Menu

Security, Squared: Introducing Two Step Authentication

We all build our blogs to be accessible and inviting, but we also want to make sure that our account…

We all build our blogs to be accessible and inviting, but we also want to make sure that our account and the information it contains are safe and secure. All WordPress.com blogs are already password-protected (if you’re not sure your password is strong enough, here are some tips). Now, with the introduction of Two Step Authentication, your account can become virtually impenetrable.

Why the extra step?

If an unauthorized person gains access to your account, the damage can be severe: your blog can be deleted, your posts modified or defaced, and whatever personal information your account contains becomes vulnerable. While it’s extremely difficult to crack a robust password, it’s not impossible.

Enter Two Step Authentication, an optional added layer of security. Once activated, you will log in to WordPress.com using not only your password, but also a randomly generated code. This code is highly time-sensitive, valid for thirty seconds only — this way, it’s all but impossible to guess. Imagine a basketball player trying to score a cross-court shot while blindfolded. Now imagine the same player trying to make the same shot, only with a basket that is constantly and rapidly moving: that’s the advantage Two Step Authentication gives your account security.

Activating Two Step Authentication

Taking advantage of this increased security feature is easy and straightforward: the only thing you need, other than a WordPress.com account and password, is a cell phone (no memorization required!). If you have a camera-equipped smartphone (an iPhone, Android, or BlackBerry), you will need to download the Google Authenticator app, which will provide you with the changing code. If you don’t have a smartphone, you can still use Two Step Authentication: the codes will be sent to you via SMS.

First, activate Two Step Authentication in your WordPress.com account. Hover on the WordPress.com logo at the top left corner of your screen and click on Settings. Now, click on the Security tab and enable Two Step Authentication. A setup wizard will guide you through the necessary steps.

2step

Even if you don’t have a smartphone, the wizard will help you activate Two Step Authentication via SMS: just click on the link at the bottom of the box.

Two Step Authentication in action

Once activated, each time you log in to WordPress.com you will be asked to enter the code generated by your smartphone app or sent to you via SMS. enterverificationcode

We must stress two points before you activate Two Step Authentication:

  • Keep the Google Authenticator app on your phone. It’s important to keep the Google Authenticator app on your phone, since it is the app that generates the code required to log in. Deleting the app can lock you out of your WordPress.com account.
  • Print out backup codes. It’s crucial to understand that you will no longer be able to log in to WordPress.com without a code once you activate Two Step Authentication. It’s therefore essential that you follow the setup wizard’s instructions to generate and print out a set of backup codes. Once you’ve printed those out, keep them in a safe place. A backup code will allow you to access your account in the event that your phone is lost, stolen, or in case you’ve mistakenly deleted Google Authenticator from your phone. Without a backup code you risk locking yourself out of your account.

That’s it: with these few short steps your account is now considerably safer. Time to blog!

For additional details on Two Step Authentication, please visit the related support page.

Show Comments

32 Comments

Comments are closed.

Close Comments

Comments

    1. Not 100% sure, but — It looks like it can be verified via SMS if you don’t have a smart phone. And if you don’t have a phone at all, I imagine you could send it to a computer-text service if you get a number at a place like textnow.com.

      Like

    2. Hi Seeker, I’m happy to report you don’t need to have an iPhone (or a smartphone of any kind) to activate Two Step Authentication, as it can work via SMS as well, as mentioned in the post above. You can choose that option once you’ve started the setup wizard (it’s at the bottom of the box – check out the screenshot above).

      Like

  1. I step up the authentication option and really liked the added security. Then I kept reading on the forum about how other users were being locked out because of lost phones, or back-up codes not working, and other difficulties. I kept my app, but disabled the feature on my blog. I may set it up again in the future, once some of these issues are ironed out.

    Like

    1. Hi Tara R., there really isn’t any issue that should stop you from using this feature you’d already enjoyed – as long as you have your backup codes in case your phone is lost or stolen, you’re good to go!

      Like

    1. Happily, not that many. Which is precisely why this is not required. For those who want just an extra bit of peace of mind, though, it is an option worth considering.

