Defeat the WordPress BotNet with this simple solution, use a pass-phrase.

You have all likely heard about the recent rise in brute force attacks against WordPress; if you have not, Sucuri has been chronicling it for you. Here at Pagely we have best-in-class enterprise security appliances protecting our network, additional second-level mechanisms in place to throttle and block brute force attacks against our clients' sites, as well as remediation procedures should something get through.

Regarding brute force attacks, here is the honest truth that most hosting companies may not tell you: you, the site owner, are the first and last line of defense.

A brute force attack is simply a program trying to log in to your site with common username and password combinations. The easiest way to defeat these attempts is to use a good pass-phrase.


This simple change to your online habits will increase the security of your properties 1000 fold. We’ll keep protecting your WordPress sites from the various and nefarious denizens of the interwebs as best as we can, but if your password is “password”, you are defeating all the work we are trying to do for you.

An easy-to-remember 3 or 4 word pass-phrase is WAY harder to crack/guess than mYp@sw0®d.
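To put numbers on that comparison, here is a short Python sketch that sizes a randomly generated pass-phrase against a mangled dictionary word. It is an added example, not Pagely's code; the 7776-entry list size (the length of the EFF long wordlist), the 100,000-entry guess list, the guesser model and the constructed `SAMPLE_WORDS` list are all assumptions.

```python
import math
import secrets

# Constructed sample list so the block runs offline; a real list should be
# thousands of words long (the EFF long wordlist has 7776 entries).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet",
                "garden", "copper", "lantern", "puzzle", "river", "meadow",
                "anchor", "thimble", "walnut", "harbor"]

def passphrase_bits(list_size, n_words):
    """Entropy of n words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate(words, target_bits=50, sep=" "):
    """Build a pass-phrase with the OS CSPRNG, sized to reach target_bits."""
    unique = sorted(set(words))
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    n = words_needed(len(unique), target_bits)
    return sep.join(secrets.choice(unique) for _ in range(n))

def mangled_word_bits(dict_size, letters, leet_letters):
    """Generous estimate for a dictionary word with case and symbol swaps.

    Assumed guesser model: pick a word from a list of dict_size entries,
    then try both cases for every letter and both forms of every letter
    that has a common symbol substitute.
    """
    return math.log2(dict_size) + letters + leet_letters

def ratio(bits_a, bits_b):
    """How many times larger search space a is than search space b."""
    return 2 ** (bits_a - bits_b)

if __name__ == "__main__":
    # Modelled on "mypassword": 10 letters, 4 with common substitutes
    # (a, s, s, o); the 100,000-entry guess list is an assumption.
    weak = mangled_word_bits(100_000, letters=10, leet_letters=4)
    for n in (3, 4):
        strong = passphrase_bits(7776, n)
        print(f"{n} words: {strong:.1f} bits, {ratio(strong, weak):,.0f}x the mangled word")
    print(generate(SAMPLE_WORDS, target_bits=20))
```

The estimate only holds when the words are picked at random, as `generate` does; a phrase chosen by hand from a favourite quote or lyric is far more guessable than the bit count suggests.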

Easy fixes to protect your WordPress site:

  • Use a pass-phrase
  • Don’t use a common user-name.
  • Purchase and use an SSL certificate for your login pages.
  • Use Roles responsibly. Not every user needs “administrator” rights.
  • Remove the default ‘admin’ account. (Create a new user with Administrator rights and a good pass-phrase, log in with it, and remove the ‘admin’ user.)
  • Did we mention to use a pass-phrase?




  1. Jonathan

    I use SSL for my wp-admin and logging, but I found that not all plugins work over SSL, so that’s one thing to be careful of.

    A plugin similar for pass phrases could be the One Time Password plugin.

  2. Pingback Locking Down WordPress

  3. Pingback Another login to remember!? Account management for extra security. | Blog

  4. Frank Steiner

    As WordPress founder Matt suggests, choosing a strong password and making certain that you have the most recent version of WordPress is an adequate protection. The botnet is in a literal sense guessing account details, if you have something that is simply not guessable you will be safe.

    Now there is a Google Authenticator Plugin for WordPress. You can enable (or disable) it per user (admin, editor, etc). This plugin in conjunction with a strong password is the best you can do to secure the back end. This is the plugin I installed for my personal blog site.

  5. Robb Shecter

    Anyone know what’s the maximum length allowed for a WordPress password? Are there any character restrictions? I’m hoping it’s a 255 varchar or even a text field with no restrictions on allowed characters. However, I’ve looked at the login.php source code and so I’m not optimistic.

