Enable Two-Factor Authentication on Your Account
Please enable two-factor authentication for your WordPress.com account.
Because we want to make WordPress.com accounts as secure as we can, we’ve made it easier for you to set up two-factor authentication for your account, so you can take advantage of the top-of-the-line security standard.
WordPress.com has supported two-factor authentication (2FA) since 2013. Also known as two-step verification, two-factor authentication allows you to protect your WordPress.com account with both a password and a time-sensitive code you get from your mobile device.
To enable two-step authentication, tap your profile picture to jump into the “Me” section and hit the Security tab. Click on “Two-Step Authentication,” and initiate the setup wizard. You can opt to use an independent mobile app, like Google Authenticator or Authy, that will generate access codes for you, or you can get codes texted to your phone via SMS.
Once two-factor authentication is set up, when logging into your WordPress.com account, you’ll use both your account password in addition to the unique code you receive, ensuring that nobody but you can access your information.
Our teams work around the clock to ensure that WordPress.com is the most secure place to host your website and blog content. We encourage our wonderful users to leverage all of the security measures out there, and hope that two-factor authentication will become a part of your daily blogging routine. For extra help, check out our support documentation.
- April 24, 2015
- Security
WordPress.com News 
What percentage of your users use two factor authorization?
LikeLiked by 4 people
That’s not public info at the moment, but we hope the percentage will go up now that the setup process is more intuitive!
LikeLiked by 6 people
I think it’s the implementation on a daily basis across multiple devices for people with multiple sites. Maybe we’re imagining that it would be cumbersome to easily work on our sites with that process. I think users need to know more about that. Do I have to login to each of my sites? Do I have to login every time I close and reopen a device?
LikeLiked by 4 people
Good questions Barbara,
You should only need to login once to have access to all of your sites on WordPress.com.
In regards to your second question, when you enter your two factor authentication code, you are able to select a checkbox that says, “Remember me for 30 days”, which minimizes how often you will have to login on each device.
On a completely unrelated note – I saw that you have a PhD in American Literature (from your Gravatar profile). I’ve recently been reading some Frost and found “Home Burial” to be very touching personally.
LikeLiked by 13 people
One of my favorites.
LikeLiked by 5 people
Hello again Barbara,
I was able to get a number for you. We currently have about 123,000 users that have enabled two factor authentication, and we are looking to greatly improve that.
LikeLiked by 5 people
Two-factor authentication is great…but it’d be even greater if the only way to do it wasn’t with a mobile phone. Not everyone has one. Thank you, at least, for not making it mandatory for those of us who are not mobile users.
LikeLiked by 9 people
You can also use Two-Step Authentication with authentication apps on devices like iPads, if that helps.
LikeLiked by 5 people
Thanks for the tip Allen, I wish it did, however I don’t own any other similar devices. At least it isn’t mandatory. I’ve been on some sites where it was, and there was just nothing to be done for it.
LikeLiked by 5 people
I have not tried it personally, but Authy has a desktop versions for Windows and OSX. Perhaps that may help. You could use the “time code” flow to set that up (instead of scanning the QR code.)
LikeLiked by 3 people
Thanks–I’ll see if I can look into it 🙂
LikeLiked by 3 people
I don’t get the two step key to Indian Mobiles, How to work?
LikeLiked by 3 people
I apologize that you are not getting the two step key. One option would be to use either Google Authenticator or Authy instead of SMS.
Alternatively, please get in touch with support at https://wordpress.com/support/contact/.
LikeLiked by 3 people
What can you do if you don’t have reliable cellphone reception? Lots of people are doing something like this – Google for one – and it can be very difficult if you can’t get a signal.
LikeLiked by 3 people
Hello there,
If you don’t have reliable cellphone reception, I would suggest using either Google Authenticator or Authy which do not require cell reception to work.
LikeLiked by 4 people
Eric, and if one doesn’t use a mobile device?? I’m assuming you aren’t including tablets? In other words, I use a Nexus Android tablet but choose not to use a cell phone.
LikeLiked by 2 people
Hello Paul,
You should still be able to use two factor authentication by using either Google Authenticator or Authy instead of SMS.
LikeLiked by 3 people
While the idea is great in principle, the number of users that come to the forums daily for help after being locked out of their accounts by this very feature (usually due to lost backup codes or backup codes not working, usually after getting a new phone) has made me very unlikely to ever use it. And while one can’t blame the system if users don’t follow the instructions to save the backup codes, the fact that they at times don’t work is rather disconcerting.
I’ll rather stick with a very secure and regularly updated password, and add my voice to Author Unpublished in saying thanks that this feature isn’t mandatory. I hope it remains optional.
Would it perhaps be possible, though, to add an option for account recovery via a one-time password sent by SMS, like Facebook and Twitter, and I think Google also does? If we can add our cell phone numbers for this purpose without activating two-step authentication it would be great.
LikeLiked by 4 people
Hello KokkieH,
Thanks for asking about a one-time SMS recovery code. We do currently support sending a backup code via SMS when logging into WordPress.com.
Part of setting up two factor requires entering a cell phone number for this purpose.
LikeLiked by 4 people
I get that, Eric, thanks, but I was wondering if it’s possible to register your cellphone number for recovery purposes without setting up two-step. The way I read the instructions on the security settings page make it seem that one is not possible without the other. Not a big deal if it’s not possible, but it would be nice.