      Like

  2. I set it up on my iPhone, and then I immediately got messages that I had “exceeded log-in limit”. I could no longer get into my WordPress account. It kept telling me to come back later. I disabled two-step authentication, and I got back in right away. It’s my blog. I don’t want a feature that tells me I can’t access it and to come back another time. Maybe I will try it again some day.

    Like

    1. Hi Dflorack, I’m sorry to hear your experience with Two Step Authentication didn’t go as smoothly as it should. If you choose to try it again and for some reason encounter an issue, don’t hesitate to ask for support.

      Like

  3. ah; i haven’t had a telephone in a dozen years, so this option will not work for me, will it?!!! sounds like a great option, since last year i did have someone find their way into my account and delete some posts AND empty the trash.

    from a rural area in ecuador, z

    Like

    1. Hi Playamart, I’m afraid a mobile phone — regular or smartphone — is required for Two Step Authentication at this point. I’m sorry to hear about your experience last year — I hope you found the password tips helpful.

      Like

  4. I do not have a texting package on my cell phone. My cell phone is as an emergency tool for AAA or 911 calls on the road. I won’t base any form of securitysecurity on a cell phone. It’s stupid, sorry. It’s transient, fragile, easily stolen, frequently lost, broken and changed. That’s not security — that’s a bandaid over an open sore.

    YOU need to find ways to protect against hackers … like encrypting YOUR servers which are at greatest risk, not my home computer. If I were to lose my blog, I would be upset, for sure … but the odds of my being personally targeted are far smaller than the odds of WordPress getting hacked — as it has in the past. Making life more complicated for users is not going to deal with the underlying vulnerability of your own infrastructure. Before you make my life more expensive and complex, please address the real issues of vulnerability on own equipment, services, and system.

    Like

    1. Well, they do have backups — if you run and download them on your own computer if you’re feeling more secure about your own computer and concerned about hacking.

      I’m sure services like this are for the many travelers and open-access computer users on WP. They’re logged in so many places on so many computers that their phone may be, if not a safe space, then at least a nice double check. That’s probably why it’s optional. Homebodies like me don’t need it.

      Like

    2. Hi Teepee12 — you’re absolutely right that the responsibility of keeping WordPress.com safe from attack is ours. We take that responsibility extremely seriously. I want to stress that the extra step described in this post does not (in any way) take away from this responsibility. It does let users who feel so inclined an extra measure of safety on their end of things.

      As Rarasaur mentioned here, it might make more sense for some types of users than for others, which is why it’s an optional feature (the other reason is that it requires a mobile phone, so it isn’t suitable for those lucky people who manage to survive without one…).

      Like

      1. Ok, but don’t try to log into my account before I change my password. Give me like, ten minutes and then you can try.

        Wait, what about “password”? What’s the security strength on that one?

        Like

      2. I have just put my bank account number and pin on my blog so where ever I am I can just go to the post and get it but don’t tell anyone please

        Like

  5. i am a little confused about the thirty seconds. i live in the Philippines and it can take hours for a text message to get through. this doesn’t sound as if it will work for me.

    Like

  6. Passwords are the bane of my internet life. I can definitely see me locking myself out of my blog on this one. Especially since it is timed. I used to get stomach aches when we had timed tests in arithmetic class! But it’s a good thing to provide it, as well as a reminder that I should probably back up my writing…

    Like

  7. For several months I’ve been posting comments on The Atheist Experience Freethought blog when for some reason my comments were blocked due to “possible imposter detected”. I emailed this blogsite and was told the problem might be with wordpress. They were otherwise at a loss to explain why this was happening, as am i. This happened after i attempted to download my profile picture. I barely know what’s going on with my comp. at the best of times. i need this resolved, or i’m forever blocked from this site

    Like

  8. So my problem is when it ask for the code on my phone jumping out and over to the code by the time I get back and type it in it has expired. I am dyslexic with numbers so it has been frustrating and is there a way to uninstall the two step- security as I was just getting comfortable using the mobile app. I can use the reader and see comments but cannot reply as 30 seconds I lack the ninja skills of getting the code and typing it in. I like the idea of the security but I am frustrated. Tips or tricks? Help

    Like