A chain is only as strong as its weakest link, and when you don’t have your password policies in order, your password security is that weakest link.
WordPress password security is about meeting and exceeding password requirement best practices, ensuring your site is protected against unauthorized access.
But it also involves other login security best practices, like hiding the WordPress login page, forcing password policy compliance, and implementing additional security controls like 2FA.
This may sound complicated and difficult to implement on your site, but it’s actually pretty easy.
Follow along as we delve into the world of WordPress password security and teach you how to define and implement strong password policies.
Contents
What are password policies?
Password policies are rules that encourage or force website users to use strong passwords.
This can include things like forcing users to use a password of a certain length or to regularly change their password.
When combined with other important login security controls, including limiting login attempts and automatically resetting an account’s password if it’s compromised, they help improve website security.
In WordPress, password policies are generally implemented using a login security plugin, which is by far the easiest method of implementing them on your site.
The importance of strong passwords & password policies
Although the importance of using strong passwords is pretty evident and is understood by most, compromised passwords remain one of the most common causes of security breaches.
In 2022, over 24 billion passwords were exposed by hackers.
Yep, you read that right.
Billion – with a B.
Just let that sink in for a moment.
That’s nearly 5 passwords for every internet user on earth.
Worst of all, more than 80% of confirmed breaches are related to stolen, reused or weak passwords – something that can be easily prevented by implementing strong login security and password policies.
Strong password policies can help protect your WordPress site and users by forcing them to use strong passwords, limiting login attempts, automatically locking inactive user accounts and restricting user login times.
So, if you don’t want your site/accounts to end up a statistic, you’d better get your login security up to scratch!
Password security basics
Before diving into password policies and the various technical security controls that can be used to improve your login security, it’s important to understand the basics of password security.
These are…
Using strong passwords
Using complex, unique passwords of adequate length is one of the most important first steps when it comes to password security.
A strong password:
- Doesn’t consist of dictionary words (ie, “hello hi” or “password time”)
- Contains both capitalized and non-capitalized letters, numbers and special symbols
- Is at least 8 characters long, ideally 12 or more, and up to 64 characters long
- Doesn’t consist of easy-to-guess (personal) information (birthdays, pet names etc.)
- Is unique to each account
Using a password manager where possible
Long, complex passwords are great for security but they’re also notoriously difficult to remember.
A password manager allows you to automatically store passwords in an online vault, which can only be opened using a master password. This ensures you only have to remember a single password, allowing you to make your passwords as long and complex as you want without having to remember them all.
When you want to log in, you simply enter your master password and the password manager will automatically fill in the correct password for the account.
Update passwords when necessary
Regularly updating passwords reduces the time that compromised passwords can be used by bad actors. However, NIST recently stopped recommending random regular password changes as it may encourage people to select less secure passwords.
So, it’s important to have a good reason to change your password before doing so.
Some good reasons to change your password include:
- You’re using the same password for multiple accounts
- You (accidentally) disclosed your password to someone else
- You have reason to believe your password is insecure
- You suspect the account has been hacked or compromised in any way
Use a login security plugin
When it comes to login security in WordPress, nothing beats a login security plugin. These plugins allow you to enforce strong passwords and force other login and password policies on your WordPress website, leaving nothing to chance.
By preventing the use of weak passwords entirely, you can ensure the use of strong WordPress passwords across all accounts.
Implementing strong password policies using a login security plugin
As a website owner or manager who manages websites with many user accounts and roles, implementing password policies site-wide with role-based flexibility is paramount.
Luckily for you, this is easily achieved using a login security plugin and can be set up in just a few clicks.
First, you need to install a login security plugin.
For this example, I’ll use the MelaPress Login Security plugin.
It’s one of the best login security plugins on the market, if I may so myself.
It’s a complete login security and password policy manager that offers one-click 3rd party plugin support, covering WooCommerce, LearnDash, and many others.
Other features include one-click password resets, limiting failed login attempts, forcing your users to use strong passwords, automatically locking inactive users, and restricting user login times.
How to implement strong WordPress password security
First, head over to the Melapress Login Security pricing page and select a plan that’s right for you.
After purchasing a plan, you’ll receive an email with a license key and installation instructions you can follow to install the plugin on your site.
After uploading and activating the plugin, you’ll be redirected to the login security policies page.
Now it’s time to start implementing some login security controls.
Hide the login page
When it comes to login security, one of the first steps you should take is to hide the login page.
In the left sidebar, click on “Hide login page”.
On this page, you can change the login URL.
Simply add the new login URL to the first input field on the page, labeled “Login page URL” and you’re all set!
Next, let’s create our first user password and login security policy.
User password & login policies
Head over to the Login Security Policy tab and check the “Enable login security policies”-box.
On this page, you can configure your password policies and change the password policy settings.
The standard settings are generally a good place to start and meet most standard login security policy best practices.
However, you can customize the policy to fit your needs.
In the example above, I’ve raised the minimum number of characters from 8 to 10 and disallowed the last 2 passwords on password reset.
Limit login attempts
You can also set user account policies on this page, including limiting the number of login attempts.
In the example above, I limited the number of failed login attempts to 5, with a 1440-minute (24-hour) time period to wait before they can attempt to log into the account again.
Next, scroll down to the timed login policies.
Setting timed login policies
The timed login policies feature allows you to restrict the times between which users can log in, as well as prevent users from logging in on certain days. This is a useful security control as it makes your site less vulnerable to attacks during the times when logging in is restricted.
After making the necessary changes to these policies, don’t forget to hit “Save Changes”.
Setting role-based policies
If you want something more granular, MelaPress Login Security also allows you to implement role-based policies for various roles.
Role-based policies allow you to create different security policies for different roles. For example, you could have very broad security policies for editor accounts with limited permissions, but very strict policies for admin accounts.
Configuring forms and placement
If you’re using popular third-party plugins like WooCommerce or BuddyPress, you can activate login security on third-party forms in the “Forms & Placement” tab.
Simply check the boxes relevant to you and click save once you’re done.
It’s as simple as that!
You’ve now implemented a range of login and password security policies.
Next, let’s take a look at some other steps you can take to improve your login security.
Additional login security steps for your WordPress site
By following the steps detailed above, your login security is already very strong.
That being said, there are still some things you can do to improve it.
This might not be necessary for personal blogs or other smaller sites, but in the case of e-commerce stores or other larger sites, some additional steps might be worth taking.
The first is implementing two-factor authentication.
2FA
Two-factor authentication, also called 2FA, is an additional layer of security for your website’s authentication process.
2FA sends users a code or password via email, SMS message or through an authenticator app. Users then use this code to log in.
This adds a second layer of defence, as a compromised password alone cannot give an attacker access to the site. They would also need to have access to their email account or mobile phone, making it far more difficult to gain unauthorized access to an account.
WP 2FA, a two-factor authentication (2FA) plugin for WordPress, is a great option for implementing two-factor authentication on your WordPress site.
It not only allows you to implement 2FA using multiple different methods, but it also has various third-party service integrations and allows you to fully customize your 2FA policies.
Backup methods can be used to ensure users can still log in if their primary method is unavailable and it boasts extensive white labelling options.
Best of all, it’s super easy to set up.
In this post on two-factor authentication for WordPress, you can learn how to install the WP 2FA plugin and set it up on your site.
CAPTCHA
Although CAPTCHA isn’t generally seen as a login security control, it can help prevent bots from trying to log in to accounts on your site.
There are a number of reasons why you might use CAPTCHA on your WordPress site, but the most important for login security is that it can help prevent brute force attacks like password spraying and dictionary attacks.
CAPTCHA 4WP is a great WordPress CAPTCHA plugin that can help you implement CAPTCHA on your site.
After purchasing a license, simply follow the installation instructions and setup wizard, select the pages you want to implement CAPTCHA on and you’re all set!
FAQs
How do I make my WordPress login secure?
There are a number of steps you should take to secure your site’s login and user passwords, all of which are detailed in this post. These include hiding the login page, implementing strong password policies and using two-factor authentication. You can also automatically lock inactive users, force users to change their passwords and, of course, force your WordPress users to create strong passwords.
All of this can be achieved using a login security plugin or a password policy manager plugin
What is the maximum length of a password in WordPress?
The maximum password length in WordPress is currently 4096 characters. That being said, your password doesn’t have to be this long in order to be secure. NIST recommends a minimum of 8 characters and a maximum of 64.
What is the default password for WordPress installation?
If you don’t provide a password at installation, a default password will be generated automatically. It’s best to save this password in a password manager to ensure you don’t lose it. If you’ve forgotten your WordPress password, you can often log in via your cPanel account provided by your hosting provider.
What is the recommended password length?
NIST recommends passwords with a minimum length of 8 characters and up to 64 characters. Passwords should contain numbers, letters, capitalized letters and symbols, with longer passwords being more secure than shorter alternatives.
Are longer passwords more secure?
All else being equal, longer passwords are considered more secure than their shorter counterparts. However, it’s just as important that your password contains a mix of letters, numbers and special characters and doesn’t consist of plain dictionary words. Certain long passwords can be pretty easy to crack if other password policies aren’t followed, so it’s important to keep this in mind when choosing your next password.
