Using the same log-in credentials you use for WordPress.com, you’ll now be able to register for and sign in to self-hosted WordPress.org sites quickly and securely.
To enable this feature, you can do so at any time by toggling the Allow users to log into this site using WordPress.com accounts setting in the WordPress.com log in section from Jetpack — Settings — Security in your dashboard.
- Millions of users: By adding WordPress.com Secure Sign On, you’ll become part of a large family that makes it easy for WordPress.com users to explore new sites.
- Compatible with your existing sign-in system: WordPress.com Secure Sign On is used as a complementary sign-in option to your existing registration system. Once a user connects, they’ll have a user account on your site.
- Respects your Registration Settings: WordPress.com Secure Sign On follow the directives in Settings → General, with respect to whether or not you enable new user registrations. If you don’t, existing users can still use it to log in.
- Trusted relationship: Allow users to sign-in with the same credentials they use every day on WordPress.com. This takes the pain out of having to remember and manage a new log-in for another service.
Setting things up
Once you’ve activated this feature in Jetpack, you’re done! All the back-end authentication requests use your site’s already-established link to WordPress.com.
Secure Sign On is designed to work out of the box with no configuration. But, for users that would like to customize Secure Sign On, these filters may come in handy. To use these filters, you can add any of the following snippets of code to your theme’s
functions.php file, or to a functionality plugin.
As a note, you can mix and match these filters to get the desired functionality that you need.
Match By Email
By default, if there isn’t already a local account linked to the WordPress.com account, Secure Sign On will automatically link the verified WordPress.com account to a new local account with a matching email address, and log the user in. If you’d prefer to disable this functionality, and require your users to log in to their pre-existing local accounts to manually link the accounts, you can use the following line of code:
add_filter( 'jetpack_sso_match_by_email', '__return_false' );
New User Override
The WordPress.com Secure Sign On feature will respect your default settings with regard to New User Registration. If you have registration disabled, then Secure Sign On will not create a new user account if someone is trying to log in with an unrecognized email. If you have registration turned on, though, it will automatically create a new user for them, and log them in. If you would like to allow users to register for your site with a WordPress.com account, even though you disallow normal registrations you can use the following line of code:
add_filter( 'jetpack_sso_new_user_override', '__return_true' );
Bypass Default Login Form
If you’d like all registered users to log in via WordPress.com instead of the account they created on your site, you can use the following line of code. It will forward all users to the WordPress.com SSO page, thus bypassing your local log in screen:
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
Disable Default Login Form
If you’d like to completely disable and hide the default login form, and force users to log in via WordPress.com, you can use the following line of code:
add_filter( 'jetpack_remove_login_form', '__return_true' );
Require Two-Step Authentication
If you’d like to improve the security of Secure Sign On, you can choose to force Two-Step Authentication when users log in via WordPress.com. Here is the line of code that you’ll need:
add_filter( 'jetpack_sso_require_two_step', '__return_true' );
Note: This filter only requires that logging in via WordPress.com requires Two-Step Authentication. If you only return
true for this filter, then a user could still log in via the default log in form. If you would like to enforce Two-Step Authentication for your site, you could combine the
jetpack_sso_require_two_step filter with the
jetpack_remove_login_form filter to force users to log in with WordPress.com and use an account with Two-Step Authentication.
This feature is deactivated by default. To activate this feature, you can do so at any time by toggling the Allow users to log into this site using WordPress.com accounts setting in the WordPress.com log in section from Jetpack — Settings — Security in your dashboard.
|Site Owners / Users
This feature requires the usage of the following pieces of data relating to users logging in via this method: user ID (local and WordPress.com), role (e.g. administrator), email address, username and display name. The following pieces of data relating to the site are also used: WordPress.com-connected site ID, Jetpack active/inactive status, Jetpack version, locale/language, title, URL, and icon.
Additionally, for activity tracking (detailed below): IP address, WordPress.com user ID, WordPress.com username, WordPress.com-connected site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.
|Site Owners / Users
We track when, and by which user, the feature is activated and deactivated.
Additionally, the following usage events are recorded: starting the login process, completing the login process, failing the login process, successfully being redirected after login, and failing to be redirected after login.
Several functionality cookies are also set, and these are detailed explicitly in our Cookie documentation.
|Data Synced (Read More)|
|Site Owners / Users
We sync options that identify whether or not the feature is activated and how its available settings are configured. We also sync the user ID and role of any user who successfully signed in via this feature.