanks for a great tutorial on Google Authenticator.
    I have read through and implemented the process that you outlined in your tutorial. I then updated my profile and saved my new settings as instructed. I then logged out and tried to log back in but couldn’t, as it was asking me to input the QR code but I couldn’t see the QR code. I then had to ask the administrator to re-set my log in. He also explain that i needed to click on the show/hide QR code during the setup stage. and also to scan the displayed QR code with my smart phone during the setup, and that this step is only done once before you update your profile. next time when I log back in it will ask me for the Google authenticator code, which i should get through my smart phone. I think that step 3 of the tutorial should be updated and include a step in there explaining that the scanning of the QR code is done once during the setup stage and that it will be the only time that you will see the QR code. because next time you log back in you will have the access code on the mobile phone, that is where i got confused as i automatically thought that the QR code will be visible every time you try to log in, which is not correct. anyway hope it makes sense what I am trying achieve as i think it would make it easier for a first timer like myself. Thank you. J.Romero

    • Hello Joaquin Romero, thank you for your comment.

      After reading your review and poiting out that more information needs to be added to step 3. I can see your point and will make some changes to better explain the whole procedure. It is always a good idea to take on what readers suggest as they are the ones that read my tutorials.

      Once again thank you for your review.

  2. Hi,
    Thank you for the change in your tutorial, I’ve had a browse and it looks great, that extra paragraph will really help.
    thank you.

  3. Just adding some insights to this post if you’re having troubles adding new users once 2FA has been enabled.

    Step 1: Install the per user plugin

    Step 2: When adding a new user, note their password and also ensure ‘active’ is disabled under their profile for Google Authenticator

    Step 3: Login as that user and set up their Google Authenticator details (if you login as an admin you can’t set these settings on behalf of another user, well I couldn’t if the user was say an Editor)

    Step 4: Provide QR Code to that user along with their access details

    Step 5: User downloads Google Authenticator App and scans code before first access

    Step 6: User (should) changes password as you’ve previously copied down their password to set it up for them

    Step 3-6 you can ask the user to do but you know what they’ll do, they’ll leave 2FA switched off until they need it (which will be after they get hacked) :)

    Hope this helps peeps out there.


    Tim Sutherland
    68 Consulting

  4. Hi, Great post and steps, thanks! I have a membership site using Wishlist Member and for new users all I want is for them to login using 2FA and access the content – 2FA to prevent sharing one account among many would be paying subscribers.

    However, the setup of this seems to require a manual process for each new user.

    Do you know of any integrations or processes with WLM that can assist an automatic signup by the new subscriber? Rather than having the administrator go through each new user and setup sending them the Secret key or QR code?

    As well if you’ve come across a better way to prevent people from sharing logins (currently using Limit Login Attempts Reloaded & Prevent Concurrent logins).

    much appreciate any comments/suggestions.

    • Hi, thank you for your comment. Unfortunately I don’t know much about Wishlist Member “I assume this is a plugin”. I know of a plugin that automatically logs the members into the site after they successfully register as a member. Would this information help you?

      Kind regards

  5. So I activated the plugin and then stepped away from my computer and got signed out without the setup :(. What do I do now? I didn’t scan the QRcode or anything!

    • Hi Ru, did you enable the plugin for your WP User? For example, when you try to log in does it ask you for the authentication code? If it does and as you mentioned above, you did not scan the bar; then you need to carry out the troubleshooting steps found in this tutorial. Let me know how you go.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



The following GDPR rules must be read and accepted:
This form collects your name, email and content so that we can keep track of the comments placed on the website. For more info check our privacy policy where you will get more info on where, how and why we store your data.