Security: Protecting WordPress Site
-
Does wordpress have security settings to enable 2FA verification and passkeys etc. I currently login with password and receive a six digit code to login. Is this method secure. I also heard passkeys are secure as well. The only thing i hate about this is that once I receive the code to my phone I don’t know if its encrypted or not cuz sms messages are usually not encrypted. And I don’t want anybody else having access to the verification code like scammers hackers etc. Is having my phone number connected to my site also secure
But does wordpress.com have security measures already in place to protect your site as well or is security only on us
I just wanna make sure my site is protected 💯. God for bid if my site was to ever get hacked how would I know. I don’t know anything about hacking
The blog I need help with is: (visible only to logged in users)
-
Hey, I hear you—keeping your site and account secure is really important, and it’s great that you’re already using two-step authentication with SMS. Just keep in mind that SMS can sometimes be intercepted (through SIM swapping, phone theft, and similar risks). A stronger and more modern option is using passkeys. While having your phone number connected is useful, it also means that if someone gains access to your phone or SIM, they could receive your codes. And if backup codes aren’t saved (or you lose access to your authenticator device), recovering your account can be difficult.
Here are some options you have on WordPress.com:
- Two-Step Authentication (2FA): Already enabled on your account. Along with SMS codes, you can use an authenticator app (more secure than SMS) or add a passkey/physical security key for the strongest protection.
Learn more:
https://wordpress.com/support/security/two-step-authentication/
https://wordpress.com/support/security/two-step-authentication/security-key-authentication/ - Backup codes: These are one-time codes you can keep somewhere safe. They’re a lifesaver if you lose access to your phone.
- Passkeys / Security Keys: These use your device’s biometrics (like fingerprint or face ID) or a USB key. Unlike SMS, they can’t be intercepted and are resistant to phishing.
Setup guide: https://wordpress.com/support/security/two-step-authentication/security-key-authentication/ - Account & site monitoring: WordPress.com handles server-level security (SSL, automatic updates, and suspicious login monitoring). If anything unusual happens, you’ll get alerts right away.
Signs something might be wrong: You’d notice strange login notifications, changes to your account info you didn’t make, missing content, or unexpected login failures.
You’re already on the right path with 2FA — switching from SMS to a passkey or authenticator app will give you even stronger peace of mind.
If you’d like to discuss these options in more detail, please do let me know. - Two-Step Authentication (2FA): Already enabled on your account. Along with SMS codes, you can use an authenticator app (more secure than SMS) or add a passkey/physical security key for the strongest protection.
-
OK. I heard passkeys are more secure than passwords etc but are there downsides to using passkeys
Is having my phone number connected to my account required? I assume so to revceive verification codes. How can I unlink my phone number to my wordpress account
Does wordpress itself backup and secure your site or is security all on us
- The topic ‘Security: Protecting WordPress Site’ is closed to new replies.
WordPress.com Forums 