WordPress Usernames and Passwords: How to Resist Brute Force Attacks

What Happens When Your Website is Hacked?

The most obvious result is that visitors to your website will be met with a big red screen that tells them to beware because the site ahead is malicious – like this:

[Image: Chrome warning that the website ahead has been blacklisted]

That does not help your brand reputation!

But worse, if visitors somehow reach your site, perhaps before the search engines have discovered the hack and blocked access to it, their computer may be infected with viruses or malware, they may be redirected to a porn site, or their computer may be ‘recruited’ as an ‘asset’ of the hacker, to be used in future crimes.

None of those are good for your website or blog!

The growth of hacking and cyber-crime makes it imperative that we all take care to make our websites as secure as possible.

Usernames and Passwords – Two simple ways to make your WordPress website more secure

Here, then, are two simple steps you can take to make your WordPress website more secure.

But first an important note:

No website can ever be 100% secure. If a hacker is determined to access it, they will. But in no way does that remove the need for you to take every precaution you can. It’s part of being a good net citizen.

First Step: Create a long, complex username

Long ago, WordPress stopped assigning the default username ‘admin’ on installation, with one possible exception: if your WordPress site is installed using a script provided by your hosting provider.

Today when you install WordPress manually (that is, without using your hosting provider’s script) it invites you to choose a username. You should choose a long and complex one, and here’s why:

One of the ways hackers access your site is by using computer programs (bots) that attempt to guess your username and password combination. These are called brute force attacks.

For these to succeed the bots need to guess two pieces of information: your username and your password. If you make either of them obvious, the bot’s job becomes very much easier.

If you make both of them obvious you can be pretty sure that your site will be brute force hacked at some point.
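The kind of protection a brute force plugin adds at the login stage can be seen in this small must-use plugin, written here as an illustration and not taken from the article or from any particular plugin; it assumes the site is not behind a reverse proxy (so REMOTE_ADDR is the real client address) and the limits of 5 failures in 15 minutes are arbitrary:

```php
<?php
/**
 * Plugin Name: Simple login throttle (hypothetical example)
 * Description: Lock an IP address out of wp-login.php after repeated failed attempts.
 */

// Hypothetical limits: 5 failures within 15 minutes lock the address out for 15 minutes.
define('LT_MAX_FAILURES', 5);
define('LT_WINDOW_SECS', 15 * MINUTE_IN_SECONDS);

function lt_client_key(): string {
    // Key the counter on REMOTE_ADDR only; trusting X-Forwarded-For would let a
    // client choose its own key and sidestep the limit.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_fail_' . md5($ip);
}

function lt_is_locked_out(): bool {
    return (int) get_transient(lt_client_key()) >= LT_MAX_FAILURES;
}

// Core fires 'wp_login_failed' for every rejected username/password pair.
// Store the running count in a transient that expires with the window.
add_action('wp_login_failed', function ($username) {
    $key   = lt_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LT_WINDOW_SECS);
});

// Priority 30 runs after core's own checks at priority 20, so a locked-out
// address is refused even if it finally guesses the right password. Each
// refused attempt also counts as a failure, so the lockout only expires once
// the source stops trying.
add_filter('authenticate', function ($user, $username, $password) {
    if (lt_is_locked_out()) {
        return new WP_Error('too_many_attempts', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, WP_User $user) {
    delete_transient(lt_client_key());
}, 10, 2);
```

Drop the file into wp-content/mu-plugins/ and it loads on every request without activation; the failed-attempt counts live in the options table as transients and need no extra storage.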

WordPress enables you to create usernames that contain letters (upper and lowercase), numbers, spaces and some symbols. And you should use all of those. Here’s an example:

[Image: example of a long, complex username]

Using your name, the company name or the website name as the username for your website login, while easy for you to remember, is a gift to the bots. They will try those options first and when they find what you’ve used they’re halfway to getting into your site. Don’t make it easy for them!

There is no limit to the number of characters you can use in your username, and this is important – here’s why:

There are 88 different characters that can be used in passwords (letters (upper and lower case), numbers and symbols) and slightly fewer that can be used in WordPress usernames, because not all the symbols are permitted.

Therefore, with 88 characters available to use, if you have a 1 character username the bots can get it within 88 guesses – in a fraction of a second.

But if you have a 2 character username they will need 7,744 guesses to get the correct combination of those two characters – 88 × 88 (and still in a fraction of a second).

So you can see that each character you add to your username (or password) multiplies the number of guesses required by 88: the strength grows exponentially with length.

An 8 character username will require 3,596,354,248,055,296 guesses – now we’re getting somewhere. I use a minimum of 13 characters in my usernames and passwords.

Key take-away:

So, the message is this: use a long and complicated username to help protect your WordPress site from brute force attacks. Don’t use your name, the site name, the company/business name or anything that is easily obtained.

Changing the ‘admin’ username

If your WordPress instance was installed by a script which automatically generates the username ‘admin’, then you need to eliminate that account. Creating a new one is not enough – the ‘admin’ account must be deleted so the bots can’t use it. And, because you cannot change a WordPress username, here is the process to fix that:

  • Set up a new user account with Administrator level access, using a long, complex username and the WordPress generated password.
  • Log out of the site.
  • Log in again using the credentials for the new account you’ve just set up.
  • As long as you had no problems logging in with the new login details, you can delete the original Administrator account with the username ‘admin’.

While WordPress encourages you to use a random username it also allows you to use the email address associated with your user account as the login username. There are plugins (which I’ll write about separately) that enable you to stop WordPress from accepting the registered email address as the username and I strongly recommend you do that. I’ll discuss how in a later article.
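What such a plugin does underneath can be reduced to a few lines, shown here as an added illustration rather than code from the article or from any specific plugin; it relies on the two core hooks named in the comments and assumes it is installed as a must-use plugin:

```php
<?php
/**
 * Plugin Name: Username-only login (hypothetical example)
 * Description: Stop WordPress accepting the account's e-mail address as the login name,
 *              and stop the login form revealing which half of the credentials was wrong.
 */

// Core registers both wp_authenticate_username_password and
// wp_authenticate_email_password on the 'authenticate' filter at priority 20
// (wp-includes/default-filters.php, loaded before mu-plugins). Removing the e-mail
// variant leaves only the username check, so a known e-mail address is no longer
// half of a valid credential pair.
remove_filter('authenticate', 'wp_authenticate_email_password', 20);

// Core's login errors distinguish "unknown username" from "wrong password for
// username X", which confirms valid usernames to a bot. Return one generic
// message so a wrong username and a wrong password look identical.
add_filter('login_errors', function ($errors) {
    return 'Invalid username or password.';
});

// The password-reset form still accepts an e-mail address; that is the intended
// recovery path and is unaffected by the change above.
```

Confirm the effect by attempting to log in with the account's e-mail address: it should now be rejected with the same generic message as any other bad credential.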

Second step: use the WordPress generated password

When a new user account is set up WordPress now generates a 12 character password for you. Again, this is made up of letters (upper and lower case), numbers and symbols – and it is long and complex.

[Image: WordPress password generation screen]

But I have known people to over-write the WordPress generated password with their own ‘easy-to-remember’ password.

The problem with that is that there is a huge database of the most commonly used passwords to which our friends the bots have full access – so the chances of them correctly guessing the password that replaced the WordPress generated one are pretty good.

The 25 most commonly used passwords in each of the past 7 years are set out here. Keep in mind: those are only the 25 most commonly used passwords. The bots have access to thousands of commonly used passwords – and they are adding more to their databases every day.

But, to make matters worse, people who choose ‘easy-to-remember’ passwords very often use the same password on all their accounts. Almost everyone I have ever worked with does that.

And that, of course, means that once the bots have discovered your password on one of your accounts they will try the same password on all your other accounts – email, Dropbox, WordPress, Facebook, Yahoo, your hosting cPanel – everywhere.

In many cases accounts that you set up online use your email address as the username. So now you can see that if the bots have correctly guessed your ‘easy-to-remember’ password, and they know your email address, your online presence is just waiting to be plundered.

Separately from my advice on WordPress, if you have online accounts that use your email address as the username then I would strongly recommend you make sure the passwords on each of those accounts are 13 characters long, unique to each site and utilise multiples of each character type (letters, symbols and numbers).

Key take-away:

So the message is this: use the WordPress generated password!

But I can’t remember all these usernames and passwords

Yes – this can be a problem, but one that’s easily solved.

With every new account I set up I create my username and password in a text or Notepad file and then copy each into the appropriate fields on the account setup page. I then save the text file on my computer, so I always have a record of them.

But I also use a password manager, into which I add the username and password combination I’ve just set up.

Password managers generate random passwords for you, encrypt and store them along with the login URL of each account they manage, and log you in with one click.

I cannot recommend strongly enough that you look into installing and using a Password Manager, and I’ve reviewed one of the better ones in this article.


So the message again:

  • Use long, complex usernames
  • Do not use the email address option for logging in to your WordPress site
  • Use the WordPress generated password
  • Install a security plugin that offers strong protection against brute force attacks. Here’s some information on the plugin I use.

Those simple steps will greatly strengthen your WordPress website against brute force attacks.

If you have any comments or questions do leave me a comment below.


P.S. Is your WordPress website as secure as it could be? Take a look at the WordPress security products I have reviewed (I use all of them and I’d be happy to answer any questions you may have):