Skip navigation


  1. Posted March 16, 2012 at 3:45 pm | Permalink

    Or, you can just use and your troubles are over…

    • Posted March 16, 2012 at 4:23 pm | Permalink

      There are a lot of password creation and saving tools, but step away from your familiar computer setting and what were they? How do I get them?

    • Posted March 17, 2012 at 7:21 am | Permalink

      I agree, LastPass is awesome.

      Lorelle: If you pay their $1 a month fee, you get access to their mobile versions, allowing you to get your passwords on your phone-of-choice. Worth it, IMO.

      • Posted March 17, 2012 at 10:30 am | Permalink

        I’ll keep that in mind. In all the years of using my system, only once I’ve had a problem and that is with one account that limits the password to 10 characters. Totally stupid, IMHO, and forces me to break the norm with my more than 10 character passwords.

  2. Posted March 16, 2012 at 3:46 pm | Permalink

    Reblogged this on Believe Anyway and commented:
    In case anyone did not receive this, Lorelle at wordpress put this post up today. It is about fighting spammers, passwords that are resistant to attack, etc.

  3. Posted March 16, 2012 at 11:20 pm | Permalink

    Thanks for posting this article! As a WordPress nerd, I love this article… but my security nerd forces me to make a couple of comments…

    The best way to make a secure password is to use a phrase like a song lyric. Insert a special character and then you’re done. If your special character isn’t ! you’re even better off.

    Using a schema on every site defeats the purpose of switching up your passwords. The purpose of switching up your password is so when someone has one password, they can’t guess others. If your facebook is FacebookJack, and your twitter password is TwitterJack… well your Twitter account will get jacked.

    Your “leet” speak examples are serious! I highly doubt anyone is ever going to guess one of your passwords. It’s important to realize that password crackers are well aware of leet speak. So, if you follow the leet speak advice, make SURE your leet speak is very ‘leet’. “P@ssword1” just doesn’t cut it. But, Lorelle’s examples sure do!

    The safe user advice is BRILLIANT. I use it EVERY day when I log into my computer, why I don’t do this with WordPress is beyond me!

    Changing your admin account name to “greg” does you no good if you then post articles as greg… because WordPress shares the usernames for all authors! A quick example to illustrate:

    Lorelle’s username is, “lorelle” (I hope you don’t mind me posting? If you do, please edit this part…). To confirm her username, go to her admin panel at /wp-admin and type in the user name with any password. You’ll promptly get a notification from WordPress that you have her user account: “ERROR: The password you entered for the email or username lorelle is incorrect.”

    Congratulations, you’ve just won the first half of the password cracking battle. You can thank for making that so easy… Now, of course, you still have to guess her password… Good luck with that one!’s not helping you there.

    I keep meaning to build user account scanning into my WordPress security scanner:, but I’m still working on getting it to detect malware as good as the Sucuri scanner does.

    • Posted March 17, 2012 at 7:23 am | Permalink

      Greg, usernames are not considered confidential information. Security is all in your password. Having to guess two things doesn’t actually make it twice as hard.

    • Posted March 17, 2012 at 10:26 am | Permalink

      Otto is right. The author name is often the nickname or display name, not the username. I have many accounts with a variety of usernames and none of them are my author name. Good point though. Many don’t change it, publishing content under sillygirl42. 😀

      As for song lyrics, that would be the same as a unique word in the above example. Something you can easily remember. I still recommend changing the letters to mixed caps and symbols, and Leet makes that fairly easy.

  4. Todd
    Posted March 17, 2012 at 4:35 am | Permalink

    Recently a victim of a wordpress attack. Beyond strong passwords and limiting accounts, I realized I’d never completed my .htaccess file. Feeling much safer now.

    • Posted March 17, 2012 at 10:28 am | Permalink

      The .htaccess file is one way to add some protection, but not the only one. Make sure you pay close attention to little gaps that many of us leave knowingly (and forget) or unknowingly.

