5 simple rules for WordPress login security

A successful WordPress security strategy should include steps to strengthen the WordPress login. In this post, we cover the five simple rules for better WordPress login security.

The great thing about WordPress is how it makes building a website accessible to almost anyone. But with that accessibility comes predictability. Anyone experienced with WordPress knows where changes to the site are made: via the wp-admin area. They even know where to go to access wp-admin, the wp-login.php page.

By default, the WordPress login URL is the same for every WordPress site and does not require any special access permissions. Because of this, the WordPress login page is the most attacked — and potentially vulnerable — part of any WordPress site.

Unfortunately, creating a bot that roams the internet and performs brute force attacks doesn’t require very much skill, and any entry-level hacker can create one. Because WordPress login page attacks have a low barrier to entry, WordPress login security is vital to protect any WordPress site.

By following these rules and using WordPress security best practices, you can avoid being vulnerable to common user login errors.

1. Use strong passwords

There is a lot of confusing and conflicting information about password security best practices on the Internet. To clear up this confusion, let’s break down the basics of how using a strong password improves your WordPress security.

When creating a password, the first thing to consider is the length of the password. The list below shows the estimated time it takes to crack a password using a quad-core i5 processor.

  • 7 characters take 0.29 milliseconds to crack.
  • 8 characters take 5 hours to crack.
  • 9 characters take 4 months to crack.
  • 10 characters take 1 decade to crack
  • 12 characters will take 2 centuries to crack.

As you can see, adding a single character to your password can significantly increase the security of your login. A password that is at least 12 characters long, random, and contains a large number of characters like ” ISt8XXa!28X3 ” will make it very difficult to crack.

Unfortunately, some hackers use GPUs and more powerful CPUs to reduce password cracking time. So, to strengthen your logins, also watch your password entropy. The higher the password entropy, the harder it is to crack the password.

For example, a password like “abcdefghijkl” is 12 characters just because of the length requirement, which is awesome and should take 200 years to crack. However, because the password uses sequential strings of letters, it makes the password much more predictable compared to a password like ” rfybolaawtpm ” that contains random characters.

Randomizing characters reduces predictability and increases password strength. But both passwords have one thing in common that ultimately reduces password entropy. Both use only lowercase letters, which limits the pool of possible characters to 26. Because of this, it’s important to include alphanumeric, uppercase, and common ASCII characters to increase the character pool required to crack the password to 92.

Tip: Use a password manager like LastPass to easily generate and securely store passwords.

Tip: At a minimum, you should require users who can make changes to WordPress to use strong passwords. Using a WordPress security plugin like iThemes Security Pro to force privileged users to use strong passwords helps increase WordPress login security.

2. Use a unique password for each account

Another online security best practice is to use unique passwords for every account and website login you have. This is so important we’ll say it again: you should use a different password for each site.

Why is password reuse so important? If you use the same password for every site and one of those sites is compromised, now use a compromised password for every account on every site. Hackers can use data dumps of compromised passwords in conjunction with your email address or username to gain access to your accounts. It’s best not to even take the risk.

The more users you have who reuse passwords, the weaker your WordPress login security is. In a list compiled by Splash Data, the most used password across all data dumps was 123456. Your site’s WordPress login security is only as strong as its weakest link, so be proactive with strong password requirements.

Tip: Protect WordPress from compromised passwords

You can protect WordPress from compromised passwords with a plugin like iThemes Security Pro. iThemes Security Pro uses the HaveIBeenPwned API to detect whether or not a password has been leaked in a data breach.

Tip: Encourage users to change passwords frequently

With iThemes Security password requirements, you can force all your users to change their password at next login. Forcing users to create a new password allows everyone to start fresh with a strong and uncompromising password, increasing your WordPress login security.

Tip: Use a password manager

Finally, using a password manager can help you keep track of your logins and unique passwords. With the help of a password manager, you don’t have to remember your passwords.

3. Limit login attempts

By default, WordPress has nothing built in to limit the number of failed login attempts. With no limit to the number of failed login attempts an attacker can make, they can try endless usernames and passwords before succeeding.

Increase your WordPress login security by installing a WordPress security plugin like iThemes Security Pro to limit the number of failed login attempts. iThemes Security Pro’s WordPress Brute Force Protection feature allows you to set the number of failed login attempts allowed before a username or IP is banned. A lockout temporarily prevents the attacker from attempting to log in. Once the attackers have been locked out three times, they will even be banned from accessing the site.

Note: When deciding how strict your failed login attempt rules should be, consider the actual users of your site. If you make the blocking rules too unforgiving, you run the risk of accidentally blocking real users.

4. Limit external authentication attempts per request

Besides using a login form, there are other ways to login to WordPress. Using XML-RPC, an attacker can perform hundreds of username and password attempts in a single HTTP request. The brute force amplification method allows attackers to perform thousands of username and password attempts with XML-RPC in just a few HTTP requests. When you know that an attacker can use database dumps as a starting point and make thousands of guesses per request, the importance of WordPress login security becomes much clearer.

iThemes Security Pro’s WordPress Tweaks settings allow you to block multiple authentication attempts per XML-RPC request. Limiting the number of username and password attempts to one for each request will go a long way towards securing your WordPress login.

Additionally, when developing your WordPress login security plan, it’s important to know that the WordPress Rest API provides additional ways to authenticate a WordPress user. Cookie authentication is a method of authenticating when you log in. WordPress automatically saves a cookie to allow plugins and themes to perform a function on your behalf. Cookie authentication benefits from the protections you added to wp-login.php.

5. Use two-factor authentication

I saved the best method for increasing WordPress login security for last: WordPress two-factor authentication. Two-factor authentication requires an additional code along with your WordPress username and password to log in.

There are many methods of two-factor authentication, but not all methods are created equal. If possible, avoid using text for two-factor authentication. The National Institute of Standards and Technology no longer recommends using SMS to send and receive authentication codes.

If you use a WordPress security plugin like iThemes Security Pro, you should enable either the email or mobile app method of two-factor.

Just be aware that many websites require you to use an email address as your username. If an attacker hacks one of these websites, the next step is to log into email accounts using the new email addresses and passwords they stole. If any of your users or customers reuse compromised passwords on every site, their email account will be compromised along with their two-factor email codes.

The two-factor mobile app method will do the most to increase WordPress login security. The additional authentication code required for login is sent to the user’s phone. Even if an attacker has access to the WordPress and email credentials, they still won’t be able to log in.

Summary: A simple WordPress login security checklist

WordPress login security should be a top priority on any website. Now that you know how to increase login security on your website, you can use this effective hack prevention strategy.

  • 1. Use strong passwords
  • 2. Use unique passwords for each account
  • 3. Limit login attempts
  • 4. Limit authentication attempts
  • 5. Use two-factor authentication

WordPress security plugin

A WordPress security plugin can help protect your WordPress website

iThemes Security Pro, our WordPress security plugin, offers over 30 ways to secure your website and protect against common WordPress security vulnerabilities. Add an extra layer of security to your website with WordPress two-factor authentication, brute force protection, strong password enforcement and more.

Get iThemes Security now

Michael Moore

Every week, Michael creates the WordPress vulnerability report to ensure the security of your websites. As a product manager at iThemes, he helps us to further improve the iThemes product range. He’s a huge nerd and loves to learn all about tech, old and new. You can meet Michael with his wife and daughter, read or listen to music when he is not working.

Previous post WordPress login and dashboard
WP Plugin: Access Wordpress Login only with valid IP or GETpass function Next post WP Plugin: Access WordPress Login only with valid IP or GETpass function