LikeLiked by 4 people
Have you considered adding support for Clef? (http://www.getclef.com)
LikeLiked by 4 people
I am not sure if we have considered adding support for Clef to WordPress.com. I will, however, forward that to our partnerships team to consider. 👍
LikeLiked by 2 people
In my opinion this will be useful, but i think it could be time consuming. Could there be any not so elaborated or sophisticated method in favour of account authentication? Just a thought btw. 🙂
Thank you for sharing it with us. 😉
LikeLiked by 3 people
I agree that it may feel a bit time consuming to set up two factor for the first time. But, after the initial setup, it should only add a few extra seconds once or twice a month.
Thanks for reading the post and leaving a comment!
LikeLiked by 2 people
If the case is such, I will surely try it out. Thank you for your concise reply!
LikeLiked by 2 people
I tried it when it was first offered, but received a stream of SMS messages which I did not instigate. Was there someone out there trying to hack into the blog and being foiled by the new protection? If so, he’s been strangely inactive since I deactivated two step authentication in frustration. Willing to try again, but suspect I’ll be deluged with unnecessary texts this time too…
LikeLiked by 2 people
Hello there,
I am not sure why you received so many SMS messages before, and I apologize for that.
I do personally use two factor on all of my WordPress.com accounts, using SMS for one and Google Authenticator for the others, and I have not had the same issue.
I would suggest trying two factor out again. If you have another issue, please do create a support ticket and mention me in the ticket. I will personally look into that for you 👍
LikeLiked by 2 people
Don’t ever make 2-step authentication mandatory – you will shut me out completely!
LikeLiked by 8 people
I have no mobile phone, only a land line. Is there any way I can stiil use the 2 step?
LikeLiked by 2 people
If you have an Android Tablet or an iPad, you could use Google Authenticator or Authy to generate the security codes.
LikeLike
I am one of those “old” people who do not use a cell phone except in emergencies, and do not TEXT. So is there a way for us to have 2 step authentication?
LikeLiked by 1 person
If you don’t use your cell phone much, you may consider using Google Authenticator or Authy on an Android tablet or iPad if you have one of those.
LikeLiked by 1 person
thanks
LikeLiked by 2 people
I’m not a fan myself. I went to try it and it took me to google authenticator app. I hate having apps on my phone, taking up valuable space. Yes I understand that I could do it via sms but I agree with the first commenter, it adds time. Personally, I don’t want to have to faff around with a second code each time I need to log in. With that said, I am very skeptical so I think that changes my perception of it. Maybe if it were better explained, even more so in laymans terms?
LikeLiked by 2 people
Hi Faye,
Thanks you for commenting with your concerns and for requesting more explanation.
Two factor authentication greatly improves the security of your accounts on the Internet by requiring that a code be generated by a handheld device you have access to.
This means that a potential attacker would need to have your password AS WELL AS access to your mobile device in order to gain access to your account.
It will likely take you a few minutes to setup two factor for the first time. But, after that, it should only take a few extra seconds to login, a bit more perhaps if you use SMS.
Also, you only have to login once for ALL of your WordPress.com sites, and you can check the “Remember me for 30 days” option when logging in so that you only have to login about once a month.
Hopefully that explanation helps?
LikeLiked by 2 people
Thanks, if I enable it, is there an option to disable it if I change my mind?
Is it going to become mandatory?
LikeLike
There is definitely an option to disable it if you decide that you don’t like it. 👍
LikeLiked by 2 people
I hate this feature sometimes as I’ve my cell phone on charger which not close to my PC then I have to go there and make this work.
Otherwise this feature is great.
LikeLiked by 2 people
I’m glad that you use two factor 👍
LikeLiked by 2 people
I’m flat for your appreciation. 👍
LikeLiked by 3 people
I’m so glad to see this post. I have two factor authentication on one of my sites using google authenticator. I had some updating done to my phone and all the apps went to the cloud. Since re installing the authenticator app it doesn’t work like I remember it working and I have not been able to access my site. Is there anyway I can get back into my site without having to go through this.Just to post this I tried to use my wordpress account but that Authentication code thing stopped me in my tracks.
LikeLiked by 3 people
Hey Miriam,
It sounds like you may have either deleted the Authenticator app or got a new phone. If that’s the case, you will likely need to use a backup code to get into your account.
If you can not find a backup code, please contact support and we’ll help you further.
LikeLiked by 1 person
Dear sir(s)
Can I retrieve an account that was hacked and deleted?
The account was
ahmadyelt.wordpress.com
It belongs to me
And i created it back in 2011
Sent from my iPhone
>
LikeLiked by 2 people
Hello Sallamm,
Would you please contact support at https://wordpress.com/support/contact/
Our happiness engineers may be able to help you after you create a ticket.
LikeLiked by 1 person
Many people hate this feature… But it is best for security purpose.
LikeLiked by 2 people
Hi Hazel,
If you do not have a mobile device, including an iOS or Android tablet, then I don’t believe that you will be able to use two factor authentication at the moment.
The extra security provided by two factor is due to the fact that a second device is required.
LikeLiked by 1 person
Thank you.
LikeLiked by 3 people
Glad to see this as a topic of conversation, I have been using 2-step for both my gmail accounts (never been hacked & fingers still crossed) and for my WordPress blog. I will reblog this today. In my experience Google Authenticator is slow and once you change or upgrade phones you are sunk, locked out, etc. None of the backup codes worked for me, both times I really needed them too.
So I used 2-step with my mobile SMS alerts. Do not rely on this for international travel. I’m switching my 2-step safe login to Authy on my laptop (which requires no mobile phone number change when traveling outside USA).
I am reblogging this post now.
LikeLiked by 2 people
Thanks for the update. Good to know.
LikeLiked by 3 people