A successful WordPress security strategy should include steps to strengthen the WordPress login. In this post, we cover the five simple rules for better WordPress login security.
The great thing about WordPress is how it makes creating a website accessible to just about anyone. But with that accessibility comes predictability. Anyone with experience working with WordPress knows where changes to the site are made: via the wp-admin area. They even know where they need to go to access the wp-admin, the wp-login.php page.
By default, the WordPress login URL is the same for every WordPress site, and it doesn’t require any special permissions to access. That’s why the WordPress login page is the most attacked—and potentially vulnerable—part of any WordPress site.
Unfortunately, creating a bot that will roam the internet committing brute force attacks doesn’t require very much skill, and any beginner-level hacker can create one. Because attacks on the WordPress login page have a low barrier of entry, WordPress login security is crucial to secure any WordPress site.
By following these rules and using WordPress security best practices, you can avoid being vulnerable to common user login mistakes.
1. Use Strong Passwords
There is a lot of confusing and contradicting information about password security best practices on the internet. In an effort to clear up that confusion, let’s break down the basics of how using a strong password improves your WordPress security.
Whenever creating a password, the first item that you will want to consider is the length of the password. The list below shows the estimated time it takes to crack a password using a four-core i5 processor.
- 7 characters will take .29 milliseconds to crack.
- 8 characters will take 5 hours to crack.
- 9 characters will take 5 days to crack.
- 10 characters will take 4 months to crack
- 11 characters will take 1 decade to crack
- 12 characters will take 2 centuries to crack.
So as you can see, adding a single character to your password can significantly increase the security of your login.
A password that it is at least 12 characters long, random and includes a large pool of characters like “ISt8XXa!28X3” will make it very difficult to crack.
Unfortunately, some hackers are leveraging GPUs and stronger CPUs to decrease the amount of time needed to crack passwords. So to strengthen your logins, also be mindful of your password entropy. The higher the password entropy is, the more difficult the password will be to crack.
For example, based on just the length requirement, a password like “abcdefghijkl” is 12 characters, which is great and should take 200 years to crack. However, since the password uses sequential strings of letters, it makes the password much more predictable compared with a password like “rfybolaawtpm” which has randomized characters.
Randomizing characters decreases the predictability and increases the strength of the password. But both of these passwords have one thing in common that ultimately reduces the password entropy. Both are only using lower case letters, limiting the pool of possible characters to 26. That’s why it’s vital to include alphanumeric, upper-case letters, and common ASCII characters to increase the pool of characters needed to crack the password to 92.
2. Use a Unique Password For Every Account
Another best practice for online security is using unique passwords for every account and website login you have. This is so important, we’ll say it again: you should be using a different password for every site.
Why does reusing passwords matter so much? If you use the same password for every site and one of those sites is compromised, you are now using a compromised password for every account, on every site. Hackers can use data dumps of compromised passwords paired with your email address or username to gain access to your accounts. It’s best to not even take the risk.
The more users you have that are reusing passwords, the weaker your WordPress login security will be.
In a list compiled by Cybernews, the most common password in 2022 was 123456. The WordPress login security of your site is only as strong as the weakest link, so be proactive with strong password requirements.
Tip: Protect WordPress from Compromised Passwords
You can protect WordPress from compromised passwords with a plugin like iThemes Security Pro. iThemes Security Pro takes advantage of the HaveIBeenPwned API to detect whether or not a password has appeared in a data breach.
Tip: Encourage users to change passwords frequently
iThemes Security’s Password Requirements features allow you to force all of your users to change their password the next time they log in. Forcing users to create a new password, allows everyone to start fresh with a strong and uncompromised password, which will increase your WordPress login security.
Tip: Use a password manager
Ultimately, using a password manager can help you keep track of your logins and unique passwords. With the help of a password manager, you don’t have to remember your passwords.
3. Limit Login Attempts
By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make. Without a limit on the number of failed login attempts an attacker can make, they can keep trying an endless number of usernames and passwords until they are successful.
Increase your WordPress login security by installing a WordPress security plugin like iThemes Security Pro to limit the number of failed login attempts. The iThemes Security Pro WordPress Brute Force Protection feature gives you the power to set the number of allowed failed login attempts before a username or IP is locked out. A lockout will temporarily disable the attacker’s ability to make login attempts. Once the attackers have been locked out three times, they will be banned from even viewing the site. Note: When deciding how strict you want your rules for failed login attempts to be, keep the actual users of your site in mind. If you make the lockout rules too unforgiving, you run the risk of inadvertently locking out real users.
4. Limit Outside Authentication Attempts Per Request
There are other ways to log into WordPress besides using a login form. Using XML-RPC, an attacker can make hundreds of username and password attempts in a single HTTP request. The brute force amplification method allows attackers to make thousands of username and password attempts using XML-RPC in just a few HTTP requests. When you know an attacker can use database dumps as a starting point and make thousands of guesses per request, it makes the importance of WordPress login security much clearer. Using iThemes Security Pro’s WordPress Tweaks settings, you can block multiple authentication attempts per XML-RPC request. Limiting the number of username and password attempts to one for every request will go a long way in securing your WordPress login.
In addition, when you are developing your WordPress login security plan, it is important to be aware that the WordPress Rest API adds additional ways to authenticate a WordPress user. Cookie authentication is one method of authentication when you log in WordPress automatically stores a cookie so plugins and themes can perform a function on your behalf. Cookie authentication will benefit from the protections you have added to the wp-login.php.
5. Use Two-Factor Authentication
I saved the best way method to increase WordPress login security for last: WordPress two-factor authentication. Two-factor authentication requires an extra code along with your WordPress username and password to log in.
There are many methods of two-factor authentication, but not all methods are created equal. If you can, avoid using SMS for two-factor authentication. The National Institute of Standards and Technology no longer recommends using SMS to send and receive authentication codes.
Using a WordPress security plugin, like iThemes Security Pro, you should enable either the email or mobile app method of two-factor.
Just note that many sites require you to use an email address as a username. If an attacker hacks one of these sites, the next step will be to try to log into email accounts using the new email addresses and passwords they stole. If one of your users or clients is reusing compromised passwords on every site, their email account, along with their two-factor email codes, will be compromised. The mobile app method of two-factor will do the most to increase WordPress login security. The extra authentication code that is required to log in will be sent to the user’s phone. So, even if an attacker has access to the WordPress and email credentials, there will still be no way for them to log in.
Recap: A Simple WordPress Login Security Checklist
WordPress login security should be a top priority on every site. Now that you know how to increase the login security on your site, you can take advantage of this effective hack prevention strategy.
- 1. Use Strong Passwords
- 2. Use Unique Passwords for Every Account
- 3. Limit Login Attempts
- 4. Limit Authentication Attempts
- 5. Use Two-Factor Authentication
Get the bonus content: A Guide to WordPress Security
Kristen has been writing tutorials to help WordPress users since 2011. As marketing director here at iThemes, she’s dedicated to helping you find the best ways to build, manage, and maintain effective WordPress websites. Kristen also enjoys journaling (check out her side project, The Transformation Year!), hiking and camping, step aerobics, cooking, and daily adventures with her family, hoping to live a more present life.