WordPress Password Security: A Complete Guide

When your WordPress site gets hacked, one of the most common culprits is your password. 

While no site is completely hack-proof, your WordPress password security makes a big difference when it comes to securing your website. 

The two most common mistakes people make when it comes to their passwords are to rely on something they can easily remember and to reuse their passwords for multiple sites and accounts. Want to hear something incredible? The most common password used in 2020 was the word ‘password’ or some variation of it. 

Even if you aren’t using passwords that are this obvious, using birthdays, pets’ names, hometowns or even the names of your family members is a huge security risk. Sure, it makes it easy to remember them, but it also becomes insanely easy to hack into your website because this information is easily available in profiles across different services such as social media.

Passwords exist as a key to your website, quite literally. And good security doesn’t end at having a strong password either. If you want to secure your website, you need to ensure that you take strong measures.

TL;DR: WordPress password security is crucial for your website, it keeps out attackers and bots looking for low-hanging fruit. Use MalCare to fortify your password security and keep out attackers who may use other means to hack into your WordPress site. 

WordPress Password Security Basics

While having strong WordPress passwords is important, there are several practices that can still harm your WordPress site. These are often overlooked because having one password for multiple accounts or not changing your passwords is very convenient. But if your WordPress site is important, there are certain practices that you must bid adieu to. 

We have created this list for you to be able to increase your WordPress password security in one go. 

1. Use a plugin for login security

Hackers employ a type of attack known as the brute force attack, wherein they use bots to try thousands of password combinations to gain access to your site. If you are facing a brute force attack, your best defense is a strong firewall. Nothing can replace the security that a plugin with a strong firewall can provide. 

We recommend MalCare for several reasons. The first is that MalCare has an intelligent firewall that can detect brute force attacks within minutes. If an IP address sends 10 incorrect login requests within a span of 30 minutes, MalCare makes sure that a reCaptcha is needed to be able to make another request. Additionally, If there are 100+ invalid login attempts in a short duration of time, MalCare adds reCaptcha for every login request, irrespective of the IP, to safeguard the site. MalCare also blocks suspicious IPs and allows you to manually block any IPs individually or by geographic location.

In addition to protecting your site from brute force attacks, MalCare alerts you of any suspicious activity and vulnerabilities in time so that you aren’t caught off guard by an attack.

MalCare also lets you schedule automated scans, offers one-click cleanups, and has unparalleled support channels for any requirements you may have. These strong measures protect your website against the biggest culprit for malware—vulnerabilities.

2. Follow WordPress password requirements

We are stating the obvious—use strong passwords! But what even qualifies for a strong password? 

When you create an account, whether for your web host, wp-admin, or elsewhere, you will be given a recommendation for password requirements. It could be a certain length, a mix of characters, or more. Follow these general WordPress password rules to a T. 

  • Use small and capital case letters, numbers, and special characters in your password(@, #, *, etc.).
  • Make your password more than six characters in length(10 characters – minimum; 50 characters – ideal)
  • Ensure that your password is not personal information such as your birthday or a pet’s name.
  • Avoid single words and opt for phrases instead.
WordPress password security strength

These requirements are not merely a suggestion, they ensure that you have a password that is not easily penetrable by any attacker.

3. Use a password manager

Now we understand why people use weak passwords; it’s not because they want to get hacked, it’s because they are easy to remember. For instance, mypetname1234 is a lot easier to remember than $%484hdfilpsofga. But guess which password stands the chance of surviving a bot attack? 

Thanks to password managers though, you don’t have to remember these indecipherable passwords. There are several free and premium password managers available, but we recommend using credible password managers that ensure security and backup for your data.

If you shy away from using password managers because you worry that if a hacker gets their hands on it, all your passwords will be compromised, let us explain how they work. Password managers encrypt your passwords so that even in the unlikely event that they are hacked, your passwords are not decipherable. Moreover, most password managers use zero-knowledge architecture, which means that the passwords are hidden even from the provider of the tool.

Your password manager is way more secure than memory, with the possible exception of Sherlock’s mind palace. 

4. Update passwords frequently

Brute force attacks take time, and the more complex your password, the longer it takes. If you’ve followed all the WordPress password requirements, it can take hackers days or even months to crack your password. Unfortunately, hackers tend to use other methods like phishing to gain access, and if your password gets stolen, your site is in trouble.

The simplest countermeasure to this problem is to make sure that you update your password regularly and refrain from reusing old passwords. While remembering new passwords can be annoying, the security benefits are worth it.

Changing passwords regularly has another advantage too. In case you have been hacked without your knowledge, changing your password logs you out from all devices, kicking out anyone who has unauthorized access.

5. Ditch the dictionary

Very often, even if you follow all the password guidelines, you may end up using a word or a name to help you remember it. But unfortunately, if your password has words that can be found in a dictionary, they are not very secure.

Hackers use dictionary attacks to break passwords often, wherein they program bots to use all the dictionary words on your WordPress site until they can gain access to your site. The best way to avoid it, is to not use any dictionary words at all. Gibberish will serve you better than the name of your favorite singer. You can even use phrases in your password with a mix of numbers and special characters, but avoid single words at all costs.

6. Use unique passwords

If you’re handling a high-value website, it is very important to not reuse your passwords for multiple accounts or websites. Using the same password for multiple sites is an extremely common security flaw, and should be avoided at all costs. Often after a hack, passwords are compromised in data leaks, and hackers get their hands on these password databanks. If you reuse your passwords, even if the password you’re using is strong, it becomes irrelevant if it is stolen from another site and used to log into your WordPress admin account. 

Also read: How to change WordPress username

7. Don’t share your passwords

Don’t share your passwords with anyone. It may seem like an unnecessary thing to advice, but way too many people casually share their credentials with peers or colleagues. While the people you may share them with may not misuse it (although it is not unheard of), sharing passwords in itself is a security risk. If your communication is intercepted, hackers can use that data to gain access to your account.

How to enforce strong passwords in WordPress (for all users)

In order to have strong security practices, you need to make sure that all your users also employ strong password practices. Hackers don’t necessarily need to access the admin account to infect your site, they can also do it from other accounts with fewer privileges. You can force all the accounts on your site to have strong passwords by following these steps:

  • Install a plugin like Password Policy Manager
  • Go to the Password Policy Settings
  • Select the password requirements you want to enforce
  • Add in details like password length and expiry time
  • Click on Save.

Why Enforce Strong Passwords in WordPress

We discussed how passwords act like a key to your website. Now imagine if you lost your home keys and a burglar found them. Even if you have a security guard, the simple fact that the burglar has a key, improves their chances of robbing you a hundredfold. Similarly, even if you take other security measures, weak passwords can still give hackers access to your WordPress site. 

Hackers often employ a type of attack known as brute force attack, wherein they use bots to try several variations of passwords in order to log in to your website. These bots use several thousand combinations in a minute, and often have access to leaked passwords through the dark web. If your password is common, or weak, it becomes that much easier for the bots to crack it.

It is also important to secure your WordPress site from brute force attacks with a strong firewall. Even if a brute force attack is unable to find your password, several login requests to your website server in a short span of time can overwhelm the server and slow down your site or even break it.

Which is why it is extremely important to make sure that your passwords are strong, lengthy, unique, and regularly updated.

Final Thoughts

All of these measures are extremely important when it comes to your WordPress password security, but keeping a track of all the passwords can get tedious. You can work around this by using MalCare to secure your WordPress site and WordPress login page for you. MalCare offers regular scans, a strong firewall, flawless cleanups, and a whole host of other security measures that ensure that your website is secure. 

If you want to improve your site login security overall, you may want to take a look at this guide. But the easiest way to stay on top of everything is to let MalCare do the heavy lifting for you. 


How do I make my WordPress password strong?

The easiest way to strengthen your WordPress password is to use a password manager to generate and store your passwords. Using a premium password manager will allow you to backup your passwords too. 

Alternatively, if you are strengthening your WordPress password manually, use a mix of capital and small letters, numbers, and special characters in your password. Also, try to avoid common words or names in your password.

How do I force a strong password in WordPress?

You can use a password security plugin to ensure that anyone creating a new password fulfills all the requirements. By enforcing the use of a mixture of capital letters, small letters, numbers, symbols, and punctuation, you can make sure that all accounts on your site are protected.

How often should you change your WordPress password?

Ideally speaking, you should change your WordPress password every 60-90 days. Changing your password regularly makes your account significantly harder to hack, and you can enforce password changes via security plugins.

How do I change my password strength in WordPress?

You can change your WordPress password strength by adjusting its complexity. The weakest passwords are those with minimal complexity, usually comprising a few letters, while the strongest passwords are those using a mix of letters, numbers, and symbols. The length of the password also influences its strength, with longer passwords being harder to crack. 


Preeti is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Preeti distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap