For every user or account you have, you should use a unique and difficult password. That’s a given, but you’d be surprised at how many people don’t give a second thought to password security.
This means that, in many cases, the safest approach is to not leave password safety up to your users. Instead, you can enforce the use of strong passwords across all your WordPress site users. This is a simple way to improve the security of your WordPress site.
What Makes for a Secure Password?
You’ve probably heard plenty of advice about how to create strong passwords. In the past, the common wisdom focused on using complex combinations of characters, such as: “sd8f!¿$”?”.
That’s not a bad password, but these days we know that length is the main contributor when it comes to password security. Long passwords are harder to guess and to crack. The problem, of course, is that they’re also tougher to remember.
Fortunately, there are plenty of excellent password managers out there. You can use them to generate, store, and automatically enter your login information anywhere on the web. Even so, research shows us that most people don’t take password security seriously (more on this shortly).
That poses a problem if you’re running a WordPress website that has guest authors, editors, users or customers. After all, it’s your responsibility to provide a safe environment for your users, even if they don’t make good choices when left to their own devices.
4 Reasons You Can’t Leave Password Security in Your Users’ Hands
You might think that we’re exaggerating when we say you can’t trust users with password security. So let’s look at four key points that may change your mind.
1. