If you’re using WordPress.com, or Jetpack with your WordPress.com account, protect yourself by setting up WordPress Two Step Authentication.
In fact, you should use Two Step Authentication (also known as Two Factor Authentication) for every website that supports it, especially your social media accounts, your Gmail account, financial websites like your bank, and any other website where losing control of your account would be a disaster.
Here’s how it works:
- You set up your WordPress.com account using a strong password or passphrase.
- You tell WordPress.com about another device you control, (usually your smartphone), and use that device to receive a second authentication code.
- You enter this second code after you enter your user name and password.
It’s this second step of entering the second code that dramatically increases the security of your login. It turns out that passwords are pretty easy to guess, especially if you use a computer to help guess it. This is called a “brute force” attack. Because the additional, second code is generated right when you need it, and isn’t saved, there’s no way to guess the code. Also, you presumably control your smartphone, and that’s not something that a hacker on the other side of the planet has easy access to, either.
If you’re using your smartphone as an authentication device — and that’s really the best choice, because you probably carry it with you everywhere — you’ll want to secure your smartphone, too. At the very least, set up a password on your phone, and use Touch ID or Face ID to unlock your phone. If you want to secure your smartphone to the highest degree possible, use only a password to unlock it (not Touch ID or Face ID) and use the longest password you can stand to type in each time you unlock your phone. Also, set up your phone to automatically erase itself if there are too many attempts to unlock it unsuccessfully.
So, your smartphone is secure and you want to use Two Step Authentication. Here’s what you do:
- Install the Google Authenticator app (Apple or Android). If you can’t install or run the Google Authenticator app, you can still use SMS (texts) to receive authentication codes, but this option is not as secure.
- Install the WordPress app (Apple or Android). Once Two-Step Authentication is set up, you can also use the WordPress app to authenticate, without having to type in an additional code.
- Visit the Two Step Authentication settings page for your WordPress.com account. Note that you may need to log in to your WordPress.com account to view this page.
Set up Two-Step Authentication
Once you’ve opened the Two Step Authentication settings page you can set it up using Google Authenticator:
- Click Two-Step Authentication then Get Started]
- Select your Country Code and enter your Phone Number for the mobile device you want to use to authenticate your account.
- Click Verify via App (or, if you can’t use Google Authenticator, click Verify via SMS and follow the instructions below for SMS authentication).
- Open the Google Authenticator app on your phone.
- Tap the “+” symbol and then tap Scan barcode
- Use the barcode scanner to scan the QR code that WordPress.com displays. If this works, Google Authenticator displays a new six-digit code for WordPress.com
- Enter the six-digit code on WordPress.com and click Enable.
Now, WordPress.com will display a list of backup codes and ask you to print them. I prefer to copy them and paste them into the Notes field of my password manager. Either way, save your backup codes! You’ll need them if anything happens to your phone.
Click [All Finished] after you’ve printed your backup codes, or pasted them into your password manager.
If for any reason you didn’t save your backup codes in your password manager, or print them out, it’s not too late!
On the the Two Step Authentication settings page, scroll down and click the [Generate New Backup Codes] and print them or save them in your password manager.
Copy one of the backup codes and paste it into the Type a Backup Code field. Click [Verify].
Use SMS Codes
If you can’t use the Google Authenticator or another app like Authy, you can use SMS (text) authentication instead. When you’re setting up Two-Step Authentication, click Verify via SMS instead of Verify via App. You won’t see the QR code appear. Instead, WordPress.com will ask you to Enter the code you receive via SMS. Once you’ve typed or pasted the code into this field, click [Enable] and follow the same steps (above) to save your backup codes.
What’s the difference with SMS codes?
The biggest risk with using SMS codes instead of an authenticator app (like Google Authenticator) is that SMS (text) messages aren’t encrypted. This means someone could possibly steal your authentication codes when they are sent to your phone. This is highly unlikely, but not impossible. It’s also possible to SIM-swap your phone to redirect your texts to another device. Again, this isn’t common, but it’s not impossible. To prevent SIM swapping, ask your mobile provider to add a PIN to your account.
Also, your mobile provider might block these authentication text messages, because they come from automated systems. If this is the case, you can call your mobile provider’s support line and ask them to allow these types of messages (don’t forget to set up that PIN, too).
Finally, even if your SMS messages aren’t hacked, it can take some time to get the authorization code via SMS. The authenticator apps, on the other hand, display the codes as soon as you open the app. There’s no delay.
Using Two Step Authentication
Once you’ve set it up, using Two Step Authentication to log in to WordPress.com is the same as before, except for one new step: after you type in your username and password, and click Sign In, you’ll be asked to enter the Verification Code, and click Log In. Enter the code you retrieve from your authenticator app, or SMS, depending on which option you selected when you set up Two Step Authentication.
Remember to click the Remember Me checkbox so you won’t have to re-enter a new authentication code every time you log in. But, keep in mind, only the browser you’re using will remember you. If you switch to another browser, or to another device, you’ll have to re-enter a new authentication code.
From WordPress.com Support: