Best Practices · 11 min read · June 16, 2026

WordPress Security: How to Lock Down Passwords, Logins, and Admin Access

WordPress powers 40% of the web and is attacked constantly. This guide covers exactly how to lock down your WordPress site's passwords, login page, admin access, and user accounts — step by step, with the security plugins and settings that actually stop attacks.

Why WordPress Sites Are Attacked So Often — And What Attackers Target

WordPress powers over 40% of all websites on the internet, making it the most targeted platform for automated attacks. Bots scan the web continuously, probing for known vulnerabilities, weak admin passwords, and outdated plugins. When they find a site running default credentials or an unpatched plugin, exploitation is often fully automated — no human attacker required.

The two biggest entry points by a wide margin are: (1) weak or reused admin passwords, and (2) compromised credentials from data breaches used in credential stuffing attacks. A WordPress admin account with a password reused from a breached service can be taken over within hours. This guide covers exactly how to lock down your WordPress site's credentials and access controls so you're not an easy target.

Step 1: Use a Strong, Unique Password for Every WordPress Account

The most common reason WordPress sites get compromised is embarrassingly preventable: weak or reused passwords. A 2024 Wordfence analysis found that brute force and credential stuffing attacks accounted for over 60% of all WordPress site compromises. Attackers run lists of email/password combinations leaked in previous data breaches against your wp-login.php URL — if your WordPress password matches any of those leaked credentials, the attack succeeds immediately.

Every user account on your WordPress site — admin, editor, author, contributor — needs a unique password that isn't used anywhere else. Use our free password generator to create passwords of at least 20 characters. Store them in a password manager like NordPass or 1Password — you'll never need to memorize these.

In WordPress, go to Users → Your Profile → Account Management → Generate Password to update your own password. For other users, go to Users → All Users → click the user → scroll to Account Management. Require all users with admin or editor access to update their passwords if you're not sure when they last changed them.

Step 2: Rename or Protect the wp-admin URL

Every WordPress site's admin login is at /wp-admin or /wp-login.php by default. Attackers know this. Brute force bots target these exact URLs, running thousands of login attempts per hour. You can't change this URL natively in WordPress, but you can do several things to dramatically reduce exposure:

Add HTTP basic authentication to /wp-admin: This puts a second authentication layer in front of the login page at the web server level (nginx or Apache). An attacker has to pass HTTP auth before even reaching the WordPress login form. This stops virtually all automated bots cold, since they're not designed to handle double authentication.

IP allowlisting: If you manage your WordPress site from a consistent IP address, configure your server or hosting panel to allow access to /wp-admin only from your IP. Most managed WordPress hosts (WP Engine, Kinsta, Cloudways) offer this in their control panels.

Security plugins: Wordfence and Sucuri both offer login URL obfuscation (moving the login page to a custom URL like /my-site-login) and rate limiting that blocks IPs after a configurable number of failed login attempts. Install one of these security plugins as a baseline for any WordPress site you run.
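An application-level version of the IP allowlist, as an added example that is not from the article and not the code of any plugin it names: a must-use plugin (a file placed in wp-content/mu-plugins/, which WordPress loads automatically) that refuses wp-login.php and wp-admin requests from addresses outside a list. It is a fallback for hosts where you cannot edit the web server configuration; the server-level rule described above is still preferable because it rejects the request before PHP runs at all. The ra_ prefix, the constants and the two addresses in the list are placeholders made up for this example (documentation ranges, not real networks). It also encodes two details a server-level rule has to get right: admin-ajax.php and admin-post.php live under /wp-admin but are called by front-end code for logged-out visitors, so they are exempted, and X-Forwarded-For is trusted only when the request provably came from your own proxy, since otherwise a client can set that header and walk past the list.

```php
<?php
/**
 * Plugin Name: Restrict Login and Admin by IP (illustrative mu-plugin)
 *
 * Hypothetical example written for this article. Assumed path:
 * wp-content/mu-plugins/restrict-admin-ip.php
 */

// Allowlisted clients. Constructed sample values from the RFC 5737
// documentation ranges; replace them with your own office or VPN addresses.
const RA_ALLOWED_SOURCES = [
    '203.0.113.10',     // a single workstation
    '198.51.100.0/24',  // a VPN egress range
];

// Set this to your reverse proxy's address only if WordPress sits behind a
// proxy you control; otherwise X-Forwarded-For is client-controlled and ignored.
const RA_TRUSTED_PROXY = null;

/** True if $ip equals $cidr or falls inside the $cidr prefix (IPv4 or IPv6). */
function ra_ip_in_cidr(string $ip, string $cidr): bool {
    $ip_bin = inet_pton($ip);
    if ($ip_bin === false) {
        return false; // malformed client address
    }
    if (strpos($cidr, '/') === false) {
        return $ip_bin === inet_pton($cidr);
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $subnet_bin = inet_pton($subnet);
    $bits       = (int) $bits;
    if ($subnet_bin === false || strlen($ip_bin) !== strlen($subnet_bin)
        || $bits < 0 || $bits > strlen($ip_bin) * 8) {
        return false; // bad prefix, or IPv4 compared against IPv6
    }
    $full_bytes = intdiv($bits, 8);
    $rem_bits   = $bits % 8;
    if (substr($ip_bin, 0, $full_bytes) !== substr($subnet_bin, 0, $full_bytes)) {
        return false;
    }
    if ($rem_bits === 0) {
        return true;
    }
    // Compare only the leading $rem_bits of the first partial byte.
    $mask = (0xFF << (8 - $rem_bits)) & 0xFF;
    return (ord($ip_bin[$full_bytes]) & $mask) === (ord($subnet_bin[$full_bytes]) & $mask);
}

/** The client address this request is judged by. */
function ra_client_ip(): string {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (RA_TRUSTED_PROXY !== null && $remote === RA_TRUSTED_PROXY
        && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // The proxy appends the address it saw, so the last entry is the one
        // it added and the only one a client cannot fabricate.
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $remote;
}

function ra_is_allowed(string $ip): bool {
    foreach (RA_ALLOWED_SOURCES as $source) {
        if (ra_ip_in_cidr($ip, $source)) {
            return true;
        }
    }
    return false;
}

function ra_deny_if_not_allowed(): void {
    if (!ra_is_allowed(ra_client_ip())) {
        wp_die('Forbidden', 403);
    }
}

// wp-login.php: login, lost-password and registration forms.
add_action('login_init', 'ra_deny_if_not_allowed');

// /wp-admin/* for already-authenticated sessions. admin-ajax.php and
// admin-post.php are skipped because themes and plugins call them from
// public pages on behalf of logged-out visitors.
add_action('admin_init', function () {
    if (wp_doing_ajax() || ($GLOBALS['pagenow'] ?? '') === 'admin-post.php') {
        return;
    }
    ra_deny_if_not_allowed();
});
```

Test it from an address that is not on the list before relying on it, and keep a way back in (SFTP access to delete the file) in case your own address changes: a lockout here is self-inflicted and WordPress offers no override.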

Step 3: Enable Two-Factor Authentication on All Admin Accounts

Even a strong, unique password can be compromised through phishing, keyloggers, or a breach of another service where it was reused. Two-factor authentication (2FA) means a stolen password alone isn't enough — the attacker also needs access to your second factor.

For WordPress, the most reliable 2FA implementations come from dedicated security plugins:

  • Wordfence Login Security — free plugin that adds TOTP-based 2FA (works with Google Authenticator, Authy, or any authenticator app). Required for admin accounts, optional for lower-privilege users.
  • WP 2FA — another solid free option with a setup wizard and support for both TOTP apps and email-based codes.
  • Jetpack Security — includes 2FA as part of a broader security suite if you're already using Jetpack.

Whichever plugin you use, enforce 2FA for all users with Administrator and Editor roles. Authors and Contributors can be required at your discretion. Store your 2FA backup codes in your password manager alongside the account password — losing both your phone and your backup codes means a locked-out admin account.

Step 4: Limit Login Attempts

By default, WordPress allows unlimited login attempts with no lockout. A brute force bot can make thousands of guesses per minute until it succeeds or your server falls over from the load. Implementing login attempt limiting shuts this down immediately.

The Wordfence plugin includes brute force protection that automatically blocks IPs after a configurable number of failed logins (default: 20 failures in 5 minutes). You can tighten this significantly; a 30-minute lockout after 5 failures is a reasonable setting for most sites. The plugin also checks login attempts against a real-time threat intelligence feed and throttles IPs already known to be malicious.

If you'd prefer a lightweight standalone solution, Limit Login Attempts Reloaded is a focused plugin that does just this one thing well. Configure it to lock out an IP after 3-5 failed attempts for at least 20 minutes.
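The lockout mechanism itself, as an added example that is not from the article and is not the code of Wordfence or Limit Login Attempts Reloaded: a must-use plugin built only on core WordPress hooks and transients, set to the figures suggested above (5 failures within 5 minutes, then a 30-minute lockout). The ll_ prefix and constants are placeholders. It counts per source address only, so it shares the limits of every per-IP scheme: a botnet spreading guesses over many addresses stays under the threshold, and people behind one NAT address can lock each other out, which is one reason the threat-intelligence feed Wordfence adds on top matters.

```php
<?php
/**
 * Plugin Name: Minimal Login Lockout (illustrative mu-plugin)
 *
 * Hypothetical example written for this article. Assumed path:
 * wp-content/mu-plugins/login-lockout.php
 */

const LL_MAX_FAILURES    = 5;                      // failures allowed ...
const LL_WINDOW_SECONDS  = 5 * MINUTE_IN_SECONDS;  // ... within this window
const LL_LOCKOUT_SECONDS = 30 * MINUTE_IN_SECONDS; // lockout once exceeded

/** Per-address transient name; hashed so it stays within the option-name limit. */
function ll_key(string $kind, string $ip): string {
    return 'll_' . $kind . '_' . md5($ip);
}

/** REMOTE_ADDR only: X-Forwarded-For is client-controlled without a trusted proxy. */
function ll_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Seconds of lockout remaining for $ip, or 0 when it is not locked out. */
function ll_lockout_remaining(string $ip): int {
    $until = (int) get_transient(ll_key('lock', $ip));
    return max(0, $until - time());
}

// Count each failure (the window restarts on every failure) and start the
// lockout once the threshold is reached.
add_action('wp_login_failed', function ($username) {
    $ip = ll_client_ip();
    if (ll_lockout_remaining($ip) > 0) {
        return; // attempts during a lockout are refused below; do not recount them
    }
    $count = (int) get_transient(ll_key('fail', $ip)) + 1;
    set_transient(ll_key('fail', $ip), $count, LL_WINDOW_SECONDS);
    if ($count >= LL_MAX_FAILURES) {
        set_transient(ll_key('lock', $ip), time() + LL_LOCKOUT_SECONDS, LL_LOCKOUT_SECONDS);
        delete_transient(ll_key('fail', $ip));
        // One line in the PHP error log per lockout, easy to alert on.
        error_log(sprintf('wp login lockout ip=%s last_username=%s', $ip, (string) $username));
    }
});

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out address is refused even if it finally submits the right password.
add_filter('authenticate', function ($user, $username, $password) {
    if (empty($username) && empty($password)) {
        return $user; // plain page load of wp-login.php, nothing submitted yet
    }
    $remaining = ll_lockout_remaining(ll_client_ip());
    if ($remaining > 0) {
        return new WP_Error('too_many_attempts', sprintf(
            'Too many failed logins from your address. Try again in %d minutes.',
            (int) ceil($remaining / MINUTE_IN_SECONDS)
        ));
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function () {
    delete_transient(ll_key('fail', ll_client_ip()));
});
```

Transients live in the options table (or the object cache if one is configured), so the counters are shared across PHP workers and survive restarts; the error_log line gives you a signal to graph, since a sudden rise in lockouts is the earliest sign of a credential stuffing run.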

Step 5: Audit and Minimize User Accounts and Permissions

Every user account on your WordPress site is a potential attack surface. Users who no longer need access — former employees, contractors, guest authors — should have their accounts deleted or deactivated promptly. Accounts that haven't been logged into for 90+ days should be audited.

Go to Users → All Users and review every account. For each user, assign the minimum role needed for their work. An author who only needs to write and edit their own posts doesn't need Editor access (which can edit others' posts) and definitely doesn't need Administrator access (which can install plugins, change settings, and add new admin users).

The WordPress role hierarchy from least to most privileged is: Subscriber → Contributor → Author → Editor → Administrator. Most guest authors should be Authors at most. Only the people who manage the site's settings, plugins, and themes need Administrator access — and that set should be as small as possible.

Also check for any accounts with "admin" as the username. This was the default admin username in older WordPress installations, and it's the first username brute force bots try. If you have a user named "admin," create a new administrator account with a different username, log in with the new account, and delete the "admin" account.
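WordPress keeps no last-login timestamp, so the 90-day check above cannot be done from the Users screen alone. As an added example that is not from the article or from any plugin: a must-use plugin that stamps each login in user meta and adds a WP-CLI command listing the accounts worth reviewing (Administrator role, the legacy admin username, or no recorded login within a chosen number of days). The ua_ prefix and the command name are placeholders. It only reports; removing an account is left to the standard wp user delete command so that the user's posts are reassigned rather than lost.

```php
<?php
/**
 * Plugin Name: User Access Audit (illustrative mu-plugin)
 *
 * Hypothetical example written for this article. Assumed path:
 * wp-content/mu-plugins/user-audit.php
 */

// Core keeps no last-login timestamp; record one on every successful login.
add_action('wp_login', function ($user_login, $user) {
    update_user_meta($user->ID, 'ua_last_login', time());
}, 10, 2);

/**
 * Accounts that deserve a look: privileged roles, the default "admin"
 * username, and anyone with no recorded login in the last $idle_days.
 * Idle detection is only meaningful once this plugin has been installed
 * for longer than $idle_days, because logins before that were never recorded.
 */
function ua_review_candidates(int $idle_days = 90): array {
    $now    = time();
    $cutoff = $now - $idle_days * DAY_IN_SECONDS;
    $rows   = [];
    foreach (get_users() as $user) {
        $last    = (int) get_user_meta($user->ID, 'ua_last_login', true);
        $reasons = [];
        if (in_array('administrator', $user->roles, true)) {
            $reasons[] = 'Administrator role: confirm it is still needed';
        }
        if ($user->user_login === 'admin') {
            $reasons[] = 'default "admin" username';
        }
        if ($last === 0) {
            $reasons[] = 'no login recorded since tracking began';
        } elseif ($last < $cutoff) {
            $reasons[] = sprintf('idle for %d days', intdiv($now - $last, DAY_IN_SECONDS));
        }
        if ($reasons) {
            $rows[] = [
                'ID'         => $user->ID,
                'user_login' => $user->user_login,
                'roles'      => implode(',', $user->roles),
                'last_login' => $last ? gmdate('Y-m-d', $last) : 'never',
                'reasons'    => implode('; ', $reasons),
            ];
        }
    }
    return $rows;
}

if (defined('WP_CLI') && WP_CLI) {
    /**
     * Lists accounts to review; deletes nothing.
     *
     * ## OPTIONS
     *
     * [--idle-days=<days>]
     * : Flag accounts with no recorded login in this many days. Default 90.
     *
     * ## EXAMPLES
     *
     *     wp user-audit --idle-days=120
     */
    function ua_cli_command($args, $assoc_args) {
        $rows = ua_review_candidates((int) ($assoc_args['idle-days'] ?? 90));
        if (!$rows) {
            WP_CLI::success('No accounts flagged.');
            return;
        }
        WP_CLI\Utils\format_items('table', $rows, ['ID', 'user_login', 'roles', 'last_login', 'reasons']);
        WP_CLI::line('Remove an account with: wp user delete <ID> --reassign=<ID of an active user>');
    }
    WP_CLI::add_command('user-audit', 'ua_cli_command');
}
```

Running the command on a schedule (a monthly cron job that mails the table to whoever owns the site) turns the one-off audit into a standing control, and the same meta field can be queried directly if you prefer to build the report into the Users list.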

Step 6: Keep WordPress Core, Themes, and Plugins Updated

Outdated software is the second most common WordPress compromise vector after credential attacks. When a vulnerability is disclosed in a plugin or theme, exploit code is often publicly available within hours — and attackers scan for sites running the vulnerable version immediately. The 2023 WPScan vulnerability database recorded over 4,500 new WordPress plugin and theme vulnerabilities in a single year.

Enable automatic updates for WordPress core minor releases under Dashboard → Updates. For plugins and themes, go to Plugins → Installed Plugins → select all → enable Auto-updates. Set a monthly reminder to check for major updates that require manual review.

Immediately delete any plugins or themes you're not actively using — even deactivated plugins with unpatched vulnerabilities can be exploited. Go to Plugins → Installed Plugins and remove anything you haven't used in the last 3 months. Same for Appearance → Themes — delete unused themes, keeping only your active theme and one default WordPress theme as fallback.

Step 7: Use HTTPS and Set Security Headers

HTTPS encrypts traffic between your site and visitors, preventing eavesdropping on login credentials, session cookies, and other sensitive data. Most hosting providers offer free SSL certificates via Let's Encrypt. Install one if you haven't already — modern browsers actively warn users about non-HTTPS sites, and Google uses HTTPS as a ranking signal.

Beyond HTTPS, set these HTTP security headers to prevent common web attacks:

  • Content-Security-Policy — restricts which resources the page can load, preventing cross-site scripting (XSS) attacks
  • X-Frame-Options: DENY — prevents your site from being embedded in iframes, blocking clickjacking
  • Strict-Transport-Security — forces browsers to always use HTTPS, even if someone types http://
  • X-Content-Type-Options: nosniff — prevents browsers from MIME-sniffing responses

The Wordfence or Sucuri plugins can set most of these automatically, or you can add them manually to your server configuration or .htaccess file.
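The four headers in the list set from inside WordPress, as an added example that is not from the article, Wordfence or Sucuri: a must-use plugin with one function that builds the header set and one hook that sends it. Names prefixed sh_ are placeholders. It encodes two caveats: Strict-Transport-Security is only honoured on HTTPS responses, so it is sent only when is_ssl() is true, and a Content-Security-Policy strict enough to stop XSS usually breaks wp-admin and many plugins, which rely on inline scripts, so the policy starts in Report-Only mode and is switched to enforcing only once the browser reports are clean. It goes slightly beyond the list by adding frame-ancestors and upgrade-insecure-requests to the CSP, the modern counterparts of X-Frame-Options and HSTS. Headers set this way cover only responses generated by PHP; files the web server serves directly (images, scripts, uploads) need the same headers in its own configuration.

```php
<?php
/**
 * Plugin Name: Security Headers (illustrative mu-plugin)
 *
 * Hypothetical example written for this article. Assumed path:
 * wp-content/mu-plugins/security-headers.php
 */

/**
 * Build the header set for one response. $https says whether the response
 * goes out over TLS; $enforce_csp switches the CSP from Report-Only to
 * enforcing once the reports have shown no violations from your own pages.
 */
function sh_security_headers(bool $https, bool $enforce_csp = false): array {
    $headers = [
        // Core later replaces this with SAMEORIGIN on admin screens and
        // Customizer previews, the only places WordPress frames itself.
        'X-Frame-Options'        => 'DENY',
        'X-Content-Type-Options' => 'nosniff',
    ];

    if ($https) {
        // Browsers ignore HSTS received over plain HTTP (RFC 6797), so it is
        // only worth sending on TLS responses.
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    // 'unsafe-inline' is still required by core and most plugins; tighten the
    // policy (and add CDN or Gravatar hosts) as the Report-Only phase shows.
    $policy = "default-src 'self'; img-src 'self' data:; "
            . "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; "
            . "frame-ancestors 'none'";
    if ($https) {
        $policy .= '; upgrade-insecure-requests';
    }
    $headers[$enforce_csp ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only'] = $policy;

    return $headers;
}

// 'init' runs for front-end, admin and wp-login.php requests alike, whereas
// the 'send_headers' action fires only for front-end page loads.
add_action('init', function () {
    if (headers_sent()) {
        return; // output already started; too late to add headers
    }
    foreach (sh_security_headers(is_ssl(), false) as $name => $value) {
        header($name . ': ' . $value);
    }
});
```

Check the result with the browser's network panel or a header-inspection tool after installing it, and leave the Report-Only phase running for a few weeks of normal editing before flipping $enforce_csp to true: violations in the console are cheap, a broken editor is not.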

WordPress Security Checklist

  • All user accounts have strong, unique passwords stored in a password manager
  • Default "admin" username replaced with a unique username
  • 2FA enabled on all Administrator and Editor accounts
  • Login attempts limited (lockout after 3–5 failures)
  • /wp-admin protected with IP allowlisting or HTTP auth
  • All inactive user accounts deleted
  • User roles audited — minimum necessary permissions assigned
  • WordPress core, all plugins, and active theme on current versions
  • Unused plugins and themes deleted (not just deactivated)
  • HTTPS enabled with a valid SSL certificate
  • Security headers configured
  • Security plugin installed (Wordfence or Sucuri) with notifications enabled

Recommended Tools

For managing the strong passwords your WordPress accounts require, we recommend NordPass (zero-knowledge encryption, free tier, works across all devices) or 1Password for teams managing multiple WordPress sites with shared credentials. For network-level protection when administering your site over public Wi-Fi, NordVPN encrypts your connection so your WordPress admin session can't be intercepted.

For a complete overview of security tools across password management, VPN, and identity protection categories, see our recommended tools guide. Also check our guides on two-factor authentication and browser security settings for additional layers of protection.

Tags: wordpress, password security, website security, wp-admin, 2FA, brute force protection
