WordPress 2-Step Verification (WP2SV) is a fantastic new security plugin. (FYI: There’s another Google Authenticator plugin that allows app-specific passwords but doesn’t have email as a 2-factor authentication option, which I fancy.)
It uses Google’s 2-step authentication (video describing the concept is below) for your WordPress logins.
Initial setup is easy. Go to Users -> 2-Step Verification and click the verification method you prefer (Android, iPhone, or BlackBerry and/or email).
After you’ve successfully added one, there will be a big button (you can’t miss it) to click to activate 2-factor authentication for this WordPress user.
Each user can only have a single mobile device but can have both a mobile device and an email address setup for 2-step authentication. The Google Authenticator Android app and iOS app are very easy to use and don’t even require a data connection.
If you enter the wrong authentication code (a typo), it won’t let you try to enter that same code again. You’ll need to generate a new code (or click to send a new email).
The 2-step verification setting is activated per user, not site-wide. So if one user turns it on, it doesn’t lock out everyone else who hasn’t setup 2-factor authentication yet.
It works for all user levels, from Subscriber to Administrator.
If you remove your active verification (mobile and/or email) but do not click to deactivate 2-step authentication, you’ll get locked out.
If this accident happens, you can go into PHPMyAdmin and find the ‘wp2sv_enabled’ meta_key in the wp_usermeta database table. Then just delete the row (not change the meta_value) and 2-step verification will be turned off for that user.
The plugin is fully functioning, and I’m sure it will get some tweaks as more people download it.
Maybe it’ll even be enhanced in a way that forces the 2-step verification for all users, including setting it up as part of the new WordPress user registration process. How do you like that idea?
Overall, it’s a great tool to add an extra layer of security to one of the easiest WordPress security exploits — your username and password combination — especially for sites that don’t have HTTPS logins.
Credit: screenshots from the plugin’s WordPress.org page