WordPress 2-step Verification: Warning

This is a short & out of character post from me, to complain about the “2-step verification” process I just embarked upon with WordPress, as a warning to anyone else who decides to upgrade their security.

When I logged in to write a post earlier today, I had a notice on my WordPress account saying that I needed to upgrade security and inviting me to set up “2-step” account verification.  I decided to do it, because at my previous work place, the website, hosted on WordPress, was hacked, so I thought it was probably a good idea to upgrade security. Lots of other online accounts now ask for a phone number as a back up in the case of losing your log in so that is nothing new. As with those online accounts, I thought that the “2 steps” would be required in the case of losing my log in or some unusual security breach – not every single time I log in!

However, after you go through the process and enter the security code that is sent to you, it is explained (when it’s too late to back out), that it’s not just providing a phone number for use in the case of needing to verify your account at some stage, the way you do for your eBay account, your Twitter account and a million other accounts. On WordPress, now that I’ve handed over my phone number it appears that I can no longer log in to my account without having my phone close at hand. I discovered this when I  just tried to log in again now, some hours later, and after entering my user name and password as per usual, a new log in screen popped up, asking for the verification, which instantaneously arrived on my phone at the same time.

Now some people may not care about this extra step or what it implies, but I really, really hate this, for 3 reasons.

1. it adds an extra step to logging in, so now just my user name and password are not enough, I have to type another field in before I can log in. That seems a little bit backward to me. Even my bank is happy for me to log in with just a user name and password, so why the Fort Knox-style security around my blog?

2. I’ve been deliberately forced into needing, not one, but 2 devices with me, even if I’m writing my blog on my laptop, which is where I usually write – or even if I want to do a sneaky edit on the computer at work. Why should I have to do that? As a Generation X-er, I am not surgically attached to my phone, but more to the point, I resent being forced by WordPress to have to have my phone activated when I want to write, or read other people’s blogs and comment on them. This feels a lot like Facebook trying to force us to download its new Messenger App onto our smartphone, which will apparently invade our privacy like nobody’s business. (Currently I have resisted, so if you message me on Facebook, you’ll have to wait until I’m at my laptop before I reply.)

3. is my suspicions about the reason for this ridiculously over-the-top “security”. My blog is not quite as high a security risk as the investment account of a major oil company. I am not writing posts about matters of international security, unless eyeballs and moustaches have taken on a significant role in international espionage that I was not aware of. Why is there a requirement for me to have to enter a uniquely generated security code each time I log in to write a post on my personal blog??

Of course, I could try staying logged in to my blog, I guess, it’s just that because I’m a grump when it comes to being manipulated by the software I’m using, I also resent being forced into doing that!

In my thinking, if a program is set up to manipulate you into staying logged in (eg your Google account where it’s soooooo hard to find where to log off!!), it’s so that someone can build a consumer profile on me based on everything I click on or search while I’m logged in. Unlike most people, I still try to remember to log out of most applications when not using them, just to cut down on the amount of targeted advertising, directly related to sites I’ve look at, that pops up in sidebars on websites and serves to remind me that “free” access to websites and open source software comes at a price.

I guess to some extent if I want to use the internet I have to accept that I’m being profiled and that targeted advertising will happen, but I resent WordPress introducing this extra step required to log in, that comes under the pretence of being required for security, makes it more tedious for me, and sounds likely to create a problem if I lose my phone.

So in brief, assuming I’m not the very last person to do so, I suggest that if you are as protective about your privacy as I am, you should consider holding off on upgrading your security to “2-step verification”. I’d genuinely love to hear from WordPress why that is required, and until I do, I remain unconvinced that it IS actually, or only, about security.

I’d also love to hear from any readers with advice about this 2-step verification process. What do you think? Have you found it a pain? Am I being an obstinate old goat by refusing to just stay logged in on my computer and allow Google to track the fact that every third post I write features the word moustaches?

As Goldfish said in a recent post, I’ve always been pretty happy with WordPress, and recommended WordPress to others for blog hosting until recently. Some of the changes they make to functionality are irritating, but this new 2-step security verification is too over the top for me.  I kinda thought WordPress had a community ethos, but suddenly I feel like a pawn in a deliberate information-gathering ploy which is only for the benefit of WordPress – or possibly some other large multinational business partner – but not me. Dislike.



