User Security in WordPress

Last Revised: October 2, 2021

In WordPress users have an important weight in the system. Whether you have the manager completely closed and only you access, or if you have a hundred people working with it, it is important to avoid that whoever does not have to access, does not.

The username

Historically WordPress created the [admin]as the default user. This means that older installations can still have it and it should be removed, as it is a source of common access attempts (so are words like [root] or [administrator]). In general, the use of simple usernames should be avoided and it is more than recommended that the username be different from the parts of the email account. If you have a user [admin] you can create another user (administrator or not) and when you go to delete it you transfer all the contents.

On this basis, if you have to create a user and you want it to be recognizable to the person, it is better to use a user of the style to [Javier Casares] than simply of [javier]. Simply including two words, uppercase, lowercase, and spaces, adds to the usual complexity that is assumed in a username. And WordPress, by default, allows you to use complex usernames.

The Password

Remember to read the article on Passwords to keep in mind what a strong password is.

Users will generally use insecure passwords, unless you are responsible and concerned about security and privacy. This is why it is best to force users to use a password considered secure (and with the minimum configuration that you indicate). For this you have plugins that force strong passwords that perform this task in a simple way.

Double verification (2FA)

Even all this, today there is a much more effective way to improve security, and that is to set up a double verification system. In addition to having a username and password, the goal is that, after accessing correctly, you verify that it is really you. How to get it? Well, with something that in general we all carry with us: our mobile phone.

The idea is to install a double verification plugin, mandatory for all users, so that once the user has accessed with their username and password (more or less secure) they will ask you for a new numerical key that is generated every minute and that will only be configured on your mobile device. On the screen that number will appear, you enter it and you can enjoy your WordPress. Thus, if someone gets your access, they will not be able to access since they should also have your mobile phone.

IMPORTANT: Do not use SMS verification, use an App. There are relatively simple systems in which other Apps have access to the SMS messages that you can receive and intercept or modify those messages; this is why it is better that the password generator is done by an App and is not received by SMS.

Block massive access attempts

An important detail is to limit a user’s access to the panel. In reality, the goal is not so much to limit the user but to limit someone (person, machine …) to make many access attempts either with an existing user or trying different ones.

Although a strong password and double verification is enough for no one to get into your WordPress using brute-force systems, it can be a bit tiring that thousands of access requests are being executed. That is why we can propose the installation of a plugin that when it detects this type of attacks blocks them. We can install a Firewall or we have systems that are limited to controlling the access attempts of the access area.


By default WordPress has a few simple user levels: Administrator, Editor, Subscriber… But if you start adding features that are not the simple ones to publish, it may be better that your users have a very specific role in which they only touch what they need to touch. For this there are several user management plugins, although I recommend the use of User Role Editor or Members.

In these cases you will see that although a user has the general permissions of a level, you can give or remove other specific permissions to different specific elements. This allows you to create levels of users that differentiate common tasks that some people must and others do not.

When you finish working…

It’s easy: disconnect your session. Leaving the session open on any device offers a possibility to leave the cookies and the active session so that the one who comes behind has access to it. Even if it’s a personal device, go out. It costs nothing to put your password back in.

Seguir con Seguridad para WordPress

About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.