“5sec Google Authenticator - Two Step Login Protection” Documentation by “Web factory Ltd” v1.20
“5sec Google Authenticator” WordPress plugin
Thank you very much for purchasing our premium WordPress plugin. If you have any questions that are beyond the scope of this help file, please feel free to email us via our user page contact form. Have a good one!
Getting started guide
Please read this! It'll take you just a minute and ensure everything goes smoothly and you don't have any problems.
5sec Google Authenticator requires WordPress v3.6 or higher to function properly!
- Install the plugin as you would do with any other (details are below if you need them)
- Depending on the mobile phone you have install the iPhone, Android or BlackBerry Google Authenticator app
- Open the app, tap "Add an account" (the plus sign icon) and choose "Scan barcode". Point your phone's camera at the QR code in the email titled "IMPORTANT - 5sec Google Authenticator plugin is activated" that you just received (check the SPAM folder if necessary)
- You're done! Next time you log in to your site, enter the usual username and password combination plus the OTP the app generates. The app produces a new code every 30 seconds and the plugin accepts a code for only about 2 minutes after it was generated, so always use a fresh one.
Installation
Installation
- Download the ZIP package from CodeCanyon.
- Open WordPress admin and go to Plugins -> Add New -> Upload. Browse for the ZIP file 5sec-google-authenticator.zip on your computer and hit "Install Now".
- Activate the plugin.
Upgrade - method #1, it won't reset the plugin's settings, secret keys or QR codes
- Do NOT deactivate the plugin.
- Use FTP to locate folder wp-content/plugins/5sec-google-authenticator/
- Overwrite all files in that folder with the new ones downloaded from CodeCanyon
Upgrade - method #2, it'll reset the plugin's settings, secret keys and QR codes (every user will have to scan a new QR code)
- Deactivate and delete the plugin in your WP admin -> Plugins.
- Use the Add New -> Upload function to upload the new plugin ZIP file.
- Activate the plugin.
Settings
Global plugin settings are available under the Settings - 5sec Google Authenticator menu. The following settings can be adjusted:
- Disable two step authentication on RPC login - third-party apps such as WordPress for iOS log in over XML-RPC and cannot supply an OTP, so if you use them you'll have to disable two step authentication for RPC logins. If you don't use such apps, leave it enabled; otherwise XML-RPC becomes a login path that is protected by the password alone.
- Auto logout after being idle for - if you often forget to log out or use public computers this is a great protection. After no clicks for the set number of minutes, a lightbox pops up asking for username, password and OTP. After entering them you continue working normally without leaving the page. The process is completely unobtrusive.
- Secret login URL - in case you're unable to log in via username, password and OTP, this URL lets you log in with username and password only. Since it bypasses the second step, treat it like a password: don't share it with anyone except your fellow site admins. There's no need to change this URL unless it has been compromised.
- Send QR code to new users - when new users register they need to receive their authenticator QR code, otherwise they won't be able to log in. This option adds the QR code to the welcome email that carries their username and password. If you choose not to send the QR code you'll have to do it manually, by going to the Users screen in WP admin and selecting "send QR emails" from the bulk actions dropdown. Note that the QR code encodes the user's secret key, so anyone who can read that email can generate valid OTPs for the account; treat the email as sensitive.
- Maximum number of failed login attempts before ban - please don't set this number very low, because anybody can have a couple of failed login attempts. 5 failed attempts in 5 minutes is a reasonable value. Once the time window passes the counter is automatically reset.
- Ban time - 2 hours will cool down most attackers, but if you're experiencing heavy brute-force traffic you can even ban offenders forever (10 years, to be precise).
- Banned users - can either be completely banned from accessing the site or just banned from trying to log in. In normal circumstances banning them from logging in is enough. If you experience heavy brute-force attacks, block them completely.
- IP whitelist - list of IP addresses that are ignored by the ban rules. Wildcards are not supported. Write one IP per line without leading zeros, e.g. 192.168.1.12. Whitelisted addresses are never locked out, so list only static addresses you control and keep the list short.
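The ban settings above (failure counter with a time window, ban duration, exact-match IP whitelist) as a worked example. This is added illustration code, not the plugin's own implementation; the class, method names and defaults are assumptions chosen to mirror the documentation's suggested values (5 failures in 5 minutes, 2 hour ban). Timestamps are passed in explicitly so the behaviour can be checked without waiting.

```python
import ipaddress
import time
from collections import defaultdict

# Defaults mirror the documentation's suggested values (an assumption, not the plugin's code).
MAX_FAILURES = 5
FAILURE_WINDOW_SECONDS = 5 * 60
BAN_SECONDS = 2 * 3600


def parse_whitelist(text: str) -> set:
    """One IP per line, exact addresses only. Wildcards or malformed lines raise
    ValueError instead of being silently dropped, so a typo can't quietly remove
    the protection an admin thinks is there."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            entries.add(str(ipaddress.ip_address(line)))
    return entries


class LoginBanList:
    """Hypothetical brute-force limiter: N failures inside a sliding window => ban."""

    def __init__(self, whitelist_text="", max_failures=MAX_FAILURES,
                 window=FAILURE_WINDOW_SECONDS, ban_seconds=BAN_SECONDS):
        self.whitelist = parse_whitelist(whitelist_text)
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> unix time at which the ban expires

    def is_banned(self, ip, now=None):
        now = time.time() if now is None else now
        expiry = self.banned_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                   # ban time has passed: cool down
            del self.banned_until[ip]
            return False
        return True

    def record_failure(self, ip, now=None):
        """Register a failed login. Returns True if this failure triggered a ban."""
        now = time.time() if now is None else now
        if ip in self.whitelist:            # whitelisted addresses are never counted
            return False
        # Keep only failures still inside the window: the counter resets by itself.
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_seconds
            self.failures[ip] = []
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure counter (an active ban stays)."""
        self.failures.pop(ip, None)


if __name__ == "__main__":
    # Constructed sample: five failures in quick succession from one address.
    bans = LoginBanList("192.168.1.12\n")
    for t in range(5):
        print("attempt", t + 1, "banned:", bans.record_failure("203.0.113.9", now=1000 + t))
```

The whitelist is matched on the normalised string form of the address, which is why the documentation's "no leading zeros, no wildcards" rule matters: an entry that does not parse as a single address is rejected outright.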
Per-user settings are available in each user's profile. The following settings can be adjusted:
- Enable Two Step Authentication - only admins can change this setting. By default it's enabled. Please note that disabling two step authentication even for one user significantly lowers your site's security: that account can then be taken over with the password alone.
- Secret Key - users and admins can generate new secret keys. If you generate a new secret key you will have to add a new entry (scan the new QR code) in your mobile authenticator app; the old entry will not work. Do not change the key unless you are having problems logging in or the key has been compromised.
- QR Code - don't forget to save the settings and scan the new QR code after changing the secret key.
How does it work
Traditional one-step authentication identifies a user by a username (in most cases not a secret) and a password (known only to the user). If someone steals the password they gain full access to the protected resources. Two step login adds another layer of protection.
Username and password are still used, but a third piece of data is required to log in: the OTP (one time password). It is generated for you every time you need to log in by an OTP device, often referred to as a token; in our case it's the phone app. The OTP is time bound, meaning that once it's generated you have only about 2 minutes to use it, so a stolen OTP won't do an attacker much good. If you're tricked into clicking "save my password", the saved OTP is useless within two minutes. The same goes if your username and password are compromised in any other way: the attacker won't be able to log in because they don't have a valid OTP.
This technology has been used by banks for years and has proven very reliable. It adds some overhead for the end user, who has to generate an OTP for each login, but the security benefits are more than obvious.
How does the plugin know which OTP is valid and which is not?
For an OTP to be valid it has to meet two requirements: it can't be too "old" and it has to belong to your account; you can't use an OTP generated for somebody else's account. Each account has a secret key, known to WordPress and to your phone (that's why you scan the QR code: it carries the key). From that key and the current time the phone computes the OTP, and WordPress repeats the same computation to confirm that the entered OTP belongs to the specified user. If your secret key changes, codes from the old key stop working and you won't be able to log in until you scan the new QR code.
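The check described in the previous paragraph, carried out in code. This is an added example and not the plugin's own implementation: Google Authenticator produces codes with TOTP (RFC 6238, HMAC-SHA1 over a 30-second counter), and the block below implements that algorithm, verifies a submitted code against a shared secret, and builds the otpauth:// URI that a QR code encodes. The "about 2 minutes" acceptance period is modelled as a tolerance of 4 time steps on either side of the current one; that number is an assumption, since the plugin's actual tolerance isn't documented. The same window is what lets a phone whose clock is up to a minute off still log in, as the troubleshooting section below notes. The secret is the RFC 4226 test-vector key, so the codes can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

STEP_SECONDS = 30      # Google Authenticator's time step
DIGITS = 6
WINDOW_STEPS = 4       # +/-4 steps ~= 2 minutes either way; an assumption, not the plugin's constant

# Base32 of the ASCII key "12345678901234567890" from RFC 4226 appendix D (test vector).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = WINDOW_STEPS) -> bool:
    """Accept the code if it matches any step within +/-window of the current step.
    Codes for other steps (too old) or other secrets (other accounts) do not match."""
    current = unix_time // STEP_SECONDS
    for step in range(max(current - window, 0), current + window + 1):
        # Constant-time comparison: don't leak how many digits were right.
        if hmac.compare_digest(hotp(secret_b32, step), submitted):
            return True
    return False


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The Key URI that authenticator apps read from a QR code; note the secret is inside it."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET_B32, now)
    print("current code:", code, "valid:", verify_totp(RFC_SECRET_B32, code, now))
    print("same code 150 s later valid:", verify_totp(RFC_SECRET_B32, code, now + 150))
    print(otpauth_uri(RFC_SECRET_B32, "alice", "ExampleSite"))
```

Because the otpauth:// URI carries the secret in clear, anyone who obtains the QR code (for example from the activation email) can compute every future OTP for that account; that is why regenerating the secret key is the right response to a suspected leak.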
Will this plugin slow my site down?
Absolutely not. Overhead that this plugin adds to WordPress is absolutely minimal.
Will it work on my theme?
Yes, it's theme independent. If your theme has a custom login form, make sure it uses all the actions and filters the default WP login form does; otherwise the OTP check may not be applied to it.
Will it work with plugin XYZ?
If the plugin is security related or modifies the login form there might be conflicts.
Is this plugin safe to use?
Of course.
I can't login. It always says the OTP is wrong or expired.
Make sure your server's and phone's clocks are in sync; the code is derived from the current time, and a difference of up to one minute is OK. Also make sure you scanned the right QR code: if you deactivated and reactivated the plugin, all QR codes were regenerated and you have to use the latest one.
I locked myself out of my site.
As a last resort you can always rename or delete the plugin's folder (wp-content/plugins/5sec-google-authenticator/) via FTP; WordPress then deactivates the plugin and the standard username and password login works again. Keep in mind that this also removes the login protection until the plugin is reinstalled.
E) Sources and Credits
5sec Google Authenticator uses the following external assets:
- Base Convert PHP library
(c) Bryan Ruiz
http://php.net/manual/en/function.base-convert.php
Once again, thank you so much for purchasing this premium WordPress plugin. As stated at the beginning, we'd be glad to help you if you have any questions relating to this plugin. We'll do our best to assist. If you have a more general question related to plugins on CodeCanyon, you might consider visiting the forums and asking your question in the "Item Discussion" section.