Using the same log-in credentials you use for WordPress.com, you’ll now be able to register for and sign in to self-hosted WordPress.org sites quickly and securely.
Benefits
- Millions of users: By adding WordPress.com Secure Sign On, you’ll become part of a large family that makes it easy for WordPress.com users to explore new sites.
- Compatible with your existing sign-in system: WordPress.com Secure Sign On is used as a complementary sign-in option to your existing registration system. Once a user connects, they’ll have a user account on your site.
- Respects your Registration Settings: WordPress.com Secure Sign On follows the directives in Settings → General, with respect to whether or not you enable new user registrations. If you don’t, existing users can still use it to log in.
- Trusted relationship: Allow users to sign in with the same credentials they use every day on WordPress.com. This takes the pain out of having to remember and manage a new log-in for another service.
Setting things up
Once you’ve activated the module in Jetpack, you’re done! All the back-end authentication requests use your site’s already-established link to WordPress.com.
Custom Settings
Secure Sign On is designed to work out of the box with no configuration. But, for users that would like to customize Secure Sign On, these filters may come in handy. To use these filters, you can add any of the following snippets of code to your theme’s functions.php file, or to a functionality plugin.
As a note, you can mix and match these filters to get the desired functionality that you need.
Match By Email
By default, if there isn’t already a local account linked to the WordPress.com account, Secure Sign On will automatically link the verified WordPress.com account to a new local account with a matching email address, and log the user in. If you’d prefer to disable this functionality, and require your users to log in to their pre-existing local accounts to manually link the accounts, you can use the following line of code:
add_filter( 'jetpack_sso_match_by_email', '__return_false' );
New User Override
The WordPress.com Secure Sign On module will respect your default settings with regard to New User Registration. If you have registration disabled, then Secure Sign On will not create a new user account if someone is trying to log in with an unrecognized email. If you have registration turned on, though, it will automatically create a new user for them, and log them in. If you would like to allow users to register for your site with a WordPress.com account even though you disallow normal registrations, you can use the following line of code:
add_filter( 'jetpack_sso_new_user_override', '__return_true' );
Bypass Default Login Form
If you’d like all registered users to log in via WordPress.com instead of the account they created on your site, you can use the following line of code. It will forward all users to the WordPress.com SSO page, thus bypassing your local login screen:
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
Disable Default Login Form
If you’d like to completely disable and hide the default login form, and force users to log in via WordPress.com, you can use the following line of code:
add_filter( 'jetpack_remove_login_form', '__return_true' );
Require Two-Step Authentication
If you’d like to improve the security of Secure Sign On, you can choose to force Two-Step Authentication when users log in via WordPress.com. Here is the line of code that you’ll need:
add_filter( 'jetpack_sso_require_two_step', '__return_true' );
Note: This filter only enforces Two-Step Authentication for logins made via WordPress.com. If you only return true for this filter, then a user could still log in via the default login form. If you would like to enforce Two-Step Authentication for your site, you could combine the jetpack_sso_require_two_step filter with the jetpack_remove_login_form filter to force users to log in with WordPress.com and use an account with Two-Step Authentication.
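The combination described in the note above, written as a small functionality plugin. This is an added example, not code from the original page or from Jetpack itself. The filter names are the ones documented on this page; the constant EXAMPLE_SSO_ALLOW_LOCAL_LOGIN and the function name are hypothetical, chosen here to give administrators a way back to the local form.

```php
<?php
/**
 * Plugin Name: Enforce Two-Step via WordPress.com SSO (added example)
 *
 * Combines two filters from this page so that the only way to log in
 * is WordPress.com Secure Sign On with Two-Step Authentication.
 */

// Reject WordPress.com logins from accounts without Two-Step Authentication.
add_filter( 'jetpack_sso_require_two_step', '__return_true' );

/**
 * Remove the default login form, so the Two-Step requirement cannot be
 * sidestepped with a local username and password.
 *
 * Recovery switch (hypothetical constant, an assumption of this example):
 * adding
 *     define( 'EXAMPLE_SSO_ALLOW_LOCAL_LOGIN', true );
 * to wp-config.php brings the local form back, for instance when the
 * site's link to WordPress.com is unavailable.
 *
 * @param bool $remove Value passed in by earlier callbacks on this filter.
 * @return bool True to remove the default login form.
 */
function example_sso_remove_login_form( $remove ) {
	if ( defined( 'EXAMPLE_SSO_ALLOW_LOCAL_LOGIN' ) && EXAMPLE_SSO_ALLOW_LOCAL_LOGIN ) {
		return false;
	}
	return true;
}
add_filter( 'jetpack_remove_login_form', 'example_sso_remove_login_form' );

// jetpack_sso_match_by_email is deliberately left at its default here.
// As described under "Match By Email", turning it off requires users to
// log in to their local accounts to link them manually, and this plugin
// removes the form they would use to do that.
```

With the local form removed, anyone holding the recovery constant in wp-config.php can re-enable password-only login, so treat changes to that file as security-relevant.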