Your WordPress.com site is a crucial part of your online identity, and safeguarding it should be a top priority. While you’ve likely already secured your account with a unique and robust password, adding an extra layer of protection is always recommended. This guide will walk you through the process of enabling two-step authentication, significantly enhancing the security of your WordPress.com account.

Understanding Two-Step Authentication

Two-step authentication (also called two-factor authentication, or 2FA) makes an account considerably harder to break into. To log in you must present two distinct factors: something you know (your password) and something you have (typically your mobile phone or a dedicated physical security key). Even if someone learns your password through a data leak or a phishing page, they cannot get in without also holding your trusted device or key.

WordPress.com supports two-step authentication in two primary ways: one-time codes on a mobile device (the method covered in this guide) or a physical security key. Once it is enabled, every login with your password must be completed with a second step: a code generated by your authenticator app, a code sent to your phone by text message, or a tap on your security key. The password alone no longer gets anyone in.

Setting Up Two-Step Authentication

To enable two-step authentication for your WordPress.com account, simply follow the detailed steps outlined below. This process is designed to be user-friendly, guiding you through each stage to secure your account effectively.

  1. Begin by navigating to your profile at https://wordpress.com/me.
  2. On the left-hand menu, select the Security option.
  3. Click on Two-Step Authentication. Here, you will be presented with two distinct setup options: “Set up using an app” and “Set up using SMS.” Both methods are thoroughly explained in the subsequent sections of this guide.
  4. Select your preferred method and click the “Get Started” button to begin the setup.

Using an Authenticator App

Setting up two-step authentication with an app means a dedicated application on your smartphone generates the one-time codes you use to log into your WordPress.com account. The codes are computed locally from a secret the app receives during setup (the QR code) and the current time, so the app works without an internet connection or cellular signal, and no code is ever transmitted to your phone.

  1. First, install a reputable authenticator application on your mobile phone. Popular choices include Google Authenticator and Authy; any app that supports standard time-based one-time codes will work.
  2. Next, open your chosen authenticator app and use it to scan the QR code displayed on the WordPress.com setup screen.
    • If you cannot scan the QR code, click the “Can’t scan the code?” link to reveal a text setup key that you type into the authenticator app instead. This key is the same secret the QR code encodes: treat it like a password, enter it only into the app, and do not save it anywhere else.
  3. A six-digit numerical code will instantly appear within your authenticator app. Carefully type this code into the designated field on the WordPress.com website.
  4. Finally, click the “Enable” button to activate two-step authentication with your app.
  5. Following this, you will be prompted to print your backup codes. It is imperative not to skip this crucial step; these codes serve as your only means of regaining access to your account without requiring assistance from staff, especially if your device is lost, stolen, or inaccessible.
  6. Once you have secured your backup codes, click the “All Finished” button to complete the setup.

With these steps completed, two-step authentication is enabled on your account. As a final check, you will be asked to confirm that your backup codes work by entering one of the printed codes, so you know they are ready if you ever need them.

[Screenshot: Verify backup code]

Using SMS Codes

If you prefer the convenience of receiving login codes directly to your mobile device, setting up two-step authentication via SMS codes is an excellent option. This method delivers a text message containing a unique code to your registered phone number, which you then use to log into your WordPress.com account.

  1. Enter your complete phone number, including the appropriate country code, into the provided field and then click Continue.
  2. Allow a few moments for a text message to arrive on your phone, containing a 7-digit numerical code.
  3. Input this received code precisely into the box provided on the WordPress.com interface.
  4. Click the “Enable” button to activate two-step authentication using SMS.
  5. Similar to the app-based method, you will then be prompted to print backup codes. Under no circumstances should you skip this step; these codes are your critical lifeline for accessing your account if you lose your mobile device or encounter any issues receiving SMS codes.
  6. Finally, click the “All Finished” button to finalize the setup process.

Understanding and Managing Backup Codes

During the process of enabling two-step authentication, you will be provided with a crucial set of **backup codes**. These codes are designed as a fail-safe, allowing you to access your account if you ever lose access to your primary mobile device (due to loss, theft, a device reset, or any other unavailability).

We strongly advise that you print these ten one-time-use backup codes and store them in a highly secure, physical location, such as a wallet, a secure safe, or a document organizer. It is critical not to save these codes on your computer or any digital device, as this could compromise your account’s security if your machine is accessed by unauthorized individuals.

Should you ever need to utilize a backup code, simply proceed with your usual login process. When prompted for a login code, enter one of your unused backup codes instead. Each backup code is valid for a single use only.

If your list of backup codes is lost or compromised, generate a new set from your computer (this cannot be done from your mobile device). Generating a new set immediately invalidates every previously issued code, used or unused, so only the newest set works.

[Screenshot: Generate new backup codes]
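As an added illustration of the two properties described above (each code works exactly once, and generating a new set discards the old one), here is a small Python model of the server side. It is not WordPress.com's implementation; the eight-digit code format, the server-side pepper and all class and function names are assumptions made for the example. The server keeps only keyed fingerprints of the codes, so a leaked table is not directly usable, and the plaintext codes exist only in what is shown to the user for printing.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side pepper, generated here for the example.  In a real
# deployment it lives in a secrets store separate from the database, so a
# leaked fingerprint table cannot be brute-forced offline.
SERVER_PEPPER = secrets.token_bytes(32)

CODE_DIGITS = 8      # assumed length for this example; the real format is the service's choice
CODES_PER_SET = 10   # the guide above says ten codes are issued per set


def _normalize(code: str) -> str:
    """Ignore spaces or dashes a user may type when copying from a printout."""
    return code.replace(" ", "").replace("-", "")


def _fingerprint(code: str) -> bytes:
    """Keyed hash of a code.  Backup codes are short, so an unkeyed hash could be
    brute-forced from a leaked table; keying with the pepper prevents that."""
    return hmac.new(SERVER_PEPPER, _normalize(code).encode(), hashlib.sha256).digest()


@dataclass
class BackupCodeSet:
    """What the server stores: fingerprints only.  A fingerprint is deleted on
    first successful use, which is what makes each code single-use."""
    fingerprints: set[bytes] = field(default_factory=set)

    @classmethod
    def issue(cls) -> tuple[BackupCodeSet, list[str]]:
        """Mint a fresh set.  The plaintext codes are returned exactly once, to be
        shown to the user for printing; the server never keeps them."""
        codes: list[str] = []
        while len(codes) < CODES_PER_SET:
            candidate = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            if candidate not in codes:
                codes.append(candidate)
        return cls({_fingerprint(c) for c in codes}), codes

    def redeem(self, submitted: str) -> bool:
        """Accept a code once: constant-time comparison against every stored
        fingerprint, then remove the match so the code cannot be replayed."""
        fp = _fingerprint(submitted)
        for stored in tuple(self.fingerprints):
            if hmac.compare_digest(stored, fp):
                self.fingerprints.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.fingerprints)


@dataclass
class Account:
    backup_codes: BackupCodeSet | None = None

    def generate_new_backup_codes(self) -> list[str]:
        """Replace the whole set.  Dropping the old object is what invalidates
        every earlier code, whether it was used or not."""
        new_set, codes = BackupCodeSet.issue()
        self.backup_codes = new_set
        return codes

    def login_with_backup_code(self, code: str) -> bool:
        """Second step of login when the user has no device: a backup code stands
        in for the app or SMS code.  Password verification is assumed done."""
        return self.backup_codes is not None and self.backup_codes.redeem(code)
```

Because `redeem` removes the fingerprint before returning, a second submission of the same code fails, and because `generate_new_backup_codes` replaces the set object rather than appending to it, nothing from the previous printout survives. A production system would also rate-limit failed backup-code attempts, since eight digits give far less room than a real password.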

Disabling Two-Step Authentication

We strongly caution against disabling two-step authentication. Doing so significantly reduces your account’s security, even if you believe you have an exceptionally strong password. Two-step authentication provides a vital layer of protection that is difficult to replicate through password strength alone. However, if you must disable this feature, follow these steps:

  1. Navigate to your profile at https://wordpress.com/me.
  2. From the left-hand menu, select the Security option.
  3. Click on Two-Step Authentication.
  4. Locate and click the “Disable Two-Step Authentication” button.
  5. When prompted, you will need to enter a verification code to confirm that you still have authorized access to the device you initially used for setting up two-step authentication:
    • If you are using an authenticator app, open it and provide the current code displayed.
    • If you are using SMS, a code will be sent to your registered phone number via text message.
    • If you are unable to access your device, you may use one of your backup codes.
  6. After successfully entering the code, click “Disable,” and your account will no longer benefit from the enhanced security of two-step authentication.
⚠️ A security key cannot be used to disable two-step authentication. This action can only be completed using a code received via SMS, your authenticator app, or a valid backup code.

Moving to a New Device

If you plan to switch to a new mobile device while two-step authentication is active on your account, it’s crucial to follow specific procedures to prevent being inadvertently locked out. Careful preparation ensures a smooth transition.

If you receive your codes by SMS, you generally do not need to change anything when switching phones unless your phone number also changes. If it does, set up the new number on your account (including as your recovery number) before you deactivate or disconnect the old one, so that codes keep reaching you.

If you utilize an authenticator app to generate your verification codes, follow these precise steps to transition to a new device:

  1. Print a fresh set of backup codes for your account first; they are your way back in if anything goes wrong mid-switch.
  2. Install your preferred authenticator app on the new device.
  3. Disable two-step authentication on your account (see Disabling Two-Step Authentication above); this unlinks the old device.
  4. Enable two-step authentication again and link the new device by scanning the new QR code with the app on it.
  5. If you are asked for a verification code at any point, use one of the unused codes from the list you just printed.
  6. Once the new device is linked and verified, remove the WordPress.com entry from the app on the old device (or uninstall the app there).

If you use the Jetpack mobile app to manage and publish to your site, one more step is needed: disabling two-step authentication also removes the application passwords issued for your account, so the one the Jetpack app was using will no longer work.

  1. Generate a new application-specific password. These passwords provide secure access for third-party applications without exposing your main account password.
  2. Enter this new application password when configuring or logging into the Jetpack app on your new device.

If You Lose Your Device

Losing your device, a security key, accidentally removing your authenticator app, or any other situation that prevents you from accessing your primary authentication method can be concerning. In such critical moments, the only reliable way to regain access to your account is by using a backup code.

To use a backup code, simply proceed with your standard login details. When the system requests a login code, input one of your unique backup codes instead. It is crucial to remember that each backup code is designed for a single, one-time use. Therefore, exercise caution when using them and promptly generate a new set of codes if you find yourself running low.

If you have neither your device nor your backup codes, contact WordPress.com support. You will be asked to go through an ownership verification process before access to the account is restored.

Troubleshooting: If You Don’t Receive an SMS Code

If you are encountering difficulties receiving the text message notification with the required code to log into your WordPress.com account, please try the following troubleshooting steps to resolve the issue:

  1. Utilize a Backup Code: The quickest solution is often to enter one of the backup codes that you received and ideally printed when you initially set up two-step authentication.
  2. Check Your Signal Strength: Ensure your mobile phone has a strong and stable cellular signal. If the signal is weak or inconsistent, try moving to a different location with better network reception.
  3. Be Patient for Delays: Occasionally, SMS message delivery can experience delays due to network congestion or other issues. Waiting a few minutes and then attempting to log in again can often resolve the problem.
  4. Disable “Do Not Disturb” Mode: Verify that “Do Not Disturb” mode, airplane mode, or any other settings that might suppress or block incoming notifications are currently disabled on your phone.
  5. Restart Your Phone: A simple reboot of your phone can often refresh its connection to the cellular network and clear any temporary software glitches that might be preventing SMS delivery.
  6. Verify Your Phone Number: Double-check to ensure that the correct and current phone number is accurately associated with your WordPress.com account.
  7. Check for Message Filtering or Blocking: Some SMS services or third-party messaging apps include features that filter or block messages from unknown or unverified senders. Confirm that messages containing login codes are not being inadvertently blocked by these settings.