Written by on

WordPress Password Security: How to Protect Your Site & Your Digital Life

WordPress password security is about more than WordPress. It’s about keeping your digital life safe. And that all comes down to a little password.

In these digital days we’re drowning in passwords. Your financial accounts, your social media life, your business website and your ecommerce shopping binges are all protected by those passwords. And some random hacker wants to crack them.

If all those passwords are the same, you’re in trouble.

If those passwords are too short, too simple, too predictable, you’re in trouble.

If your WordPress password security isn’t up to the job, your WordPress site is in trouble.

Trouble can mean hours of your life wasted, business and work flushed, identity theft, credit trouble and worse.

The bottom line: If you don’t have good password security, your life is in danger.

It sounds dire, and it can be—but we can help.

Understand How Hackers Crack Your Password

Before we get into specific tips and help, you need to understand how hackers can crack your passwords. It’s not as simple as poor passwords like “password” or “12345” (though never, ever use those).

Even if you think you’re smart about your password, hackers have gotten a lot smarter about cracking them:

  • Brute Force: Hackers use brute force techniques to attempt millions of password combinations in short periods of time. There are tools that allow hackers to do this offline, so login limiters are often useless.
  • Password Breaches: Whenever hackers score a bunch of password data, they better understand how people come up with passwords. Not only do they have a whole pile of common passwords to work with, but they start to see patterns they can exploit.
  • Variations: Those brute force programs allow hackers to try all kinds of variations. So sticking a number or character on the end of a password doesn’t necessarily make it more secure.
  • Tricks: Hackers know the same tricks you do for coming up with a password. They know that people will replace certain letters with numbers or symbols (e becomes 3, a becomes @, etc.). They know people will use words, phrases or quotes. Whatever tricks you read about, hackers can also read about and devise rules to mimic and exploit those tricks. Ruh-roh.
  • Predictable: You think your password is completely random, but odds are it’s not. People are way more predictable than we think, and hackers can exploit that. Think a phrase from the Bible or a made up word in literature is safe? Nope. Hackers are not only using dictionaries to find words that might be in passwords, they’re scouring Wikipedia, the Gutenberg Project and YouTube for all kinds of common phrases, quotes, slang and even made up words that might make their way into passwords.

Let’s be honest: the hackers are winning.

Whatever tricks and tips we come up with for more secure passwords, the hackers just respond accordingly and keep on cracking. It’s a losing battle of increasingly complex passwords that become more and more unusable.

But don’t despair. There are ways you can make passwords work.

WordPress Password Security

First things first, you should do everything you can to make WordPress more secure. The Better WP Security plugin will let you do all of these things quickly and easily. We’ve hired the developer, Chris Wiegman, and are rolling that plugin into an updated version that will be out soon.
Using 'admin' is a no-no for WordPress password security.

1. Don’t Use Admin Username

We’ve hammered on this before, but do not ever use “admin” as your username. If that’s your username, change it. Change it now!

2. Hide Your Login Screen

Another tip to shut down the hackers and bots is to hide your login screen. You can give the page a unique URL and keep the bad element from even getting to it.

3. Limit Login Attempts

This might not stop hackers from cracking your password, but it will stop bots from hitting your login page with multiple attempts. Lock it down.

4. Require Strong Passwords

WordPress password security is about more than just your password. If you’re using a 5-star, crazy good password but another admin has a weak password, your whole site is still vulnerable. But you can force all the users on your WordPress installation to use strong passwords. How strong these passwords really are is debatable, but at least no one will have simple five letter passwords that would make hackers weep with joy.

Good WordPress password security requires strong passwords. You can require them in WordPress.

Strong password! That’s what you want to see.

Boost Your WordPress Password Security With Strong Passwords

Once you’ve locked things down in WordPress, the next step is to make your passwords as strong as possible.

Here are some basic tips for strong passwords:

