
Two-Step Authentication

Your WordPress.com site is your home on the internet, and you want to keep that home safe. Hopefully, you’ve already chosen a unique and hard-to-crack password for your account. To add another layer of home security, you can enable two-step authentication.

What is Two-Step Authentication?

Two-step authentication is a method of securing accounts that requires you to know something (your password) and to possess something (your mobile device or a physical security key) before you can log in. The benefit is that even if someone guesses or steals your password, they must also have your device or key to break into your account.

At WordPress.com, two-step authentication starts with your mobile device: you verify it either with an authenticator app or with a code sent by SMS. Once your mobile device is verified, you can also register a physical security key as an additional way to complete the second step.

Once two-step authentication is enabled, every login with your password also requires a fresh code from your authenticator app or text message, or a touch of your physical security key. It adds a small extra step to the login process but makes your account much more secure.

Set up Two-Step Authentication

First, go to your Two-Step Authentication settings page at WordPress.com.

  1. Click the Profile icon at the top of your WordPress.com dashboard.
An arrow pointing to the My Profile icon in the top of the WordPress.com dashboard.
  2. Click the Security menu option on your Profile.
A menu with a dark background and the "Security" menu item highlighted.
  3. Last, click Two-Step Authentication to get started.
  4. You’ll be able to choose between Set up using an app and Set up using SMS.

Use an App

The first screen of the Two-Step Authentication process with the "Set up using an app" option selected.

You’ll need to start in a desktop browser to set up two-step authentication via an authenticator application like Google Authenticator, Authy, or Duo on your device.

Click the Set up using an app option, and click Get Started.

Next, scan the QR code presented with your authenticator app. A six-digit number will appear in the authenticator app. Enter it in the field provided and click Enable.

The second step of Two-Step Authentication setup, displaying a QR code on the screen.

💡

If you’re unable to scan the QR code, click the Can’t scan the code? link to display a setup key that you can type into your authenticator app instead. Treat that key like a password: it is the secret the QR code encodes, and anyone who has it can generate your login codes.

Lastly, you’ll be prompted to print backup codes. Don’t skip this step; it’ll be your only way to log back into your account without staff assistance should your device go missing!

Please Note: If your web browser is set to block pop-up windows, you may need to temporarily disable this feature, as it will prevent the window with your backup codes from opening.

Click All Finished.

At this point, your account is protected by two-step authentication. A follow-up step lets you confirm that your backup codes work by entering one printed code.

Verify backup code
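To show what the authenticator app and the site are doing behind the QR code, here is an added Python example (not WordPress.com’s code). It uses the public RFC 4226/6238 reference secret as a constructed demo key, builds the otpauth:// text that a TOTP QR code carries (the “setup key” is its secret= value), generates the six-digit codes the app displays, and verifies them the way a server should: allowing one 30-second step of clock skew either way, comparing in constant time, and refusing to accept a code at or below the last counter already used so that a captured code cannot be replayed. The issuer label, the skew window and the replay rule are assumptions for illustration, not details from the page.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed demo secret: the RFC 4226/6238 reference key "12345678901234567890",
# base32-encoded as authenticator apps expect. Not a real WordPress.com secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str = "WordPress.com") -> str:
    """The text a TOTP QR code encodes. The 'Can't scan the code?' setup key is the
    secret= value; whoever learns it can generate your codes. (Label format assumed.)"""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    cleaned = secret_b32.replace(" ", "").upper()
    # Setup keys shown to users are usually unpadded; restore base32 padding.
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = Unix time / 30 s. This is what the app displays."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step, digits)


class TotpVerifier:
    """Server side. Tolerates +/- `window` steps of clock skew and never accepts a
    counter at or below the last one used, so an observed code cannot be replayed."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1) -> None:
        self.secret = secret_b32
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, candidate: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older than a consumed step)
            if hmac.compare_digest(hotp(self.secret, counter), candidate.strip()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET_B32, "alice@example.com"))
    print("code right now:", totp(DEMO_SECRET_B32))
```

With the reference key, the code for Unix time 59 is 287082 and for time 1111111109 it is 081804, matching the RFC 6238 test vectors; the verifier accepts each once and rejects the same code a second time.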

Use SMS Codes

If you cannot set up two-step authentication using an authenticator app, you can also set it up to work via SMS messages.

Select the option to Set up using SMS and click Get Started.

On the following screen, enter your country code and phone number and click Continue. You should receive a text message with a 7-digit number within a few moments. Enter this number in the blank provided and click Enable.

The Verify Code screen for setting up SMS Two-Step Authentication.

Lastly, you’ll be prompted to print backup codes. Don’t skip this step; it’ll be your only way to log back into your account without staff assistance should your device go missing!

⚠️

Smartphone apps that block automated calls might also block our messages.

Security Key Authentication

WordPress.com supports login verification with physical security keys using the WebAuthn standard.

Instead of typing in a code from SMS or an app like Google Authenticator after entering your password, you plug in the physical key and press a button on it to complete verification and log in. Someone who knows only your password cannot get in. Note that the key is added alongside your app or SMS method, not in place of it: those codes and your backup codes remain valid for the second step, so keep them protected too.

Requirements
Add a Key

First, set up two-step authentication with SMS or an authenticator app, as outlined above.

Once that is done, the Security Key section appears on the same page with the option to add a key. Click on Register key.

The Security page of the WordPress.com dashboard with an arrow pointing to the Security Key's Register Key button.

You can register multiple keys, so give each one a name that distinguishes it from others you might add later. Type in a unique name and click Register key.

Setting up a security key by giving the key a name and clicking the Register key button.

At this point, plug your key into a USB port on your computer and, depending on the type of key, either press the button or tap the gold disc on the key.

Connect and touch your security key to register it

If you’re successful, you will see a message on the screen and the key will now be listed in the Security Key section.

List of security keys

Once this is set up, the key is one of the ways into your account, so treat it the same way you would the keys to your home or your car – keep it safe! If it goes missing, remove it from your account as described under Remove a Key below.

Also, consider adding a second key as a backup option and keep it somewhere you can find it should something happen to your primary key. To add additional keys, just click Register Key again.

Remove a Key

Should you want to remove a security key you added before (for example, if a key was lost or no longer works), you can disconnect that key from your account.

Go to the Two-Step Authentication page in your profile settings, click the Trash icon next to the key, and click Remove Key in the confirmation message that will appear.

Delete security key

Logging In

The login process varies slightly from the usual once you have enabled two-step authentication. Whether you verify with an authenticator app, SMS, or a security key, you’ll start by logging in with your username and password as usual.

Image of the login screen, prompting an email address or username.
Log into WordPress.com

Next, you’ll be prompted to enter the verification code sent to your device.

Prompt to enter two-step authentication code.

If you set up two-step authentication with an authenticator app, open the app on your device and provide the six-digit number listed for the account. If you’re using SMS for two-step authentication, we’ll send you a text message containing the code. Once you’ve entered the code, you’ll be logged in and ready to blog.

If you have a security key configured, you’ll see a prompt asking whether you want to verify using your key, or your authenticator app/SMS. To verify using your key, click Continue with security key.

Two Step authentication options

Next, you’ll see a prompt to connect your key. Plug the key into a USB port on your computer and, depending on the key type, either press the button or tap the gold disc on the key to finish logging in.

Prompt to connect security key and complete login.

💡

If you take too long to verify, the verification request will be cancelled and an error message will appear. Just click Continue with security key again to restart the verification.

Backup Codes

We don’t want you to lose access to your WordPress.com account. You’ll still need to be able to log in if your device is lost, stolen, locked out for any reason, or needs to be wiped clean (which will delete Google Authenticator).

To ensure you’re never locked out of your account, you can generate a set of ten one-time-use backup codes. We recommend you print out the backup codes and keep them in a secure place like a wallet or document safe. (Don’t save them on your computer. They’d be accessible to anyone using your machine.)

Generating backup codes is essential. If you ever need to use one, just log in like you usually would, and when asked for the login code, enter the backup code instead.

At the end of the setup process for Two-Step Authentication, you’ll be given the option to generate backup codes:

Print out backup codes

Print out the codes—don’t just save them—and confirm that you’ve done that. Then click All Finished! to close that screen.

If you lose your list of backups or it’s compromised, you can generate a new set of codes. For added security, this will disable any previously-generated codes.

Generate new backup codes

You can only generate the backup codes from a desktop browser. For example, Safari on iOS will not display the backup codes. Additionally, if your web browser is set to block pop-up windows, you will need to temporarily disable this feature as it will prevent the window with your backup codes from opening.

Application-Specific Passwords

There may be some apps that connect to your WordPress.com account that don’t yet fully support two-step authentication. The most common are Jabber apps used to subscribe to WordPress.com blogs. You can generate unique passwords for these apps (e.g., you can have a different password on your phone and tablet). Because an application password lets that app into your account without a second step, keep each one to a single app or device; you can then disable individual passwords and lock that application out of your account without affecting the others.

To generate application-specific passwords, head back to Two-Step Authentication and then down to “Application Passwords”:

Application password prompt

Give the application a name—you’re the only one who will see this name, so call it whatever you’d like—and click “Generate Password.” WordPress.com will create a unique 16-character password that you can copy and paste the next time you log in to your account on that device. The application will remember this password so you don’t need to.

Your Security page will maintain a list of all the applications for which you’ve generated passwords. If any of your devices are lost or stolen, or you simply wish to revoke access for a particular application, you can visit this page at any time and click “X” to disable the password and prevent the app from accessing your account:

Remove application password
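The backup-code and application-password sections above describe two kinds of credential with different lifetimes: a backup code works exactly once and a newly generated set invalidates the old one, while an application password is reused by one app until you revoke it. The following Python is an added example (not WordPress.com’s implementation) of an account store with both behaviours. It assumes eight-digit backup codes, application passwords made of 16 lowercase letters (the page gives only the length), and storage as salted SHA-256 hashes so that a leaked table does not reveal the secrets directly.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional

# Assumptions for this illustration; the page only says "ten" codes and "16-character".
BACKUP_CODE_COUNT = 10
BACKUP_CODE_DIGITS = 8
APP_PASSWORD_LENGTH = 16


def _hash(salt: bytes, secret: str) -> bytes:
    # Salted SHA-256 keeps the example fast. Eight-digit codes have only 10^8
    # possibilities, so a production store should use a slow hash (scrypt/PBKDF2)
    # or encrypt the table; the one-time and rotation semantics below are unchanged.
    return hashlib.sha256(salt + secret.encode()).digest()


class AccountCredentials:
    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._backup_hashes: List[bytes] = []
        self._app_passwords: Dict[str, bytes] = {}  # app name -> hash

    def generate_backup_codes(self) -> List[str]:
        """Return ten fresh one-time codes. The previous set is discarded, which is
        why 'generate new backup codes' is the right response to a lost printout."""
        codes: List[str] = []
        while len(codes) < BACKUP_CODE_COUNT:
            code = "".join(secrets.choice(string.digits) for _ in range(BACKUP_CODE_DIGITS))
            if code not in codes:
                codes.append(code)
        self._backup_hashes = [_hash(self._salt, c) for c in codes]
        return codes  # shown to the user once; only hashes are kept

    def use_backup_code(self, candidate: str) -> bool:
        """Consume a backup code: valid exactly once, then removed from the store."""
        digest = _hash(self._salt, candidate.strip())
        for i, stored in enumerate(self._backup_hashes):
            if hmac.compare_digest(stored, digest):
                del self._backup_hashes[i]
                return True
        return False

    def backup_codes_remaining(self) -> int:
        return len(self._backup_hashes)

    def create_app_password(self, app_name: str) -> str:
        """Mint a per-app password. It bypasses the second step, so each app gets its
        own so that one can be revoked without touching the others."""
        if app_name in self._app_passwords:
            raise ValueError("application name already in use")
        pw = "".join(secrets.choice(string.ascii_lowercase) for _ in range(APP_PASSWORD_LENGTH))
        self._app_passwords[app_name] = _hash(self._salt, pw)
        return pw

    def check_app_password(self, candidate: str) -> Optional[str]:
        """Return the app the password belongs to, or None. Reusable until revoked."""
        digest = _hash(self._salt, candidate.replace(" ", ""))
        for name, stored in self._app_passwords.items():
            if hmac.compare_digest(stored, digest):
                return name
        return None

    def revoke_app_password(self, app_name: str) -> bool:
        """The 'X' on the Security page: the app's password stops working immediately."""
        return self._app_passwords.pop(app_name, None) is not None


if __name__ == "__main__":
    acct = AccountCredentials()
    print("backup codes:", acct.generate_backup_codes())
    print("phone app password:", acct.create_app_password("phone"))
```

Revoking an application password or regenerating backup codes only touches the stored hashes, so neither operation needs the plaintext secret, and an attacker who copies the store still has to brute-force each hash rather than read the codes off.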

Disable Two-Step Authentication

We don’t recommend disabling two-step authentication, as your account will be much less secure, even if you believe your password is robust. But if you insist, you can disable the feature by going to your Two-Step Authentication page.

The page will show that the feature is enabled, and you can click the Disable Two-Step Authentication button. This will prompt you to enter a code to confirm that you still have access to the device you initially used to set up two-step authentication. If you’re using an authenticator app, open it and provide the code it lists. If you’re using SMS, you’ll be sent a code to use. (This code differs from the code you used to log in to your account. You can also use one of your backup codes for this step.)

Click Disable after entering the code, and your account will no longer be protected by two-step authentication.

Disable two-step authentication

⚠️

A security key cannot be used to disable two-step authentication – this can only be done using a code received via SMS, your authenticator app, or a backup code.

Moving to a New Device

If you plan on switching to a new device and have enabled two-step authentication, you will want to take the following steps to avoid being accidentally locked out of your user account.

If you are using an authenticator app to generate verification codes:

  1. Print backup codes for your user account by following the steps here. DO NOT SKIP THIS STEP.
  2. On your new device, install the authenticator app.
  3. Disable the two-step authentication link with your old device by following the steps here.
  4. Set up your user account to link to your new device by following the steps here.
  5. If you are prompted to enter your verification code, use a code from your list of backup codes. Backup codes are for one-time use only.
  6. You can now uninstall the authenticator app from your old device.

If you are using the WordPress.com mobile app to manage and publish to your site:

  1. Create a new application-specific password by following the steps here.
  2. Enter your new application password when using this app on your new device.

💡

If you are using SMS to receive authentication codes, you will not need to update your settings unless you are also changing to a new phone number. In that case, you will want to set up a new recovery number prior to disconnecting your old SMS number by following the steps here.

If You Lose Your Device

If you lose your device or security key, accidentally remove the authenticator app, or are otherwise locked out of your account, the only way to get back in without staff assistance is by using a Backup Code.

To use a backup code, fill in your login details like you normally would. When asked about the login code enter the backup code instead. Remember: backup codes are only valid for one time each so be careful when using them.
