Add Secure Authentication to your WordPress Site in 15 Minutes

Aaron Parecki

Do you run a WordPress site and want to avoid managing a separate list of user accounts? Have you ever wanted to add two-factor authentication to WordPress? Typically WordPress keeps its own database of usernames and passwords, but if you run multiple websites, I’m sure you’re familiar with the pain of keeping lists of users in sync. Wouldn’t it be great if you could manage all your users in one place, letting them log in to all your websites using the same password?

This is where Okta can help out! Okta is an API service that allows you to create, edit, and securely store user accounts and user account data, and connect them with one or more applications. It also provides a sign-in widget which you can embed into your own applications to avoid creating your own login form for every application.

We’ve created a proof of concept WordPress plugin that replaces the WordPress login form with the Okta Sign-In Widget! Once you install and activate this plugin, the next time you try to log in to WordPress, you’ll instead see the Okta sign-in page.

Any users that exist in your Okta account will be able to log in, and a WordPress user will be created for them automatically. If your users have multi-factor authentication enabled, they’ll be prompted for that too when they log in!

Get Started with Okta’s WordPress Login Plugin

To get started, sign up for a free Okta Developer account.

Download the Okta WordPress plugin into your plugins folder, and copy the env.example.php to env.php. This is where you’ll configure your Okta API credentials.

Go into your Dashboard and create a new web application.

Make sure to set your Base URI and Login redirect URI to the location of your WordPress installation. The Login redirect URI should include /wp-login.php as well.

Copy the Client ID and Secret and paste them into your env.php file. You’ll also need to set the base URL to https://{yourOktaDomain}, and you can leave the authorization server ID set to “default”.
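
A pre-activation check of the values described above, as an added example that is not part of the original post or the plugin's code. The array keys and sample values are hypothetical; map them to whatever your env.php actually defines.

```php
<?php
// Added example, not part of the plugin. Array keys and sample values are
// hypothetical; map them to whatever your env.php actually defines.

function check_okta_wp_config(array $cfg, string $wpSiteUrl): array
{
    $problems = [];
    $baseUrl = (string)($cfg['base_url'] ?? '');

    // Base URL: https://{yourOktaDomain} with the placeholder filled in, no path.
    if (strpbrk($baseUrl, '{}') !== false) {
        $problems[] = 'base_url still contains the {yourOktaDomain} placeholder';
    } else {
        $parts = parse_url($baseUrl);
        if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
            $problems[] = 'base_url must be an https:// URL';
        } elseif (trim($parts['path'] ?? '', '/') !== '') {
            $problems[] = 'base_url must be the Okta domain only, without a path';
        }
    }

    // Client ID, secret and authorization server ID must all be set.
    foreach (['client_id', 'client_secret', 'auth_server_id'] as $key) {
        if (trim((string)($cfg[$key] ?? '')) === '') {
            $problems[] = "$key is empty";
        }
    }

    // The Login redirect URI registered in Okta must be the site's wp-login.php.
    $expected = rtrim($wpSiteUrl, '/') . '/wp-login.php';
    if (($cfg['login_redirect_uri'] ?? '') !== $expected) {
        $problems[] = "login_redirect_uri must be exactly $expected";
    }
    // Okta sends the browser back to this URL after sign-in, so it should be HTTPS too.
    if (stripos($wpSiteUrl, 'https://') !== 0) {
        $problems[] = 'WordPress site URL is not https://';
    }
    return $problems;
}

// Constructed sample values: placeholder left in, redirect URI missing /wp-login.php.
$sample = [
    'base_url'           => 'https://{yourOktaDomain}',
    'client_id'          => 'example-client-id',
    'client_secret'      => 'example-client-secret',
    'auth_server_id'     => 'default',
    'login_redirect_uri' => 'https://blog.example.com/',
];
foreach (check_okta_wp_config($sample, 'https://blog.example.com') as $p) {
    echo "- $p\n";
}
```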

Make sure the email address on your Okta account matches the email address of your WordPress admin user, as that’s what will be used to match up Okta accounts to WordPress accounts.

Activate the WordPress Authentication Plugin

In your WordPress admin page, you’ll see the Okta plugin listed. Click “activate” to enable the plugin! If you’ve configured everything right, you’ll see the plugin listed as activated.

Now log out of WordPress and try to log back in! When you visit the WordPress login page, instead of the default WordPress username and password fields, you’ll see your Okta Sign-In Widget! Enter your Okta account credentials and you will be logged in to WordPress!

Enable Multi-Factor Authentication for WordPress

You now have an easy way to enable multi-factor authentication for your WordPress site as well! You can choose to require the MFA challenge on every login, or you can require it after a certain number of days.

From your Okta Developer dashboard, first switch into the Classic UI.

Next you’ll need to create what’s called a “Sign-On Policy” for your Okta application. Click on the Applications menu, then select your application from the list. Click the Sign On tab to navigate to the place you can create the policy.

Scroll to the bottom of this page to the “Sign On Policy” section, and click Add Rule.

Give your rule a name like “Always require MFA challenge”, and check the Prompt for factor and Every sign on options.

Lastly, navigate to the Security -> Multifactor menu to configure which types of multifactor authentication you want to support.

From here, you can enable the Okta Verify app, Google Authenticator, a U2F security key, or others!

You can find the source code for the application at github.com/oktadeveloper/okta-wordpress-sign-in-widget.

Learn More About Authentication in PHP

If you want to read more about app security in PHP or Angular, we’d love to have you follow the Okta Developer Blog. Here are some great posts to get you started:

As always, we’d love to hear from you. Hit us up with questions or feedback in the comments, or find us on Twitter @oktadev, Facebook, and LinkedIn!