Your password is the key to your WordPress.com account. Whether you know your current password or not, this guide will help you change the password you use to log in to WordPress.com.
In this guide
If you are already logged in and wish to change your password, take the following steps:
- Visit your profile at https://wordpress.com/me.
- Click on “Security” on the left side.
- Click on the “Password” option.
- Type your new password in the box or click the “Generate strong password” button to create a random strong password. (Don’t worry, we don’t save these and don’t have any way of seeing what they are.)
- Then, click on the “Save Password” button to update your password.
The weakest point in any security for your online accounts is usually your password. While we go to great lengths to protect this, if someone else knows your password and you haven’t enabled two-step authentication, they would be able to access your account and make changes to your website.
To avoid this scenario, create strong passwords that are hard to guess or crack. Read through the following tips and double-check your own password. If you feel your password isn’t secure enough, we strongly recommend changing it.
- Don’t use the same password twice. Many popular websites fail to adequately secure your password in their systems, and hackers routinely break into them and access hundreds of millions of accounts. If you reuse passwords from site to site, someone who hacks into one site can log in to your account on other sites. At the very least, make sure that you have unique passwords for all sites that store financial or other sensitive data or ones that could be used to hurt your reputation.
- Make sure your email password is also strong. With many online services like WordPress.com, your email address is your identification. If a malicious actor gains access to your email, they can easily reset your passwords and log in to your account.
- Don’t share your passwords. Even if you trust the person, it’s possible an attacker could intercept or eavesdrop on the transmission or hack that person’s computer. You should change your password immediately if you suspect someone else knows it.
- Don’t send your password to anyone in an email. Emails are rarely encrypted, making them relatively easy for attackers to read. WordPress.com staff will never ask you for your password. If you must share a password, use a secure method of transmission like pwpush.com and set the link to expire after the first view.
- Don’t save your passwords in a web browser. They often fail to store the passwords securely, so use a password manager instead. See the section on password managers above for more information.
- Don’t save passwords or use “Remember Me” options on a public computer. If you do, the next person to use the computer will be able to access your account. Also, log out or close your browser when you are done.
- Don’t write down your password. If it’s written down somewhere and someone can find it, it’s not secure. Store passwords in a password manager instead, so they’ll be encrypted. The exception to this rule is storing unrecoverable passwords (like the master password for a password manager or your operating system account) securely. One good way to secure them is to keep them in a safe deposit box or locked in a safe.
There are many approaches to generating a strong password, but password managers and passphrases are the best. Choose the one that works for you, and then read its corresponding section below to learn how to get set up:
A password manager is a software application on your computer or mobile device that generates strong passwords and stores them in a secure database. You use a single passphrase to access the database, and then the manager will automatically enter your username and password into a website’s login form for you. If you only have to remember one password, you can make it random and hard to guess.
You never have to worry about choosing a good password, remembering it, or typing it again. This is the easiest and most secure method available today, and we strongly recommend using it.
There are many different manager applications, so you’ll want to pick which one you’d like to use and then install it on your computer. These are the general steps, but you may want to check your application’s documentation for more details.
- Choose a password manager. Some popular ones are:
- 1Password (closed-source, commercial)
- Install it on your computer.
- Install any extensions or plugins for the web browser(s) you use.
- Create a strong master password to open the password database. See this guide’s Passphrase section for advice on how to do that.
- (optional) Write down the master password and store it in a secure location, like a safe deposit box or a locked safe. It’s important to have a backup if you ever forget it.
Now that your password manager is set up, you can generate strong passwords. Find your password manager’s built-in password-generation tool and configure it to create 30-50 random characters with a mixture of upper- and lower-case letters, numbers, and symbols.
You want to end up with something that looks like this: N9}>K!A8$6a23jk%sdf23)4Q[uRa~ds{234]sa+f423@.
That may look intimidating, but remember that you’ll never need to remember it or type it in; your password manager will handle that for you automatically.
A passphrase is similar to a password, except it’s based on a random collection of words rather than just one. For example: copy indicate trap bright.
Because the length of a password is one of the primary factors in its strength, passphrases are much more secure than traditional passwords. At the same time, they are also much easier to remember and type.
They’re not as strong as the passwords generated by password managers, but they’re still a good option if you don’t want to use a password manager. They’re also the best way to generate the master password for a password manager or your operating system account since the password manager can’t automatically fill those in.
Creating a passphrase follows similar rules to creating a traditional password, but it doesn’t need to be as complex because the length of the phrase will provide enough security to outweigh the simplicity.
- Choose 4 random words. You can use the xkcd Passphrase Generator if you’d like, but it’s better to make up your own.
- Add spaces between the words if you prefer.
At this point, you should have something that looks like this: copy indicate trap bright
You can stop there if you’d like, or you can add some extra strength by following these steps:
- Make a few of the letters upper-case.
- Add in a few numbers and symbols.
After applying those rules, it will look something like this: Copy indicate 48 Trap (#) bright
Things to avoid:
- Don’t place the words in a predictable pattern or form a proper sentence; that would make it much easier to guess.
- Don’t use song lyrics, quotes, or anything else that’s been published. Attackers have massive databases of published works to build possible passwords from.
- Don’t use any personal information. Even when combined with letters and numbers, someone who knows you or can research you online can easily guess a password with this information.
It’s very important to keep your password secure and to remember it, but there might come a time when you forget it. Follow these steps if you need to reset a forgotten password:
- Visit WordPress.com and click the “Log in” button.
- Attempt to log in using any possible combinations of email addresses, usernames, and passwords you may have used.
- If you cannot log in successfully, click the “Lost your password?” link at the bottom of the screen. You can also click this link to access the Lost Password page directly.
- Enter your WordPress.com username or email into the text box and click the “Get New Password” button:
- In a few moments, we’ll send an email to your account’s email address and a text message to your recovery SMS number (if you specified one):
- Check your email inbox and click the “Reset password” button to create a new password for your account:
- If you provided an SMS recovery number, check your phone for a text message with a code from WordPress.com. Enter this code on WordPress.com, then create a new password for your account when prompted.
- Check your email inbox and click the “Reset password” button to create a new password for your account:
- You can now log in to your account using your new password.
If you are still unable to log in, visit our Account Recovery guide for steps you can take to recover access to your account.
We provide login links for an easy-to-use and secure method to sign in to WordPress.com without needing to type in your password:
- Visit WordPress.com and click the “Log in” button.
- Scroll down and click on the “Email me a login link” option.
- Enter your email address or account username in the box provided.
- Click the “Get Link” button.
- Wait a moment for an email to arrive in your inbox with a magic login link to click.
- Click the link, and you will be logged into your WordPress.com account.
You can protect your WordPress.com account by signing out each time you’ve finished working. To log out of your WordPress.com account:
- Visit your profile at https://wordpress.com/me.
- Click on the “Log Out” button:
