
Enable Two-Step Authentication

Your WordPress.com site is your home on the internet, and you want to keep that home safe. Hopefully, you’ve already chosen a unique and hard-to-crack password for your account. To add another layer of home security, you can enable two-step authentication by following the steps in this guide.

What is Two-Step Authentication?

Two-step authentication is a method of making your online accounts safer. Not only does it require that you know something to log in (a password), but you must also possess something (your mobile device or a physical key). The benefit of this approach to security is that even if someone discovers your password, they cannot log in unless they also have access to your possession.

WordPress.com offers two-step authentication via a mobile device (this guide) and also using a physical security key. Once you’ve set up two-step authentication, we send a new code to your device any time you log in with your password, which you must input before logging in. It adds an extra step to the login process, making your account much more secure.

Set Up Two-Step Authentication

Here, we’ll explain how to enable two-step authentication on your WordPress.com account. Take the following steps:

  1. Click on your profile at https://wordpress.com/me.
  2. On the left side, select the Security menu option:
(Screenshot: the Security option highlighted in blue.)
  3. Click Two-Step Authentication, where you can choose between “Set up using an app” and “Set up using SMS.” Each option is explained in the next sections of this guide.
  4. Click the Get Started button to continue with your chosen method.
(Screenshot: the first screen of the Two-Step Authentication process with the “Set up using an app” option selected.)

Use an App

If you set up two-step authentication using an app, you will use an app on your phone to get a code to log in to your WordPress.com account.

  1. Download an authenticator application to your phone. Common options include Google Authenticator and Authy.
  2. Scan the QR code with your authenticator app.
    • If you cannot scan the QR code, click the “Can’t scan the code?” link to get a one-time code to enter into your authenticator app.
  3. A six-digit number code will appear in your authenticator app. Type the code in the field provided on WordPress.com.
  4. Click Enable:
(Screenshot: the second step of Two-Step Authentication setup, displaying a QR code on the screen.)
  5. Next, you’ll be prompted to print backup codes. Don’t skip this step; it’ll be your only way to log back into your account without staff assistance if you lose your device!
  6. Click All Finished.

At this point, your account is enabled for two-step authentication. A follow-up step lets you confirm that your backup codes work by entering one printed code:

(Screenshot: the Verify backup code screen.)

Use SMS Codes

If you set up two-step authentication using SMS codes, you will receive a text message on your phone with a code to log in to your WordPress.com account.

  1. Enter your phone number (including the country code) and click Continue.
  2. Wait a few moments to receive a text message with a 7-digit number.
  3. Enter this number in the box provided on WordPress.com.
  4. Click Enable:
(Screenshot: the Verify Code screen for setting up SMS Two-Step Authentication.)
  5. Next, you’ll be prompted to print backup codes. Don’t skip this step; it’ll be your only way to log back into your account without staff assistance if you lose your device!
  6. Click All Finished.

Backup Codes

While enabling two-step authentication, you’ll be given a set of backup codes to use if you lose access to your mobile device (for example, if it’s lost, stolen, locked, or wiped clean).

We recommend you print out these ten one-time-use backup codes and keep them in a secure place like a wallet or document safe. Don’t save them on your computer since they would be accessible to anyone using your machine.

If you ever need to use a backup code, log in like you usually would, and when asked for a login code, enter one of your backup codes.

If you lose your list of backup codes or it’s compromised, you can generate a new set of codes from your computer (not from your mobile.) For added security, this will disable any previously generated codes:

Generate new backup codes

Disable Two-Step Authentication

We don’t recommend disabling two-step authentication, as it’s much less secure, even if you believe your password is strong. But if you insist, you can disable the feature by taking the following steps:

  1. Click on your profile at https://wordpress.com/me.
  2. On the left side, select the Security menu option.
  3. Click Two-Step Authentication.
  4. Click the Disable Two-Step Authentication button.
  5. When prompted, enter a code to confirm that you still have access to the device you initially used to set up two-step authentication:
    • If you’re using an authenticator app, open it and provide the code it lists.
    • If you’re using SMS, you’ll be sent a code via text message.
    • If you cannot access your device, enter one of your backup codes.
  6. Click Disable after entering the code, and your account will no longer be protected by two-step authentication.

⚠️ A security key cannot be used to disable two-step authentication – this can only be done using a code received via SMS, your authenticator app, or a backup code.

Moving to a New Device

If you plan on switching to a new device and have enabled two-step authentication, take the following steps to avoid being accidentally locked out of your user account.

If you are using SMS to receive authentication codes, you will not need to update your settings unless you also change to a new phone number. In that case, you will want to set up a new recovery number before disconnecting your old SMS number by following the steps here.

If you are using an authenticator app to generate verification codes:

  1. Print backup codes for your account.
  2. On your new device, install the authenticator app.
  3. Disable the two-step authentication link with your old device by following the steps here.
  4. Link your new device by following the steps here.
  5. If prompted to enter your verification code, use an unused code from your list of backup codes.
  6. You can now uninstall the authenticator app from your old device.

If you are using the Jetpack mobile app to manage and publish to your site:

  1. Create a new application-specific password by following the steps here.
  2. Enter your new application password when using this app on your new device.

If You Lose Your Device

If you lose your device or security key, accidentally remove the authenticator app, or are otherwise locked out of your account, the only way to get back into your account is by using a backup code.

To use a backup code, fill in your login details like you normally would. When asked about the login code, enter the backup code instead. Remember: backup codes are only valid for one time each, so be careful when using them and generate new codes if you are close to running out.

If you do not have access to your device or backup codes, please see our Account Recovery guide for other options to regain access to your account.
