A Complete Guide to WordPress Password Security
I know I talk a lot about how it’s your responsibility to ensure that your WordPress websites are secure. (Because it is.) That said, there are instances where you have very little control over the vulnerabilities that other users introduce to the site. Specifically, I’m referring to users who don’t abide by smart and safe password practices.
To be fair, think about how many names, numbers, birthdays, addresses, facts, workflows, and so on that you have to keep track of on a daily basis. Then think about how many applications you log in and out of as well. The last thing you or anyone else wants to do is to have to memorize a unique and complicated password for each one of them.
But passwords are there for a reason. You can’t skimp on securing a website (or, if you’re a user, your private information) simply because you don’t want to generate a better password than the one you created for Gmail five years ago. Same goes for all your users.
So, let’s talk about WordPress passwords and why they play such an important role in fortifying your WordPress site’s security.
The History of Passwords and WordPress
WordPress has always suggested that developers take responsibility for ensuring that strong passwords are used by everyone who has access to their site. Additionally, in an effort to abide by the OWASP 10, WordPress has enacted a number of security measures over the years to better protect users from faulty password practices. Specifically:
In the 3.7 update, WordPress added a password strength indicator during account setup and password resets. This was meant to give users a nudge towards creating stronger passwords.
With the 4.0 release in 2014, WordPress began destroying all existing sessions the moment a user logged out of the CMS.
WordPress also added an auto-populate feature that will encourage users to create strong passwords with WordPress’s suggestion.
As of now, WordPress has enabled the following password fortification features:
- WordPress manages all user login information and authentication cookies server-side.
- The core software provides additional protection for passwords through salting and stretching techniques.
- There is also a WordPress permission system which restricts who has access to private user information, including email addresses for users who leave comments as well as content that’s been published but marked as “private”.
Why does WordPress even bother with this? Well, it’s because a weak password can open websites up to many risks. The WordPress security team might not be able to fully automate updates to the core or require that everyone use security and backup plugins, but they sure as heck can do everything they can to require smarter decisions during signup and login.
The Right Way to Use Passwords with WordPress
When Wordfence monitored websites for a 16-hour time frame in 2016, this is what they found:
“During this time we saw a total of 6,611,909 attacks targeting 72,532 individual websites. We saw attacks during this time from 8,941 unique IP addresses and the average number of attacks per victim website was 6.26.”
Without extra security measures in place, all it would take is for one particularly weak user password to succumb to this type of brute force attack. And then where would that leave you? Your site, your users, and any visitor that arrived at your site could potentially be exposed to this vulnerability.
So, let’s not allow that to happen. Here are 8 things you can do to enforce the creation of stronger passwords on your WordPress site:
1. Listen to WordPress
This suggestion is a little oversimplified, but you get the point: create a complicated password.
2. Go Long
WordPress recommends a password be more than six characters in length. However, if you want to ensure that passwords be as un-crackable as possible, require something longer. 10 to 50 characters should do.
3. Mix It Up
You might think that a long string of numbers or a lengthy phrase will suffice. Nope. It’s best to require a mix of uppercase letters, lowercase letters, numbers, and symbols in the creation of passwords for your site.
4. Reject the Old
While many users might feel like it’s okay to revert back to a password from two or three resets ago, you’ll want to shut that down by preventing the usage of any former password.
5. Require Frequent Updates
If you’ve employed each of the above rules in the password generation process on your site, that’s great. However, allowing a password–no matter how strong it may be–to sit and fester on your server is like leaving a website’s design to stagnate: just plain bad news. This is why you should require all users to update their password frequently (say, every few months).
6. Add Two-Factor Authentication
Even with the strongest passwords in place and security best practices holding users’ accountable for keeping those passwords safe, that doesn’t make them totally impervious to a hack. To provide extra protection against this scenario, you should use two-factor authentication. Basically, it requires users to activate a second device or app (like Google Authenticator) that they will then have to use to confirm their identity before they’re allowed to log into WordPress.
Wondering how you can add two-factor authentication to your site? The Defender security plugin includes this feature, among other login security enhancements.
7. Use a Security Plugin
Many WordPress security plugins won’t just monitor your site and provide patches for detected vulnerabilities. You can use these plugins to limit the number of failed login attempts as a stop-gap for brute force attacks (again, the Defender plugin will help with this).
Some premium security plugins will also enable you to audit your users’ passwords in one fell swoop. If you haven’t been too rigid about enforcing password security until now, this power could definitely come in handy. Wordfence has equipped its plugin with this functionality if you’re interested.
8. Get a Password Manager
As WordPress suggests in its password guide, “The best way to create a strong password is to use a password manager to generate a long, random selection of letters, numbers, and symbols.”
While WordPress has made great strides in securing the login and encouraging password generation best practices, there’s no auto-save or populate functionality here–which is part of the reason we’re discussing this. It’s not that WordPress users can’t come up with long, complicated passwords on their own. The problem is the memorization (and convenience) aspect.
These tools work in a number of capacities:
- They serve as a master username and password storage, so you only have to look in one place for login information for all sites and apps.
- They also collect and secure other sensitive details you input online frequently, like credit card information.
- Password managers can help users generate completely new–and strong–passwords, too.
- When activated, a password manager will auto-populate your login details for saved sites. This becomes extra convenient if, say, you manage multiple user accounts on the same site.
While you can’t require that everyone who enters your site use a password manager, this is something you can add to your own workflow and something you can encourage all your team members to do as well.
Ensuring that your WordPress website is safe from a security breach is difficult, to say the least. There are so many different ways in which hackers can break their way in, which is why it would be silly to allow something as simple as a password to go unchecked.
By now, everyone knows that a stronger password leads to a safer online experience. It’s just not always the preferred choice as it often leads to greater inconvenience in having to generate a complicated password and remember a unique one for every new site visited. By giving your users the tools needed to better secure your passwords, you can empower them to help you secure the WordPress login more easily.