Infrastructure
A Strong WordPress Password Is Not the Same Thing as a Safe One

A strong WordPress password protects nothing if it is also a reused one. That is the uncomfortable truth behind most of the account compromises that cross my desk: the password was twelve characters, mixed case, a symbol wedged in somewhere near the end. It would pass any strength meter WordPress puts in front of it. It was also the exact password the site owner used on a retailer account that got breached the year before, sitting in a stealer log dump that nobody in the business ever heard about.
Strength was never the vulnerability. Reuse is. Conflating the two has quietly become one of the most common gaps in WordPress account security, and it is getting worse, not better, as more of the internet's password history ends up compiled into searchable breach databases.
Strength Was Never the Vulnerability
Ask most business owners how to secure a WordPress login and the answer is some version of "make the password stronger." That instinct comes from somewhere real. A decade ago, attackers genuinely did guess their way in, cycling through dictionaries of common passwords against a login form until one landed. A longer, weirder password made that kind of attack take longer.
It rarely happens that way now. Modern account takeovers mostly use credentials that are already known to be correct, harvested from an unrelated breach and tried against every login form the attacker can reach. This is why WordPress's own advanced administration documentation does not lead with password complexity rules. It leads with something more direct: "use strong, unique passwords and a password manager" [1]. Notice the order. Unique comes before strong, because unique is the part that actually stops the attack that is happening.
So what does that mean for a business owner? It means a password strength meter is answering the wrong question. The right question is not "could someone guess this," it is "does this password exist anywhere else where a breach could expose it." Most owners have never checked, because most owners have never been asked to.

What a Reused Password Actually Costs You
Picture a typical case, one we see the shape of often enough to treat as representative rather than a one-off. A small chain of physiotherapy clinics in Mayo runs a shared WordPress login for its booking site, one set of credentials, three staff members, because setting up individual accounts felt like unnecessary admin at launch. One of those staff members reuses her personal email password across a handful of retail and subscription accounts. One of those accounts gets breached. The password surfaces in a public dump within weeks.
Nobody tries to guess the clinic's WordPress login. Nobody needs to. An automated script simply tries that known email and password combination against thousands of WordPress sites in sequence, the clinic's among them, and it works on the first attempt. The attacker does not deface the homepage or lock anyone out. That would get noticed too fast. Instead, spam links get quietly injected into old blog posts, the kind Google eventually flags as a security issue in Search Console, weeks after the fact, long after the injection itself happened. By the time anyone in the clinic notices, the damage is already indexed.
That is the actual cost of reuse: not a dramatic break-in, but a quiet one that sits undetected for weeks while it does damage to search visibility and customer trust. Our guide to WordPress security and backup practice covers the wider defensive picture, but reused credentials sidestep almost all of it, because the attacker is not breaking in. They are logging in.
The Fix WordPress Itself Recommends
The numbers get genuinely hard to ignore once you look at them together. Have I Been Pwned added a fresh dataset in June 2026 built from accumulated stealer logs: 56 million unique email addresses and 124 million unique passwords, all harvested by infostealer malware and compiled into one searchable batch [2]. That is one month's addition, not a running total. Stealer logs like this are exactly what feeds the kind of automated login attempt the Mayo clinic scenario describes, and they keep growing.
Separately, roughly two in three people admit to reusing passwords or falling back on predictable patterns across accounts, according to a 2026 PasswordManager.com survey [3], a single-vendor study worth treating as directional rather than precise, but consistent with what breach databases keep showing. Two thirds is not a fringe habit. It is close enough to the norm that assuming your own team is the exception is, itself, the risky assumption.
Verizon's 2026 Data Breach Investigations Report found that software vulnerabilities have now overtaken stolen credentials as the single most common way attackers get their first foothold [4]. That sounds like good news for passwords, and it is not. It means credential-based access has become one exploit path among several rather than the only one, not that it stopped working. A quieter path in is still a path in. Our breakdown of ongoing WordPress login attacks shows what that pressure looks like from the server side, in real time, all day, every day, whether or not anyone is watching the logs.
Reviewing an incident log earlier this year, we traced a compromised account back to a password that had already surfaced in a breach dump eighteen months prior. The client had told us during onboarding that it was a strong, unique password. It was strong. It was not unique. We check exposed-password databases ourselves now rather than taking that answer at face value, because owners are not lying when they say it, they simply have not checked.
A password manager solves the actual problem: a unique, randomly generated password for every account, stored once, never reused, never remembered by a human who might reuse it under pressure. That is a meaningfully different security posture to a memorable password reused everywhere, no matter how many symbols got wedged into it.
What a Password Manager Will Not Do
None of this is a complete fix, and it is worth being honest about where the edges are. A password manager stops credential reuse. It does not stop phishing that captures the password directly at the point of entry, on a convincing fake WordPress login page that looks identical to the real one. Many password managers now flag a mismatched domain before auto-filling, which closes most of that gap, but a determined attacker with a well-built clone site and a distracted target can still get lucky.
Two-factor authentication is the actual backstop for that scenario. It is worth knowing that WordPress does not ship it in core, where your hosting provider or dashboard may or may not offer it by default. It has to be added through a plugin or a single sign-on provider [1], which means the protection only exists if someone has actually deployed it, not because the platform assumed it for you.
Practically, closing this down does not take long. Audit who actually has access to the WordPress dashboard, including any account nobody remembers creating. Move every one of those logins into a password manager, generating a fresh, unique password for each rather than reusing what is already there. Check whether any current password already appears in a public breach database before assuming it is clean. None of that is technical work. It is half an hour with a checklist, done once and then kept current as staff change.

Where Managed Hosting Closes the Rest of the Gap
A unique password removes the reuse risk. It does not remove the fact that WordPress login pages get probed constantly, all day, by scripts that are not targeting any one business specifically. That is a hosting-layer problem, not a password one, and it is the part an individual business owner cannot fix by changing a setting in wp-admin. Web60 runs fail2ban intrusion prevention and server-level security hardening by default on every site, which blocks the repeated automated login attempts before they get anywhere near a password check, correct or otherwise. Automatic malware scanning catches the rare case where something does get through, well before it turns into the kind of quiet, weeks-long compromise the Mayo clinic scenario describes.
None of that replaces a unique password in a proper password manager. That part stays the business owner's job, and no hosting platform can do it on your behalf. But managed WordPress hosting built on Irish infrastructure with security hardening running by default means the login page itself is a harder target long before anyone's password becomes the deciding factor, which is a meaningfully different starting position to a shared server with no intrusion prevention watching the door at all.
If you are building a new business website and want that groundwork in place from the first day rather than bolted on after an incident, that is exactly the kind of default Web60 is built around.
Conclusion
Strength was never a bad idea. It was just never the whole answer, and treating it as one has let a much simpler fix sit unused for most business owners: a password manager, a unique password per account, and an audit of who still has access to a dashboard they may not need anymore. None of that requires technical skill or a developer. It requires half an hour and the willingness to stop assuming a password is safe just because it looks complicated. Check today whether any password protecting your website exists anywhere else, and if it does, that is the one worth changing first.
Sources
Ian oversees Web60's hosting infrastructure and operations. Responsible for the uptime, security, and performance of every site on the platform, he writes about the operational reality of keeping Irish business websites fast, secure, and online around the clock.
More by Ian O'Reilly →Ready to get your business online?
Describe your business. AI builds your website in 60 seconds.
Build My Website Free →More from the blog
The Fine Print in Your Cyber Insurance Policy Is a Website Security Checklist
Cyber insurance will not pay out if your website security does not match what you told the insurer. Here is what Irish policies actually check.
What Happens to Your Website When Your Hosting Provider Goes Out of Business
Your hosting provider can be sold, struck off or wound down with little warning. This covers what happens to your website next, and how to stay protected.
