In case you haven’t heard, apparently self-hosted WordPress blogs are a current target for building botnets. CERT-FI wrote about it, too, mentioning two-factor authentication as a solution. Unfortunately they originally forgot to add a link to the plugin they had in mind, but added it after I wrote them asking about it.
The plugin in question is the Google Authenticator plugin by Henrik Schack. Installing the plugin is straightforward following its instructions.
I ran into an issue when scanning the QR code: the URL in the code was invalid. If you try to use a description with spaces (or other characters problematic in URLs), the resulting URL won’t work. This is because the description is used in the URL without encoding it first. I created a quick patch to add the necessary encoding.
http://kimmo.suominen.com/stuff/google-authenticator-spaces.diff
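The encoding problem described above, as an added example (not the plugin's code and not the linked patch). It assumes the QR code carries an `otpauth://totp/` URI in Google Authenticator's key URI format; the function names and the sample secret are constructed for illustration.

```php
<?php
// Before: the description goes into the URI exactly as typed.
function otpauth_uri_unencoded(string $description, string $secret): string
{
    return 'otpauth://totp/' . $description . '?secret=' . $secret;
}

// After: percent-encode the label. rawurlencode() turns a space into %20;
// urlencode() would emit "+", which means a space only in form-encoded data.
function otpauth_uri_encoded(string $description, string $secret): string
{
    return 'otpauth://totp/' . rawurlencode($description)
         . '?secret=' . rawurlencode($secret);
}

// Strict reader: returns label and secret, or null if the URI is malformed.
function otpauth_parse(string $uri): ?array
{
    $prefix = 'otpauth://totp/';
    if (strncmp($uri, $prefix, strlen($prefix)) !== 0) return null;
    // Whitespace, control characters, quotes and angle brackets may not appear raw.
    if (preg_match('/[\x00-\x20\x7f"<>]/', $uri)) return null;
    $uri   = explode('#', $uri, 2)[0];            // a raw "#" starts a fragment
    $parts = explode('?', substr($uri, strlen($prefix)), 2);
    if (count($parts) !== 2) return null;         // query string went missing
    parse_str($parts[1], $query);
    if (!isset($query['secret']) || $query['secret'] === '') return null;
    return ['label' => rawurldecode($parts[0]), 'secret' => $query['secret']];
}

$secret = 'JBSWY3DPEHPK3PXP';                     // constructed sample secret
foreach (['WordPress', 'My Blog', 'R&D?', 'blog#1'] as $description) {
    foreach (['otpauth_uri_unencoded', 'otpauth_uri_encoded'] as $build) {
        $uri    = $build($description, $secret);
        $parsed = otpauth_parse($uri);
        $ok = $parsed !== null
            && $parsed['label'] === $description
            && $parsed['secret'] === $secret;
        printf("%-22s %-7s %s\n", $build, $ok ? 'ok' : 'BROKEN', $uri);
    }
}
```

A description made only of URL-safe characters round-trips either way, which is why the bug only shows up once the description contains a space, `?` or `#`.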
You can always edit the description on your phone [3], but given a choice I prefer to enter it using a real keyboard.
Hopefully the fix will be included in the next release of the plugin. I’ve opened a support thread about it for version 0.44.
[3] Apple iOS app, or Android app, or see Wikipedia for more.