Account Security


Why does my blog keep posting spam or sending out spam messages?

It happens to the best of us. Some things that might have occurred:

  • A malicious application has been given access to your account. Go ahead and revoke that access.
  • You've entered your Tumblr account credentials into a fake login page. What’d you go and do that for? Now you have to change your password.

How do I revoke an application's access to my account?

  1. Click "Settings" under the Account menu at the top of the Dashboard.
  2. Click Apps on the right side of the page.
  3. Click the “x” next to any application you want to remove.

How do I change the password for my account?

Learn how to do that and more on under account management.

How do I remove existing spam posts from my blog?

Same way you’d delete any other posts on your blog. Here’s a basic refresher, but stick around for a cool tip.

  1. Choose the affected blog from the Account menu at the top of the Dashboard.
  2. Click the gear icon at the bottom of the post you want to remove, then choose "Delete.” If you want to remove a large number of posts, we recommend using the Mass Post Editor, which you can access on the right side of the page or via

How do I keep tabs on my account activity?

The easiest way is to make sure you have “Email me about account activity” turned on in account settings so you’ll get an email when someone logs into your account, your password is changed, or a new app is authorized. 

If you want a more hands-on approach, scroll to “Active Sessions” a little further down on the account settings screen. It shows a list of browsers and locations that have accessed your account over the past 30 days. If you see anything you don’t recognize, you can end that session immediately by clicking the gray X next to it.

Note that Active Sessions shows mobile activity when it’s coming from a mobile web browser, but not when you’re using the app. You can always view and manage your authorized mobile apps on the apps settings page.

How can I protect my Tumblr account?

  • Choose a totally unique password for Tumblr. It’s a good practice to avoid repeating passwords for any of your accounts, and to choose passwords that are a mix of letters, numbers, and symbols. We know, it’s mildly annoying, but the price of freedom is eternal annoyance.
  • Make your password long - the longer the better. We recommend passwords over 12 characters in length.
  • Always look for the reassuring lock emblem in your browser's address bar at login.
  • Never enter your Tumblr credentials on any site other than
  • Never give an application access to your Tumblr account unless it is from a source you trust.
  • Never share your account credentials or mobile publishing email address with anyone. Not even your butler.
  • Set up two-factor authentication in your account settings, which makes it really difficult for impostors to access your dashboard.
  • Set up the passcode lock in your account settings on mobile (if available -- it's still in the process of rolling out). This'll let you require a passcode or Touch ID to enter the Tumblr app on your phone.
  • Make sure you have “Email me about account activity” turned on in your account settings.
  • If you use Tumblr on a public computer, always log out of your session by clicking on the account menu at the top of the dashboard and then clicking “Log Out” at the top of the menu.

What is SSL/TLS and why should I enable it?

SSL ( is used to create an encrypted link between a browser and web server. This prevents eavesdroppers from snooping on the traffic between the two. Think of it as a tasty tortilla keeping the inner ingredients of your burrito a mystery. Is it chicken or three bean? Only the chef and customer can know for sure. 

You already have SSL enabled on your dashboard. This new feature allows you to use it on your blog as well. 

How do I enable SSL for my blog?

We’ve already got you covered, like a warm blanket of data security. Whenever you are using Tumblr, your data is transmitted over SSL. You should see an option like this:

Simply flip the switch to turn it on. That’s it!

Why does my blog look weird after I turn SSL on?

Enabling the option for a theme that wasn’t developed to support SSL may cause “mixed content” errors. When this occurs, some resources that the theme needs to render itself may not get loaded. See below for more information on how this can be fixed by the theme designer. In the meantime, you can try out some of the other lovely themes in our Theme Garden.

I’m a theme developer. How can I ensure my themes support SSL?

If your theme uses externally hosted resources such as Cascading Style Sheets (CSS) or Javascript files, ensure they are served either using HTTPS or a protocol-relative URL. If these files aren’t available over HTTPS, consider uploading them at the Theme Customization page (In your blog settings, click “Edit HTML” and then “Theme assets”).

I have a custom domain name. Why can’t I enable SSL for my blog?

Unfortunately, because SSL relies on certificates that are associated with the site’s domain, we don’t currently support it for custom domains.

How do I report spam on Tumblr?

There are several ways:

  • From posts on the web: From the dashboard or a search results page, click the share menu (paper airplane) at the bottom of the post, and click “Report.”
  • From blogs on the web: Report an entire blog by hovering over the blog's avatar, clicking the little person silhouette, and clicking “Flag this blog.”
  • From messages in the app or on the web: Tap or click "Mark as spam" under the spammer's first message. Note that "Mark as spam" won't appear if it's somebody you follow, or somebody you've already had a conversation with.
  • From fan mail on the web: From the inbox, click the three dots at the bottom of a spammy message and choose “Report.”

If you don’t have access to a computer at the moment, you can use a mobile browser’s desktop view to report spam following the steps listed above. To get to the desktop view in iOS, open Safari and visit, log in, tap the share icon (little box with an arrow) at the bottom of the screen, and tap the gray “Request Desktop Site” button. On Android, open Internet or Chrome and visit, log in, tap the three dots icon in the top right-hand corner of the screen, and check the “Desktop View” box.


Two-Factor Authentication

What is two-factor authentication and how does it work?

TFA makes it especially difficult for anyone other than you (e.g., hackers, exes, et al) to access your Tumblr account. Aside from your regular login info, you'll need a couple extra things to get to your Dashboard:

  • Your phone (which you've hopefully password-protected)
  • A unique, single-use code (sent via text or generated by an authenticator app)

How do I set up two-factor authentication? 

  1. Click "Settings" under the Account menu at the top of the Dashboard.
  2. In the Security section, enable “Two-factor authentication.”
  3. Enter your phone number.
  4. Now decide whether you'd like to receive the code via text or through an authenticator app (we’re into Google Authenticator). We recommend both in case you need to use one as a backup.
  5. Follow the steps laid out in the Settings page.

How will two-factor authentication work when I log in on the web?

If you've enabled TFA, it should work like this:

  1. Log in to your Tumblr account.
  2. Once you've received the unique code (either via SMS or through an authenticator app), enter the code in the specified field.
  3. Voila! You're in!

How will two-factor authentication work when I log in through iOS or Android apps?

When you have two-factor authentication turned on, you'll need to generate a special one-time-use password in order to log in through your mobile apps. Using either app, you should receive the code via text or through an authenticator app, depending on which method you chose during setup. Don't worry about memorizing that password, by the way. You'll only need it once, and it's really stupid-looking anyway.

What if I disable two-factor authentication?

Well, we strongly advise against this. Your account is far less likely to get compromised if you've enabled two-factor authentication. But if you must, we'll ask you to enter your account password to make sure it's really you. You'll then be able to log in to your account without the extra verification step. If you would like to re-enable it at any point, you'll have to go through the setup process again.

Which authenticator apps do you recommend?

We recommend Google Authenticator, which you can download for iOS and Android.