A successful WordPress security strategy should include steps to strengthen the WordPress login. In this post, we cover the five simple rules for better WordPress login security.
The great thing about WordPress is how it makes creating a website accessible to just about anyone. But with that accessibility comes predictability. Anyone with experience working with WordPress knows where changes to the site are made: via the wp-admin area. They even know where they need to go to access the wp-admin, the wp-login.php page.By default, the WordPress login URL is the same for every WordPress site, and it doesn’t require any special permissions to access. That’s why the WordPress login page is the most attacked—and potentially vulnerable—part of any WordPress site.
Unfortunately, creating a bot that will roam the internet committing brute force attacks doesn’t require very much skill, and any beginner-level hacker can create one. Because attacks on the WordPress login page have a low barrier of entry, WordPress login security is crucial to secure any WordPress site.
By following these rules and using WordPress security best practices, you can avoid being vulnerable to common user login mistakes.
1. Use Strong Passwords
There is a lot of confusing and contradicting information about password security best practices on the internet. In an effort to clear up that confusion, let’s break down the basics of how using a strong password improves your WordPress security.
Whenever creating a password, the first item that you will want to consider is the length of the password. The list below shows the estimated time it takes to crack a password using a four-core i5 processor.
- 7 characters will take .29 milliseconds to crack.
- 8 characters will take 5 hours to crack.
- 9 characters will take 4 months to crack.
- 10 characters will take 1 decade to crack
- 12 characters will take 2 centuries to crack.
So as you can see, adding a single character to your password can significantly increase the security of your login. A password that it is at least 12 characters long, random and includes a large pool of characters like “ISt8XXa!28X3” will make it very difficult to crack.
Unfortunately, some hackers are leveraging GPUs and stronger CPUs to decrease the amount of time needed to crack passwords. So to strengthen your logins, also be mindful of your password entropy. The higher the password entropy is, the more difficult the password will be to crack.
For example, based on just the length requirement, a password like “abcdefghijkl” is 12 characters, which is great and should take 200 years to crack. However, since the password uses sequential strings of letters, it makes the password much more predictable compared with a password like “rfybolaawtpm” which has randomized characters.
Randomizing characters decreases the predictability and increases the strength of the password. But both of these passwords have one thing in common that ultimately reduces the password entropy. Both are only using lower case letters, limiting the pool of possible characters to 26. That’s why it’s vital to include alphanumeric, upper-case letters and common ASCII characters to increase the pool of characters needed to crack the password to 92.
2. Use a Unique Password For Every Account
Another best practice for online security is using unique passwords for every account and website login you have. This is so important, we’ll say it again: you should be using a different password for every site.
Why does reusing passwords matter so much? If you use the same password for every site and one of those sites is compromised, you are now using a compromised password for every account, on every site. Hackers can use data dumps of compromised passwords paired with your email address or username to gain access to your accounts. It’s best to not even take the risk.
The more users you have that are reusing passwords, the weaker your WordPress login security will be. In a list compiled by Splash Data, the most common password included in all data dumps was 123456. The WordPress login security of your site is only as strong as the weakest link, so be proactive with strong password requirements.
Tip: Protect WordPress from Compromised Passwords
You can protect WordPress from compromised passwords with a plugin like iThemes Security Pro. iThemes Security Pro takes advantage of the HaveIBeenPwned API to detect whether or not a password has appeared in a data breach.
Tip: Encourage users to change passwords frequently
iThemes Security’s Password Requirements features allow you to force all of your users to change their password the next time they log in. Forcing users to create a new password, allows everyone to start fresh with a strong and uncompromised password, which will increase your WordPress login security.
Tip: Use a password manager
Ultimately, using a password manager can help you keep track of your logins and unique passwords. With the help of a password manager, you don’t have to remember your passwords.
3. Limit Login Attempts
By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make. Without a limit on the number failed login attempts an attacker can make, they can keep trying an endless number of usernames and passwords until they are successful.
Increase your WordPress login security by installing a WordPress security plugin like iThemes Security Pro to limit the number of failed login attempts. The iThemes Security Pro WordPress Brute Force Protection feature gives you the power to set the number of allowed failed login attempts before a username or IP is locked out. A lockout will temporarily disable the attacker’s ability to make login attempts. Once the attackers have been locked out three times, they will be banned from even viewing the site.
4. Limit Outside Authentication Attempts Per Request
There are other ways to log into WordPress besides using a login form. Using XML-RPC, an attacker can make hundreds of username and password attempts in a single HTTP request. The brute force amplification method allows attackers to make thousands of username and password attempts using XML-RPC in just a few HTTP requests. When you know an attacker can use database dumps as a starting point and make thousands of guesses per request, it makes the importance of WordPress login security much clearer.
In addition, when you are developing your WordPress login security plan, it is important to be aware that the WordPress Rest API adds additional ways to authenticate a WordPress user. Cookie authentication is one method authentication when you login WordPress automatically stores a cookie so plugins and themes can perform a function on your behalf. Cookie authentication will benefit from the protections you have added to the wp-login.php.
5. Use Two-Factor Authentication
I saved the best way method to increase WordPress login security for last: WordPress two-factor authentication. Two-factor authentication requires an extra code along with your WordPress username and password to log in.
There are many methods of two-factor authentication, but not all methods are created equal. If you can, avoid using text for two-factor authentication. The National Institute of Standards and Technology no longer recommends using SMS to send and receive authentication codes.
Using a WordPress security plugin, like iThemes Security Pro, you should enable either the email or mobile app method of two-factor.
Just note that many sites require you to use an email address as a username. If an attacker hacks one of these sites, the next step will be to try to log into email accounts using the new email addresses and passwords they stole. If one of your users or clients are reusing compromised passwords on every site, their email account, along with their two-factor email codes, will be compromised.
Recap: A Simple WordPress Login Security Checklist
WordPress login security should be a top priority on every site. Now that you know how to increase the login security on your site, you can take advantage of this effective hack prevention strategy.
- 1. Use Strong Passwords
- 2. Use Unique Passwords for Every Account
- 3. Limit Login Attempts
- 4. Limit Authentication Attempts
- 5. Use Two-Factor Authentication
A WordPress Security Plugin Can Help Secure Your WordPress Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.