Guarding your WordPress dashboard against attack is vital. If a hacker manages to log in to your dashboard, they could steal confidential customer data, upload malicious code, deface your website, or even delete it entirely. The stakes are high, so it’s worrying to think that an admin password may be the only thing keeping your website safe.
Fortunately, there are ways to protect your password against malicious third parties. By taking some simple precautions now, you can avoid waking up to discover that someone is wreaking havoc across your website.
In this post, we’ll share four techniques, tools, and best practices to ensure your private WordPress password remains secure. Let’s get started!
Why it’s important to protect your WordPress password
There are lots of ways to secure your WordPress dashboard. However, your admin password is essential for preventing unauthorized access to your website. Even with multiple security mechanisms in place, a malicious third party could still use your password against you.
A hacker might log in to your WordPress dashboard and deface your site. They might steal confidential visitor data, including credit card information, or even delete your site entirely. If you haven’t created a backup, you could potentially lose your entire website with zero chance of recovering any of your content.
Most of us appreciate the importance of keeping our passwords secret, but this may not always be enough. Hackers can launch certain password-based attacks without even knowing your login credentials.
Password spray attacks are a common example. This is where a malicious third party attempts to gain access to your account by trying all the most commonly-used passwords.
Login credential reuse can also make your site vulnerable to attack. This practice was implicated in 80 percent of 2019’s hacking-related breaches. If you reuse the same username and password across multiple accounts, a breach at a completely unrelated website or service could put your site at risk as well.
Some hackers even publish lists of known password and username combinations. A third party may use this information to target your site.
4 ways to protect your WordPress admin password
There are multiple ways to protect your WordPress website, but passwords are often the first line of defense. With this in mind, here are our top four tips for protecting your WordPress admin password.
1. Follow password best practices
By following security best practices, you can make your password more difficult for a malicious third party to guess, or identify using trial and error. These include using a minimum of eight characters, and a mix of upper and lowercase letters, numbers, and symbols.
It’s also smart to avoid common phrases and known words. In particular, it’s important to never use words that are publicly associated with you. This includes the names of friends, pets, or places where you’ve lived.
Even if you trust the people you know personally, this information might be accessible beyond your immediate social circle. Something as simple as tweeting a photo of your cat could put your website at risk.
To ensure your password has no connection to you, it may help to use a password generator. Strong Random Password Generator and LastPass are two popular services:
You can also generate a password from your WordPress dashboard. In WordPress, navigate to Users > All Users. You can then find the account in question, and open it for editing. Next, click on Set New Password, and WordPress will generate one for you:
Even if you use a strong password, it’s still smart to change it frequently. We recommend doing so at least once every three months. If you suspect you may struggle to remember a long, complex, and frequently-changing password, it may help to store your admin password using a service such as LastPass.
2. Provide passwordless access to third parties and collaborators
Sometimes, a third party may require access to your WordPress dashboard. For example, a WordPress professional may be helping resolve an issue with your website. You might also collaborate with guest authors, or require approval from your client before publishing a new landing page.
While sharing your WordPress admin password may seem like a quick and easy solution, it can put your website at risk. The more people who have access to your password, the greater the risk of it being used against you.
When someone requires access to your WordPress account, the last thing you should do is share your admin password. Instead, you could grant them temporary, passwordless access using a plugin such as Temporary Login Without Password:
This plugin creates an automatically expiring account. Simply share a link to it with the intended collaborator, and they’ll have access to your WordPress website.
If you need something more permanent, you may want to try ManageWP’s Collaborate feature. This enables you to grant access to your website without having to share your own login details:
Once the third party in question no longer requires access, you can secure your site by removing them as a collaborator. Since this person never had access to your login details, you don’t need to worry about them continuing to access your site without your permission. There is also zero chance of them sharing your login details with anyone else – even if you parted with this person on bad terms.
When you add a collaborator via ManageWP, you can also limit their access to certain parts of your site, or provide read-only access. This is perfect for collaborating with people who may not have previous WordPress experience and could potentially damage your site by accident.
3. Set up Two-Factor Authentication (2FA)
Using a long, complex, and unique password can help keep your site safe. However, there are some attacks where password strength has no impact on whether they succeed or fail.
This includes ‘credential stuffing’ attacks, where a third party attempts to gain unauthorized access to an account using thousands of stolen credentials. There are also keystroke logging programs that can record everything you type, including your admin password.
Two-Factor Authentication (2FA) can help protect your website against these kinds of attacks. After configuring 2FA, a hacker will need to pass an additional security check before accessing your dashboard. This often takes the form of entering a one-time PIN that’s sent to your smartphone or email.
This way, 2FA makes it more difficult for a hacker to gain unauthorized access to your site. It’s highly unlikely that an attacker will have access to your WordPress site credentials and your smartphone or inbox (unless you reuse your admin password for your email, of course).
You can add 2FA to your WordPress site using the Google Authenticator mobile app. This application is available for Android and iOS. After configuring Google Authenticator, WordPress will verify your identity by communicating with the application on your smartphone or tablet:
At ManageWP, we’re big fans of 2FA, which is why we give all our customers the ability to add it to their ManageWP accounts. By connecting the Google Authenticator mobile app to your WordPress website and ManageWP dashboard, you can prevent unauthorized access to all your accounts.
4. Restrict access to your login page
Even if a malicious third party manages to gain access to your admin password, all may not be lost. There are still ways to prevent them from using it against you.
One method is to restrict admin access to a specific IP address. This can ensure that anyone outside of your regular office or home network is unable to access your WordPress dashboard, even if they have your username and password.
This approach might not be appropriate if you access your WordPress dashboard from multiple locations. In these scenarios, you could hide your WordPress login page using a plugin such as WPS Hide Login. If you choose a particularly obscure or complicated URL, hackers may not even be able to find it:
Alternatively, you might use All In One WP Security & Firewall to monitor your website’s traffic. This plugin will prevent suspicious requests from ever reaching your website. Again, this can stop a hacker in their tracks and prevent them from weaponizing a stolen admin password.
If a malicious third party manages to access your password, they could potentially log in to your WordPress dashboard and take control of your website. Fortunately, there are ways to create a strong WordPress admin password that bolsters your site’s security rather than leaving it vulnerable to attack.
To ensure your password is keeping your website safe, bear the following in mind:
- Follow password best practices, and use a password generator and manager if needed.
- Consider providing passwordless access to third parties and collaborators.
- Set up 2FA for your WordPress site and ManageWP account.
- Restrict access to your login page using IP blocking, a custom login page URL, or a firewall.