Today is World Password Day and we wanted to share some resources you can use to review your password security. World Password Day reminds us of the importance of having a solid password strategy for all your online accounts. These resources apply to password security in general but also specifically for WordPress websites.
Here’s a quick WordPress password quiz:
1. Have you used the password again someplace else, for a separate account?
2. Are you using “admin” as your WordPress username?
3. Is your password a dictionary word?
4. Have you shared your password with anyone else?
5. Does your password have fewer than 12 characters?
6. Does your password include numbers, symbols and both upper & lower case letters?
7. Are you using two-factor authentication for your WordPress login?
Don’t Use These Common Passwords!
Here’s a list of the most commonly used passwords. Do you recognize any of them?
1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321
11. qwertyuiop
12. mynoob
13. 123321
14. 666666
15. 18atcskd2w
16. 7777777
17. 1q2w3e4r
18. 654321
19. 555555
20. 3rjs1la7qe
21. google
22. 1q2w3e4r5t
23. 123qwe
24. zxcvbnm
25. 1q2w3e
WordPress Password Tips
At a minimum, your WordPress admin password should meet the following requirements.
- Include numbers, capitals and special characters (@, #, *, etc.)
- Be long (12 characters minimum; 50 characters ideal)
- May include spaces and be a passphrase (just don’t use the same password in multiple places)
- Be changed every 90 days (3 months)
How to Increase Your Password Security: 9 Tips
Here are a few things you can do today to protect yourself and your WordPress website by strengthening your password.
1. Start Using a Password Manager
We’ll start here, with password managers, because the biggest complaint we hear about adopting password security is how inconvenient it can be to keep track of so many strong passwords. We understand. And that’s where password managers come into the picture.
A password manager allows you to generate a strong, complex password for all your website logins, and then securely stores your login information. You can then install the browser extension for the password manager so you can easily autofill your login information.
By using a password manager, adopting the rest of these password security best practices becomes a lot easier.
With password managers, you only need to remember one password—your master password. Here’s more on why you should use a password manager.
Tips For Using LastPass
One of the most important things you can do for web security is to have a strong, unique password for every site you use. LastPass can make that a reality. In this webinar, Nathan will walk through the features of this free password manager and demonstrate the benefits of its use.
2. Don’t Use the Same Password More Than Once, Ever
As an online security best practice, you need a long, complex and unique password for every web account you use. If you log into multiple websites with the same email address and password, what happens when one of those websites gets hacked? Your email address and password are now on a list that will be used to try to log into other websites around the internet. If that same combination unlocks all your accounts, the attacker can log into all of them at once.
Once your password has been compromised, you now have the challenge of updating your information individually on every single website that has the same login information. Do you even remember them all? If you use the same email and password again on each one, you’re probably going to have to repeat this process again in the future.
3. Don’t Use the WordPress ‘Admin’ Username
“Admin” used to be the default username for WordPress, so loads of people had the same username. If you’ve had WordPress for a while, you could still be using admin as a username. That’s a WordPress security no-no. One simple way to combat vulnerable logins is to not use default usernames.
So if you’re still using “admin” as your username, change it now! Newer versions of WordPress don’t allow it and the iThemes Security plugin can change it for you.
4. Require/Enforce Strong WordPress Passwords for Privileged Users
If you have a website with multiple admin-level users, you should, at a minimum, require those users to have strong passwords too. You may have a strong password, but if someone else doesn’t, your website is still at risk. That’s why it’s a good idea to enforce strong passwords for all users as part of your WordPress password security efforts.
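One way to enforce that policy in code, as an added example that is not from the original post or the iThemes plugin: a small must-use plugin that hooks WordPress core’s `user_profile_update_errors` action and rejects weak passwords for privileged roles. The role set, the 12-character floor and the `wpd_` names are assumptions; the deny-list is the common-password list quoted above.

```php
<?php
// Added example (not from the post or the iThemes plugin): enforce a
// password policy for privileged WordPress users via core hooks.
// Install as a must-use plugin; role set and rules are assumed values.

// Constructed deny-list: the common passwords quoted in the post.
const WPD_COMMON_PASSWORDS = [
    '123456', '123456789', 'qwerty', '12345678', '111111', '1234567890',
    '1234567', 'password', '123123', '987654321', 'qwertyuiop', 'mynoob',
    '123321', '666666', '18atcskd2w', '7777777', '1q2w3e4r', '654321',
    '555555', '3rjs1la7qe', 'google', '1q2w3e4r5t', '123qwe', 'zxcvbnm', '1q2w3e',
];
// Roles that must meet the stricter policy (assumed; adjust to taste).
const WPD_PRIVILEGED_ROLES = ['administrator', 'editor'];

// Return policy violations for $password; an empty array means it passes.
// Pure function, so it can be unit-tested without a WordPress install.
function wpd_password_violations(string $password, string $username): array {
    $problems = [];
    if (mb_strlen($password, 'UTF-8') < 12) {          // the post's minimum length
        $problems[] = 'Password must be at least 12 characters.';
    }
    if (in_array(strtolower($password), WPD_COMMON_PASSWORDS, true)) {
        $problems[] = 'Password is on the common-password list.';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $problems[] = 'Password must not contain the username.';
    }
    return $problems;
}

// Fires when wp-admin saves a profile or creates a user (edit_user()).
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user) {
    if (empty($user->user_pass)) {
        return; // this request does not change the password
    }
    // Role comes from the form when present, otherwise from the stored user.
    $roles = !empty($user->role) ? [$user->role] : [];
    if ($update && empty($roles) && !empty($user->ID)) {
        $stored = get_userdata((int) $user->ID);
        $roles  = $stored ? $stored->roles : [];
    }
    if (!array_intersect($roles, WPD_PRIVILEGED_ROLES)) {
        return; // policy applies to privileged users only
    }
    foreach (wpd_password_violations($user->user_pass, (string) ($user->user_login ?? '')) as $i => $msg) {
        $errors->add('wpd_weak_password_' . $i, '<strong>Error:</strong> ' . esc_html($msg));
    }
}, 10, 3);
```

Because the check runs inside WordPress’s own profile validation, the save is refused and the messages appear on the user-edit screen like any other core error.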
5. Make it Easy to Generate Strong Passwords
Don’t try to come up with long, unique and complex passwords on your own. Take advantage of password generators to do the job for you. Either use your password manager to generate a strong password or the iThemes Security plugin.
6. Change your Passwords Frequently
If you haven’t changed your password in the last 4 months, change it now. Set yourself a reminder to change your password every 120 days.
7. Protect Your WordPress Website from Brute Force Attacks
A brute force attack is a trial-and-error method of discovering username and password combinations in order to break into a website. It exploits the simplest way of gaining access to a site: guessing usernames and passwords, over and over again, until one works.
So it’s a good idea to limit the number of failed login attempts allowed per user with WordPress brute force protection. If someone is trying to guess your password, they’ll get locked out after a few attempts.
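The lockout described above, as an added example that is not from the original post or the iThemes plugin: a must-use plugin that counts failures per username and client IP with the transients API and refuses authentication once the threshold is reached. The threshold, window and `wpd_` names are assumptions.

```php
<?php
// Added example (not from the post or the iThemes plugin): lock out a
// WordPress login after repeated failures, keyed on username + client IP.
// Core hooks and the transients API; thresholds are assumed values.

const WPD_MAX_ATTEMPTS = 5;        // failures allowed before lockout
const WPD_LOCKOUT_SECS = 15 * 60;  // counting window and lockout length

// Transient key for one username/IP pair; hashed so odd input cannot break it.
function wpd_lockout_key(string $username, string $ip): string {
    return 'wpd_fail_' . md5(strtolower($username) . '|' . $ip);
}

// Client address as PHP sees it. Do not read X-Forwarded-For unless a proxy
// you control sets it, or clients can choose the key they are counted under.
function wpd_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Count a failure; each write restarts the window, so hammering extends the lockout.
add_action('wp_login_failed', function (string $username) {
    $ip    = wpd_client_ip();
    $key   = wpd_lockout_key($username, $ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, WPD_LOCKOUT_SECS);
    if ($count >= WPD_MAX_ATTEMPTS) {   // detection: one log line per locked attempt
        error_log(sprintf('wpd lockout user=%s ip=%s failures=%d', $username, $ip, $count));
    }
});

// Priority 30 runs after core's password check (20), so a correct password
// is refused too while the lockout is active.
add_filter('authenticate', function ($user, string $username) {
    if ($username === '') {
        return $user;
    }
    $count = (int) get_transient(wpd_lockout_key($username, wpd_client_ip()));
    if ($count >= WPD_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', WPD_LOCKOUT_SECS / 60));
    }
    return $user;
}, 30, 2);

// A successful login clears the counter for that username/IP pair.
add_action('wp_login', function (string $user_login) {
    delete_transient(wpd_lockout_key($user_login, wpd_client_ip()));
});
```

The `error_log` line gives you something to alert on: a burst of lockouts for many usernames from one address is the pattern a brute force campaign leaves behind.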
Download the Ebook: A Guide to WordPress Brute Force Attacks
What are WordPress brute force attacks and why should you care? In this ebook, we explain how brute force attacks work and why WordPress sites are at risk. We also offer tips on how to protect your website.
In this ebook, you’ll learn:
- What are WordPress brute force attacks?
- How do brute force attacks work?
- Are you inviting brute force attacks?
- Why WordPress sites are at risk
- 5 ways to prevent WordPress brute force attacks
- Tips to protect your site for users, admins and developers
- How a WordPress security plugin can help
8. Enable WordPress Two-Factor Authentication
We’ve saved this tip for last, but it’s probably the most important. Two-factor authentication, also known as two-step verification, is one of the best ways to protect your login. WordPress two-factor authentication adds an extra layer of WordPress security to verify that it’s actually you logging in and not someone who gained access to (or even guessed) your password.
With two-factor authentication, users are required to enter both a password AND a secondary code sent to a secondary device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.
9. Make WordPress Security Easy With Passwordless Logins
In reality, passwords are soon to be a relic of the past, which is why all of the major tech companies are trying to kill passwords. That’s where Passwordless Logins come in: a new way to simplify the login process with extra security. Now you can add Passwordless Logins to your WordPress site with the iThemes Security Pro plugin.
Learn more about how to get started with passwordless login for your WordPress website.
In this ebook, you’ll learn:
- The passwordless future
- Different methods of passwordless login
- Adding passwordless login to your WordPress website
- How the passwordless login method works
Wrapping Up: World Password Day
A strong password is your first step in securing your WordPress website and World Password Day is a great time to review your passwords.
Get iThemes Security Pro, our WordPress security plugin, with 30+ ways to secure and protect your WordPress website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.