WordPress is probably the most popular blogging (and web development) platform at the moment.  It’s by far the most used CMS, with a little over 50% market share in 2013, and powering over 60 Million websites at the moment.  But this popularity comes at a price – it is also one of the most targeted CMS system for hackers. WordPress sites are currently  the subject of a large-scale attack from a huge number of computers from across the internet – a distributed brute-force attack.  What makes this current attack more destructive is that it targets the servers on which WordPress sites are hosted.  This is exponentially more dangerous as servers typically have tens, hundreds or even thousands of times faster network connections, thus out-computing normal bot-nets made up of infected home / office computers.

So how do you protect your WordPress site against these brute-force attacks?

Step 1

Download the Google Authenticator plugin for WordPress, install and activate it. (Currently version 0.44)

Step 2

Download and install the Google Authenticator app for your Smartphone

Step 3

Go to your User Profile (users>your profile) where you will be able to edit the Google Authenticator Settings.

Step 4

Activate the Authenticator by checking the box next to Active and click Show/Hide QR code which will show you your unique barcode. Also make sure that you add a name in the description box that you can associate with your site.

Step 5 – Important

Hit Update Profile once you have added your site description and checked the Active box

Now you are ready to scan your barcode.

Step 6

Grab your smartphone and open the Google Authentication app that you just downloaded. When you first start the app the main page will be pretty empty. Click on the Options icon (top right) and choose Set up account

Select Scan a barcode from the options, and choose which program you would like to complete the action. In my example below you can see that I can scan the barcode using either QR Droid or the default Google one.

The app will instantly scan and create your account. You will now see that your WordPress account details (the description name you gave it in WordPress) are present as well as a newly generated number.

These numbers change every 30 seconds meaning that once you have entered the number when you actually login again, you will have a short amount of time to hit enter. Don’t worry if you miss the time slot as you can simply use the next generated number instead.

Logging In for the first time

First, make sure that you are logged out of your site. Now log back in and you will see that along with having to input your Username and Password you will also be required to input your Google Authenticator code. You won’t have to do this every time  but will be required when logging on via other devices.


For more information, we recommend you head over to for their in-depth article  on Two-Factor Authentication