At WordPress.com VIP, we recommend that you enable two-step authentication for your WordPress account.
Passwords are the de facto standard for logging in on the web, but they are relatively easy to break. Even if you create strong passwords and change them regularly, a data breach can leak them. Two-step authentication is a method of securing accounts that requires you not only to know something (a password) to log in, but also to possess something (a mobile device).
The benefit of this approach to security is that even if someone guesses or obtains your password, they need to have also stolen your mobile device in order to break into your account. Two-step authentication makes it dramatically more difficult for accounts to be compromised.
On WordPress.com VIP, we require that all site administrators use two-step authentication, but we strongly encourage its use for all users. We offer two-step authentication via mobile device, and it is very simple to set up and use. Once you have verified your device, we send a new code to your device any time you log in, which you must enter before the login completes. It is a small step in the login process that immediately makes your account far more secure.
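The server side of the flow described above (issue a fresh code per login, deliver it to the verified device, accept it once) looks roughly like the following. This is an added illustration, not WordPress.com VIP's own code; the six-digit code length, five-minute lifetime, five-guess limit and the `TwoStepVerifier` / `two_step_login` names are assumptions made for the example, and delivery of the code to the device is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values (not from the page): 6-digit codes, valid for
# 5 minutes, single-use, at most 5 guesses per issued code.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class TwoStepVerifier:
    """Second login step: issue a one-time code for a user, then check the
    code the user types in. Only an HMAC of the code is stored, so a leaked
    store does not reveal live codes."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key      # secret known only to the server
        self._clock = clock         # injectable clock for deterministic tests
        self._pending = {}          # user_id -> {"digest", "expires_at", "attempts"}

    def _digest(self, user_id: str, code: str) -> bytes:
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue_code(self, user_id: str) -> str:
        """Generate a fresh random code and remember its digest. The code is
        returned so the caller can send it to the user's verified device; any
        previously issued code for this user is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = {
            "digest": self._digest(user_id, code),
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify_code(self, user_id: str, submitted: str) -> bool:
        """True only if a code is pending, unexpired, not guessed too many
        times, and matches. A successful check consumes the code."""
        record = self._pending.get(user_id)
        if record is None:
            return False                    # nothing issued, or already used
        if self._clock() > record["expires_at"]:
            del self._pending[user_id]      # expired: user must request a new code
            return False
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]      # guess limit hit: invalidate the code
            return False
        ok = hmac.compare_digest(self._digest(user_id, submitted), record["digest"])
        if ok:
            del self._pending[user_id]      # single use
        return ok


def two_step_login(verifier: TwoStepVerifier, user_id: str,
                   password_ok: bool, submitted_code: str) -> bool:
    """Both factors must pass: the password check (done elsewhere and passed
    in as a boolean here) and the code sent to the device."""
    if not password_ok:
        return False
    return verifier.verify_code(user_id, submitted_code)
```

The digest is keyed with the user id as well as the code, so a code issued to one account cannot be replayed against another, and `hmac.compare_digest` keeps the comparison constant-time. Expiry and the guess limit are what make a short numeric code acceptable: without them a six-digit code is brute-forceable.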
In addition, consider having us force-enable two-step authentication for all of your users. This way, users are treated as contributors (meaning they can’t publish anything or change options) unless they have two-step authentication enabled.
View our support documentation for more information on enabling two-step authentication for your account.