Hugues Audouard Freelance web designer and wordpress consultant

WordPress login credentials guidelines

Weak passwords, either because they are too obvious to guess or work out by password bots or because the same password is used on multiple services, are one of the main source of security compromise for a website.

In this post I attempt to provide a few essential steps to help strengthen your WordPress logins to better secure your WordPress website.

Create non obvious and hard to guess user names

Not directly related to your name or the website name and NEVER obvious such as“admin” or “editor”
For example use “uytgav3” instead of “pauline” or “john”

Use complex passwords

Short passwords using common names are easy to guess by automated software, even where some letters are substituted for number. Using the same password on multiple services dramatically increases chances of being compromised.

  • Create a completely random combination of lower case and upper case letters, numbers and symbols
  • Make it 14 characters or more
  • Write it down somewhere safe
  • Don’t save it in your web browser – if you must save it electronically then use an encrypted password manager such as
  • DO NOT re-use a password you already use on another website or online service

BAD password example: pauline123, littleflower, bla4ckc4t

GOOD password example: 9i*Gf£45dnMs!@

Never share you login details with anyone

Access to WordPress admin is based on the principle of “least privilege”. This mean that each user has access to a the level he or she needs, no more, no less. This helps reduce security risks by ensuring users don’t have access to things they shouldn’t have.

Examples of WordPress user roles:

  • An “author” can only add, edit or delete their own pages or posts
  • An “editor” can edit or delete any content on the site
  • An “admin” can do everything manage including creating users, installing plugins, modify code etc…

Having said that, if you do need to communicate passwords don’t use email which generally sends content in clear, instead you can:

  • Send it in two halves: one half by email and the other by sms to a mobile phone
  • Use an encrypted messaging service such as WhatsApp

Final word

Make sure always logout when you have finished working on your site

That’s it, I hope following these simple steps help you have a more secure WordPress website


I'm a freelance web designer & developer, as well as a bit of a digital marketing expert. I love all things WordPress and helping people make the most of their website and digital marketing presence. You'll sometimes find me lurking at various WordPress meet-ups, Facebook groups or the support forum...


I don't send out newsletter very often at all, but when I do I hope you'll find them useful

Your details will never be passed on to third parties. You can unsubscribe from emails at any time using a link which will always be provided.
Privacy policy

Something went wrong. Please check your entries and try again.

Share this article