  • Different Passwords: The first rule of password security is to use different passwords for different sites. People are lazy and they use the same password over and over again. That’s easy, but all it takes is one breach and all your logins are compromised. Oops. It’s tough, but you need to use a different password for every site.
  • Tip: One way to use different passwords you can actually remember is to have a base password that you can remember and then tack on something different for each site. You might add on the first few letters of the specific site. So if your password is pEan%t, then for Google your password might be pEan%tGOOG and for WordPress it might be pEan%tWORD. That’s simple and fairly predictable, so you might want something more complicated.
  • Don’t Be Predictable: That’s the second rule of password security—don’t do anything predictable. And you’re more predictable than you think. If you follow the rules for devising passwords in any article about creating passwords (including this one), know that hackers can read that article too.
  • Long Passwords: You want your password to be long. You don’t have to be crazy with it, but six characters is unacceptable. You want at least eight. Probably more. WordPress accepts spaces in the password field, so you can even make it a phrase.
  • Don’t Use Real Words or Phrases: Just don’t just an actual phrase. Hackers scour real world text (whether it’s proper English or not—and don’t think foreign languages are safe either) and use it to crack passwords. So if you’ve got a really long password that’s your favorite quote, it’s not nearly as secure as you think.
  • Use Weird Characters: Use upper and lower case letters, numbers and symbols in your password. Add some complication. Make it weird.

So truly strong passwords are ridiculously long, full of numbers, symbols and random capitalization. They don’t contain any real words or phrases. And you have a different one for every single site.

So they’re basically impossible to memorize

That’s no good.

Unless you get some help.

Use a Password Service

The solution to WordPress password security—and password security everywhere—is to use a password service such as 1Password or LastPass. This is software you install on your computer that creates crazy good passwords—we’re talking up to 50 characters of truly random gibberish—and then memorizes them for you. It uses browser plugins to auto-populate those impossible to memorize passwords. There are also apps so you can do the same thing on your phone or tablet.

So what keeps all these ridiculous passwords secure? You have a master password for the service that needs to be something you can remember. It locks down all these passwords on your computer, so even if it’s stolen hackers would need your master password to get at all your other passwords.

It’s a complicated security approach, but it works. It’s a solid way to keep your WordPress site safe, as well as the rest of your digital life.

Some tips for your password service:

Good Master Password

The strength of your master password is crucial. This needs to be a strong password. It should follow as many of the rules above as you can manage (check out more master password tips). You’ll probably need to work at memorizing it, but it should be one of the last passwords you’ll ever need (woohoo!).

Passwords You Need to Type

Unfortunately, your master password isn’t the only one you’ll need to memorize. A password service won’t work very well on the password you use to get into your computer or have to type into your TV. An Apple password is another one you might be forced to enter fairly often and a password service might not always be there to help.

You should still use a password service to store and remember these passwords (so you don’t forget), but don’t use a crazy gibberish password you can’t remember. Come up with something that’s still strong but easy to remember.

Ideally this list of passwords you need to remember can be counted on one hand. That sure beats the dozens and dozens of passwords you have for various financial, social and business sites.

It Takes Time

Transitioning your entire online life to a password service is going to take some time. You need to enter every account into the system and change a lot of passwords. Think of every site you have a login for. It’s a little overwhelming. So getting the system up and running will take some time. But start with your important sites and power through. You’ll get there eventually.

Buy for Mobile & Desktop

You want your password service everywhere you go in the digital world, so that means buying the app for your mobile and desktop devices. In some cases that means two separate purchases. It’s a pain, but it’s just the cost of using the service where you want to use it.

Two-Factor Authorization

To really boost WordPress password security you don’t want to rely on a password alone. You want to use what’s called two-factor authorization. This is where logins require two pieces of information—something you know (your password) and something you have. Something you have can be accomplished with an app such as Authy that verifies who you are using your phone.

It adds an extra layer of security to your accounts. Google, Dropbox, Apple, Twitter and Facebook all support it, so this isn’t fringe paranoia. You can even get a WordPress plugin to add Authy to your site. We’re planning to include two-factor authorization in our forthcoming iThemes Security plugin.

Boost Your WordPress Password Security

WordPress security has been a big issue in the past year and we’re taking it seriously. But one of the most important things you can do has little to do with WordPress. It’s all about your password. If you want your site to be safe, worry about your WordPress password security.

Strong, safe, unique passwords will protect not only your WordPress site, but the rest of your digital life as well.


  1. Wow, Kevin that’s a very thorough article and interesting to read even for those of us who are supposed to know about these things. I have been intending to try out one of those password management systems and you may have just pusrsuaded me to gahead . Thanks for the read. Garry

  2. Very well written and sound advice indeed! At a recent workshop we ran, a security expert frightened everyone describing the extent of the threats out there. I think he said there were in excess of 5m pieces of malware in active circulation right now.

    One thing he did mention that you’ve not touched on – the importance of keeping everything up to date. Your desktop OS, browser, anti-virus, WordPress installs, plugins and themes [all of it]!

    Can wholeheartedly recommend 1Password by the way. Well worth the time and effort to set it up.

    Cheers, Ken

  3. Great article Kevin and some extremely valid points that anyone who needs to use multiple passwords across various services. I have been a long time user of 1Password and highly recommend it as it saves a lot of hard work generating and remembering all those extra long secure passwords.

    I have been using Clef (getclef.com) for 2 factor authentication on WordPress (and other) sites, it would be awesome if you were going to build Clef into the forthcoming security plugin… but I bet you are going to come up with your own awesome system. Looking forward to it either way.

    Thanks again for the article.

  4. This is a great writeup on password security!

    One other important piece of the puzzle is dealing with our service providers. Password security does not stop hackers from calling a service provider and social engineering them into changing the password (which has happened on many high profile hacks in the past few years).

    You need to call providers like your hosting companies and make sure they put a note in your file not to reset passwords over the phone. Email resets are the only acceptable form of verification. Or they need to call you back on a certain phone number to verify you are who you say you are before modifications are made over the phone.

    It is not hard for a hacker to pretend to be you and dupe a service agent who just wants to help into updating your password, email address, or phone number to their own false version.

    The final step in security is in the hands of our service providers.

  5. I’ve been using LastPass for awhile now but with recent stories about major companies (Target only one example) be compromised I’ve wondered… What if LastPass is compromised? Now, Every Password I use has been compromised through access to one place? Can you comment on this?

    • I don’t use LastPass so I can’t comment on how that works, but I do use 1Password. As I understand it, you don’t save any login data with them, it’s all in your hands in software on your devices and shared through various secure services (Dropbox, etc.). So even if someone hacked into 1Password, they don’t have my master password or any of my login data.

      Someone would have to steal your device and then break your master password to get your login info. And if you picked a solid master password, they shouldn’t be able to do that.

      • Guys,

        One issue with lastpass is the fact its browser based rather than a program on your PC.

        Some hackers have the capability of using software to inject and interrogate your browser and recover or steal the lastpass details and hijack your password stream.

        I prefer and actively use 1password for mac. There is also other options such as Roboform or SplashID for example.


  6. “Gary says:
    February 21, 2014 at 10:06 am
    Kevin, can you say more, please, about how to move your admin screen? I’ve never heard to do this before.”

    me too, I too would like to see an article describing ways of acheiving this, preferably without touching .htaccess

  7. Well written and solid advice.

    As a wordpress Security service provider, passwords are amongst my biggest challenge when working with clients. You would be surprised just how many use ONE password for everything including thier online banking, its scary.

    That is why I prefer 2 step authentication for wordpress over obfuscating the admin login by hiding the admin page. despite all your hard work, Google will still index that page somewhere so it can be found by those with enough knowledge.

    I ALWAYS recommend 2 step authentication by mobile phone as the default process for two very distinct reasons.

    You receive a push notification from the security system directly to your cell phone telling you that an active login is in progress AND you know its not you or your assistant then you automatically know that someone has cracked your user name/ password combination which is clear indication that these need to be changed ASAP and that a full security check is required to establish if there was any malicious code injected into your site that allowed the login to proceed to the 2 step auth stage.

    Just my two cents worth, but just another reason to consider alternatives and the reasons they are affective.

  8. A few things: first, I do not use cloud-based password software, so I feel more comfortable with that. I use SplashSafe ID for mac and Iphone.

    second: I will make some sites with SSL certificates: does anyone know if that helps with overall WordPress security?


    • Gary,

      All that an SSL certificate does is protect your internet connection between the computer and the end URL. It does nothing for the actual security of the wordpress installation.

      That being said, if you ALWAYS connect your computer via an SSL AND you also only connect your ftp to the cpanel via SFTP or FTPSSL then the connection is secure and this prevents hackers from intercepting the login or upload and scraping any login data.

      hope that clarifies it for you.


      • Who and how could somebody intercept my traffic when I’m logging into my webhost if I’m using fiber, adsl modem or a 4G modem not using any wifi in between the modem/router and my computer?

        It would have to be somebody working within the networking companies or my webhost or?

        • WOW Ben,

          you live in the dark ages and in more ways than one. Using a cable to connect to an ADSL or other hard wired modem is not a safeguard against hackers. Just because you are hard wired does not stop someone from uploading a trojan to your computer and using this to intercept the incoming and outgoing signal on your computers port that connects to the ADSL etc.

          Hackers are inventive if nothing else and thats why Banks and other financial institutions spend 100’s of Millions of dollars annually to try and stay ahead of this type of intercept.

