Howdy Friends! Your WordPress site is only as secure as the passwords protecting it. That means your admin account, your hosting account, your email, and anywhere else that touches your site. Let’s talk about how to lock things down the right way.


Use a Password Manager

Writing passwords down or reusing the same one across multiple sites is a serious risk. A password manager solves both problems. It generates strong, unique passwords for every account and remembers them for you.

Here are the options we recommend:

Bitwarden — Our top pick. Bitwarden is open source, audited, and stores your vault encrypted in the cloud so it’s available across all your devices. It has free and paid tiers, browser extensions, and mobile apps. It works for individuals and teams. This is what we recommend to our customers.

Proton Pass — A solid alternative from the makers of ProtonMail. It’s privacy-focused, end-to-end encrypted, and integrates well if you’re already in the Proton ecosystem. A strong choice if privacy is a top priority for you.

KeePassXC — A free, open source option that stores your vault locally rather than in the cloud. Nothing leaves your machine. The trade-off is that syncing across devices requires extra setup. A great pick if you prefer keeping your data fully offline.

Any of these is a significant upgrade over no password manager at all.

Use Strong, Unique Passwords Everywhere

Every account should have its own password. If one site gets breached and you reuse passwords, attackers will try your credentials everywhere else — this is called credential stuffing, and it’s automated and constant.

A good password manager makes this easy. Let it generate a random password for every account. You only need to remember one strong master password.

For your WordPress admin account specifically:

  • Use a randomly generated password of at least 16 characters
  • Don’t use your name, business name, or anything guessable
  • Don’t share it via email or text — use a secure share feature in your password manager instead

Enable Two-Factor Authentication

A strong password is good. A strong password plus two-factor authentication (2FA) is much better. Even if your password is compromised, 2FA requires a second step — usually a code from an app on your phone — before anyone can log in.

Enable 2FA on:

  • Your WordPress admin account
  • Your GR Host account
  • Your domain registrar
  • Your email account (especially important — email is often the recovery path for everything else)

Authenticator apps like Bitwarden Authenticator, Aegis (Android), or Apple’s built-in authenticator are more secure than SMS codes.


Protect Your WordPress Admin Area

Beyond passwords, a few simple steps go a long way:

  • Limit admin accounts. Only give admin access to people who actually need it. Use Editor or Author roles for everyone else.
  • Delete unused accounts. Old team members, old contractors — remove their access when they’re done.
  • Don’t use “admin” as your username. It’s the first thing attackers try.
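
One way to check the account rules above from the command line, as an added example that is not part of the original post. It assumes WP-CLI is installed on the site; the function name, the sample user list (constructed), and the default limit of two administrators are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit WordPress accounts.
# On a real site, feed it the CSV printed by:
#   wp user list --fields=user_login,roles --format=csv
# The administrator limit (default 2) is an assumed threshold.

audit_wp_users() {
    awk -v max="${1:-2}" '
        NR == 1 { next }                      # skip the CSV header row
        {
            sub(/\r$/, "")                    # tolerate CRLF line endings
            i = index($0, ",")
            if (i == 0) next                  # not a login,roles row
            login = substr($0, 1, i - 1)
            roles = substr($0, i + 1)
            gsub(/"/, "", roles)              # multi-role cells are quoted
            if (tolower(login) == "admin") {
                print "FAIL: an account is named \"admin\""
                bad = 1
            }
            n = split(roles, r, ",")
            for (k = 1; k <= n; k++)          # exact match, so custom roles
                if (r[k] == "administrator") { # like shop_administrator are skipped
                    admins++; names = names " " login; break
                }
        }
        END {
            if (admins + 0 > max + 0) {
                print "WARN: " admins " administrator accounts (limit " max "):" names
                bad = 1
            }
            if (!bad) print "OK: no findings"
            exit (bad ? 1 : 0)                # non-zero when anything was flagged
        }
    '
}

# Constructed sample data in the same shape as the WP-CLI CSV output.
sample_users() {
    cat <<'EOF'
user_login,roles
admin,administrator
jane.doe,administrator
old-contractor,"administrator,editor"
sam,editor
EOF
}

sample_users | audit_wp_users 2 || true
```

The function exits non-zero when it flags anything, so it can run from a scheduled job that alerts on failure.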

Don’t Share Secrets Over Email or Chat

Email and most chat apps are not secure channels for sharing passwords. If you need to share access with someone, use the secure sharing feature in your password manager. Bitwarden supports this natively, including temporary share links that expire.


A Quick Checklist

  • Password manager set up and in use
  • Unique passwords on every account
  • 2FA enabled on WordPress, hosting, registrar, and email
  • No “admin” username on your WordPress site
  • Admin accounts limited to only those who need them
  • Unused accounts removed

Good password hygiene is one of the highest-impact things you can do for your site’s security. It costs nothing and takes an afternoon to set up properly. If you have questions or need help locking down your WordPress admin, get in touch — we’re happy to help.