  5. Posted March 17, 2012 at 11:38 am | Permalink

    Unfortunately, Otto is incorrect. Login names ARE confidential information. The first step to brute forcing a password is having a user name, or better, a complete list of possible user names. WordPress gives out both of these. There is no reason it should.

    If you don’t have a user name, the number of possible combinations of username/password becomes a lot more complex. Without a list of names, guessing the right password, even if that password is “password” is hard. Often times, people use their first name as a log in, so, it’s not really very difficult. But, it shouldn’t be something an automated password cracker can get by loading your homepage. WordPress should also check to make sure “fist name” and “user name” aren’t the same.

    When I get more time, I’ll round up a collection of links about how to program secure login screens.

    The short list:
    1. Give the same error message for all errors on the login screen.
    2. Do not allow users to set weak passwords like ‘password’.
    3. Don’t allow user names to be harvested.

    WordPress developers argue that these things are the user’s responsibility. It’s the stupid users who let their WordPress get hacked. But, when we can prevent the user from making stupid mistakes, is it really the user being stupid, or is it that our program needs improvement?

    • Posted April 26, 2012 at 6:58 pm | Permalink

      I think this one is key:

      “2. Do not allow users to set weak passwords like ‘password’.”

      Because you can inform people that they need strong passwords but some people actually think that “password!” is strong — because they don’t understand how serious

      Do you know of any ways/plugins to force a certain quality of password on WP? It shouldn’t be that difficult, since WP already has the built in password-strength meter.

      • Posted April 26, 2012 at 7:15 pm | Permalink

        There are WordPress Plugins that use password-strength meters for sites with extensive registered users or members. However, if you have less than 20 people registered with your site, an email reminder to ensure they make their passwords strong is better than adding another Plugin.

        We tend to put a lot of energy into serving the lowest common denominator and we need to start trusting people to look after themselves, too. Education is the key, not gatekeepers.

  6. Dennis
    Posted March 17, 2012 at 11:57 am | Permalink

    I agree with freddyflow. I use last pass and generate a password which is a very strong password.

    • Posted March 18, 2012 at 5:54 pm | Permalink

      Thanks, Dennis. Yes, I can’t imagine life without Lastpass!

      Another great timesaver is These are my dynamic duo…

      -Freddy Flow

  7. LGR
    Posted March 18, 2012 at 10:55 am | Permalink

    Aside from having a strong password and using a login that is not the admin account I also like having the Login Lockdown plugin installed.

    It will slow down and stop many brute force attacks. The best feature is you can tell it to automatically lock out unknown usernames, so if the attacker tries to login with a username that does not exist they get locked out right away.

    It has been great. I am sure there are other plugins that do similar things but that is my favourite.

  8. genomega1
    Posted August 27, 2012 at 5:19 am | Permalink

    Reblogged this on News You May Have Missed and commented:

    Update WordPress Now: Reuters Hacked

  9. Posted April 23, 2013 at 2:37 pm | Permalink

    Pity that there isn’t an easier way…

6 Trackbacks/Pingbacks

  1. […] VanFossen shared Defying Brute Force Attacks on WordPress Logins. Defying Brute Force Attacks on WordPress […]

  2. […] Defying Brute Force Attacks on WordPress Logins […]

  3. […] to run through a whole series of passwords or MD5 hash combinations to gain access to your website. has a great write-up on the issue along with resources to assist you in the battle of protecting […]

  4. […] wrote about brute-force attacks on WordPress logins last year recommending to all to get serious about making your usernames and passwords stronger. A year later […]

  5. […] Lorelle VanFossen explains how to create a strong password that is not terribly long and is easy to …. Her technique is a little unconventional, but stick with her through the article and you will end up with multiple passwords based on the same word […]

  6. […] Login: To enhance the security of your site, it is recommended that you create a second login as a safe user account to use when you are traveling or at an insecure Internet access point. Use your admin login only […]

Post a Comment

Required fields are marked *

%d bloggers like this: