The WordPress.com Blog

Enable Two-Factor Authentication on Your Account

Please enable two-factor authentication for your WordPress.com account.

Because we want to make WordPress.com accounts as secure as we can, we’ve made it easier for you to set up two-factor authentication for your account, so you can take advantage of the top-of-the-line security standard.

WordPress.com has supported two-factor authentication (2FA) since 2013. Also known as two-step verification, two-factor authentication allows you to protect your WordPress.com account with both a password and a time-sensitive code you get from your mobile device.

To enable two-step authentication, tap your profile picture to jump into the “Me” section and hit the Security tab. Click on “Two-Step Authentication,” and initiate the setup wizard. You can opt to use an independent mobile app, like Google Authenticator or Authy, that will generate access codes for you, or you can get codes texted to your phone via SMS. 

 

Once two-factor authentication is set up, you’ll log into your WordPress.com account with both your account password and the unique code you receive, ensuring that nobody but you can access your information.

Our teams work around the clock to ensure that WordPress.com is the most secure place to host your website and blog content. We encourage our wonderful users to leverage all of the security measures out there, and hope that two-factor authentication will become a part of your daily blogging routine. For extra help, check out our support documentation.



49 Comments

  1. Barbara

    What percentage of your users use two factor authorization?

    Liked by 4 people

    • Eric Binnion

      That’s not public info at the moment, but we hope the percentage will go up now that the setup process is more intuitive!

      Liked by 6 people

      • Barbara

        I think it’s the implementation on a daily basis across multiple devices for people with multiple sites. Maybe we’re imagining that it would be cumbersome to easily work on our sites with that process. I think users need to know more about that. Do I have to login to each of my sites? Do I have to login every time I close and reopen a device?

        Liked by 4 people

        • Eric Binnion

          Good questions Barbara,

          You should only need to login once to have access to all of your sites on WordPress.com.

          In regards to your second question, when you enter your two factor authentication code, you are able to select a checkbox that says, “Remember me for 30 days”, which minimizes how often you will have to login on each device.

          On a completely unrelated note – I saw that you have a PhD in American Literature (from your Gravatar profile). I’ve recently been reading some Frost and found “Home Burial” to be very touching personally.

          Liked by 12 people

    • Eric Binnion

      Hello again Barbara,

      I was able to get a number for you. We currently have about 123,000 users that have enabled two factor authentication, and we are looking to greatly improve that.

      Liked by 5 people

  2. Author Unpublished

    Two-factor authentication is great…but it’d be even greater if the only way to do it wasn’t with a mobile phone. Not everyone has one. Thank you, at least, for not making it mandatory for those of us who are not mobile users.

    Liked by 8 people

  3. గెల్లి ఫణీంద్ర విశ్వనాధ ప్రసాదు

    I don’t get the two step key to Indian Mobiles, How to work?

    Liked by 3 people

  4. ianchisholm

    What can you do if you don’t have reliable cellphone reception? Lots of people are doing something like this – Google for one – and it can be very difficult if you can’t get a signal.

    Liked by 3 people

    • Eric Binnion

      Hello there,

      If you don’t have reliable cellphone reception, I would suggest using either Google Authenticator or Authy which do not require cell reception to work.

      Liked by 4 people

  5. Paul Handover

    Eric, and if one doesn’t use a mobile device?? I’m assuming you aren’t including tablets? In other words, I use a Nexus Android tablet but choose not to use a cell phone.

    Liked by 2 people

  6. KokkieH

    While the idea is great in principle, the number of users that come to the forums daily for help after being locked out of their accounts by this very feature (usually due to lost backup codes or backup codes not working, usually after getting a new phone) has made me very unlikely to ever use it. And while one can’t blame the system if users don’t follow the instructions to save the backup codes, the fact that they at times don’t work is rather disconcerting.

    I’ll rather stick with a very secure and regularly updated password, and add my voice to Author Unpublished in saying thanks that this feature isn’t mandatory. I hope it remains optional.

    Would it perhaps be possible, though, to add an option for account recovery via a one-time password sent by SMS, like Facebook and Twitter, and I think Google also does? If we can add our cell phone numbers for this purpose without activating two-step authentication it would be great.

    Liked by 3 people

    • Eric Binnion

      Hello KokkieH,

      Thanks for asking about a one-time SMS recovery code. We do currently support sending a backup code via SMS when logging into WordPress.com.

      Part of setting up two factor requires entering a cell phone number for this purpose.

      Liked by 4 people

      • KokkieH

        I get that, Eric, thanks, but I was wondering if it’s possible to register your cellphone number for recovery purposes without setting up two-step. The way I read the instructions on the security settings page make it seem that one is not possible without the other. Not a big deal if it’s not possible, but it would be nice.

        Liked by 4 people

  7. Niket Raja

    Have you considered adding support for Clef? (http://www.getclef.com)

    Liked by 4 people

  8. gogi6666

    In my opinion this will be useful, but I think it could be time consuming. Could there be any not so elaborated or sophisticated method in favour of account authentication? Just a thought btw.🙂
    Thank you for sharing it with us.😉

    Liked by 3 people

    • Eric Binnion

      I agree that it may feel a bit time consuming to set up two factor for the first time. But, after the initial setup, it should only add a few extra seconds once or twice a month.

      Thanks for reading the post and leaving a comment!

      Liked by 2 people

  9. Freedom ARC

    I tried it when it was first offered, but received a stream of SMS messages which I did not instigate. Was there someone out there trying to hack into the blog and being foiled by the new protection? If so, he’s been strangely inactive since I deactivated two step authentication in frustration. Willing to try again, but suspect I’ll be deluged with unnecessary texts this time too…

    Liked by 2 people

    • Eric Binnion

      Hello there,

      I am not sure why you received so many SMS messages before, and I apologize for that.

      I do personally use two factor on all of my WordPress.com accounts, using SMS for one and Google Authenticator for the others, and I have not had the same issue.

      I would suggest trying two factor out again. If you have another issue, please do create a support ticket and mention me in the ticket. I will personally look into that for you 👍

      Liked by 2 people

  10. trythisoneforsize

    Don’t ever make 2-step authentication mandatory – you will shut me out completely!

    Liked by 8 people

  11. The Preacher

    I have no mobile phone, only a land line. Is there any way I can still use the 2 step?

    Liked by 2 people

  12. Mary Jane

    I am one of those “old” people who do not use a cell phone except in emergencies, and do not TEXT. So is there a way for us to have 2 step authentication?

    Liked by 1 person

  13. ilmondoinbellezza

    thanks

    Liked by 2 people

  14. Faye Elizabeth

    I’m not a fan myself. I went to try it and it took me to the Google Authenticator app. I hate having apps on my phone, taking up valuable space. Yes I understand that I could do it via SMS but I agree with the first commenter, it adds time. Personally, I don’t want to have to faff around with a second code each time I need to log in. With that said, I am very skeptical so I think that changes my perception of it. Maybe if it were better explained, even more so in layman’s terms?

    Liked by 2 people

    • Eric Binnion

      Hi Faye,

      Thank you for commenting with your concerns and for requesting more explanation.

      Two factor authentication greatly improves the security of your accounts on the Internet by requiring that a code be generated by a handheld device you have access to.

      This means that a potential attacker would need to have your password AS WELL AS access to your mobile device in order to gain access to your account.

      It will likely take you a few minutes to setup two factor for the first time. But, after that, it should only take a few extra seconds to login, a bit more perhaps if you use SMS.

      Also, you only have to login once for ALL of your WordPress.com sites, and you can check the “Remember me for 30 days” option when logging in so that you only have to login about once a month.

      Hopefully that explanation helps?

      Liked by 2 people

  15. Ateek Sheikh

    I hate this feature sometimes as I’ve my cell phone on charger which is not close to my PC, then I have to go there and make this work.
    Otherwise this feature is great.

    Liked by 2 people

  16. Miriam Walcott

    I’m so glad to see this post. I have two factor authentication on one of my sites using Google Authenticator. I had some updating done to my phone and all the apps went to the cloud. Since reinstalling the authenticator app it doesn’t work like I remember it working and I have not been able to access my site. Is there any way I can get back into my site without having to go through this? Just to post this I tried to use my WordPress account but that Authentication code thing stopped me in my tracks.

    Liked by 3 people

    • Eric Binnion

      Hey Miriam,

      It sounds like you may have either deleted the Authenticator app or got a new phone. If that’s the case, you will likely need to use a backup code to get into your account.

      If you can not find a backup code, please contact support and we’ll help you further.

      Liked by 1 person

  17. sallamm

    Dear sir(s)
    Can I retrieve an account that was hacked and deleted?
    The account was
    ahmadyelt.wordpress.com
    It belongs to me
    And i created it back in 2011

    Sent from my iPhone

    Liked by 2 people

  18. TopInteresting

    Many people hate this feature… But it is best for security purpose.

    Liked by 2 people

  19. Eric Binnion

    Hi Hazel,

    If you do not have a mobile device, including an iOS or Android tablet, then I don’t believe that you will be able to use two factor authentication at the moment.

    The extra security provided by two factor is due to the fact that a second device is required.

    Liked by 1 person

  20. Grow Nimbly

    Thank you.

    Liked by 3 people

  21. dogleadermysteries

    Glad to see this as a topic of conversation, I have been using 2-step for both my gmail accounts (never been hacked & fingers still crossed) and for my WordPress blog. I will reblog this today. In my experience Google Authenticator is slow and once you change or upgrade phones you are sunk, locked out, etc. None of the backup codes worked for me, both times I really needed them too.

    So I used 2-step with my mobile SMS alerts. Do not rely on this for international travel. I’m switching my 2-step safe login to Authy on my laptop (which requires no mobile phone number change when traveling outside USA).

    I am reblogging this post now.

    Liked by 2 people

  22. Fotocopy Rawamangun

    Thanks for the update. Good to know.

    Liked by 3 people
