WordPress password security is about more than WordPress. It’s about keeping your digital life safe. And that all comes down to a little password. In these digital days we’re drowning in passwords. Your financial accounts, your social media life, your business website and your ecommerce shopping binges are all protected by those passwords. And some random hacker wants to crack them. If all those passwords are the same, you’re in trouble. If those passwords are too short, too simple, too predictable, you’re in trouble. If your WordPress password security isn’t up to the job, your WordPress site is in trouble. Trouble can mean hours of your life wasted, business and work flushed, identity theft, credit trouble and worse. The bottom line: If you don’t have good password security, your life is in danger. It sounds dire, and it can be—but we can help. Understand How Hackers Crack Your Password Before we get into specific tips and help, you need to understand how hackers can crack your passwords. It’s not as simple as poor passwords like “password” or “12345” (though never, ever use those). Even if you think you’re smart about your password, hackers have gotten a lot smarter about cracking them: •Brute Force: Hackers use brute force techniques to attempt millions of password combinations in short periods of time. There are tools that allow hackers to do this offline, so login limiters are often useless. •Password Breaches: Whenever hackers score a bunch of password data, they better understand how people come up with passwords. Not only do they have a whole pile of common passwords to work with, but they start to see patterns they can exploit. •Variations: Those brute force programs allow hackers to try all kinds of variations. So sticking a number or character on the end of a password doesn’t necessarily make it more secure. •Tricks: Hackers know the same tricks you do for coming up with a password. They know that people will replace certain letters with numbers or symbols (e becomes 3, a becomes @, etc.). They know people will use words, phrases or quotes. Whatever tricks you read about, hackers can also read about and devise rules to mimic and exploit those tricks. Ruh-roh. •Predictable: You think your password is completely random, but odds are it’s not. People are way more predictable than we think, and hackers can exploit that. Think a phrase from the Bible or a made up word in literature is safe? Nope. Hackers are not only using dictionaries to find words that might be in passwords, they’re scouring Wikipedia, the Gutenberg Project and YouTube for all kinds of common phrases, quotes, slang and even made up words that might make their way into passwords. Let’s be honest: the hackers are winning. Whatever tricks and tips we come up with for more secure passwords, the hackers just respond accordingly and keep on cracking. It’s a losing battle of increasingly complex passwords that become more and more unusable. But don’t despair. There are ways you can make passwords work. WordPress Password Security First things first, you should do everything you can to make WordPress more secure. The Better WP Security plugin will let you do all of these things quickly and easily. We’ve hired the developer, Chris Wiegman, and are rolling that plugin into an updated version that will be out soon. Using ‘admin’ is a no-no for WordPress password security. 1. Don’t Use Admin Username We’ve hammered on this before, but do not ever use “admin” as your username. If that’s your username, change it. Change it now! 2. Hide Your Login Screen Another tip to shut down the hackers and bots is to hide your login screen. You can give the page a unique URL and keep the bad element from even getting to it. 3. Limit Login Attempts This might not stop hackers from cracking your password, but it will stop bots from hitting your login page with multiple attempts. Lock it down. 4. Require Strong Passwords WordPress password security is about more than just your password. If you’re using a 5-star, crazy good password but another admin has a weak password, your whole site is still vulnerable. But you can force all the users on your WordPress installation to use strong passwords. How strong these passwords really are is debatable, but at least no one will have simple five letter passwords that would make hackers weep with joy. Good WordPress password security requires strong passwords. You can require them in WordPress. Strong password! That’s what you want to see. Boost Your WordPress Password Security With Strong Passwords Once you’ve locked things down in WordPress, the next step is to make your passwords as strong as possible. Here are some basic tips for strong passwords: •Different Passwords: The first rule of password security is to use different passwords for different sites. People are lazy and they use the same password over and over again. That’s easy, but all it takes is one breach and all your logins are compromised. Oops. It’s tough, but you need to use a different password for every site. •Tip: One way to use different passwords you can actually remember is to have a base password that you can remember and then tack on something different for each site. You might add on the first few letters of the specific site. So if your password is pEan%t, then for Google your password might be pEan%tGOOG