 **Update: (about an hour after writing this post). Yes! Just what I was hoping for  – the lovely Draliman responded almost immediately with advice on how to turn the 2-step verification off – something that I couldn’t find by searching the WordPress Support page or help forums. I knew it would take days to get a response from WordPress if I posted a question on the support page, so in the heat of the moment, I thought I’d try my luck with putting it out to all you lovely readers. For anyone else who doesn’t like 2-step verification, check out Draliman’s comment below to find out how to turn the pesky thing off.  

Leave a comment


  1. I’ve actually been using 2-factor authentication for a while now. It actually hardly ever asks, I guess because I ticked the “keep me logged in” button on the computers I use the most. It makes me feel happier that no-one can get in on another machine – it’s impossible without the one-time code or one of the backup codes.
    I don’t think the Google app (which I use – “Google Authenticator”) has an ulterior motive. I use it for WordPress, GMail and an Amazon cloud thing we use at work (it’s used by a large number of different companies). Of course, I’m used to this extra step as I need security codes from different phone apps for various work stuff. I also need a one-time code if I want to do any banking online which involves moving money or making payments.

    If you want to switch off 2-step auth, hover over the little WP logo top left, select settings, then security. There is a “Disable” button.


    • Thank you Draliman, you are a legend! Part of the reason that I wrote that post was in the hope that some clever reader would have a solution – I’ve now turned the whole silly thing off. And yes, I did first check the WordPress Support page and Forums – as is often the case (on any help forum, not just WordPress) – the search fields bring up a lot of only vaguely related topics and I couldn’t find anything helpful. I couldn’t easily find any information from WordPress about the 2-step verification or the reasoning behind it, and I suspected that if there was any solution to switching it off, it would be quicker to post and see if anyone responded, than ask a question on a forum!

      It’s interesting to hear you didn’t have a problem with it – I was aware that some people would find my reaction a bit over the top. I can understand needing 2-step verification for business banking and I know some banks here in Australia have it for personal banking, but I just don’t see the need for it on a personal blog. But I also resent being forced into having to have 2 devices in operation before I can log in (I never use my phone to write posts). Isn’t that a step backwards in itself? Shouldn’t modern technology be moving in the opposite direction rather than adding the need for more devices, to achieve a simple function like logging into your blog? I’m looking forward to the day when there is a chip implanted in my arm and there are NO devices needed before I can log in! 😉


      • An arm chip would be just the thing, and not too far off, I reckon 🙂

        I think with so many websites getting hacked these days a lot of sites are offering 2-factor auth so that they can say they’ve done all they can. Even if it’s only a blog site, many people will use the same password as that for their bank, so it’s like a back door in.
        Also, of course, we’re responsible for everything on our blog, so if someone steals the password and posts something illegal…

        Still, I’m a worrier (can you tell?)! It is annoying to need the phone as well to log in. Come on, arm chips.


  2. Renard Moreau

     /  August 18, 2014

    [ Smiles ] I have no intentions of using that cumbersome two-step verification.

    If a hacker really wants to hack you they can do it with or without that.

    Great post!


    • Hmm, may as well leave it off then. Apparently though, it’s not as cumbersome as I found it, if you’re happy to be continuously logged in. Which I’m not. Thanks for reading.

      Liked by 1 person

  3. My blog is of no commercial value, and nobody on earth would bother to hack it. (Except the government of China. They’ve hacked Obama’s personal phone five thousand times already.)

    Two-step verification probably is a device by WordPress to limit their liability in case they get sued for a security breach, but there’s a benign side to it, in that people who do have a reason for keeping their blog extra secure have a way to detect hacking attempts on their blog. That’s the real beauty of two-step–whenever _anyone_, including a hacker, tries to get in, even if they get the right password, you get notified on your phone that they did so and can take the appropriate steps. So it’s rather a cool option for people who have something to lose by having their blog hacked. The only thing I could lose is having someone do something illegal on my WordPress account, but, here in Canada, prosecutors would have a very hard time succeeding at the technicalistic argument that I should go to prison because _technically_ it’s my website. We Canadians leave that kind of crap to the imprisonment-maximizing American authorities.


    • Wow, thanks, that is also an interesting piece of information – that “warning” system hadn’t occurred to me. I guess if you had genuine fears of being hacked, it would indeed be worth putting up with the extra step & extra device required. It’s great hearing from others what the pros & cons of the system are. Thanks for reading!

      Liked by 1 person


Blather away!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: