How to Make Your WordPress Website 44 Times More Secure Against Brute Force Attacks

Get your FREE WordPress Troubleshooting Guide – see how to fix most WordPress problems!

padlock keysI’ve mentioned on many occasions (to anyone who will listen!) the importance of using long, complex passwords.

I recently came across an article on WordPress security that touched on the importance of creating strong passwords.

This was written in the context of comparing the benefits of adding just one character to your password against being able to block all IP addresses from an entire country.

Here’s the relevant excerpt, taken from an article on the iThemes blog:

Let’s compare that [my note: blocking all IP addresses from an entire country] to lengthening your password. If your password is made of upper and lower case letters, numbers and symbols, you have approximately 88 characters to choose from. Thus, extending your password by a single character will multiply the number of attempts needed to brute force it by 88 [my note: brute forcing a site means trying thousands of different username/password combinations until you find one that works].

That’s right, adding a single character to your password is likely 44 times more effective at stopping a classic brute force attack than blocking all non-US IPs.

Adding two characters to your password will require 7,744 times more attempts (88 × 88). This is roughly 3,872 times better than the best case scenario for Geo IP Banning, and again it only requires that you lengthen your password by two characters!

This all basically boils down to something called password entropy. Password entropy is how password strength is measured. You can further increase the benefit here by making sure your password isn’t on a worst passwords of the year list or one of the top 100 passwords from the Adobe breach. [Make sure] that it is long, random, and includes all the different types of characters listed previously.

If, in addition to extending your password by just one character, you create a username that’s unique and, in the case of WordPress, also contains upper and lower case letters, numbers, spaces and some symbols, you will have exponentially increased the security of your site.

As you’re probably aware, hackers can still find your username by doing an author scan: this will bring up all the blog posts you’ve written and the last element of the permalink for this archive will contain your username.

The simplest way to protect yourself against this is to add a space in to your username. This is because WordPress permalinks cannot contain spaces – they will always be filled with a dash ( – ). That means that when the hacker pulls up your archive of posts your username (last element of the permalink) will contain dashes instead of spaces and so will not be recognized by WordPress when a hacker tries to log in with it.

All the sites that I manage have complex usernames that bear no resemblance whatsoever to the name of the site, the domain name, the business name or the name of any individual mentioned in the site (e.g. blog post authors).

I track the usernames used in failed login attempts on all the sites that I manage. The most common ones are:

  • admin
  • administrator
  • domainname (the domain the site is on)
  • (the domain the site is on)
  • The author name (appears in the bye-line of blog posts)
  • no_match

You can see that simply adding spaces and numbers to your username will instantly strengthen it enormously. If you then add symbols (not all symbols are available for WordPress usernames, but some are) you will further strengthen the security of your site.

Remember that there’s no reason not to use complex usernames and passwords: all browsers these days will remember the login details associated with each site but, if you’re not happy about using that feature, here two excellent password managers: Roboform and Lastpass.

If you’re concerned about the security of your WordPress website and would like to understand more about the risks and mitigations please contact us – we’d be very happy to discuss any concerns you may have.


Very simple: Making passwords long and complex (minimum 8 characters – mine are usually 12 or 13 characters – using lower case and upper case letters, numbers and symbols) will hugely reduce the chances of your WordPress website being hacked.

To further strengthen your site against hackers create long complex usernames as well.


Martin Malden

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed. Successful Abledragon projects.