Configuring Two-Factor Authentication

Enabling two-factor authentication (2FA) protects your WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ account from unauthorized access. This guide will show you how to set it up using either a security key or a time-based one-time password (TOTP) and how to print backup codes.

Set up a security key

Security keys utilize biometrics, digital cryptography, or hardware keys to provide an additional layer of security when logging into your WordPress.org account. They’re more secure than the one-time passwords found in many apps because security keys aren’t vulnerable to phishing attacks. Some popular examples are Passkeys and Yubikey devices.

  1. While logged in, visit your profile at https://profiles.wordpress.org/me/profile/edit/.
  2. Click on the Account & Security tab.
  3. Click Two-Factor Security Key
  4. Click Register new key
  5. Input a key name in the Name field and click Register.
  6. Follow the steps specific to your browser to add your security key.

If you want to log in from different devices, it’s a good idea to set up multiple security keys.

Top ↑

Set up a time-based one-time password (TOTP)

Time-Based One-Time Passwords (TOTP) are temporary codes generated by an authentication app installed on your mobile device. These codes change every 30 seconds and are used alongside your password to verify your identity during login. Ensure you have an authentication app installed before starting your TOTP setup. Popular ones include Google Authenticator and Microsoft Authenticator.

  1. While logged in, visit your profile at https://profiles.wordpress.org/me/profile/edit/.
  2. Click on the Account & Security tab.
  3. Click Two-Factor App.
  4. Scan the QR code with your authenticator app.
    1. If you cannot scan the QR code, click the “Can’t scan the QR code?” link to get a one-time code to enter into your authenticator app.
  5. A six-digit number code will appear in your authenticator app. Type the code in the field provided.
  6. Click Enable.

Top ↑

Generate backup codes

Backup codes are one-time-use codes that you can use when you don’t have access to the second-factor security key or app you have configured. Whether you are using security keys or a Time-Based One-Time password, make sure you generate and print backup codes. 

  1. While logged in, visit your profile at https://profiles.wordpress.org/me/profile/edit/.
  2. Click on the Account & Security tab.
  3. Click Two-Factor Backup Codes.
  4. Ten backup codes will be generated.
  5. Print, copy, or save the backup codes.
  6. Click I have printed or saved these codes checkbox.
  7. Click All Finished.

It’s important to note that losing your primary key or device and not having a backup code could permanently prevent you from accessing your account. Keep them safe!

Top ↑

Trouble accessing your two-factor authentication methods

If you lose your device or security key, accidentally remove the authenticator app, or are otherwise locked out of your account, you can regain access by using a backup code.

To use a backup code, enter your login details as usual. When prompted for your security key or authentication app code, click Use a recovery code and enter the backup code instead. Please note that backup codes are single-use only. Be mindful when utilizing them, and generate new codes if you are running low.

If you do not have access to your device or backup codes, email forum-password-resets@wordpress.org for support.

Last updated: