iThemes Security Pro Feature Spotlight – Password Requirements

Written by Michael Moore on August 24, 2020

Last Updated on November 2, 2021

In the Feature Spotlight posts, we are going to highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.

Today we are shining the spotlight on the Password Requirements feature in iThemes Security Pro, which is a great tool to secure your WordPress login.

In This Article
  • Why We Developed Password Requirements
  • What Are Password Requirements in iThemes Security Pro?
  • How to Use Password Requirements in iThemes Security Pro
  • Wrapping Up

Why We Developed Password Requirements

We know how hard it can be to get people to follow security best practices. A strong password is an essential part of your WordPress login security. Let’s talk about some of the common password pitfalls that can put your website at risk.

1. Weak passwords are still too common.

In a list compiled by Splash Data, the most common password included in all data dumps was 123456. A data dump is a hacked database filled with user passwords dumped somewhere on the internet. Can you imagine how many people on your website are using a weak password if 123456 is the most common password in data dumps?

2. The WordPress login is the most attacked part of your website.

The WordPress login is the most attacked part of a WordPress website, and using a weak password is like trying to lock your front door with a piece of tape. By default, the WordPress login URL is the same for every WordPress site, and it doesn’t require any special permissions to access. That’s why the WordPress login page is the most attacked—and potentially vulnerable—part of any WordPress site.

3. An 8-character password can be cracked INSTANTLY.

It has never taken long for a hacker to brute force their way past a weak password into a website. Now that hackers are leveraging computer graphics cards in their attacks, the time it takes to crack a password has never been lower.

For example, let’s take a look at a chart created by Terahash, a high-performance password-cracking company. Their chart shows the time it takes to crack a password using a hashstack cluster of 448x RTX 2080s.

By default, WordPress uses MD5 to hash user passwords stored in the WP database. So, according to this chart, Terahash could crack an 8 character password … almost instantly. That is not only super impressive but is also really scary.

Note: Learn how two-factor authentication can help secure your WordPress login from this type of attack.

4. Too many people are reusing compromised passwords.

Another thing to keep in mind when it comes to password security is that you need a different strong password for each of your online accounts. If you use the same password for every site and one of those sites is compromised, you are now using a compromised password on every website. Hackers can use data dumps of compromised passwords paired with your email address or username to gain access to your accounts. It’s best not to even take the risk.

Even though 91% of people know reusing passwords is poor practice, 59% of people still reuse their passwords everywhere! Many of these people are still using passwords that they know have appeared in a database dump.

Hackers use a form of brute force attack called a dictionary attack. A dictionary attack is a method of breaking into a WordPress website with commonly used passwords that have appeared in database dumps. The “Collection #1” data breach that was hosted on MEGA included 1,160,253,228 unique combinations of email addresses and passwords. That is billion with a b. A haul like that will really help a dictionary attack narrow down the most commonly used WordPress passwords.

As you can see, having a password policy is an essential part of your WordPress security strategy. However great your password policy is, it isn’t worth anything if your administrators and editors aren’t following the guidelines.

What Are Password Requirements in iThemes Security Pro?

The Password Requirements feature in iThemes Security Pro is not only your password policy, but it is also your enforcement tool. You can force members of a user group to use a strong password, choose a password expiration time, refuse compromised passwords, and force a site-wide password change to make everyone comply with your new strong password policy.

  • Force Strong Passwords – Force a set of users to use a strong password.
  • Password Expiration – Set the maximum number of days a password can be used before it is expired.
  • Refuse Compromised Passwords – Force users to use passwords that have not appeared in any password breaches tracked by Have I Been Pwned.
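As an added illustration (not code from iThemes Security Pro), here is how a Refuse Compromised Passwords check works against Have I Been Pwned’s Pwned Passwords range API: only the first five characters of the password’s SHA-1 hash are sent, and the returned range of hash suffixes is matched locally, so the password itself never leaves the site. The API response below is a constructed sample, and the function names and minimum length are assumptions.

```python
import hashlib

# Constructed sample of what the Pwned Passwords range API returns for the
# SHA-1 prefix "7C4A8": each line is "<35-char hash suffix>:<breach count>".
# The first suffix is the real SHA-1 tail of "123456"; the counts and the other
# two suffixes are made up for this example.
SAMPLE_RANGE_7C4A8 = """\
D09CA3762AF61E59520943DC26494F8941B:23174662
0000BB7D2E7C3F0E1A9D1F6C4B8A2E9D3C1:2
FFFF1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6:17
"""


def split_sha1(password: str) -> "tuple[str, str]":
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix is sent to the API (k-anonymity); the
    35-character suffix stays on our side and is matched against the range.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Count how often the password appears in breaches, given the range text
    fetched for its prefix (hypothetical helper; fetching is not shown here)."""
    _, suffix = split_sha1(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # suffix not in the range: password not seen in tracked breaches


def is_acceptable(password: str, range_response: str, min_length: int = 12) -> bool:
    """Policy check in the spirit of the post: refuse short or compromised passwords."""
    return len(password) >= min_length and breach_count(password, range_response) == 0
```

In a live check the range text would be fetched from the API for the prefix returned by split_sha1; everything else stays the same.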

According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that 81% of hacking-related breaches leveraged either stolen or weak passwords. The iThemes Security Pro Password Requirements will help secure your WordPress login against all the password pitfalls mentioned in this post.

Plus, you get the added bonus of enforcing your password policy with a click of a button. As humans, we are hardwired to take the path of least resistance. By removing the option to use weak or compromised passwords, you are helping everyone protect their accounts.

How to Use Password Requirements in iThemes Security Pro

To get started with your new password policy, navigate to the User Group settings and check the Select multiple User Groups to edit together box.

Now select the User Groups for which you want to enforce a password policy, check all of the boxes in the Password Requirements section, and then click the save button.

One quick note on password expiration: some people in the security community think we should abandon the password expiration policy. They say that if you are using a unique and strong password, no amount of time will make your password weaker.

I would recommend enabling Refuse Compromised Passwords for all the users on your website. It is completely understandable and encouraged to make creating a new customer account as easy as possible. However, your customer may not know that the password they are using has been found in a data dump. You would be doing your customer a great service by alerting them to the fact that the password they are using has been compromised. If they are using that password everywhere, you could save them from some major headaches down the road.

And finally, navigate to the security dashboard and click the Force Password Change button on the User Security Profiles card. Now all of your users will be forced to create a new password that complies with your new password policy the next time they log in.

Wrapping Up

Your WordPress login is the most attacked part of your website, and a strong password is your first line of defense. The Password Requirements feature in iThemes Security Pro makes it easy for you to create and enforce a password policy to secure and protect your WordPress login.
