A successful WordPress security strategy should include steps to strengthen the WordPress login. In this post, we cover the five simple rules for better WordPress login security.
The great thing about WordPress is how it makes creating a website accessible to just about anyone. But with that accessibility comes predictability. Anyone with experience working with WordPress knows where changes to the site are made: via the wp-admin area. They even know where they need to go to access the wp-admin, the wp-login.php page.
By default, the WordPress login URL is the same for every WordPress site, and it doesn’t require any special permissions to access. That’s why the WordPress login page is the most attacked—and potentially vulnerable—part of any WordPress site.
Unfortunately, creating a bot that will roam the internet committing brute force attacks doesn’t require very much skill, and any beginner-level hacker can create one. Because attacks on the WordPress login page have a low barrier of entry, WordPress login security is crucial to secure any WordPress site.By following these rules and uses WordPress security best practices, you can avoid being vulnerable to common user login mistakes.
1. Use Strong Passwords
There is a lot of confusing and contradicting information about password security best practices on the internet. In an effort to clear up that confusion, let’s break down the basics of how using a strong password improves your WordPress security. Whenever creating a password, the first item that you will want to consider is the length of the password. The list below shows the estimated time it takes to crack a password using a four-core i5 processor.
7 characters will take .29 milliseconds to crack.
8 characters will take 5 hours to crack.
9 characters will take 4 months to crack.
10 characters will take 1 decade to crack
12 characters will take 2 centuries to crack.
So as you can see, adding a single character to your password can significantly increase the security of your login. A password that it is at least 12 characters long, random and includes a large pool of characters like “ISt8XXa!28X3” will make it very difficult to crack. Unfortunately, some hackers are leveraging GPUs and stronger CPUs to decrease the amount of time needed to crack passwords. So to strengthen your logins, also be mindful of your password entropy. The higher the password entropy is, the more difficult the password will be to crack.
For example, based on just the length requirement, a password like “abcdefghijkl” is 12 characters, which is great and should take 200 years to crack. However, since the password uses sequential strings of letters, it makes the password much more predictable compared with a password like “rfybolaawtpm” which has randomized characters. Randomizing characters decreases the predictability and increases the strength of the password. But both of these passwords have one thing in common that ultimately reduces the password entropy. Both are only using lower case letters, limiting the pool of possible characters to 26. That’s why it’s vital to include alphanumeric, upper-case letters and common ASCII characters to increase the pool of characters needed to crack the password to 92.