In honor of World Password Day, we thought we’d check in on your WordPress password strength. Your WordPress security is only as good as your WordPress password security, so if you have a simple password, you have a simple website to hack.
Here’s a quick WordPress password quiz:
1. Have you used the password again someplace else, for a separate account?
2. Are you using “admin” as your WordPress username?
3. Is your password a dictionary word?
4. Have you shared your password with anyone else?
5. Does your password have fewer than 12 characters?
6. Does your password include numbers, symbols and both upper & lower case letters?
7. Are you using two-factor authentication for your WordPress login?
Don’t Use These Common Passwords
Here’s Keeper Security’s list of the most common passwords. Do you recognize any of them?
| 1. 123456 | 10. 987654321 | 19. 555555 |
| 2. 123456789 | 11. qwertyuiop | 20. 3rjs1la7qe |
| 3. qwerty | 12. mynoob | 21. google |
| 4. 12345678 | 13. 123321 | 22. 1q2w3e4r5t |
| 5. 111111 | 14. 666666 | 23. 123qwe |
| 6. 1234567890 | 15. 18atcskd2w | 24. zxcvbnm |
| 7. 1234567 | 16. 7777777 | 25. 1q2w3e |
| 8. password | 17. 1q2w3e4r | |
| 9. 123123 | 18. 654321 | |
WordPress Password Tips
Your WordPress password should meet the following requirements:
- Include numbers, capitals, and special characters (@, #, *, etc.)
- Be long (12 characters minimum; 50 characters ideal)
- Optionally include spaces and be a passphrase (just don’t use the same password in multiple places)
- Be changed every 120 days, or 4 months
Here are a few more things you can do today to protect yourself and your WordPress website by strengthening your password.
1. Start Using a Password Manager
We’ll start here, with password managers, because the biggest complaint we hear about adopting password security is the inconvenience. We understand—and that’s where password managers come into the picture.
We’re big advocates of using a password manager like LastPass or 1Password. A password manager allows you to generate a strong, complex password for all your website logins, and then securely stores your login information. You can then install the browser extension for the password manager so you can easily autofill your login information. By using a password manager, adopting the rest of these password security best practices becomes a lot easier.
With password managers, you only need to remember one password—your master password. Here’s more on why you should use a password manager.
2. Don’t Use the Same Password More Than Once, Ever
As an online security best practice, you need to have a long, complex and unique password for every web account you use. If you use the same email address and password for multiple websites that you log into, what happens when one of those websites gets hacked? Your email address and password are now on a list that will be used to try to log into other websites around the internet. If you use the same email address and password for all your websites, the hacker will now be able to log into all your accounts at once.
Once your password has been compromised, you now have the challenge of updating your information individually on every single website that has the same login information. Do you even remember them all? If you use the same email and password again on each one, you’re probably going to have to repeat this process again in the future.
3. Don’t Use the WordPress Admin Username
“Admin” used to be the default username for WordPress, so loads of people had the same username. If you’ve had WordPress for a while, you could still be using admin as a username. That’s a WordPress security no-no. One simple way to combat vulnerable logins is to not use default usernames.
So if you’re still using “admin” as your username, change it now! Newer versions of WordPress don’t allow it and the iThemes Security plugin can change it for you.
4. Require/Enforce Strong WordPress Passwords
If you have a website with multiple admin-level users, at a minimum, you should require those users to have strong passwords as well. While you may have a strong password, if someone else doesn’t, your website is still at risk. That’s why it’s a good idea to enforce strong passwords for all users in your WordPress password security efforts.
5. Generate Strong WordPress Passwords
Don’t try to come up with long, unique and complex passwords on your own. Take advantage of password generators to do the job for you. Use either your password manager or the iThemes Security plugin to generate a strong password.
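As an added illustration of tips 4 and 5 (this is not code from WordPress or the iThemes Security plugin), the sketch below checks a username and password against the requirements listed on this page and generates passwords that satisfy the same check. The function names, the symbol set in `ALPHABET` and the 20-character default are assumptions made for the example.

```python
import secrets
import string

MIN_LENGTH = 12  # minimum length stated on this page
# A few entries from the common-password list quoted on this page.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "12345678", "111111",
                    "password", "qwertyuiop", "1q2w3e4r5t", "zxcvbnm", "google"}
# Character classes the page asks for; spaces are allowed but not counted.
REQUIRED_CLASSES = {
    "a lowercase letter": str.islower,
    "an uppercase letter": str.isupper,
    "a number": str.isdigit,
    "a special character": lambda c: not c.isalnum() and not c.isspace(),
}
# Assumed symbol set for generated passwords (hypothetical choice).
ALPHABET = string.ascii_letters + string.digits + "@#*!%&-_+="


def audit_credentials(username, password):
    """Return a list of policy violations; an empty list means the pair passes."""
    problems = []
    if username.strip().lower() == "admin":
        problems.append("username is the default 'admin'")
    if len(password) < MIN_LENGTH:
        problems.append(f"password has fewer than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    for label, matches in REQUIRED_CLASSES.items():
        if not any(matches(c) for c in password):
            problems.append(f"password lacks {label}")
    return problems


def generate_password(length=20):
    """Draw from a CSPRNG until the candidate satisfies the same policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_credentials("", candidate):
            return candidate
```

Running the audit when a user sets or changes a password, and rejecting the change while the list is non-empty, applies the same rule to every account instead of relying on each user's judgment.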
6. Change Your Passwords Frequently
If you haven’t changed your password in the last 4 months, change it now. Set yourself a reminder to change your password every 120 days.
7. Protect Your Website from Brute Force Attacks
Brute force attacks refer to a trial and error method used to discover username and password combinations in order to hack into a website. The brute force attack method exploits the simplest form of gaining access to a site: by trying to guess usernames and passwords, over and over again, until they’re successful.
So it’s a good idea to limit the number of failed login attempts allowed per user with WordPress brute force protection. If someone is trying to guess your password, they’ll get locked out after a few attempts.
8. Enable WordPress Two-Factor Authentication
We’ve saved this tip for last, but it’s probably the most important. Two-factor authentication, also known as two-step verification, is one of the best ways to protect your login. WordPress two-factor authentication adds an extra layer of WordPress security to verify it’s actually you logging in and not someone who gained access to (or even guessed) your password.
With two-factor authentication, users are required to enter both a password AND a secondary code sent to a secondary device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.
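A server-side sketch of the second step, added here as an illustration and not taken from any WordPress two-factor plugin: it issues a short-lived, single-use code and accepts a login only when both the password and the code check out. Delivery of the code to the second device is out of scope, and the class name, 6-digit format, 5-minute lifetime and 3-try limit are assumptions.

```python
import hmac
import secrets
import time


class OneTimeCodes:
    """Issue and verify short-lived, single-use login codes (kept in memory)."""

    def __init__(self, ttl=300, max_tries=3, clock=time.monotonic):
        self.ttl, self.max_tries, self.clock = ttl, max_tries, clock
        self._pending = {}  # username -> [code, expires_at, tries_left]

    def issue(self, username):
        """Create a random 6-digit code to deliver to the user's second device."""
        code = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new code replaces any older code for the same user.
        self._pending[username] = [code, self.clock() + self.ttl, self.max_tries]
        return code

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self.clock() > expires_at:
            del self._pending[username]       # expired codes are discarded
            return False
        entry[2] -= 1                         # every submission uses up a try
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]       # single use: cannot be replayed
            return True
        if entry[2] <= 0:
            del self._pending[username]       # too many wrong guesses
        return False


def second_factor_login(codes, password_ok, username, submitted_code):
    """Both factors are required; the code is only checked after the password."""
    if not password_ok:
        return False
    return codes.verify(username, submitted_code)
```

The try limit matters because a 6-digit code has only one million possible values; without it the code itself could be guessed by trial and error.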
How’s Your WordPress Password Strength Now?
We hope this WordPress password quiz and the tips we’ve included in this post have helped you evaluate your current password security and take some steps to improve it. Strong, safe, unique passwords will protect not only your WordPress website, but the rest of your digital life as well.
Kristen has been writing tutorials to help WordPress users since 2011. You can usually find her working on new articles for the iThemes blog or developing resources for #WPprosper. Outside of work, Kristen enjoys journaling (she’s written two books!), hiking and camping, cooking, and daily adventures with her family, hoping to live a more present life.