Beefing Up WordPress Password & Username Security

If you’re planning your first WordPress website or already have one. To put it bluntly: your site could be under attack as your reading, from hackers who are looking to break into your WordPress site. That’s a fact. If you’re thinking your site is too small or new to earn the attention from hackers, think again.

Who’s responsible to secure your website?

It’s your responsibility to make sure that your WordPress websites are secure. (Because it is). Situations can arise and vulnerabilities you have very little control over the issue. As a WordPress user, I’m referring to users who don’t abide by smart and safe username and password practices.

Just think of how many names, numbers, birthdays, addresses, facts, that you keep track of daily. For one minute, realise how many applications you use, your logging in/out. The last thing you or anyone wants to do is to memorise unique complicated passwords for each one.

Strong username and passwords are for a reason! You can’t take shortcuts on securing a website, or if you’re a user, safe-guarding your private information. Because you don’t want to generate a better password. For example, the ones you created for Yahoo, Outlook or Gmail several years ago.

First, let’s talk about WordPress passwords. They play such an important role in protecting your WordPress site’s security. Why does WordPress even bother with this? Well, because a weak password can open up the websites too many risks and hackers fully know of this! Because of WordPress popularity, it makes it a prime target. WordPress can be an easy target if you’ve not implemented the correct security measures.

To make things crystal clear to understand the severity of attacks. Various leading security firms specialising in WordPress security. These firms have reported in a 24hr period that there can be over 6,000,000 attacks targeting over 70,000 websites!

Without extra security measures in place. All it takes for one particularly weak user password to succumb to brute force attacks. And then where would that leave you? Your site, your users. It has exposed any visitor that has arrived at your website to these vulnerabilities or find out your Google’s blacklist! So, let’s not allow that to happen.

The Blue Elephant Guide to Creating Strong Passwords

For passwords, one thing is sure: Size matters! Adding a single character to a password boosts its security. In a so-called “dictionary attack”. A password cracker will use a word list of common passwords to figure out the correct one.

I will now show the difference when adding characters to passwords, for instance, if you have a simple and common password that’s 7 characters long. A pro could crack it in a fraction of a millisecond. Add one more character and the time increases to five hours. Going above 11 characters, the passwords become strong, roughly 13 years to crack. Again adding one more character, and you’re looking at 200 years’ worth of security.

Computer generated strong password examples such as “284u8+1VH.4a4”. Yes, it’s a great password, but trying to remember is another thing. Let’s now look at the following table, at ways to create strong remember-able password;

Password Characters Time Needed To Crack The Password
Ilikecake 9-characters 12 days
ILikeCake 9-characters 13 days
I2LikeCake 10-characters 21 days
I2Like8Cake 11-characters 13 years
I2Like-8Cake 12-characters 2 centuries
I2Like2-8Cake 13-character 13 centuries
I2Like2-8Cake=2018 18-characters 10,000+ centuries!
Think about the password strings above I have created. Using the alphabet, number and symbol character set, the password sounds like the following phrase: “I too like to eat cake during 2018”. To sum up the password guide. Passwords should contain at least 12 characters but preferably 14+ characters long. If you wish to test password strengths, please visit password checker Use none of the passwords I have shown here, nor test password checker with any password you intend to use!

When to change passwords?

Now, this doesn’t mean you can avoid changing passwords ever again. There are key times when you should change a password.

They include;

In all these cases, updating your password is a smart precautionary step. A new password ensures that someone can’t abuse your account even if they have the old password. It’s good practice to change even strong passwords periodically.

The Blue Elephant guide to creating strong Username

You’re starting to get the picture now. It’s time to change old habits and mindsets setting a secure username is vital to keeping hackers out. Not only will this guide help you understand what makes a secure username. But how to put in place changes to keep your site safe and sound.

Believe it or not! Many WordPress users use username “admin” or “business name” or your own “name”. For example, I wouldn’t use “Blue Elephant” or anything listed on my website as a username, will make it a hackers wet-dream easy enough for someone to guess! As I stated earlier, it’s your responsibility to make sure that your WordPress websites kept are secure. By following the guide, will secure your WordPress Login from being compromised.

How Easy Hackers Can Find Your WordPress Username?

You’ve taken measures to hide your WordPress login and admin screens from hackers. You’ve changed your default usernames, removed all mention of them from your theme. You’re safe, right? There’s no way that hackers can find your login pages, let alone your usernames, wrong!

Unless you take necessary precautions, here’s how hackers can find your WordPress username with ease. And not just yours, but those of everyone on the site.

Anyone can find your WordPress username by appending the query “/?author=1!” To find your username. First, enter your domain name in the URL browser bar, then add “/?author=1” query after the URL like this example:

You will see immediately that the server returned the author page in the URL bar;

This is just an example!

Solution: Changing the .htaccess File

The username now exposed. It’s right out there in the open! For now, forget about making your username difficult to guess. First, we need to change the “.htaccess” file. By creating a simple “.htaccess” rule. It instantly blocks all attempts to access your WordPress username via the ”/?author1” query. 

If you have access to file manager, open the hidden “.htacces” file in the root directory of your WordPress installation. And paste in the following code at the end, then save the file:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

These rules check to see that you’re not logged into your WordPress admin dashboard. And whether someone is attempting to access using the “author” query parameter. If they meet every condition, then redirects back to the WordPress homepage. Problem solved! On the plus side, this will help reduce brute force attacks on your login page! Good job, no longer can hackers find your username.

Let's Get Creative With Usernames

Now let’s look into creating a strong username, think mash-up, gibberish, slang, etc…

Yes, that’s right, let’s get messy!!! Even use a mixture of nicknames, your pet, favourite colour, hobbies, let’s get creative!

Username Example: Big_Dog_8_Jimmy


Never create usernames that:
Always create usernames that:

If your account username or password falls into the bad, or even the good category. It’s time to change out your username or password ASAP.

The big Q? Did you find this blog helpful or benefit you?


Do you know anyone who may find this blog/guide helpful? Send them this page URL or click on the share buttons below.

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on whatsapp
Share on email

You’ll be helping me out by spreading the word about Blue Elephant website, and you’ll be helping someone out!

Thank you.