escapecreative.io
Archived

WordPress Security: User Accounts & Passwords

Updated

Nov 6, 2023

Written by

Dave Warfel

Reading Time

4 minutes


An important part of WordPress security has to do with your user accounts & passwords. We’ll discuss some of the basic guidelines to keep your WordPress site secure, as well as go over some security plugins that can help.

A Quick Note About Brute-force Attacks

Insecure user accounts and/or passwords can lead to what are called brute-force attacks. These are attempts by people (more often, computer programs & bots) to guess the username & password combination of one of your WordPress users. These automated programs seek out your WordPress login & administration pages (/wp-login.php & /wp-admin/), and then try to log in using common username & password combinations. If they guess right, they gain access to your WordPress site and can do all kinds of bad things (hijack pages, inject malware, add hidden links).

How Do You Prevent Brute-force Attacks?

Now that you have an idea why you need to secure your WordPress site, let’s take a look at some ways you can achieve this with better security on your user accounts.

Never Use “admin” For Your Username

“Admin” is the default username on new WordPress installations. You should always create a new admin user with a unique username, and delete the “admin” username, as it is the most common in brute-force attacks.

WordPress usernames you should avoid:

  • admin / Admin
  • administrator / Administrator
  • root / Root
  • yourdomainname / yourdomainnamecom (You can use a variation of your domain, but don’t use it in its entirety)

We recommend using something unique—a variation of your name/initials, street address, favorite food, etc.

Selectively Choosing User Roles

If you are building sites for clients, or your organization will have multiple people with access to the site, think about the permissions each of them actually needs. Do they need to install plugins & edit settings? Create new posts? Edit others’ posts? Moderate comments? Create drafts, but not publish them live?

Don’t give a user admin privileges if they don’t need them. The WordPress Codex has a table that shows which functions a user can perform based on the role they are assigned. If your user only needs to be an “Author,” don’t give them “Administrator” access. If someone hacks into one of these lower-privileged accounts, they will not be able to do as much damage as they could with an Administrator account.

Talk To Administrators About Security

On the same note, make sure all Administrators understand the importance of security. They should always have unique usernames & maintain a strong password.

Logging Into Admin on an Open Wireless Connection

If you like to work at a local coffee shop, or anywhere else you’d be using a public (non-secure) wireless network, take extra precautions when logging into the WordPress admin. If your login page is not served over https, other people on that network could intercept your login credentials and use them to log in to your site. I’ll be writing a separate article that talks about securing your login & admin pages using an SSL certificate.

To be on the safe side, just don’t do it. Wait until you have access to a secure connection. Or talk to your site administrator about installing an SSL certificate on your server.

Use a Strong Password

This is an obvious one, but everyone should use a strong password. As of version 3.7, WordPress includes a better password strength meter that gives feedback on how strong your password is. Listen to it, and adjust your password accordingly.

Force Strong Passwords Plugin

There’s a great plugin called Force Strong Passwords that will require users to pick a secure password. By default, it only requires one for users who have certain, high-level capabilities (publish posts, upload files, etc.), but you can modify it using a filter to require ALL users to have a strong password. It’s well documented & maintained, and even used by some managed WordPress hosting companies like WP Engine.
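The plugin’s own filter is not shown here; as an added example (not the Force Strong Passwords plugin’s code, and not part of the original article), this applies one password policy to every user, whatever their role, using core WordPress hooks for the profile/new-user screens and the “Forgot password” reset form. The 12-character minimum, the character-class rule, and the function names are assumptions, not WordPress defaults.

```php
<?php
// Added example (not the Force Strong Passwords plugin's code): one password
// policy for every user via core hooks. The 12-character minimum and the
// character-class rule are assumptions, not WordPress defaults.

/**
 * Return an error message if $password violates the policy, or '' if it passes.
 * Separated from the hooks so the rule can be unit-tested on its own.
 */
function mpp_password_problem( $password, $username = '', $email = '' ) {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    // Reject passwords built from the user's own identifiers (username, email local part).
    $fragments = array_filter( array( $username, strstr( (string) $email, '@', true ) ) );
    foreach ( $fragments as $fragment ) {
        if ( strlen( $fragment ) >= 4 && stripos( $password, $fragment ) !== false ) {
            return 'Passwords must not contain your username or email address.';
        }
    }
    // Require at least three of the four character classes.
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        $classes += preg_match( $re, $password ) ? 1 : 0;
    }
    return $classes >= 3 ? '' : 'Passwords must mix at least three of: lowercase, uppercase, digits, symbols.';
}

// Profile edit and "Add New User" screens in wp-admin: $user->user_pass is only
// set when a new password was submitted, so unchanged profiles pass through.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $problem = mpp_password_problem( $user->user_pass, $user->user_login ?? '', $user->user_email ?? '' );
    if ( $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 3 );

// "Forgot password" reset form on wp-login.php: the new password arrives in $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( is_wp_error( $user ) || ! isset( $_POST['pass1'] ) ) {
        return;
    }
    $problem = mpp_password_problem( wp_unslash( $_POST['pass1'] ), $user->user_login, $user->user_email );
    if ( $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 2 );
```

Adding an error to the WP_Error object is what blocks the save or reset; the user sees the message and is asked again.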

Limit Consecutive Login Attempts

When attackers attempt brute-force attacks, they will keep trying username/password combinations on your login page, who knows how many times in a row. No real user—even one who is notorious for forgetting his password—should need 20+ tries to log in to the site, especially since there’s a simple “Forgot password” form they can use to reset it.

The Limit Login Attempts plugin limits the number of consecutive login attempts that can be made from a single IP address. It has some options for you to customize, and it logs the IP addresses that get locked out. You can also reset a lockout, in case one of your clients gets amnesia and really needs to get into their site. You’ll see which username the offender was using, and you have the option to be notified by email.
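As an added example (not the Limit Login Attempts plugin’s code, and not part of the original article), here is the same idea built on core WordPress hooks: count failed logins per IP address, refuse further attempts once a limit is reached, log the lockout with the usernames that were tried, email the site admin, and give you a way to reset a locked-out client. The thresholds (5 attempts, 15-minute lockout) and the function names are assumptions.

```php
<?php
// Added example (not the Limit Login Attempts plugin's code): per-IP lockout on
// core hooks. 'authenticate' refuses logins from a locked-out address before the
// password is checked; 'wp_login_failed' keeps count. Thresholds are assumptions.
define( 'LL_MAX_ATTEMPTS', 5 );
define( 'LL_LOCKOUT_SECS', 15 * 60 );

// REMOTE_ADDR is set by the web server and cannot be forged by the client; only
// swap in a proxy header (X-Forwarded-For) if your own proxy sets it.
function ll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names have a length limit, so key the state by a hash of the IP.
function ll_state_key( $ip ) {
    return 'll_lock_' . md5( $ip );
}

// 1. Refuse the login outright while the address is locked out. Priority 1 runs
//    before core's username/password check (priority 20); empty submissions are
//    skipped so merely loading wp-login.php never counts as an attempt.
add_filter( 'authenticate', function ( $user, $username ) {
    $state = get_transient( ll_state_key( ll_client_ip() ) );
    if ( '' !== $username && is_array( $state ) && $state['fails'] >= LL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 1, 2 );

// 2. Count failures per address; on hitting the limit, log it with the usernames
//    that were tried and email the site admin (once per lockout).
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = ll_client_ip();
    $state = get_transient( ll_state_key( $ip ) );
    $state = is_array( $state ) ? $state : array( 'fails' => 0, 'users' => array() );
    $state['fails']++;
    $state['users'][] = $username;
    set_transient( ll_state_key( $ip ), $state, LL_LOCKOUT_SECS );
    if ( LL_MAX_ATTEMPTS === $state['fails'] ) {
        $msg = sprintf( 'Locked out %s after %d failed logins (usernames tried: %s)',
            $ip, $state['fails'], implode( ', ', array_unique( $state['users'] ) ) );
        error_log( $msg );
        wp_mail( get_option( 'admin_email' ), 'WordPress login lockout', $msg );
    }
} );

// 3. A successful login clears the counter; ll_unlock_ip() lets an admin reset a
//    locked-out client by hand (for instance via WP-CLI's `wp eval`).
add_action( 'wp_login', function () { delete_transient( ll_state_key( ll_client_ip() ) ); } );
function ll_unlock_ip( $ip ) { return delete_transient( ll_state_key( $ip ) ); }
```

Each further attempt during a lockout refreshes the transient, so the lockout extends for as long as the guessing continues. Counting per IP does nothing against attempts spread across many addresses, which is why it belongs alongside strong passwords rather than in place of them.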

What other login & user-related security measures do you use to protect your WordPress site? Let us know in the comments.


Dave Warfel

Dave has been working with WordPress since 2011. He's built 100s of client sites and almost a dozen of his own. He's tested almost every plugin you can think of, hosted with at least 10 different companies, and gone down every SEO rabbit hole you can imagine. When he's not tinkering with new software, you'll find him in the mountains of Colorado, trail running, summiting peaks, and rippin' downhills on his mountain bike. 🏔️🏃🚴🤸


2 responses to “WordPress Security: User Accounts & Passwords”

  1. Greg Winiarski
     Dec 9, 2013

    Great article. A small note on the brute force, if I may: from the server logs on a couple of servers I can tell that, aside from wp-login.php, bots/hackers are also looking for the /wp-admin directory.

    Reply
    1. Dave Warfel
       Dec 10, 2013

      Thanks Greg. I updated the article to mention the /wp-admin/ page, too.

      Unrelated… Nice plugin over at WPJobBoard. If I ever have a need, I’ll be sure to check it out.

Escape Creative, LLC © 2013-2025