Account Security


Why does my blog keep posting spam or sending out spam messages?

It happens to the best of us. Some things that might have occurred:

  • A malicious application has been given access to your account. Go ahead and revoke that access.
  • You've entered your Tumblr account credentials into a fake login page. What’d you go and do that for? Now you have to change your password.
  • Your blog's mobile publishing email address is being used by a spammer. Thwarting them is as simple as changing that address.

How do I revoke an application's access to my account?

  1. Click "Settings" under the Account menu at the top of the Dashboard.
  2. Click Apps on the right side of the page.
  3. Click the “x” next to any application you want to remove.

How do I change the password for my account?

Learn how to do that and more on under account management.

How do I reset my blog’s mobile publishing email address?

Whoa, you’re using your mobile publishing email address? Rad.

  1. Click "Settings" under the Account menu at the top of the Dashboard.
  2. Choose the blog you’d like to manage on the right side of the page.
  3. In the Post by Email section, click “Reset address.”

How do I remove existing spam posts from my blog?

Same way you’d delete any other posts on your blog. Here’s a basic refresher, but stick around for a cool tip.

  1. Choose the affected blog from the Account menu at the top of the Dashboard.
  2. Click the gear icon at the bottom of the post you want to remove, then choose "Delete.” If you want to remove a large number of posts, we recommend using the Mass Post Editor, which you can access on the right side of the page or via

How can I protect my Tumblr account?

  • Choose a totally unique password for Tumblr. It’s a good practice to avoid repeating passwords for any of your accounts, and to choose passwords that are a mix of letters, numbers, and symbols. We know, it’s mildly annoying, but the price of freedom is eternal annoyance.
  • Always look for the reassuring green “Tumblr, Inc.” emblem in your browser's address bar at login.
  • Never enter your Tumblr credentials on any site other than
  • Never give an application access to your Tumblr account unless it is from a source you trust.
  • Never share your account credentials or mobile publishing email address with anyone. Not even your butler.
  • Set up Two-Factor Authentication in your account settings, which makes it really difficult for impostors to access your Dashboard.
  • If you use Tumblr on a public computer, always log out of your session by clicking on the Account menu at the top of the Dashboard and then clicking “Log Out” at the top of the menu.

How do I enable SSL for Tumblr?

We’ve already got you covered, like a warm blanket of data security. Whenever you are using Tumblr, your data is transmitted over SSL.

How can I report spam to Tumblr?

Send us a note! Please be as detailed as possible and include the following:

  • Which application has been posting the spam
  • The specific post URLs
  • The content of the spam posts


Two-Factor Authentication

What is two-factor authentication and how does it work?

TFA makes it especially difficult for anyone other than you (e.g., hackers, exes, et al) to access your Tumblr account. Aside from your regular login info, you'll need a couple extra things to get to your Dashboard:

  • Your phone (which you've hopefully password-protected)
  • A unique, single-use code (sent via text or generated by an authenticator app)

How do I set up two-factor authentication? 

  1. Click "Settings" under the Account menu at the top of the Dashboard.
  2. In the Security section, enable “Two-factor authentication.”
  3. Enter your phone number.
  4. Now decide whether you'd like to receive the code via text or through an authenticator app (we’re into Google Authenticator). We recommend both in case you need to use one as a backup.
  5. Follow the steps laid out in the Settings page.

How will two-factor authentication work when I log in on the web?

If you've enabled TFA, it should work like this:

  1. Log in to your Tumblr account.
  2. Once you've received the unique code (either via SMS or through an authenticator app), enter the code in the specified field.
  3. Voila! You're in!

How will two-factor authentication work when I log in through iOS or Android apps?

When you have two-factor authentication turned on, you'll need to generate a special one-time-use password in order to log in through your mobile apps. Using either app, you should receive the code via text or through an authenticator app, depending on which method you chose during setup. Don't worry about memorizing that password, by the way. You'll only need it once, and it's really stupid-looking anyway.

What if I disable two-factor authentication?

Well, we strongly advise against this. Your account is far less likely to get compromised if you've enabled two-factor authentication. But if you must, we'll ask you to enter your account password to make sure it's really you. You'll then be able to log in to your account without the extra verification step. If you would like to re-enable it at any point, you'll have to go through the setup process again.

Which authenticator apps do you recommend?

We recommend Google Authenticator, which you can download for iOS and Android.