Two-factor authentication for WordPress

Written late in the morning in English

In case you haven’t heard, apparently self-hosted WordPress blogs are a current target for building botnets. CERT-FI wrote about it, too, mentioning two-factor authentication as a solution. Unfortunately they originally forgot to add a link to the plugin they had in mind, but added it after I wrote them asking about it.

The plugin in question is the Google Authenticator plugin by Henrik Schack. Installing the plugin is straightforward following its instructions.

I ran into an issue when scanning the QR code: the URL in the code was invalid. If you try to use a description with spaces (or other characters problematic in URLs), the resulting URL won’t work. This is because the description is used in the URL without encoding it first. I created a quick patch to add the necessary encoding.

http://kimmo.suominen.com/stuff/google-authenticator-spaces.diff
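The encoding problem described above, as an added PHP example (not the plugin's code and not the linked patch). It assumes the otpauth://totp/LABEL?secret=... key URI layout that Google Authenticator reads; the function names, sample descriptions and secret are made up for illustration.

```php
<?php
// Added illustration; not the plugin's code and not the linked patch.
// Function names and sample values are hypothetical.

// Before: description concatenated into the URI as-is.
function otpauth_uri_unencoded(string $description, string $secret): string {
    return 'otpauth://totp/' . $description . '?secret=' . $secret;
}

// After: description percent-encoded (RFC 3986) before it enters the path.
function otpauth_uri_encoded(string $description, string $secret): string {
    return 'otpauth://totp/' . rawurlencode($description)
         . '?secret=' . rawurlencode($secret);
}

// True only if the URI contains no characters that are illegal in a URI and
// the label a scanner would extract equals the description that was entered.
function label_survives(string $uri, string $description): bool {
    if (!preg_match('/^[A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]+$/', $uri)) {
        return false; // raw space, quote, non-ASCII byte, ...
    }
    $rest  = substr($uri, strlen('otpauth://totp/'));
    $label = strtok($rest, '?#'); // the path ends at the first ? or #
    return rawurldecode((string) $label) === $description;
}

$secret = 'JBSWY3DPEHPK3PXP'; // constructed sample base32 secret
$descriptions = ['MyBlog', 'My WordPress Blog', 'Blog #2', 'Q&A?'];

foreach ($descriptions as $d) {
    $before = otpauth_uri_unencoded($d, $secret);
    $after  = otpauth_uri_encoded($d, $secret);
    printf("%-18s before=%-3s after=%-3s %s\n",
        $d,
        label_survives($before, $d) ? 'ok' : 'BAD',
        label_survives($after, $d) ? 'ok' : 'BAD',
        $after);
}
```

Only the description without special characters passes in the unencoded form; "Q&A?" shows that a description can break the URL even without spaces, because its "?" ends the label early.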

You can always edit the description on your phone, but given a choice I prefer to enter it using a real keyboard.

Hopefully the fix will be included in the next release of the plugin. I’ve opened a support thread about it for version 0.44.