and for WordPress it might be pEan%tWORD. That’s simple and fairly predictable, so you might want something more complicated. •Don’t Be Predictable: That’s the second rule of password security—don’t do anything predictable. And you’re more predictable than you think. If you follow the rules for devising passwords in any article about creating passwords (including this one), know that hackers can read that article too. •Long Passwords: You want your password to be long. You don’t have to be crazy with it, but six characters is unacceptable. You want at least eight. Probably more. WordPress accepts spaces in the password field, so you can even make it a phrase. •Don’t Use Real Words or Phrases: Just don’t just an actual phrase. Hackers scour real world text (whether it’s proper English or not—and don’t think foreign languages are safe either) and use it to crack passwords. So if you’ve got a really long password that’s your favorite quote, it’s not nearly as secure as you think. •Use Weird Characters: Use upper and lower case letters, numbers and symbols in your password. Add some complication. Make it weird. So truly strong passwords are ridiculously long, full of numbers, symbols and random capitalization. They don’t contain any real words or phrases. And you have a different one for every single site. So they’re basically impossible to memorize That’s no good. Unless you get some help. Use a Password Service The solution to WordPress password security—and password security everywhere—is to use a password service such as 1Password or LastPass. This is software you install on your computer that creates crazy good passwords—we’re talking up to 50 characters of truly random gibberish—and then memorizes them for you. It uses browser plugins to auto-populate those impossible to memorize passwords. There are also apps so you can do the same thing on your phone or tablet. So what keeps all these ridiculous passwords secure? You have a master password for the service that needs to be something you can remember. It locks down all these passwords on your computer, so even if it’s stolen hackers would need your master password to get at all your other passwords. It’s a complicated security approach, but it works. It’s a solid way to keep your WordPress site safe, as well as the rest of your digital life. Some tips for your password service: Good Master Password The strength of your master password is crucial. This needs to be a strong password. It should follow as many of the rules above as you can manage (check out more master password tips). You’ll probably need to work at memorizing it, but it should be one of the last passwords you’ll ever need (woohoo!). Passwords You Need to Type Unfortunately, your master password isn’t the only one you’ll need to memorize. A password service won’t work very well on the password you use to get into your computer or have to type into your TV. An Apple password is another one you might be forced to enter fairly often and a password service might not always be there to help. You should still use a password service to store and remember these passwords (so you don’t forget), but don’t use a crazy gibberish password you can’t remember. Come up with something that’s still strong but easy to remember. Ideally this list of passwords you need to remember can be counted on one hand. That sure beats the dozens and dozens of passwords you have for various financial, social and business sites. It Takes Time Transitioning your entire online life to a password service is going to take some time. You need to enter every account into the system and change a lot of passwords. Think of every site you have a login for. It’s a little overwhelming. So getting the system up and running will take some time. But start with your important sites and power through. You’ll get there eventually. Buy for Mobile & Desktop You want your password service everywhere you go in the digital world, so that means buying the app for your mobile and desktop devices. In some cases that means two separate purchases. It’s a pain, but it’s just the cost of using the service where you want to use it. Two-Factor Authorization To really boost WordPress password security you don’t want to rely on a password alone. You want to use what’s called two-factor authorization. This is where logins require two pieces of information—something you know (your password) and something you have. Something you have can be accomplished with an app such as Authy that verifies who you are using your phone. You can also use SIEM tools to protect your website from cyberattacks. It adds an extra layer of security to your accounts. Google, Dropbox, Apple, Twitter and Facebook all support it, so this isn’t fringe paranoia. You can even get a WordPress plugin to add Authy to your site. We’re planning to include two-factor authorization in our forthcoming iThemes Security plugin. Boost Your WordPress Password Security WordPress security has been a big issue in the past year and we’re taking it seriously. But one of the most important things you can do has little to do with WordPress. It’s all about your password. If you want your site to be safe, worry about your WordPress password security. Strong, safe, unique passwords will protect not only your WordPress site, but the rest of your digital life as well.