Most WordPress sites do not get hacked because of WordPress. They get hacked because of a plugin nobody updated, a login with no rate limiting, or a password that leaked off somebody’s laptop.
WordPress login security is the half of that you can fix in an afternoon. It is also the half most guides get wrong, because they lead with the stuff that feels secure instead of the two controls that actually stop the attacks people are running against your site right now.
- Most compromises trace back to an outdated plugin with a known hole, or a login with no rate limiting. Rarely to WordPress core itself.
- Rate limiting (locking out repeated failed logins) is the highest-leverage thing you can switch on today.
- Two-factor authentication is the one control that still works after a password has been stolen.
- Credentials leak from people’s own machines, not just from your server, so give every account the least access it needs.
- Changing your login URL cuts bot noise. It is obscurity, not protection, and it is not a substitute for the two above.
- Passkeys are where things are heading, but WordPress plugin support is still rough in practice.
What Actually Gets WordPress Sites Hacked
Across the sites I run, the pattern is boring and consistent. Two things cause most of the damage: plugins that never got updated, and logins with nothing rate limiting them.
The plugin half is the one people underrate. When a vulnerability is disclosed in a popular plugin, the details become public, and within days there are bots scanning the entire internet for sites still running the old version. Nobody is targeting you personally. You are just a row in a list of installs that match a known hole. Staying patched removes you from that list entirely.
The login half is what this post is about. By default, WordPress will let a bot guess passwords at your login form more or less forever. No lockout, no delay, no limit. That is the gap rate limiting closes, and it is the single cheapest security win available to you.
Notice what is not on that list: WordPress itself. Core is well audited and patched quickly. If your site gets owned, the odds overwhelmingly favor an outdated plugin, a weak or reused password, or a valid credential that fell into the wrong hands.
The Compromise That Had Nothing to Do With WordPress
Here is a recent one from a site I manage. An editor account was compromised, and WordPress was never the way in.
What happened is that the contributor’s own computer was infected with an infostealer, which is malware that quietly scrapes saved passwords and session cookies out of the browser. Their WordPress password went with it. The attacker did not need an exploit, a vulnerability, or any cleverness at all. They just logged in with a real password, the way that person would have.
That is the uncomfortable part of login security that most checklists skip. Your login is only as strong as the least-careful device belonging to anyone who has an account on it. You cannot patch your contributor’s laptop. What you can do is make a stolen password insufficient on its own, and make sure that when an account does fall, it cannot do much damage.
Which is exactly what the next two sections are for.
Rate Limiting: The Highest-Leverage Thing You Can Turn On
If you only do one thing after reading this, do this one. Rate limiting (often labeled “limit login attempts”) locks out an IP address after a handful of failed logins. It turns an unlimited guessing game into a few tries, which is the difference between a brute-force script that runs all night and one that gives up in ten seconds.
Most security plugins include it, and a few dedicated ones do nothing else. Set the threshold somewhere sensible (a handful of attempts, then a lockout measured in minutes or hours) and you have removed the entire category of attack that generates the most noise in your logs and the most load on your server.
A firewall in front of the site, whether that is Cloudflare or something your host provides, does the same job a layer earlier by dropping the traffic before it ever reaches PHP. Running both is not overkill.
Two-Factor Authentication: The One That Survives a Stolen Password
Rate limiting stops guessing. It does nothing about the story above, where the attacker already had the correct password. That is what two-factor authentication is for, and it is the reason 2FA belongs on every account that can publish or install anything.
Use an authenticator app rather than SMS codes where you can, since SMS can be intercepted or SIM-swapped. Then apply it to the accounts that matter most: administrators first, then editors and anyone else who can change what visitors see. If you have ever thought “it is just a small blog, nobody would bother,” remember that nobody did bother in the story above. A script logged in with a password it found lying around.
What I Actually Run
On my serious sites I use Solid Security Pro, which handles two-factor authentication and login rate limiting in one place. Having both under one settings screen matters more than it sounds like it should, because the security setup you actually maintain beats the clever one you abandon.
On top of that I change the login URL and keep a firewall and limit-attempts layer in front. The login URL change is the one I would rank last of those, and I want to be honest about why: it is obscurity. It cuts an enormous amount of bot traffic and quiets your logs, which is genuinely useful, but it does not protect a weak password from anyone who finds the new address. It is the cherry, not the cake.
A Straight Answer on Passkeys
Passkeys are clearly where authentication is heading. They cannot be phished, cannot be reused, and cannot be scraped out of a browser by the kind of infostealer described above, which makes them a genuinely better answer than passwords.
That said, I have not had much luck with the passkey plugins on WordPress so far. The experience is rougher than the pitch, and I am not going to tell you to build your login strategy on it today just because it is the exciting option. Keep an eye on it, and in the meantime get 2FA on and rate limiting configured, because those work right now.
The Rest of the Login Hardening List
Once rate limiting and 2FA are in place, these are worth an afternoon:
- Stop using “admin” as a username. It is the first thing every bot tries, so it halves their work for them. Here is how to change your WordPress username safely.
- Use unique passwords, generated and stored in a password manager. Reused passwords are how one breach somewhere else becomes a breach on your site.
- Give every account the least access it needs. Most people who need to write do not need to install plugins. Our guide to WordPress user roles covers what each role can actually do.
- Rotate your security keys after any scare. Changing the salts in wp-config.php invalidates every existing login session, which force-logs-out anyone riding a stolen cookie. Our free WordPress salt generator builds a fresh set in your browser.
- Keep bots off your forms and comments. The same scripts probing your login hammer everything else. Start with stopping WordPress spam comments.
- Have a working backup. Security is about recovery too. Here are five ways to back up a WordPress site.
Frequently Asked Questions
What is the most important WordPress login security setting?
Rate limiting, closely followed by two-factor authentication. Rate limiting kills password guessing, and 2FA covers the case where the password was never guessed at all but stolen. Everything else is a smaller improvement on top of those two.
Does changing the WordPress login URL actually help?
It helps with noise, not with security. Moving the login off the default address means the broad automated scans hit a 404 instead of your form, which cuts server load and cleans up your logs. It does not stop anyone who finds the new URL, so treat it as a nice extra rather than a defense.
Do I need a security plugin for WordPress?
You need what a security plugin provides: 2FA and login rate limiting. Getting those from one maintained plugin is usually simpler than assembling them from parts, which is why I use Solid Security Pro on sites that matter. If your host or Cloudflare already gives you the firewall and lockout layer, a lighter setup is fine.
Wrapping Up
Login security gets treated like a long list of tweaks, and it really is not. Turn on rate limiting, turn on two-factor authentication, keep your plugins updated, and give people the least access they need. That covers the ways sites actually fall over. The rest is polish.
Setting up a new site and want the rest of the settings that matter? Work through our WordPress setup checklist, or if you are just trying to get into your dashboard in the first place, here is how to log in to WordPress.


