Two-step authentication is an added level of security you can set up to keep your WordPress.com account safe. In this guide you will learn how to enable two-step authentication for your account.
Two-step authentication is a method that enhances the security of your online accounts. It requires you to know something (your password) and to possess something (your mobile device or a physical security key) to log in. This approach ensures that even if someone discovers your password, they cannot access your account without also having access to your mobile device or physical security key.
Using two-step authentication significantly increases your account’s security. Once you set it up, WordPress.com will send a new code to your device each time you log in with your password. You must input this code before gaining access to your account. This additional step in the login process helps protect your account from unauthorized access.
Follow these steps to enable two-step authentication on your WordPress.com account:
- Log into WordPress.com and hover over your profile icon in the top-right of your dashboard.
- Click the “My WordPress.com Account” button to visit your account profile.
- On the left side, select the Security menu option.

- Click Two-Step Authentication, where you can choose between “Set up using an app” and “Set up using SMS.”
- Click the option you want to set up.

If you set up two-step authentication using an app, you will use an authenticator app on your phone to get a code to log in to your WordPress.com account.
- Download an authenticator application to your phone. Common options include Google Authenticator and Authy.
- In Security → Two-Step Authentication in your WordPress.com account, click “Set up using an app”.
- Scan the QR code with your authenticator app, or enter the one-time code in your app.

- A six-digit code will appear in your authenticator app. Type the code in the field provided on the two-step authentication screen.
- Click the Enable button.
- Next, you’ll be prompted to print backup codes. Don’t skip this step; it’ll be your only way to log back into your account without staff assistance if you lose your device!
- Click the “All Finished” button.
At this point, your account is enabled for two-step authentication.
If you set up two-step authentication using SMS codes, you will receive a text message on your phone with a code to log in to your WordPress.com account.
- In Security → Two-Step Authentication in your WordPress.com account, click “Set up using SMS”.
- Enter your phone number (including the country code) and click Continue.
- Wait a few moments to receive a text message with a 7-digit number.
- Enter this number in the box provided on the two-step authentication page.

- Click the Enable button.
- Next, you’ll be prompted to print backup codes. Don’t skip this step; it’ll be your only way to log back into your account without staff assistance if you lose your device!
- Click the “All Finished” button.
While enabling two-step authentication, you’ll be given a set of backup codes to use if you lose access to your mobile device (for example, if it’s lost, stolen, locked, or wiped clean).

You have the option to copy to clipboard, print, or download the backup codes using the icons at the bottom of the list. Store them in a safe place like a wallet, document safe, or secure password application. Don’t save them on your computer since they would be accessible to anyone using your machine.
If you ever need to use a backup code, log in like you usually would, and when asked for a login code, enter one of your backup codes.
If you lose your list of backup codes or it’s compromised, you can generate a new set of codes from your computer (not from your mobile).
Follow these steps to generate new backup codes:
- Log into WordPress.com and hover over your profile icon in the top-right of your dashboard.
- Click the “My WordPress.com Account” button to visit your account profile.
- Navigate to Security → Two-Step Backup Codes.
- Under the Backup codes section, click the “Generate new backup codes” button.
- Download and store your new backup codes in a secure location.
For added security, generating new backup codes will disable any previously generated codes.
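The two backup-code rules described in this guide (each code works once, and generating a new set disables the old one) can be modelled as follows. This is an added sketch of one way a service could implement them, not WordPress.com's code; the class name, the set size of 10, the 8-digit format and the keyed-hash storage are all assumptions of the example.

```python
import hashlib
import hmac
import secrets


class BackupCodes:
    """Hypothetical per-account backup-code store (illustrative only)."""

    def __init__(self, count: int = 10, digits: int = 8):  # assumed sizes
        self.count = count
        self.digits = digits
        # Server-side key: stored digests are useless without it, which
        # matters because short numeric codes are easy to brute-force.
        self._key = secrets.token_bytes(32)
        self._digests: set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        normalized = code.replace(" ", "").encode()
        return hmac.new(self._key, normalized, hashlib.sha256).digest()

    def generate(self) -> list[str]:
        """Issue a fresh set; replacing the stored digests kills old codes."""
        codes: list[str] = []
        while len(codes) < self.count:
            code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
            if code not in codes:  # keep the set free of duplicates
                codes.append(code)
        self._digests = {self._digest(c) for c in codes}
        return codes  # shown to the user once; only digests are kept

    def redeem(self, code: str) -> bool:
        """Accept a code at most once, comparing in constant time."""
        candidate = self._digest(code)
        match = None
        for stored in self._digests:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._digests.discard(match)  # single use: burn it on success
        return True

    def remaining(self) -> int:
        return len(self._digests)
```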

We don’t recommend disabling two-step authentication, as your account is much less secure without it, even if you believe your password is strong. But if you insist, you can disable the feature by taking the following steps:
- Log into WordPress.com and hover over your profile icon in the top-right of your dashboard.
- Click the “My WordPress.com Account” button to visit your account profile.
- On the left side, select the Security menu option.
- Click Two-Step Authentication.
- Click the “Disable Two-Step Authentication” button.
- When prompted, enter a code to confirm that you still have access to the device you initially used to set up two-step authentication:
  - If you’re using an authenticator app, open it and provide the code it lists.
  - If you’re using SMS, you’ll be sent a code via text message.
  - If you cannot access your device, enter one of your backup codes.
- Click “Disable” after entering the code, and your account will no longer be protected by two-step authentication.
A security key cannot be used to disable two-step authentication – this can only be done using a code received via SMS, your authenticator app, or a backup code.
If you intend to switch to a new device and have enabled two-step authentication, take the following steps to avoid being accidentally locked out of your user account.
If you are using SMS to receive authentication codes, you will not need to update your settings unless you also change to a new phone number. In that case, you will want to set up a new recovery number before disconnecting your old SMS number.
If you are using an authenticator app to generate verification codes:
- Print backup codes for your account.
- On your new device, install the authenticator app.
- Disable the two-step authentication link with your old device.
- Link your new device.
- If prompted to enter your verification code, use an unused code from your list of backup codes.
- You can now uninstall the authenticator app from your old device.
If you are using the Jetpack mobile app to manage and publish to your site:
- Create a new application-specific password.
- Enter your new application password when using this app on your new device.
If you lose your device or security key, accidentally remove the authenticator app, or are otherwise locked out of your account, the only way to get back into your account is by using a backup code.
To use a backup code, follow these steps:
- Fill in your login details like you normally would.
- When asked about the login code, enter the backup code instead.
Remember: each backup code is valid only once, so be careful when using them and generate new codes if you are close to running out.
If you do not have access to your device or backup codes, follow these steps to contact us for help with recovering your account.
If you’re having trouble receiving the text message notification with the code to log into your WordPress.com account, try the following troubleshooting steps:
- Use a backup code: Enter one of the backup codes you received when setting up two-step authentication.
- Check signal strength: Ensure your phone has a strong cellular signal. If the signal is weak or inconsistent, try moving to a location with better reception.
- Wait for delays: Sometimes, SMS delivery is delayed due to network issues. Waiting a few minutes and trying again can help.
- Disable “Do Not Disturb” mode: Ensure “Do Not Disturb” or other settings like flight mode that might block notifications are disabled.
- Restart the phone: Rebooting the phone can refresh its connection to the network and resolve any temporary glitches.
- Verify phone number: Double-check that the correct phone number is associated with your account.
- Check for message filtering or blocking: Some SMS services or apps might filter or block messages from unknown senders. Make sure the login code messages are not being blocked by these settings.