Using the same log-in credentials you use for WordPress.com, you can help safeguard your site against registered users using weak passwords, accidental sharing of user account credentials, and malicious disclosure or leaks of admin passwords.
The benefits of activating Jetpack’s WordPress.com Secure Sign On
- Large User Base: Join millions of WordPress.com users and make it easier for them to explore your site.
- Compatibility: Works alongside your existing sign-in system. Once connected, users have an account on your site.
- Respects Settings: Adheres to your site’s registration settings in your WP Admin settings at Settings → General. If new user registrations are disabled, existing users who use Secure Sign On can still log in.
- Trusted Credentials: Users can log in with the same credentials they use for WordPress.com, simplifying account management.
How to activate Secure Sign On
- Go to Jetpack → Settings → Security in your Jetpack settings.
- Toggle on the Allow users to log in to this site using WordPress.com accounts setting.
Once you’ve activated this feature, all authentication requests for your user account use your site’s link to WordPress.com via Jetpack.
Matching accounts by email
If a user on your site uses the same email address on WordPress.com as they do on their account in your WP Admin (their “local” account), our Secure Sign On feature can automatically link these accounts, enabling them to log into your site using their WordPress.com credentials.
By default, automatic account matching is deactivated. To activate automatic account matching, toggle on the Match accounts using email address option under Jetpack → Settings → Security in your Jetpack settings.
If a user tries to sign in with WordPress.com credentials, but they have no linked “local” account in your site’s WP Admin, they will be unable to log in. They will see a “We couldn’t find your account” error message, which prompts them to connect their local account to WordPress.com. They can do this via Jetpack at Jetpack → Dashboard in WP Admin.
Requiring Two-Step Authentication in Secure Sign On
To enhance the security of Secure Sign On, you can choose to force Two-Step Authentication when users log in using their WordPress.com credentials. To do so, toggle the Require accounts to use WordPress.com Two-Step Authentication setting.
This setting only requires Two-Step Authentication for users who log in with their WordPress.com credentials. Unless you disable your default WP Admin login form, a user could still log into your site that way, bypassing Two-Step Authentication. To enforce Two-Step Authentication for your site, you would also need to bypass the default WP Admin login screen using the jetpack_remove_login_form filter described below, under Disable Default Login Form.
Inviting your users to use Secure Sign On
You can invite your registered users to use Secure Sign On from within your Users list in WP Admin. Under the SSO Status column in your user list, find the Send Invite link.
Additional customizations for Secure Sign On
Secure Sign On is designed to work “out of the box” with little to no configuration. But, for users that would like to further customize Secure Sign On, the filters provided below might be useful. To use these filters, you can add any of the following snippets of code to your theme’s functions.php file, or to a functionality plugin.
As a note, you can mix and match these filters to get the desired functionality that you need.
It is not within our scope of support to be able to assist with implementing these customizations beyond providing them here in our documentation. We also recommend backing up your site before tinkering with your site’s code.
New User Override
- Allows users to register with WordPress.com credentials, even if standard WordPress registrations are disabled.
add_filter( 'jetpack_sso_new_user_override', '__return_true' );
Bypass Default Login Form
- This code redirects all users to the WordPress.com Secure Sign On page, bypassing the standard WP Admin login screen.
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
Disable Default Login Form
- This filter completely disables the default WP Admin login form, forcing users to log in using WordPress.com credentials.
add_filter( 'jetpack_remove_login_form', '__return_true' );
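The following is an added example, not code from the Jetpack documentation or project: a small functionality plugin that applies the Disable Default Login Form and Bypass Default Login Form filters together, so the Two-Step Authentication requirement cannot be sidestepped through the local form. The constant EXAMPLE_SSO_BREAK_GLASS and the function name are hypothetical; the constant is an assumed emergency switch you would set in wp-config.php if WordPress.com sign-in became unavailable.

```php
<?php
/**
 * Plugin Name: SSO-only login (added example)
 * Description: Closes the local login form around Secure Sign On, with an emergency switch.
 */

// Hypothetical constant (not part of Jetpack). Define it as true in wp-config.php
// to get the default WP Admin login form back during an outage or lockout.
if ( ! defined( 'EXAMPLE_SSO_BREAK_GLASS' ) ) {
	define( 'EXAMPLE_SSO_BREAK_GLASS', false );
}

/**
 * Decide whether the default login form is disabled and bypassed.
 *
 * @param bool $current Value passed in by Jetpack or an earlier callback.
 * @return bool True to force WordPress.com sign-in, false to keep the local form.
 */
function example_sso_only_login( $current ) {
	if ( EXAMPLE_SSO_BREAK_GLASS ) {
		return false; // Emergency: keep the local form reachable.
	}
	return true;
}

// Disable the default WP Admin login form ...
add_filter( 'jetpack_remove_login_form', 'example_sso_only_login' );
// ... and redirect users to the WordPress.com Secure Sign On page.
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', 'example_sso_only_login' );

// Remind administrators while the emergency switch is on, so it is not left enabled.
add_action(
	'admin_notices',
	function () {
		if ( EXAMPLE_SSO_BREAK_GLASS && current_user_can( 'manage_options' ) ) {
			echo '<div class="notice notice-warning"><p>';
			echo esc_html( 'The default login form is re-enabled; users can log in without Two-Step Authentication.' );
			echo '</p></div>';
		}
	}
);
```

Combine this with the Require accounts to use WordPress.com Two-Step Authentication setting; the filters on their own only remove the local form.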
Privacy Information
WordPress.com Secure Sign On is deactivated by default. You activate/deactivate it from your WP Admin. To do so:
- Go to Jetpack → Settings.
- Click the Security tab.
- Toggle the Allow users to log in to this site using WordPress.com accounts setting in the WordPress.com login section.
More information about the data usage on your site
| | Site Owners / Users | Site Visitors |
|---|---|---|
| Data Used | This feature requires the usage of the following pieces of data relating to users logging in via this method: user ID (local and WordPress.com), role (e.g. administrator), email address, username and display name. The following pieces of data relating to the site are also used: WordPress.com-connected site ID, Jetpack active/inactive status, Jetpack version, locale/language, title, URL, and icon. Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code. | None. |
| Activity Tracked | We track when, and by which user, the feature is activated and deactivated. Additionally, the following usage events are recorded: starting the login process, completing the login process, failing the login process, successfully being redirected after login, and failing to be redirected after login. Several functionality cookies are also set, and these are detailed explicitly in our Cookie documentation. | None. |
| Data Synced | We sync options that identify whether or not the feature is activated and how its available settings are configured. We also sync the user ID and role of any user who successfully signed in via this feature. | None. |