Security »Two Step Authentication
Your WordPress.com site is your home on the internet, and you want to keep that home safe. Hopefully, you’ve already chosen a unique and hard-to-crack password for your account. To add another layer of home security, you can enable Two Step Authentication, also known as Two-Factor Authentication.
What is Two Step Authentication?
Two step authentication is a method of securing accounts requiring that you not only know something (a password) to log in but also that you possess something (your mobile device). The benefit of this approach to security is that even if someone guesses your password, they need to have also stolen your possession in order to break into your account.
At WordPress.com, we offer two step authentication via mobile device. We first verify your mobile device by sending a code via one of a couple of methods. Once you’ve verified your device, any time you log in with your password, we send a new code to your device, which you must input before logging in. It adds a small extra step to the login process but makes your account much more secure.
Setup with Google Authenticator
To set up two step authentication via the Google Authenticator application on your device, you’ll need to start in a desktop browser.
First, go to the Settings page at WordPress.com. If you’re logged into WordPress.com, you’ll find a link under the WordPress logo in the admin bar:
Or, you can reach Settings off of your Gravatar image from the WordPress.com home page:
Next, click the “Security” link in the navigation on the right-hand side of the screen:
Here you’ll be prompted to select your country and to provide your mobile phone number (without country code and spaces or dashes). Click Next Step.
Next, you’ll select your device type and follow the instructions to get the Google Authenticator app, which will let us verify access to the device and pair it with your WordPress.com account.
Once you’ve installed the Google Authenticator app, click Verify the code now. A QR code will appear on screen. Open the Google Authenticator app on your device and add a new entry by scanning the barcode. A six-digit number will appear in the Google Authenticator app. Enter it in the blank below the barcode on your settings screen.
Next you’ll be prompted to print backup codes. Don’t skip this step, as it’ll be your only way to log back into your account without staff assistance should your device go missing!
Please Note: If your web browser is set to block pop-up windows, you will need to temporarily disable this feature as it will prevent the window with your backup codes from opening.
Click Next Step.
At this point, your site is enabled for two step authentication. A follow-up step allows you to confirm that your backup codes work by entering one of the printed codes.
Setup with SMS Codes
If you’re unable to set up two step authentication using the Google Authenticator app, you can also set it up to work via SMS messages. To do so, go to your Settings page as described above, but then click use Two Step Authentication via SMS.
On the next screen, click Send SMS. Within a few moments, you should receive a text message that includes a 7-digit number. Enter this number in the blank provided and click Verify Code.
From this point forward, you can print and verify backup codes as documented above. Your account is now protected by two step authentication.
The login process varies slightly from the usual process once you have two step authentication enabled. Regardless of whether you used the Google Authenticator method or the SMS method to enable two step authentication, you’ll start by logging in as usual with your username and password.
Next, you’ll be prompted to enter the verification code that was sent to your device.
If you’re using SMS for two step authentication, we’ll send you a text message with a six-digit number. If you set up two step authentication with the Google Authenticator app, open the Google Authenticator app on your device and provide the six-digit number listed for the account. Once you’ve entered the code, you’ll be logged in and ready to blog.
We don’t want you to lose access to your WordPress.com account—you’ll still need to be able to log in if it’s is lost, stolen, you’re locked out for any reason, or your device needs to be wiped clean (which will delete Google Authenticator). To make sure you’re never locked out of your blog, you can generate a set of ten, one-time-use backup codes. We recommend that you print the backup codes out and keep them in a secure place like a wallet or document safe. (Don’t save them on your computer. They’d be accessible to anyone using your machine.) Generating backup codes is essential and must be done. If you ever need to use a backup code, just log in like you normally would, and when asked about the login code enter the backup code instead.
At the end of the setup process for Two Step Authorization, you’ll be given the option to generate backup codes:
Just click “Generate Backup Codes,” print the screen containing the codes—don’t save it—and then close the screen.
If you lose your list of backups or it’s compromised, you can generate a new set of codes. For added security, this will disable any previously-generated codes.
Important Note: You can only generate the backup codes from a desktop browser. For example, Safari on iOS will not display the backup codes. Additionally, if your web browser is set to block pop-up windows, you will need to temporarily disable this feature as it will prevent the window with your backup codes from opening.
There may be some apps that connect to your WordPress.com account that don’t yet fully support Two Step Authentication; the most common are the WordPress mobile apps or Jabber apps used to subscribe to WordPress.com blogs. For these apps, you can generate unique passwords for each application (e.g., you can have a different password on your phone and your tablet). You can then disable individual passwords and lock applications out of your account to prevent others from accessing your sites.
To generate application-specific passwords, head back to the Security tab your settings and scroll down to “Application Passwords”:
Give the application a name—you’re the only one who will see this name, so call it whatever you’d like—and click “Generate Password.” WordPress.com will create a unique 16-character password that you can copy and paste the next time you log in to your account on that device. The application will remember this password, so you don’t need to.
Your Security page will maintain a list of all the applications for which you’ve generated passwords. If any of your devices are lost or stolen, or you simply wish to revoke access for a particular application, you can visit this page at any time and click “Remove” to disable the password and prevent the app from accessing your account:
Disabling Two Step Authentication
We don’t recommend disabling Two Step Authentication, as it’s much less secure, even if you believe your password is very strong. But if you insist, you can disable the feature by going to your Settings again as instructed above.
The Security screen will show that the feature is enabled, and you can click the Disable button. This will prompt you to enter a code to confirm that you still have access to the device you originally used to set two step authentication up. If you’re using the Google Authenticator app, open it and provide the code it lists. If you’re using SMS, you’ll be sent a code to use. (This code is different from the code you used to log in to your account. You can also use one of your backup codes for this step.)
Click Disable after entering the code and your account will no longer be protected by Two Step Authentication.
Moving to a New Device
If you are planning on switching to a new device, and you have enabled Two Step Authentication, you will want to take the following steps to avoid being accidentally locked out of your user account.
If you are using the Google Authenticator app to generate verification codes:
- Print a set of backup codes for your user account by following the steps here. DO NOT SKIP THIS STEP.
- Uninstall Google Authenticator from your old device.
- On your new device, install the Google Authenticator app.
- Disable the Two Step Authentication link with your old device by following the steps here.
- Set up your user account to link to your new device by following the steps here.
- If you are prompted to enter your verification code, use a code from your list of backup codes. Backup codes are one-time use only.
If you are using the WordPress.com mobile app to manage and publish to your blog:
- Create a new application-specific password by following the steps here.
- Enter your new application password when using this app on your new device.
Note: If you are using SMS to receive authentication codes, you will not need to update your settings unless you are also changing to a new phone number. In that case, you will want to set up a new recovery number prior to disconnecting your old SMS number by following the steps here.
If You Lose Your Device
If you lose your device, accidentally remove the authenticator app, or are otherwise locked out of your account, the only way to get back in to your account is by using a Backup Code.
To use a backup code, fill in your login details like you normally would. When asked about the login code enter the backup code instead. Remember: backup codes are only valid for one time each so be careful when using them.