WordPress passwords not enough is the lesson security teams have learned the hard way. A strong password is a baseline, not a complete defence. Credential leaks, phishing, and persistence attacks all defeat passwords. This guide covers why and what to add.
Why strong passwords leak anyway
Leaks happen at the providers your users reuse passwords with, not necessarily at your site. A leaked Adobe password from a decade old breach can compromise your WordPress site today if the user reused it.
The password strength does not matter if the password leaked elsewhere.
Phishing defeats strong passwords
A user typing their strong password into a fake login page hands the password to the attacker. The strength is irrelevant. The page was the wrong one.
Phishing campaigns specifically target administrators. WordPress admin is a known valuable target.
Two factor authentication as the answer
A second factor breaks both the leak and phishing problems. The attacker has the password but not the device. Login fails. Defyn Security Manager ships TOTP based 2FA compatible with Google Authenticator, Authy, 1Password, Microsoft Authenticator, and Bitwarden.
the Defyn Security Manager plugin also supports per role enforcement and backup codes so the rollout is practical for real teams.
Password rotation is the wrong fix
Forcing password rotation every ninety days does not improve security. Users pick weaker variants of their existing password. The friction adds no security.
Rotate only on suspected compromise. Otherwise leave strong passwords alone.
Password managers are the right baseline
Every administrator should use a password manager. Unique random passwords per site eliminates the reuse problem. 1Password, Bitwarden, and KeePass are all sensible choices.
Document the policy. Train new staff. Audit annually.
Frequently asked questions
Are wordpress passwords not enough even with a password manager?
Better, but still not enough. Phishing defeats password managers too. 2FA is the backstop.
Should I require 2FA for every user?
For administrators and editors yes. Subscribers usually optional.
What if a user loses their 2FA device?
Backup codes restore access. The plugin generates them at setup.
Does 2FA slow down workflow?
A few seconds per login. Worth it for the security gain.
Related reading
- Common WordPress login attacks
- Why login security matters
- Defyn Security Manager on WordPress.org – the plugin powering these techniques.




