Locked out of 13-year blog; can’t reset password. Automattic Support useless.


Hi — this is frustrating, and I want to try and document it all in one place in the hopes of recovering my blog. I’ve had the same URL, on wordpress ([url.wordpress.com](https://url.wordpress.com)) since 2011. I have historically used it for NaPoWriMo — an annual event where participants post one poem a day for a month-long period. That is to say, I use it infrequently, but consistently, every year.

I went to sign in on November 1 to start this year’s poetry event, and was told “Your account has been blocked as a security precaution. To continue, you must reset your password.” I logged in with the correct password, which has been saved on my LastPass for years. No problem, though, I’ll reset my password — but I didn’t receive the password reset email to my email address. I have a rotation of a few email addresses I use for personal and professional correspondence and figured maybe it was registered under one of those, so I checked and attempted to reset based on those aliases, to no avail.

I have received every notification for new comments, new followers, and moderation of comments since 2012 to the email address I initially provided, and in my ticket to Automattic, I sent a screenshot of that search with all of the emails. I reached out to them with a list of the email addresses and possible means of having the password reset resent.

To put it simply, they have been unbearable. They maintain that the account is not associated with the email address, and have told me that none of my email addresses match the account and refuse to provide other information. The screenshots are apparently meaningless, as is the IP address I have been using to log in — they are firm in their assertion that the only way I can prove ownership is through resetting the password to a non-existent email address or proving that I have a payment receipt made towards them, which I don’t have as WordPress is a free blog and I have never paid to use the services there.

I have asked them to provide information as to whether the email address registered to the account was recently changed, and they refused, which is surprising because I would think it was in their best interest in the event that the account has been compromised. I have asked for an anonymized version of the email address associated with the account (i.e., [u…….12@g….l.com](mailto:u…….12@g….l.com)) and they have refused. They have asserted that their only means of assisting is effectively making the blog private, and I am shocked that they would allow that level of autonomy over a blog that they believe isn’t mine to begin with.

I am at a point where I am considering contacting an attorney to push for more information so that I can get back into my account. My poetry is very special to me, and valuable for the purposes of publication, and I am so frustrated and disheartened at the notion that my work can be taken from me in the blink of an eye due to an arbitrary ‘precaution’ on their end. I have been nothing but helpful and polite to the ‘Happiness Engineers’ associated with the ticket and they have treated me like a piece of trash.

Is there anything that can be done at this point, or any further information I could provide, or a way that I could find out where this alleged new alias is? I am so frustrated and sad that I can’t access my blog anymore.

  1. If you got a good case, make a headline post at HackerNews, I’m sure Matt will get notice. Well, it’s common for folks to downvote my comment for some reason, but note that this sub is for wordpress.org, not for wordpress.com.


  2. You sure you didn’t set up an email forwarder at some point? Take a look at the email header and see if there are any clues.

  3. This is a wordpress.com question rather than wordpress.org (self-hosted installations). It sounds to me like your account has been hacked.

    Edit: downvotes? Really? Why?

  4. I can’t help with the wp.com part, but I can recommend you to stop using LastPass. LastPass has been breached numerous times, they are famous for their tradition of reporting a new breach every year.

    Better alternatives to LastPass are Bitwarden, 1Password, and KeePass. Even the password managers built into Chrome/Firefox/Edge are a better option than LastPass.

    Regarding the wp.com issue, I can only wish you luck. Support reps can be pretty robotic and unhelpful, especially for free services where they get a ton of tickets every day.

  5. For the time being I would STRONGLY advise you to locate and copy each post you have made on the blog to a new text document. This way if the blog is deleted or not able to be accessed, you have a backup and can keep going forward. Always keep backups.

    My best advice if you wish to keep using WordPress is to go with a third party host, buy a domain, and run WordPress there. You’ll have vastly more control. Many hosts will have a base shared hosting package that should be more than sufficient for your needs if it’s just writing poetry.

    Unfortunately, you get what you pay for in situations like this. You’ll also want to avoid mentioning anything legal in your correspondence with them as they will likely stop any communication and you’ll have to go through their legal department for future communications.

  6. Well, I’ll probably get downvotes for this. 🫤 I’ve had to help many clients with this sort of thing. That sucks and I really dislike WordPress.com but I think their response seems pretty reasonable.

    You call this an “arbitrary precaution” but they don’t know you’re *you*. Under normal circumstances you wouldn’t want them to reveal private details about you or the account to somebody who could be a violent ex who’s stalking you or a hacker trying to steal your identity or get access to your cell phone or bank account.

    They provided two ways for you to regain access but you don’t know the email associated with the user account and were using their free product. That’s not on them.

    I’m not sure if this is the case with WP.com but with a self hosted WP.org website the user account email is different from the site owner email. They may be configured with the same info but it doesn’t mean they *have* to be the same. The notifications go to the *owner* email address. If you change the user account email address, the notifications continue to go to the site owner’s email address. If I had to guess, this is the issue you’re dealing with and you’ll have to figure out what that user account email is.

    An attorney may be an option but it seems like the more expeditious and cheaper approach would be to copy/paste your poetry from the site, have them make the site go dark and start up a new site somewhere else.

    ETA: just confirmed that the “administration email address” in WP.com sites *is* separate from the admin user account email.

  7. I guess you have checked all the spam folders. Was there another user account you may have logged in as?

  8. I don’t know .com, but it’s surely possible that the notification email address and registration email address are different fields. Might be worth spending more time thinking about a different address that could have been used. Good luck!

  9. I mean this in the most respectful way. Like previously mentioned, copy and paste your work to your new website and consider this a lesson learned.

  10. I was in a similar situation a couple of years back when we lost the login details to my wife’s WP blog. We didn’t reach out to support. Instead I scraped all the pages from the blog and then used that scraped data to build a new blog.

    Sure, it would take a lot of manual effort but given its sentimental value to you it should be worth it.

    Try to find someone on UpWork/Fiverr; they might take on your efforts for some $$.

