Protect Against Brute Force Attacks By Adding a Graphic Password to Your WordPress Admin Account

Due to its popularity, WordPress is a favorite target of hackers looking to exploit any vulnerability to gain access to your site. Once inside they can do things like compromise your files, deface your website and start gobbling up all your server’s resources until you are shut down.

With services like BruteProtect gaining traction and the recent widespread brute force attacks on WordPress sites, the incidence of compromised sites appears to be on the rise.

Experts who specialize in reversing hacked WordPress sites will generally tell you that the most important thing you can do is create a strong password. WordPress 3.7’s improved password strength meter came at just the right time. Assuming you’ve already selected a strong password, it’s time to take it one step further with the help of plugins.

WP Admin Graphic Password is a plugin that puts a new twist on WordPress’ traditional authentication mechanism. In addition to entering your text-based username and password, this plugin adds a graphic password for the site administrator.

After you install the plugin, the settings page allows you to select an image and then add your password using your mouse or finger, in the case of mobile devices.


After your password is set, the login page will require your graphic password as well as your original text-based username/password combination. If either one is omitted, you will not be permitted to enter the site. The lock button must be toggled open in order to reveal the graphic password entry, which is a further advantage against bots that are only trained to go after the traditional login form.


The only way to crack this method is if the hacker employs a machine trained on heuristic attacks against graphic password interfaces. This is certainly not as common as attacks on text-based authentication. Combine the two methods and your average nefarious bot is going to have to be smart as hell to get through.

Is this as strong as multi-factor authentication? Probably not. Generally two-factor authentication for WordPress utilizes the “something you have” requirement by asking you to produce a verification code from your phone. If you cannot be bothered with this or simply don’t have your phone on you at all times, then the graphic password might be a good alternative for you.

I tested WP Graphic Admin Password and found it to work as advertised. It is a simple and convenient tool for adding a higher level of security to your WordPress site. It is especially useful if you frequently access your site from a public, possibly infected, computer that might be logging text-based passwords. Download WP Graphic Admin Password for free from


The plugin was removed from the repository due security violations but will be back in the WordPress repository after it passes a second review. We’ll update this post when it’s fixed and re-approved.


44 responses to “Protect Against Brute Force Attacks By Adding a Graphic Password to Your WordPress Admin Account”

  1. Wow. This looks like a slick plugin and a great method for adding an extra layer of security.

    At first read I was a bit thrown by the need for something like this as I would assume most WordPress Admins always have their phones available for two-factor authorization, but then I remembered the dangers of assuming;)

    As WordPress continues to gain popularity around the world and keeps making it’s way to less experienced bloggers and publishers who may not be fortunate enough to even own a mobile phone, this seems like a great option.

  2. This plugin has been removed from the plugin directory due to security issues and the fact the plugin was harvesting personal information and phoning home with it.

    As a suggestion, I would quite like to see WP Tavern slow down a little bit with reviews of brand new plugins, so they get a chance to be reviewed by other developers for potential problems like this. This plugin was released only hours before this article was written, the author has no previous plugins in the directory, and the code was a complete mess. If WP Tavern had waited 24 hours before writing a review, then this situation wouldn’t have arisen.

    • Thanks for your advice. I tested the plugin and thought it was very useful, but I guess it had code in it that phoned home, unfortunately. I think I assumed that since it had passed the plugin review process that the code wouldn’t be “a complete mess” as you say. In the future we’ll do better at waiting on newer plugins. Thanks, John, for your suggestion and for reading!

      • In general, assuming it’s fine (when brand new) because it passed our code review is completely fine, though due to the sheer number of plugins that get reviewed in the repository every week, this cannot be considered a hard fast rule as it is easy for us to miss items. Also, just because it passes our review does not mean the plugin that is actually released on the repo is “clean”.

        In this particular plugin’s case, the plugin was soft rejected due to the issues and then later approved by someone other than the original reviewer because the issues cited in the soft rejection were fixed. Once approved, the plugin author submitted entirely different code than was reviewed. The only way to police that is to have the plugin get reviewed as it lives in the repo over time.

        • Lesson learned! Sometimes I get too excited about a new plugin without giving it much time to breathe. But in some cases time doesn’t matter if the code was added after the fact. If it wasn’t for the review, perhaps the person who reported the security issue would never have noticed the plugin at all. Hopefully the plugin author will be amenable to the guidelines.

        • @pippin, would it make sense to have plugins be reviewed if the code changes by a certain percent? I can imagine that some folks might also target an old plugin for takeover, hoping that some sites still have it installed. Get permission to update an old plugin and all of the sudden you get 100 sites that are still running it under your control. If an automated process kicked out plugins that changed by a certain % over a certain amount of time it would certainly slow down this sort of thing. It might also make sense to flag plugins that use certain php or WordPress functions to catch code that phones home and the like…

          • It’s a great idea in theory, but it wouldn’t have made any difference in this case because the code that is submitted for review doesn’t actually touch the repo. The first time the developer’s code touches the repo is when they submit their first version. We could theoretically compare version to version, but not review version to first version (automatically at least).

    • Wow… I like that WP Tavern is on top of things and don’t slight Sara or WP Tavern in the least. In a perfect world we would know all before writing about things. But in our world John that just doesn’t happen and things like this do. Great job Sarah… I love your enthusiasm. Don’t let one Debbie-Downer ruin that. This is how things are found out, fixed and made available again. Love the WP Tavern!

      • Yeah, me too on this …

        It’s cool & right that John Blackbourn has the chops & position to spot this issue, and step in to notify the community about it.

        But is the community-design & dynamic therefore outa kilter and needs changing, because somebody pulled a fast on (and not just on the Tav)? Not that I see.

        Mr. Blackbourn made a valuable contribution … but Sarah Gooding and Jeff Chandler are also making valuable contributions, every day.

        That WPTavern is fast on the draw with news & innovations, is part of what their proper role & dynamic is. Sometimes, they will miscue. Now & then, they get sucked … Just as we see the bigger WordPress organization getting bamboozled a little, here & there.

        We want WPTavern to be hot-on-it. And we want John Blackbourn to be watching over our shoulder, clearing his throat when he sees something amiss.

        For my money, the universe is unfolding as it should. We all did good, and we should all just carry as we were.

  3. This looks actually a little on the fun side.

    That is still allowed, isn’t it? Yeah, good. It can be a drag, doing passwords. Anything to lighten-up the drill is a help.

    Here’s hoping that the author can clean up those security-dings, double-scan those Guidlines, and get it back in for re-review, asap.

    • janwoostendorp said;

      Looks fun but I’m curious how long before it gets tedious.

      There’s certainly no shortage of volunteers, anxious to probe that tedium-threshold. ;)

      But verily, yesterday’s cute is sooo yesterday.

      I won’t be surprised, though, if the idea goes a bit viral, with a parade of novel & charming (ok; cute) permutations getting spun off it.

  4. Hi Sarah
    I think that you said the most important thing at the beginning of your post…

    “Experts who specialize in reversing hacked WordPress sites will generally tell you that the most important thing you can do is create a strong password. ”

    A strong password and a long password.

    There are a some good password generators out there so generating a strong long password is easy – a password manager is also essential these days and there are some good free ones.

    For extra protection to my login I use the WordPress Simple Firewall plugin, which allows you to add a GASP type check box to your login and to your comments.

    One thing I’ve never solved is how to hide the author username.
    If you click on the author’s name at the top of a post you are taken to the author’s archive and the author’s username is shown in the URL.

    If I click on your name Sarah I am taken to

    So I’m guessing that your username is sarah.

    Am I missing something on this one?

  5. Keith,
    Thinking that knowing the user id (name) is a security issue is a fallacy. User ids/names are not meant to be secret. You user id on twitter/facebook/linked are all similarly discoverable.

    It does seem like knowing half of the equation would make it twice as easy to break in. But adding one more lowercase letter to your password makes it 26 times harder to crack. If you use a combination of upper/lower case letters, numbers, and special characters in your password (and you do don’t you?), then adding just one more character makes it 95 times harder to crack.

    So stop worrying about user names and add an extra character or two to your password.

    • Thanks for a great reply Mike
      “But adding one more lowercase letter to your password makes it 26 times harder to crack.”

      Makes perfect sense and I do “use a combination of upper/lower case letters, numbers, and special characters”

      I always looked at it from the “It does seem like knowing half of the equation would make it twice as easy to break in” point of view, which made me think that I was doing something wrong.

      Appreciate you taking the time to spell it out.

        • Thanks John

          This section says it all…

          “It has been stated in previous tickets, “leaking” of the username is not deemed a security issue by, as it’s a conscious decision to use the username as the slug in the URL, If you don’t like this default behaviour, there are plugins in the repository which allow you to change the url format to your preferred layout.

          Instead of attempting to provide security by forcing people to guess your username (Which btw, is incredibly easy in most cases, as people are not that inventive) you should be focusing on improving passwords, and/or considering 2 factor authentication (ie. Google Authenticator) if your passwords are known to be insecure/weak.”

          Appreciate the help guys.

      • If you’re really worried about this, use two accounts. One to post articles, etc. with, and one to manage the site. The admin account can have a secure, hidden, username and the public author based one will not have permissions at a high enough level to do a lot of damage to your site. In fact you can even do this and never login as the lower level user at all, just set the author of the post to your secondary user account.

  6. I really think you should update your article. This article is showing in the News section of the wordpress dashboard. People like me are running over here and reading it. Then people like me may be trying to download it. The comments to this article are actually more helpful than the article itself. A huge lesson learned can be gained from reading the comments. ARTICLE SHOULD BE UPDATED TO REFLECT THOSE LESSONS!


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: