Two Step Authentication
Your WordPress.com site is your home on the internet, and you want to keep that home safe. Hopefully, you’ve already chosen a unique and hard-to-crack password for your account. To add another layer of home security, you can now enable Two Step Authentication, also known as Two-Factor Authentication—a second step to the log-in process that no one but you can access.
Two-factor authentication is a method of securing accounts that requires you not only to know something (your password) but also to possess something (here, your phone). The benefit of this approach is that even someone who guesses or steals your password still has to have stolen your phone in order to break into your account.
At WordPress.com, we offer two-factor authentication via mobile phone. We first verify that you have access to the phone associated with the phone number you specify by sending a code to it, either through the Google Authenticator app or by SMS. Once you’ve verified possession, then any time you log in with your password you are asked for a fresh code from your phone, which you must enter before the login completes. It adds a small extra step to the login process but makes your account much more secure.
Adding two-factor authentication to your account and thus verifying that you have access to the phone also gives us a way to verify WordPress.com account ownership should you ever forget your password and need assistance logging back in.
Setup with Google Authenticator
To set up two-factor authentication via the Google Authenticator application on your phone, you’ll need to start in a desktop browser.
First, go to the Settings page at WordPress.com. If you’re logged into WordPress.com, you’ll find a link under the WordPress logo in the admin bar:
Or, you can reach Settings off of your Gravatar image from the WordPress.com home page:
Next, click the “Security” link in the navigation on the right-hand side of the screen:
Here you’ll be prompted to select your country and to provide your mobile phone number (without country code and spaces or dashes). Click Next Step.
Next, you’ll select your phone type and follow the instructions to get the Google Authenticator app, which will let us verify access to the phone and pair it with your WordPress.com account.
Once you’ve installed the Google Authenticator app, click Verify the code now. A QR code will appear on screen. Open the Google Authenticator app on your phone and add a new entry by scanning that QR code. Treat the QR code like a password: it encodes the secret the app uses to generate your codes, so anyone who photographs or screenshots it can generate them too. A six-digit number will appear in the Google Authenticator app. Enter it in the blank below the QR code on your settings screen.
Next you’ll be prompted to print backup codes. Don’t skip this step, as it’ll be your only way to log back into your account without staff assistance should your phone go missing!
Please Note: If your web browser is set to block pop-up windows, you will need to temporarily disable this feature as it will prevent the window with your backup codes from opening.
Click Next Step.
At this point, your account is enabled for two-factor authentication, and we have your phone number on record for account verification purposes. A follow-up step allows you to confirm that your backup codes work by entering one of the printed codes.
Setup with SMS Codes
If you’re unable to set up two-factor authentication using the Google Authenticator app, you can also set it up to work via SMS messages. To do so, go to your Settings page as described above, but then click “Use Two Step Authentication via SMS.”
On the next screen, click Send SMS. Within a few moments, you should receive a text message that includes a 7-digit number. Enter this number in the blank provided and click Verify Code.
From this point forward, you can print and verify backup codes as documented above. Your account is now protected by two-factor authentication, and we have your mobile phone number on file to assist with any account access issues that may arise in the future.
The login process varies slightly from the usual process once you have two-factor authentication enabled. Regardless of whether you used the Google Authenticator method or the SMS method to enable two-factor authentication, you’ll start by logging in as usual with your username and password.
Next, if you’re using SMS for two-factor authentication, you’ll be prompted to enter the verification code that was sent to your phone. Once you’ve entered it, you’ll be logged in and ready to blog.
If you set up two-factor authentication with the Google Authenticator app, the process is similar. First you must provide a correct username and password, and then you’ll be presented with a form. Open the Google Authenticator app on your phone and provide the six-digit number listed for the account.
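To make concrete what the Google Authenticator steps above actually compute, here is an added example (written for this page; it is not WordPress.com’s code and does not describe their servers) of the two sides of the exchange: the QR code carries a shared secret to the phone as an otpauth:// URI, the app turns that secret plus the current 30-second time step into the six-digit code you see, and the site recomputes the same code to check it. The 30-second step, six digits and HMAC-SHA1 are the Google Authenticator defaults (RFC 6238); the one-step clock-skew window and the replay check in TotpVerifier are design choices of this example, not something the article states.

```python
"""TOTP (RFC 6238) as used by Google Authenticator.

Both the phone and the server hold the same Base32 secret (the phone gets it
from the QR code). Each derives the code from that secret and the current
30-second time step, so no code ever travels over the network at setup time.
Example code for this page, not WordPress.com's implementation.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

TIME_STEP = 30   # seconds per code (Google Authenticator default)
DIGITS = 6       # six-digit codes, as the article describes
WINDOW = 1       # accept one step of clock skew either side (assumption)


def new_secret(nbytes: int = 20) -> str:
    """Fresh random secret, Base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret: str, account: str, issuer: str = "WordPress.com") -> str:
    """The text encoded in the QR code the user scans. Whoever can read this
    URI can generate the user's codes, so it must be treated like a password."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={TIME_STEP}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: str, at: Optional[int] = None) -> str:
    """What the phone displays: HOTP with the counter set to the current step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // TIME_STEP)


class TotpVerifier:
    """Server side. Remembers the newest time step a code was accepted for,
    so a code captured from the user cannot be replayed within its window."""

    def __init__(self, secret: str):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // TIME_STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_used_step:
                continue  # already consumed, or older than a consumed code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print("Scan this:", provisioning_uri(secret, "me@example.com"))
    server = TotpVerifier(secret)
    shown_on_phone = totp(secret)
    print("Phone shows:", shown_on_phone, "accepted:", server.verify(shown_on_phone))
    print("Same code again accepted:", server.verify(shown_on_phone))
```

The hmac.compare_digest call matters even for a six-digit code: comparing with == would let timing leak how many leading digits matched. The replay check is why the article can say a new code is needed for every login: once a step has been consumed, that code is dead even though it is still within the clock-skew window.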
We definitely don’t want access to your WordPress.com account to be totally dependent on your phone or tablet. You’ll still need to be able to log in if the device is lost or stolen, if you’re locked out for any reason, or if your phone needs to be wiped clean (which deletes Google Authenticator and the secret it holds). To make sure you’re never locked out of your blog, you can generate a set of ten one-time-use backup codes. We recommend that you print the backup codes and keep them in a secure place like a wallet or document safe rather than saving them on your computer, where they’d be accessible to anyone using your machine. Generating backup codes is essential. If you ever need to use a backup code, log in like you normally would, and when asked for the login code enter a backup code instead.
At the end of the setup process for Two Step Authentication, you’ll be given the option to generate backup codes:
Just click “Generate Backup Codes,” print the screen containing the codes—don’t save it—and then close the screen.
If you lose your list of backup codes or it’s compromised, you can generate a new set of codes. For added security, this disables every previously generated code, including any you haven’t used yet.
Important Note: You can only generate the backup codes from a desktop browser. For example, Safari on iOS will not display the backup codes. Additionally, if your web browser is set to block pop-up windows, you will need to temporarily disable this feature as it will prevent the window with your backup codes from opening.
There may be some apps that connect to your WordPress.com account that don’t yet fully support Two Step Authentication; the most common are the WordPress mobile apps or Jabber apps used to subscribe to WordPress.com blogs. For these apps, you can generate unique passwords for each (e.g., you can have a different password on your phone and your tablet). This way, your account is secure across all your devices, and if your device ever goes missing, you can disable its password and lock it out of your account to prevent others from accessing your sites.
To generate application-specific passwords, head back to the Security tab of your Settings page and scroll down to “Application Passwords”:
Give the application a name—you’re the only one who will see this name, so call it whatever you’d like—and click “Generate Password.” WordPress.com will create a unique 16-character password that you can copy and paste the next time you log in to your account on that device. The application will remember this password, so you don’t need to.
Your Security page will maintain a list of all the applications for which you’ve generated passwords. If any of your devices are lost or stolen, or you simply wish to revoke access for a particular application, you can visit this page at any time and click “Remove” to disable the password and prevent the app from accessing your account:
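Both backup codes and application passwords let their holder skip the phone step, which is why the article insists on printing codes rather than saving them and on revoking an app password when a device goes missing. The following added example (written for this page, not WordPress.com’s code) shows how a site can hold such bypass credentials safely, covering both the backup-code rules above (ten codes, each valid once, regeneration disabling the old set) and the application-password rules (a 16-character password per named app, listed and removable one at a time). Storing only salted PBKDF2 hashes and the 8-digit backup-code format are design choices of this example; the article does not describe WordPress.com’s storage or code length.

```python
"""Second-factor bypass credentials: one-time backup codes and per-application
passwords. Neither is ever stored in the clear; each is checked in constant
time against a salted hash. Example code for this page, not WordPress.com's.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 60_000  # assumption: slow hash because these are short secrets
APP_PASSWORD_LEN = 16    # as the article states
BACKUP_CODE_COUNT = 10   # as the article states
BACKUP_CODE_LEN = 8      # assumption: digits only, easy to type from paper


def _digest(value: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the clear-text credential is never kept."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, PBKDF2_ROUNDS)


class BackupCodes:
    """Ten one-time codes. Each redeem() consumes one; generate() replaces the
    whole set and, with a fresh salt, makes every old code unverifiable."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._unused: List[bytes] = []

    def generate(self) -> List[str]:
        codes = ["".join(secrets.choice(string.digits) for _ in range(BACKUP_CODE_LEN))
                 for _ in range(BACKUP_CODE_COUNT)]
        self._salt = secrets.token_bytes(16)        # invalidates the previous set
        self._unused = [_digest(c, self._salt) for c in codes]
        return codes                                 # shown once, to be printed

    def redeem(self, code: str) -> bool:
        candidate = _digest(code, self._salt)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, candidate):
                del self._unused[i]                  # one use only
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


class ApplicationPasswords:
    """One random 16-character password per named application. Each can be
    revoked on its own, which is how a lost device is locked out."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._apps: Dict[str, bytes] = {}            # app name -> hash

    def generate(self, app_name: str) -> str:
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(APP_PASSWORD_LEN))
        self._apps[app_name] = _digest(password, self._salt)
        return password                              # shown once, pasted into the app

    def check(self, password: str) -> Optional[str]:
        """Return the name of the app this password belongs to, or None."""
        candidate = _digest(password, self._salt)
        for name, stored in self._apps.items():
            if hmac.compare_digest(stored, candidate):
                return name
        return None

    def revoke(self, app_name: str) -> None:
        self._apps.pop(app_name, None)

    def names(self) -> List[str]:
        return sorted(self._apps)


if __name__ == "__main__":
    codes = BackupCodes()
    printed = codes.generate()
    print("Print these:", printed)
    print("First use:", codes.redeem(printed[0]), "second use:", codes.redeem(printed[0]))
    apps = ApplicationPasswords()
    phone_pw = apps.generate("My phone")
    print("Phone password accepted for:", apps.check(phone_pw))
    apps.revoke("My phone")
    print("After revoke:", apps.check(phone_pw), "remaining apps:", apps.names())
```

Note that check() identifies which application presented the password, so the site can log access per device and so revoking “My phone” never disturbs “My tablet”. An app password grants the same access as a full login, which is the reason to give each device its own rather than reusing one.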
Disabling Two Step Authentication
We don’t recommend disabling Two Step Authentication, as your account becomes much less secure without it, even if you believe your password is very strong. But if you insist, you can disable the feature by going to your Settings again as instructed above.
The Security screen will show that the feature is enabled, and you can click the Disable button. This will prompt you to enter a code to confirm that you still have access to the device you originally used to set two-factor authentication up. If you’re using the Google Authenticator app, open it and provide the code it lists. If you’re using SMS, you’ll be sent a code to use. (This code is different from the code you used to log in to your account. You can also use one of your backup codes for this step.)
Click Disable after entering the code and your account will no longer be protected by Two Step Authentication.
Moving to a New Device
If you are planning on switching to a new device, and you have enabled Two Step Authentication, you will want to be sure to take the following steps to avoid being accidentally locked out of your user account.
If you are using the Google Authenticator app to generate verification codes:
- Print a set of backup codes for your user account by following the backup code steps above. DO NOT SKIP THIS STEP.
- Uninstall Google Authenticator from your old device.
- On your new device, install the Google Authenticator app.
- Disable Two Step Authentication for your old device by following the steps under Disabling Two Step Authentication above.
- Set up your user account to link to your new device by following the steps under Setup with Google Authenticator above.
- If you are prompted to enter a verification code during these steps, use a code from your list of backup codes. Backup codes are “one use” only.
If you are using the WordPress.com mobile app to manage and publish to your blog:
- Create a new application-specific password by following the Application Passwords steps above.
- Enter your new application password when using this app on your new device.
Note: If you are using SMS to receive authentication codes, you will not need to update your settings unless you are also changing to a new phone number. In that case, set up the new number by following the steps under Setup with SMS Codes above before you give up the old one.
If You Lose Your Device
If you lose your device, accidentally remove the authenticator app, or are otherwise locked out of your account, the only way to get back into your account is by using a backup code.
To use a backup code, fill in your login details like you normally would. When asked for the login code, enter the backup code instead. Remember: each backup code is valid only once, so be careful when using them.