WordPress is the most popular CMS, with over 35% share in the market. Such popularity can’t go unseen.
It makes WordPress a popular CMS among hackers.
The first step to login security is WordPress password security.
You cannot expect it to be secure while keeping a weak and easy to guess password.
A planned and researched dictionary attack can guess your WordPress password if you are not taking the threat seriously.
In this article, I will show you how you can tighten up the WordPress security.
WordPress Password Security Requirements
According to security experts and WordPress.org, your WordPress password should meet the following requirements:
- Include numbers, uppercase and lowercase letters, special characters (@, #, *, etc.)
- Be lengthy (10 characters – minimum; 50 characters – ideal)
- Can include spaces and be a passphrase (Just don’t use the same password on multiple accounts)
- Change passwords every 120 days, or 4 months.
These are the suggestions that you should follow to have a strong password. However, you can use any combination as a password.
Improving WordPress Password Security
You can improve the WordPress password security by following the following recommendations.
- Length Matter for Passwords
- Combinations of Characters
- New is Better
- Use Password Manager
- Frequently Update
- Enable Two-Factor Authentication
- Using Plugins
#1 Length Matter for Passwords
One of the most popular ways of WordPress hacking is the brute force attack. The brute force attacks are also known as dictionary attacks.
In Brute Force Attack, the hackers try to guess your password using the random (or planned dictionary after researching the victim’s profile) string of characters.
Now here is the wonderful math:
Assuming the person is only using numbers to make a password.
- Numbers of combination in 1-word password: 10
- Numbers of combination in 2-word password: 100
- Numbers of combination in 3-word password: 1000
- Numbers of combination in 4-word password: 10000
You can see how the numbers of the combination are increasing as the password’s length is increasing.
With 2-word password, the hackers can guess the password in seconds. Same is with 4-word, or 8-word password if you are only using numbers.
That’s why we use alphabets and characters too.
#2 Combination of Characters
As we see above, the length of the characters makes the password strong. But to make it stronger, one has to use the combination of numbers, letters, and characters.
Here is quick math to explain the permutation.
Let’s assume there is a 2-word password to be made. The number of combination, if you only use numbers, will be 100. Because you can only use numbers between 0 to 100, and there are only 100 numbers between those two numbers.
By adding the alphabets, we add 26 new characters. Now the possibility of filling the two spaces is increased. Before we had ten characters to choose from (0-9) to fill the box, we now have 36 (10+26). So the numbers to make the 2-word password is 1296.
Now 1296 combinations are only for 2-word characters using numbers and 26 letters.
What if we use an 8-word password, with letters that could be uppercase, lowercase, numbers, and add symbols too.
If we have 26 uppercase alphabets, 26 lowercase alphabets, 9 numbers, and 12 symbols, the total number of options would be 73. Using 73 options to fill 8 boxes means 8 to the power of 73.
Seriously, that will yield such a large number that it will take years to guess the numbers. Even with the supercomputers, it will not be possible to crack the WordPress password quickly.
And with every extra space, you use to increase the password’s length; you improve the WordPress password security.
#3 New is Better
New passwords are always better than old ones. You should not use the same password for multiple accounts and sites.
Having the same password for all the social media, and your WordPress site is the poorest decision you can take.
Always try to use a new password for every site and service.
However, it will be hard to remember each password. Using a password manager can solve that problem. Never save the password to your browser, as it is easy to fetch the information from them.
#4 Get a Password Manager
Majority of the crowd likes to use simple and short passwords. And why not?
They are easy to remember. We all hate resetting the passwords – confirming the email address, typing a new password and then logging in with it.
A Password Manager solves both.
It creates a strong password for your application and saves it so you don’t have to remember the password. These Password Managers are secure and come with browser extensions and mobile applications for convenience.
If you are running multiple WordPress websites and serious about WordPress password security, using Password Managers are strongly recommended.
Best Password Managers:
#5 Frequently Update
Just like regular WordPress upgrades and Plugins updates, you should update the WordPress password too.
If you are following all the best practices, your password is secure. Though keeping the same password for years increase the chance of leaking.
Don’t keep the same password for longer than the 5-6 months.
The most significant advantage of regularly changing passwords is you logout from all the other devices. So if you accidentally left your username password saved in any device, changing the password will erase it.
#6 Enable Two-Factor Authentication
All the tips above in the article will surely help you to protect the WordPress password. However, if someone is dedicatedly targeting your website, then you have to take additional measures.
Enabling two-factor authentication will add the extra layer of security on your WordPress login page. Even if someone manages to steal the login information of your WordPress site, they will not be able to access it without proving their authentication.
The authentication could be done via:
- A unique password (OTP) sent by SMS/e-mail
- A phone call
- A QR code
- A push notification
Whoever the authentication is done, it makes it impossible for anyone to access the site without you.
Many WordPress plugins are available (free and paid), which you can use to set up 2-factor authentication.
Best Enable Two-Factor Authentication Plugins:
- WP 2FA
- Google Authenticator
- WordPress 2-Step Verification
- Unlock Two Factor Authentication
#7 Using WordPress Password Plugins
Finally, you can use the WordPress Password Plugins to take total control over the password settings. Plugins allow you to automate the password updating, and log the password changes.
Password plugins offer you more features, such as you can password protect the various part of the dashboard.
There are many plugins available that you can use. However, they work at their full potential on the membership sites, but you can use them on blogs too to tighten the WordPress password security.
Best WordPress password manages:
- WordPress Password Expiry
- Password Protected
- Simple User Password Generator
- Password Pointer
- Profile Builder
Changing vs Resetting WordPress password?
There is a difference between changing a WordPress password and resetting the password.
The difference between changing a WordPress password and resetting the password is that you know your current password while changing the password. You don’t know your current password during reset, so you clear the older password and set a new one.
Resetting WordPress password
To reset the password, you have to click on the Forgot password on the wp-admin page. On the next page, enter your username or email. You will receive the email with reset password link to the registered email.
Changing the WordPress password
You can change the WordPress password from the admin dashboard.
- Login to the WordPress
- Go to the User profile page
- Set the new password
You cannot reach this page without knowing your current password.
When securing WordPress sites, one has to secure multiple aspects of the platform. WordPress is not a single entity; it is a bundle of many technologies, working together to support the most intuitive CMS.
In this article, we learned to secure WordPress password. In one line, make your WordPress password lengthy + mixed, and you are halfway there.
If there is any other queries or questions, leave them in the comment box.