Using the same log-in credentials you use for WordPress.com, you’ll now be able to register for and sign in to self-hosted WordPress.org sites quickly and securely.
Benefits
- Large User Base: Join millions of WordPress.com users and make it easier for them to explore your site.
- Compatibility: Works alongside your existing sign-in system. Once connected, users have an account on your site.
- Respects Settings: Adheres to your site’s registration settings in Settings → General. If new user registrations are disabled, existing users can still log in.
- Trusted Credentials: Users can log in with the same credentials they use for WordPress.com, simplifying account management.
Enabling Secure Sign On
- Go to Jetpack → Settings → Security in your dashboard.
- Toggle the Allow users to log in to this site using WordPress.com accounts setting.

Once you’ve activated this feature in Jetpack, you’re done! All the back-end authentication requests use your site’s already-established link to WordPress.com.
Matching Accounts by Email
If a user tries to sign in with their WordPress.com account and there’s no matching account on your site, the Secure Sign On feature can automatically link their WordPress.com account to an existing local account with the same email address. A few notes on this:
- By default, this automatic linking is turned off.
- Users without linked accounts must manually link them by signing in with their local account credentials.
- If someone tries to sign in with their WordPress.com account and there’s no linked local account, they can’t log in, and they’ll see an error message.

Enabling Automatic Matching:
- To turn on automatic matching and linking with email addresses of pre-existing local accounts, toggle the Match accounts using email addresses option.

Requiring Two-Step Authentication in Secure Sign On
To enhance the security of Secure Sign On, you can choose to force Two-Step Authentication when users log in via WordPress.com. To do so, turn on the Require accounts to use WordPress.com Two-Step Authentication setting.

Note: This setting only enforces Two-Step Authentication for logins made via WordPress.com. If you turn it on without disabling the default login form, a user could still log in via the default form. To enforce Two-Step Authentication for your site, combine this setting with the jetpack_remove_login_form filter described below, which forces users to log in with WordPress.com using an account with Two-Step Authentication.
Additional Custom Settings for Secure Sign On
Secure Sign On is designed to work out of the box with little to no configuration. But, for users that would like to further customize Secure Sign On, these filters may come in handy. To use these filters, you can add any of the following snippets of code to your theme’s functions.php file, or to a functionality plugin.
As a note, you can mix and match these filters to get the desired functionality that you need.
New User Override
- Allows registration with WordPress.com even if normal registrations are disabled.
add_filter( 'jetpack_sso_new_user_override', '__return_true' );
Bypass Default Login Form
- This code redirects all users to the WordPress.com SSO page, bypassing the local login screen.
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
Disable Default Login Form
- This filter completely disables the default login form, forcing users to log in via WordPress.com.
add_filter( 'jetpack_remove_login_form', '__return_true' );
Please be aware that code snippets are provided as a courtesy and our support team is unable to offer assistance customizing them further.
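The combination described in the Two-Step Authentication note above, written as a small must-use plugin. This is an added example, not code from Jetpack or its documentation. `EXAMPLE_SSO_BREAK_GLASS` is a hypothetical constant introduced here, and `jetpack_sso_require_two_step` and `jetpack_sso_match_by_email` are Jetpack filters not listed on this page, assumed here to override the corresponding dashboard toggles.

```php
<?php
/**
 * Plugin Name: Enforce WordPress.com Two-Step Login (added example)
 *
 * Place in wp-content/mu-plugins/ so the policy cannot be switched off
 * by deactivating a plugin from the dashboard.
 */

// Hypothetical break-glass switch (an assumption of this example, not a
// Jetpack constant). Define it as true in wp-config.php to restore the
// local login form if the site's connection to WordPress.com is broken.
if ( ! defined( 'EXAMPLE_SSO_BREAK_GLASS' ) ) {
	define( 'EXAMPLE_SSO_BREAK_GLASS', false );
}

// Require Two-Step Authentication for every WordPress.com login, whatever
// the dashboard toggle says (assumed filter, see the lead-in).
add_filter( 'jetpack_sso_require_two_step', '__return_true' );

// Pin automatic email matching off so a WordPress.com account is only
// linked after the user signs in with local credentials (assumed filter).
add_filter( 'jetpack_sso_match_by_email', '__return_false' );

// Do not let SSO create accounts when registrations are disabled.
add_filter( 'jetpack_sso_new_user_override', '__return_false' );

if ( EXAMPLE_SSO_BREAK_GLASS ) {
	// Local form is available again: it does not enforce Two-Step
	// Authentication, so leave a trace in the PHP error log.
	error_log( 'SSO break-glass active: default login form is enabled.' );
} else {
	// Close the path the note warns about: with the default form removed,
	// the only way in is WordPress.com, which now requires Two-Step.
	add_filter( 'jetpack_remove_login_form', '__return_true' );

	// Send visitors of the login screen straight to WordPress.com.
	add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
}
```

With the default form removed, a broken WordPress.com connection locks every user out, which is why the example keeps a file-level switch that can be flipped without logging in.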
Privacy Information
WordPress.com Secure Sign On is deactivated by default. You can activate or deactivate it from your WP Admin. To do so:
- Go to Jetpack → Settings.
- Click the Security tab.
- Toggle the Allow users to log in to this site using WordPress.com accounts setting in the WordPress.com login section.
More information about the data usage on your site
Data Used | |
---|---|
Site Owners / Users | This feature requires the usage of the following pieces of data relating to users logging in via this method: user ID (local and WordPress.com), role (e.g. administrator), email address, username and display name. The following pieces of data relating to the site are also used: WordPress.com-connected site ID, Jetpack active/inactive status, Jetpack version, locale/language, title, URL, and icon. Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code. |
Site Visitors | None. |
Activity Tracked | |
Site Owners / Users | We track when, and by which user, the feature is activated and deactivated. Additionally, the following usage events are recorded: starting the login process, completing the login process, failing the login process, successfully being redirected after login, and failing to be redirected after login. Several functionality cookies are also set, and these are detailed explicitly in our Cookie documentation. |
Site Visitors | None. |
Data Synced (Read More) | |
Site Owners / Users | We sync options that identify whether or not the feature is activated and how its available settings are configured. We also sync the user ID and role of any user who successfully signed in via this feature. |
Site Visitors | None. |