          I very much doubt your security budget is anywhere near as large!!

          • That’s true, a trojan can probably get into my system some way. But I think hacking something on my sites is way more likely. I’m also using a non-mainstream OS (Linux) which probably has less trojans.

  9. Will the two factor authentication be like the Wordfence security plugin where u get the second password through text message? I use backup buddy n sync so it would b nice to also have an Ithemes security plugin that could do the two factor through text.

    • Luis,

      2 Step authentication can usually deliver either a push notification which is an instant message essentially or it can send a code via text or email.

      Different services offer different options.

      I use Duo-security which is a stand alone system that has a really good free option. I am not affiliated with them so there is no benefit to me suggesting these as a provider, I just like the platform and its capabilities.


  10. Excellent article Kevin. I have Limit Logins on all my sites and my clients. As well as assigning strong passwords and usernames. This past month though something hit me as I saw the bots getting so much smarter. They began sing my creative username to try and get in. I realized I had not been changing my “nickname” in the user settings. By doing that, your actual login username is NEVER seen on site anywhere. It will be something I now do for myself when creating sites and also my clients users will all have different login usernames then their actual ‘Nickname’ that shows on site.

    Looking forward to implementing the iThemes Better WP Security. I have used ‘Keeper’ for all my passwords since they came out. With all the hacks on such major platforms in the past few months I went rogue and totally did the entire new passwords for every login, everywhere. I used the ‘generate password’ for each place and of course I have to contantly look them up when I need them except for stored ones. But it was worth it. It’s a whole new ball game out there & it doesn’t take 3 strikes to be out.

    • Noelle, Ive been using chris’s plugin for 2 years now, even though its gaining more popularity from the Itheme takeover. I would say it is one of the better security plugins out there for wordpress, If you are using a password manager, then you can change some settings in this plugin, There is absolutely no need for 3 attempts at a wrong password, there should only be 1, (your using a password manager, the only person that should be on your site is you.) I set my sites to 1 attempt, and blacklist, and instead of 15min time out ad the number 9 untill you can ad no more time, ie 999999999999 (its approx 40 years blockage), Then I manually add the blocked user into the ban list. If they are persisten, then I wildcard block them across their network something like this 255.255.*.*
      With regards to nickname, its a common way to get your username, particularly at install, make sure you delete the hello user post, and any demo content, because it will keep the original authors nickname. There are some htaccess rules to block author scans, You should implement them. Stops them in their tracks.

  11. I’ve been using LastPass for awhile. It is stored in the cloud but is always encrypted – in transit and on their servers. Thus there is not a lot of point in hacking them as no passwords would be easily accessible. Of course, you want a strong Master password.

    Yes, there are doorways into any of the software mentioned if your PC is compromised, so you also want to be using good anti-virus and practice safe computing.

    I used to use locally installed encrypted software for storing my passwords until the software hiccuped and couldn’t decrypt.

  12. One thing the article didn’t mention was how fast password cracking works. A short, simple password can be hacked in a few minutes. But only if they have the chance to keep trying. Limiting attempts is a great idea and I’m surprised it’s not more widely implemented.

  13. Really helpful, just went to workshop on WordPress security that covered some of this and opened my eyes to the level of hacking that is going on out there. I think most people have no idea. Especially small mom and pop business owners with simple sites.
    I’ll definatly put this info into use and with clients too.

  14. Hey Kevin,

    Good post, there are some things this plugin still needs work on, Hiding the login screen only works some of the time, what needs to be integrated is htaccess password protect from wp-admin folder, This will cut down on excessive load and requests on our database.

    Here is a simple circumvent for your login screen, that i have and many other users mentioned in the WordPress forums of the original plugins home.


    What this does is say wordpress i want to log out, it then gives up the secret key on logout screen regardless if you were logged in, it would be smarter in the htaccess code you have, to say upon logout, redirect to home page, so you are not giving away the secret login key page. Or give us a choice on where the redirect sends us, (say a membership thankyou page).

    Looking forward for Google auth built in, that will save some terrible conflicts that happen at the moment, with time delays, not syncing. From running to many security plugins, You may also want to look at iQ Block Country (worpress plugin). Knowing what country you are in and limiting the login page to your country only can stop a lot of bad traffic. (Also like a function in another security plugin ban by referer (domain name), Have you ever been a target of russian spammer, blocking sites directly can help cut down on thousands of 404 errors.)



Save 40% off site-wide through December 31! Get the coupon