Chris Wiegman

Securing Your WordPress Logins with Jetpack and WordPress.com

Logins are often a weak point for WordPress sites. From weak passwords to a lack of good 2-factor authentication, many people just don’t seem to take login security seriously. On top of that, even for site owners who do their best to lock down their user accounts, it can often be trivial to get into the system through the login page by exploiting various weaknesses, using dictionary attacks and other techniques.

Given the weaknesses of the login page for small sites, why bother using it at all? Why not simply rely on a trusted service such as WordPress.com to authenticate your users for you? We do this all the time with other services we rely on, logging in with our Facebook or Google accounts rather than providing our own user name and password. Why not do it for your site too?

If You’re a Jetpack User, Secure Sign On Is Built In

Yep, that’s right: if you’re already a Jetpack user you can offload site logins to WordPress.com, either by allowing people to use it as an extra login or, more securely, by forcing users to log in with their WordPress.com account. This means you’re no longer responsible for authenticating your own users and, as long as they have a WordPress.com account, you can make it available to them with a single option and even require their accounts to use 2-factor authentication.

First, make sure each of your users has an account on WordPress.com, preferably with the same email address as their local account.

To make Secure Sign On available via Jetpack, navigate to Jetpack -> Settings -> Security and turn on Allow users to log into this site using WordPress.com accounts (see the screenshot below). You can also set options to automatically match accounts by email address and/or require users to enable two-factor authentication on their WordPress.com accounts. For security I would highly recommend turning on this last option.

Go to your Jetpack Security settings and turn on WordPress.com logins and their associated options.

Redirecting Your Login Page to WordPress.com

Turning on Secure Sign On with Jetpack is the first step. To be even more secure we need to redirect our login pages to WordPress.com, bypassing local login entirely. To completely disable your local login page you’ll need to add two lines of code to your theme’s functions.php file:

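    // Skip the local login screen and forward visitors straight to WordPress.com.
    add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
    // Remove the local username/password form from the login page.
    add_filter( 'jetpack_remove_login_form', '__return_true' );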

Note: there are other options you can set in your functions.php file. For a full list of options see Jetpack’s support page.

Save your functions.php file, log out of your site and try to log in again. You should no longer see your own WordPress login page; instead you should be taken to a WordPress.com login page. Once you log into WordPress.com you should be automatically taken back to the dashboard of your own site. Congratulations, your site logins are now much more secure.
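To confirm the result without a browser, the following added example (not part of the original post or of Jetpack) requests wp-login.php without following redirects and reports whether the site hands the login off to WordPress.com or still serves its own password form. The function names and the sample responses are assumptions constructed for illustration.

```python
"""Added example: check that wp-login.php hands logins off to WordPress.com."""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# The stock WordPress login form posts the password in a field named "pwd".
LOCAL_FORM = re.compile(r'<input[^>]+name=["\']pwd["\']', re.I)

# Constructed sample responses: (status, Location header, body).
SAMPLES = {
    "forwarded": (302, "https://wordpress.com/wp-login.php?action=jetpack-sso", ""),
    "lookalike": (302, "https://wordpress.com.evil.example/login", ""),
    "local": (200, None, '<input type="password" name="pwd" id="user_pass">'),
}


def classify_login_response(status, location, body):
    """Return 'sso-redirect', 'local-form' or 'unknown' for one HTTP response."""
    if status in (301, 302, 303, 307, 308) and location:
        host = (urlparse(location).hostname or "").lower()
        # Accept the exact host or a true subdomain, never a look-alike suffix.
        if host == "wordpress.com" or host.endswith(".wordpress.com"):
            return "sso-redirect"
        return "unknown"
    if status == 200 and LOCAL_FORM.search(body or ""):
        return "local-form"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx response instead of following it


def check_site(base_url, timeout=10):
    """Fetch <base_url>/wp-login.php once and classify what comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(base_url.rstrip("/") + "/wp-login.php", timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:  # an unfollowed 3xx is raised as an error
        resp, status = err, err.code
    body = resp.read(65536).decode("utf-8", "replace")
    return classify_login_response(status, resp.headers.get("Location"), body)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", classify_login_response(*sample))
```

Run `check_site("https://your-site.example")` against your own site after saving functions.php; a result of `local-form` means the local login page is still reachable.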