Weak passwords are one of the biggest threats that put the security of a WordPress site at risk.
As an internet user, or if you guest author on a WordPress site you have definitely been told to use complex passwords, to use a different password for every website or service you are subscribed to, and to change your passwords every few months. Also, you should always logout from the sessions once ready, not use the remember me setting on websites, and not save your passwords in the web browser, in case your computer gets hacked.
On top of that you have to remember your friends’ birthdays, do the shopping and all the other things in life. So having a different and complex password for every different website or online service sounds like too much, too difficult, doesn’t it? In reality it is not. This article explains what makes a strong password, how to manage passwords and also how to force strong WordPress password security if you are a site admin.
Password Manager for Your WordPress Sites Passwords
A password manager is a software or online service in which you can store all your credentials, so you do not have to remember them. You only need to remember one master password to unlock the database or service and access the saved passwords.
The advantage of using a password manager is that you can use the most complex passwords, and a different one for every service or site you are subscribed to because you do not have to remember them.
There are several different password managers available, all of which have different features. You should choose the one that fits your requirements as long as it uses strong encryption and is secure. Some features to look out for when choosing a password manager are:
- Two-factor authentication support
- Auto fill of web forms
- Actionable password strength report
- Supports secure sharing (e.g. passwords can easily be accessed from both your PC and mobile)
- Configurable Password generator
Tips for Strong WordPress Password Security
Even if you use a password generator to automatically generate your password, it is always good to know what makes a strong WordPress password, so you can avoid using weak passwords.
The Longer The Password, The Better
Many recommend a minimum length of eight characters for a password. To be on the safe side, at least the password should be ten characters. Any password that is made up from 10 to 50 characters is secure.
Spice It Up
Do not use phrases or known words. Also, do not use any words to which you can be associated with, such as names of pets, cities and friends. Just use random text. Use a mix of lowercase and uppercase letters, symbols and numbers.
Keep It Fresh
Even if you use the strongest of passwords, change it every two or three months. And do not use the same password for two or more services.
Example of Strong Passwords
Below are just some examples of some strong passwords. DO NOT USE these passwords for any of your services or WordPress sites.
Tips for WordPress Administrators & Strong Users Passwords
A weak user password can leave your WordPress site exposed to malicious hacker attacks. WordPress does recommend a strong password to users but as seen in the below screenshot they can, and will use an easier password.
So as a WordPress website administrator and owner it is your responsibility to force strong passwords on your WordPress users. You can do so by using the Password Policy Manager for WordPress plugin. This plugin allows you to configure:
- password complexity policies
- password age policy
- password history policy
The plugin is very easy to setup. You can install it and configure the password policies within just a few seconds.
Enable Two-Factor Authentication
There is no bulletproof WordPress security solution. So the more, the merrier! This means that even if you and your users use very strong passwords, if possible you should also enable two-factor authentication on your WordPress website. You can easily implement 2FA on a WordPress site with a plugin, within just a few minutes. Here is a list of the top Two-Factor Authentication plugins for WordPress.
Bonus – Get Notified When Your Password is Breached!
Even if you take all the necessary precautions the unfortunate can still happen and your site or a service you are subscribed to can get hacked. In such case you need to know as soon as possible so you can change your password. The website owner is obliged to advise you when there is a data breach, though this doesn’t always happen.
Therefore you can to subscribe to Have i been pwned, a free service that alerts you if any of your emails and passwords are identified in data breaches.
There are no more excuses to not using strong passwords. All you need is a password manager and as a WordPress site owner you should force strong passwords on your WordPress users.