The Guide to WordPress Password Security

September 24, 2018

Weak passwords are one of the biggest threats that put the security of a WordPress site at risk.

As an internet user, or as a guest author on a WordPress site, you have definitely been told to use complex passwords, to use a different password for every website or service you subscribe to, and to change your passwords every few months. You have also been told to log out of your sessions once you are done, not to use the "remember me" option on websites, and not to save passwords in the web browser, in case your computer gets hacked.

On top of that you have to remember your friends' birthdays, do the shopping and everything else in life. So having a different, complex password for every website or online service sounds like too much, too difficult, doesn't it? In reality it is not. This article explains what makes a strong password, how to manage passwords and how to enforce strong WordPress password security if you are a site administrator.

Password Manager for Your WordPress Sites' Passwords

A password manager is a software application or online service in which you store all your credentials so you do not have to remember them. You only need to remember one master password to unlock the database or service and access the saved passwords.

The advantage of using a password manager is that you can use the most complex passwords, and a different one for every service or site you subscribe to, because you do not have to remember any of them.

There are several different password managers available, all of which have different features. You should choose the one that fits your requirements as long as it uses strong encryption and is secure. Some features to look out for when choosing a password manager are:

  • Two-factor authentication support
  • Auto fill of web forms
  • Actionable password strength report
  • Secure sharing and synchronisation (e.g. passwords can easily be accessed from both your PC and mobile)
  • Configurable password generator

At WP White Security we use KeePass, a free desktop application, and also 1Password, a premium online password manager service.

Tips for Strong WordPress Password Security

Even if you use a password generator to create your passwords automatically, it is always good to know what makes a strong WordPress password, so you can recognise and avoid weak ones.

The Longer The Password, The Better

Many recommend a minimum length of eight characters for a password. To be on the safe side, the password should be at least ten characters. Any password made up of 10 to 50 characters is secure.

Spice It Up

Do not use phrases or known words. Also, do not use any words that can be associated with you, such as the names of pets, cities and friends. Just use random text, with a mix of lowercase and uppercase letters, symbols and numbers.

Keep It Fresh

Even if you use the strongest of passwords, change it every two or three months. And never use the same password for two or more services.

Example of Strong Passwords

Below are some examples of strong passwords. DO NOT USE these passwords for any of your services or WordPress sites.


Tips for WordPress Administrators & Strong User Passwords

A weak user password can leave your WordPress site exposed to malicious hacker attacks. WordPress does recommend strong passwords to users, but as seen in the screenshot below, they can, and will, use a weaker password.

(Screenshot: WordPress asking the user to confirm the use of a weak password)

So as a WordPress website administrator and owner it is your responsibility to enforce strong passwords for your WordPress users. You can do so with the Password Policy Manager for WordPress plugin. This plugin allows you to configure:

  • password complexity policies
  • password age policy
  • password history policy

The plugin is very easy to set up. You can install it and configure the password policies within just a few seconds.
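To show what a policy like the complexity and history rules above actually does under the hood, here is an added example written for this article; it is not code from the Password Policy Manager plugin or from WP White Security. It is a must-use plugin that rejects passwords shorter than ten characters, passwords missing any of the four character classes, and passwords containing the user's own username, name or e-mail address (the "Spice It Up" tip above), both on profile updates and on password resets, and it keeps the last few password hashes in user meta so an old password cannot be reused. The plugin name, the `epp_` function prefix, the meta key and the history size of 5 are assumptions; the WordPress hooks and functions used (`user_profile_update_errors`, `validate_password_reset`, `profile_update`, `after_password_reset`, `wp_check_password`, `wp_hash_password`) are real core APIs. A password-age policy is not shown.

```php
<?php
/**
 * Plugin Name: Example Password Policy (illustration for this article)
 * Description: Minimum length, character-class mix, no personal words, and a
 *              password history. Hypothetical example, not a published plugin.
 * Install:     copy into wp-content/mu-plugins/ to load it as a must-use plugin.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

const EPP_MIN_LENGTH   = 10;                      // the article's "at least ten characters"
const EPP_HISTORY_SIZE = 5;                       // previous hashes kept per user (assumed value)
const EPP_META_KEY     = '_epp_password_history'; // user meta key (assumed name)

/** Return the list of rules $password breaks; an empty array means it passes. */
function epp_policy_violations( $password, array $personal = array() ) {
	$violations = array();

	if ( strlen( $password ) < EPP_MIN_LENGTH ) {
		$violations[] = sprintf( 'Password must be at least %d characters long.', EPP_MIN_LENGTH );
	}

	// Require a mix of lowercase, uppercase, numbers and symbols.
	$classes = array(
		'a lowercase letter'  => '/[a-z]/',
		'an uppercase letter' => '/[A-Z]/',
		'a number'            => '/[0-9]/',
		'a symbol'            => '/[^A-Za-z0-9]/',
	);
	foreach ( $classes as $label => $pattern ) {
		if ( ! preg_match( $pattern, $password ) ) {
			$violations[] = "Password must contain $label.";
		}
	}

	// Reject passwords built from words associated with the user (case-insensitive).
	foreach ( $personal as $word ) {
		$word = trim( (string) $word );
		if ( strlen( $word ) >= 3 && false !== stripos( $password, $word ) ) {
			$violations[] = 'Password must not contain your username, name or e-mail address.';
			break;
		}
	}
	return $violations;
}

/** Words from the user's own profile that must not appear in the password. */
function epp_personal_words( $user ) {
	$words = array();
	foreach ( array( 'user_login', 'first_name', 'last_name', 'display_name', 'nickname' ) as $field ) {
		if ( ! empty( $user->$field ) ) {
			$words = array_merge( $words, preg_split( '/\s+/', $user->$field ) );
		}
	}
	if ( ! empty( $user->user_email ) ) {
		$words[] = strstr( $user->user_email, '@', true ); // local part of the e-mail address
	}
	return array_filter( array_unique( $words ) );
}

/** True if $password matches any hash in the user's stored history (current password included). */
function epp_reused( $user_id, $password ) {
	foreach ( array_filter( (array) get_user_meta( $user_id, EPP_META_KEY, true ) ) as $old_hash ) {
		if ( wp_check_password( $password, $old_hash ) ) {
			return true;
		}
	}
	return false;
}

/** Push a new hash onto the user's history and trim it to EPP_HISTORY_SIZE. Only hashes are stored. */
function epp_record_hash( $user_id, $hash ) {
	$history = array_filter( (array) get_user_meta( $user_id, EPP_META_KEY, true ) );
	array_unshift( $history, $hash );
	update_user_meta( $user_id, EPP_META_KEY, array_slice( $history, 0, EPP_HISTORY_SIZE ) );
}

/** Shared check: add one WP_Error entry per violation. */
function epp_validate( WP_Error $errors, $password, $user, $user_id ) {
	foreach ( epp_policy_violations( $password, epp_personal_words( $user ) ) as $msg ) {
		$errors->add( 'epp_policy', '<strong>Error</strong>: ' . esc_html( $msg ) );
	}
	if ( $user_id && epp_reused( $user_id, $password ) ) {
		$errors->add( 'epp_history', '<strong>Error</strong>: You have used this password before. Choose a new one.' );
	}
}

// Profile / user edit screen: $user is a stdClass whose user_pass holds the new plaintext (if changed).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( ! empty( $user->user_pass ) ) {
		epp_validate( $errors, $user->user_pass, $user, $update && ! empty( $user->ID ) ? (int) $user->ID : 0 );
	}
}, 10, 3 );

// Password reset form (wp-login.php): the new password arrives as $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( $user instanceof WP_User && ! empty( $_POST['pass1'] ) ) {
		epp_validate( $errors, wp_unslash( $_POST['pass1'] ), $user, $user->ID );
	}
}, 10, 2 );

// Record the new hash whenever a password actually changes.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
	$updated = get_userdata( $user_id );
	if ( $updated && $updated->user_pass !== $old_user_data->user_pass ) {
		epp_record_hash( $user_id, $updated->user_pass );
	}
}, 10, 2 );
add_action( 'after_password_reset', function ( $user, $new_pass ) {
	epp_record_hash( $user->ID, wp_hash_password( $new_pass ) );
}, 10, 2 );
```

Only password hashes ever reach the history in user meta, and reuse is tested with wp_check_password rather than by comparing hashes directly, so the check keeps working after WordPress changes its hashing scheme. A real deployment would also cover `registration_errors` for self-registered users and the REST API user endpoints, which this example leaves out.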

Enable Two-Factor Authentication

There is no bulletproof WordPress security solution, so the more layers, the merrier! This means that even if you and your users use very strong passwords, you should also enable two-factor authentication on your WordPress website wherever possible. You can easily implement 2FA on a WordPress site with a plugin, within just a few minutes. Here is a list of the top two-factor authentication plugins for WordPress.

Bonus – Get Notified When Your Password is Breached!

Even if you take all the necessary precautions the unfortunate can still happen, and your site or a service you subscribe to can get hacked. In such a case you need to know as soon as possible so you can change your password. The website owner is obliged to advise you when there is a data breach, though this does not always happen.

Therefore you should subscribe to Have I Been Pwned, a free service that alerts you if any of your email addresses and passwords are identified in data breaches.

There are no more excuses for not using strong passwords. All you need is a password manager, and as a WordPress site owner you should enforce strong passwords for your WordPress users.
