How’s Your WordPress Password Strength? Take This Quiz

SolidWP Editorial Team
In honor of World Password Day, we thought we’d check in on your WordPress password strength. Your WordPress security is only as good as your WordPress password security, so if you have a simple password, you have a simple website to hack. Here’s a quick WordPress password quiz:
  1. Have you used the password again someplace else, for a separate account?
  2. Are you using “admin” as your WordPress username?
  3. Is your password a dictionary word?
  4. Have you shared your password with anyone else?
  5. Does your password have fewer than 12 characters?
  6. Does your password include numbers, symbols and both upper & lower case letters?
  7. Are you using two-factor authentication for your WordPress login?
If you answered “yes” to any of questions 1 – 5 or “no” to questions 6 – 7, it’s time to review your WordPress password security.

Don’t Use These Common Passwords

Here’s Keeper Security’s list of the most common passwords. Do you recognize any of them?
  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321
  11. qwertyuiop
  12. mynoob
  13. 123321
  14. 666666
  15. 18atcskd2w
  16. 7777777
  17. 1q2w3e4r
  18. 654321
  19. 555555
  20. 3rjs1la7qe
  21. google
  22. 1q2w3e4r5t
  23. 123qwe
  24. zxcvbnm
  25. 1q2w3e

WordPress Password Tips

Your WordPress password should meet the following requirements:
  • Include numbers, capitals and special characters (@, #, *, etc.)
  • Be long (12 characters minimum; 50 characters ideal)
  • It can include spaces and be a passphrase (just don’t use the same password in multiple places)
  • Be changed every 120 days, or 4 months
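The quiz and the requirements above can be turned into a small self-audit. This is an added example, not code from the original post or from any plugin; the function names and the normalization step (lower-casing and dropping trailing digits and symbols before comparing against the common-password list) are assumptions that go slightly beyond the page, and they show why a password can satisfy the length and character rules and still be weak.

```python
import re

# The 25 common passwords listed on this page (Keeper Security's list).
COMMON = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm",
    "1q2w3e",
}
MIN_LENGTH = 12  # the page's minimum
CLASSES = {
    "lower case": r"[a-z]",
    "upper case": r"[A-Z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9\s]",  # spaces are allowed but not counted as symbols
}


def variants(password):
    """Assumed normalization: lower-case, then drop trailing symbols / digits."""
    low = password.lower()
    return {low, re.sub(r"[^a-z0-9]+$", "", low), re.sub(r"[^a-z]+$", "", low)}


def audit(password, username=""):
    """Return the list of quiz findings; an empty list means none applied."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 12 characters")
    missing = [name for name, rx in CLASSES.items() if not re.search(rx, password)]
    if missing:
        findings.append("missing: " + ", ".join(missing))
    if variants(password) & COMMON:
        findings.append("built on a common password")
    if username.lower() == "admin":
        findings.append('username is "admin"')
    return findings


# Constructed sample inputs, not real credentials.
if __name__ == "__main__":
    for pw, user in [("123456", "admin"), ("Qwertyuiop123!", "editor"),
                     ("Violet Kettle 47 #harbor", "editor")]:
        print(repr(pw), user, audit(pw, user) or "no findings")
```

The dictionary-word question from the quiz is not covered, because it needs a word list that is not part of this page.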
Here are a few more things you can do today to protect yourself and your WordPress website by strengthening your password.

1. Start Using a Password Manager

We’ll start here, with password managers, because the biggest complaint we hear about adopting password security is the inconvenience. We understand—and that’s where password managers come into the picture. We’re big advocates of using a password manager like LastPass or 1Password. A password manager allows you to generate a strong, complex password for all your website logins, and then securely stores your login information. You can then install the browser extension for the password manager so you can easily autofill your login information. By using a password manager, adopting the rest of these password security best practices becomes a lot easier. With password managers, you only need to remember one password—your master password. Here’s more on why you should use a password manager.
Tip: Because the master password for your password manager account is so important, don’t forget to enable two-factor authentication for your account!

2. Don’t Use the Same Password More Than Once, Ever

As an online security best practice, you need to have a long, complex and unique password for every web account you use. If you use the same email address and password for multiple websites that you log into, what happens when one of those websites gets hacked? Your email address and password are now on a list that will be used to try to log into other websites around the internet. If you use the same email address and password for all your websites, now the hacker will be able to log into all your accounts at once. Once your password has been compromised, you now have the challenge of updating your information individually on every single website that has the same login information. Do you even remember them all? If you use the same email and password again on each one, you’re probably going to have to repeat this process again in the future.

3. Don’t Use the WordPress Admin Username

“Admin” used to be the default username for WordPress, so loads of people had the same username. If you’ve had WordPress for a while, you could still be using admin as a username. That’s a WordPress security no-no. One simple way to combat vulnerable logins is to not use default usernames. So if you’re still using “admin” as your username, change it now! Newer versions of WordPress don’t allow it and the iThemes Security plugin can change it for you.
Tip: Use the iThemes Security plugin’s tool to change your “admin” username without any headaches.

4. Require/Enforce Strong WordPress Passwords

If you have a website with multiple admin-level users, you should, at a minimum, require those users to have strong passwords too. While you may have a strong password, if someone else doesn’t, your website is still at risk. That’s why it’s a good idea to enforce strong passwords for all users in your WordPress password security efforts.
Tip: Force users to use strong passwords as rated by the WordPress password meter. You can enable this setting using a WordPress security plugin such as the iThemes Security Pro plugin.

5. Generate Strong WordPress Passwords

Don’t try to come up with long, unique and complex passwords on your own. Take advantage of password generators to do the job for you. Use either your password manager or the iThemes Security plugin to generate a strong password.
Tip: After enabling strong password enforcement from the iThemes Security dashboard, visit any user profile page. In the Account Management section, you can generate a strong password with just one click.

6. Change Your Passwords Frequently

If you haven’t changed your password in the last 4 months, change it now. Set yourself a reminder to change your password every 120 days.
Tip: With the iThemes Security Pro plugin, you can enable password expiration for your WordPress website. With this setting, you can force users to change their passwords after a certain number of days.

7. Protect Your Website from Brute Force Attacks

A brute force attack is a trial-and-error method used to discover username and password combinations in order to hack into a website. It exploits the simplest way of gaining access to a site: guessing usernames and passwords, over and over again, until a guess succeeds. So it’s a good idea to limit the number of failed login attempts allowed per user with WordPress brute force protection. If someone is trying to guess your password, they’ll get locked out after a few attempts.
Tip: Enable Brute Force Protection within the iThemes Security plugin to limit the number of login attempts.
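How a failed-login limit behaves, as an added example that is not the iThemes Security plugin's code. The thresholds, class and function names are assumptions (the page only says "a few attempts"), and the sketch counts failures per source address as well as per username, which goes beyond the per-user limit described above.

```python
from collections import defaultdict, deque

# Assumed values; the page only says "a few attempts".
MAX_FAILURES = 5   # failures allowed inside WINDOW
WINDOW = 300       # seconds over which failures are counted
LOCKOUT = 900      # seconds a locked key stays locked


class LoginLimiter:
    """Tracks failed logins per username and per source address."""

    def __init__(self):
        self.failures = defaultdict(deque)  # key -> recent failure times
        self.locked_until = {}              # key -> time the lockout ends

    def is_locked(self, user, ip, now):
        keys = (("user", user), ("ip", ip))
        return any(self.locked_until.get(k, 0) > now for k in keys)

    def record_failure(self, user, ip, now):
        for key in (("user", user), ("ip", ip)):
            recent = self.failures[key]
            recent.append(now)
            while recent[0] <= now - WINDOW:   # forget failures outside the window
                recent.popleft()
            if len(recent) >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT
                recent.clear()


def replay(events):
    """events: (time, user, ip, password_ok). Returns one outcome per attempt."""
    limiter, outcomes = LoginLimiter(), []
    for now, user, ip, password_ok in events:
        if limiter.is_locked(user, ip, now):
            outcomes.append("blocked")  # refused before the password is checked
        elif password_ok:
            outcomes.append("ok")
        else:
            limiter.record_failure(user, ip, now)
            outcomes.append("failed")
    return outcomes


# Constructed events (documentation addresses): five bad guesses, then a correct
# password during the lockout, the owner from another address, and a later login.
SAMPLE = [(t, "editor", "203.0.113.7", False) for t in range(0, 10, 2)] + [
    (10, "editor", "203.0.113.7", True),
    (12, "editor", "198.51.100.20", True),
    (1000, "editor", "198.51.100.20", True),
]
```

In `replay(SAMPLE)` the second "blocked" outcome is the account owner: a per-username lockout also shuts out the legitimate user until it expires, which is worth weighing when choosing the lockout length.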

8. Enable WordPress Two-Factor Authentication

We’ve saved this tip for last, but it’s probably the most important. Two-factor authentication, also known as two-step verification, is one of the best ways to protect your login. WordPress two-factor authentication adds an extra layer of WordPress security to verify it’s actually you logging in and not someone who gained access to (or even guessed) your password. With two-factor authentication, users are required to enter both a password AND a secondary code sent to a secondary device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.
Tip: It’s easy to add two-factor authentication on your WordPress website using a plugin like iThemes Security Pro. Then you can configure your choice of authentication method: mobile apps such as Google Authenticator or Authy, or email.
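Mobile apps such as Google Authenticator produce their codes as time-based one-time passwords (TOTP, RFC 6238). The server-side check looks like this; it is an added example, not code from the original post or from any plugin, and the function names, the one-step clock-drift allowance and the replay check are assumptions. The key is the published RFC test key, not a real secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # code length shown by common authenticator apps


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, now, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(key, int(now) // STEP, digits)


def verify(key, code, now, last_used_step=-1, drift=1):
    """Return the time step the code matches, or None.

    Accepts +/- `drift` steps to tolerate clock skew on the phone, and refuses
    any step at or before `last_used_step` so a code cannot be used twice.
    """
    current = int(now) // STEP
    for step in range(current - drift, current + drift + 1):
        expected = hotp(key, step).encode()
        # Constant-time comparison of the expected and submitted codes.
        if step > last_used_step and hmac.compare_digest(expected, code.encode()):
            return step
    return None


RFC_TEST_KEY = b"12345678901234567890"  # test key from RFC 4226 / RFC 6238

if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59))                     # code for the step covering t=59
    print(verify(RFC_TEST_KEY, "287082", 85))         # accepted one step late
    print(verify(RFC_TEST_KEY, "287082", 85, 1))      # rejected: step already used
```

A caller stores the returned step as `last_used_step` for that user after a successful login.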

How’s Your WordPress Password Strength Now?

We hope this WordPress password quiz and the tips we’ve included in this post have helped you evaluate your current password security and take some steps to improve it. Strong, safe, unique passwords will protect not only your WordPress website, but the rest of your digital life as well.
