This notice relates to our customers hosted on WordPress.com VIP. VIP Go sites are not affected.
Keeping your sites secure is one of our top priorities. One of the ways bad actors attempt to compromise sites is to use the credentials of privileged users that may have had passwords leaked as part of a hack on another service.
Using unique passwords is one way to protect against this, but another is two-factor authentication (2FA). 2FA helps to verify that the person attempting to log in is the actual user, and not an attacker.
To help you protect your sites from this type of attack, we’re introducing a policy of forced 2FA for all users with the ability to publish on WordPress.com VIP.
From 6th March any newly created users on a VIP site will be required to have two-factor authentication enabled in order to publish.
From 7th April all users with the ability to publish on a VIP site will be required to have two-factor authentication enabled.
The change means that users without 2FA enabled will see a “Two Step Authentication is required to publish to this site” notice at the top of their admin screens.
For these users, instead of a Publish button, they will only see a “Submit for Review” button.
Any users requiring the ability to publish should follow the instructions to enable two-factor authentication on their account.
Some users have asked about options for two-factor authentication without the use of a mobile device. Authy offers desktop applications that could be used in conjunction with our support for using an authenticator app. You may also be able to set up SMS delivery of two-factor codes via VoIP services like Google Voice or Skype, though delivery may not be reliable in all areas and should be tested thoroughly before relying on it.
If you have any questions about this policy, please open a support ticket and we’ll be happy to help.