Ensuring Your Site’s Passwords Stay Secure


When it comes to securing your WordPress site, there are dozens of tasks and best practices to follow. However, one area that many people neglect to consider is the passwords. Today, I am going to give you 6 tips for keeping your site’s passwords secure.

Do not use words in your password

I was working with a user the other day and his password was his name followed by a number. It was something similar to Frank55. When a hacker is using a brute force attack, he or she will usually first go through every word in the dictionary and combine each one with various characters and numbers. This is referred to as a dictionary attack. By using words in your password, you allow the hacker to get into your site after running a quick dictionary attack script.

Do not use short passwords

When hackers are using a brute force attack, they are cycling through every possible password. When you use a 2 character password such as PW, the hacker only has to try roughly 2,500 possibilities, which takes less than a second using a script. When using a 6 character password such as aT4h*q, the hacker has to try roughly 15,625,000,000 possibilities, which takes a few seconds. When creating a password, you should have at least 15 to 20 characters in the password. For example: 3)S’Fb2rVa:?Sc-t@~D&. This creates 9.536743164×10³³ possibilities, which will take much, much longer.

Use multiple types of characters

When creating your password, never use all numbers or all letters. You should always have a variety of lower-case letters, upper-case letters, special characters, and numbers. For example, a strong password could look something like this: W4:5~Bkt9;KL:Rqt. Luckily, there are plugins to help when creating your passwords. The plugin I use on all of my sites and highly recommend is Strong Password Generator. This plugin will add a button to generate a strong password. This button will appear when creating users and when changing passwords.
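The three rules above (no dictionary words, a minimum length, and a mix of character classes) can be enforced in code, and the brute-force arithmetic the post uses can be reproduced. The script below is an added example, not code from the original post or from the Strong Password Generator plugin. It assumes the post's own convention of a 50-symbol alphabet (which is what makes 2 characters come to 2,500 and 6 characters come to 15,625,000,000), a hypothetical guess rate of one billion guesses per second, and a constructed six-word stand-in for a real dictionary; a deployment would load a full word list instead.

```python
import re
import string

# Constructed stand-in for a dictionary (assumption: a real check would load
# a full word list such as /usr/share/dict/words).
COMMON_WORDS = {"frank", "password", "admin", "welcome", "letmein", "wordpress"}

# The post's figures assume a 50-symbol alphabet: 50**2 == 2,500,
# 50**6 == 15,625,000,000, 50**20 == 9.536743164e33. Kept as an assumption.
ALPHABET_SIZE = 50

# Minimum length recommended by the post (15 to 20 characters).
MIN_LENGTH = 15


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of candidates a brute-force search must cover for a given length."""
    return alphabet ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet=ALPHABET_SIZE):
    """Worst-case time to try every candidate at a given guess rate.

    The rate is a hypothetical parameter supplied by the caller, not a
    measurement of any particular cracking setup.
    """
    return keyspace(length, alphabet) / guesses_per_second


def contains_dictionary_word(password, words=COMMON_WORDS):
    """Heuristic dictionary check: strip digits and symbols, then look for a
    word of four or more letters, so 'Frank55' is caught as 'frank' + '55'."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return any(w in core for w in words if len(w) >= 4)


def character_classes(password):
    """Report which of the four character classes the password contains."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_password(password):
    """Apply the post's three rules; returns a list of failures (empty means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    missing = [name for name, present in character_classes(password).items()
               if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    RATE = 1e9  # hypothetical guesses per second
    for length in (2, 6, 20):
        print(f"{length:>2} chars: {keyspace(length):.3e} candidates, "
              f"{seconds_to_exhaust(length, RATE):.3e} s at {RATE:.0e}/s")
    for pw in ("Frank55", "aT4h*q", "W4:5~Bkt9;KL:Rqt", "3)S’Fb2rVa:?Sc-t@~D&"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Running the script prints the candidate counts from the post and shows that Frank55 fails all three rules, aT4h*q fails only on length, and the two long passwords pass. The dictionary check is deliberately loose (substring match on four or more letters) so that a word padded with digits is still flagged; a stricter policy would pair it with a real word list and a list of previously breached passwords.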

[Photo: passwords, by Lulu Hoeller]

Change passwords regularly

If your password is compromised, the hacker will not always use your password immediately. Also, the longer you have the password, the more people/services that you may have given it to. You should have all users change their passwords at least every 3 or 4 months. Fortunately, there are plugins that help with this. I personally use Expire Passwords which allows you to require users to change their passwords after the interval you set. I usually require users to change their passwords every 90 days. This includes all admins and myself as well.

Do not give your password out

I see this one quite a bit. Your password should only be used by you in most cases. The more people that you have using your password, the more chances of it being compromised. Also, the way you give your password to people can also be compromised. Never send your password to someone through email or IM. If you have someone that needs access to your site, such as a developer, always create a temporary developer account for them. Once they are finished, delete the temporary user. Never give them your password.

Use different passwords for each site and service

I see this quite a bit. It may be convenient to have the same password for your website, your bank account, your email account, and your IM account so you don’t have to remember multiple passwords. However, if one gets compromised, the hacker will immediately look for other accounts you have to see if the password works there also. Always use a unique password for every account you have.

Do you have any best practices or tips for password security that you follow? Be sure to comment below!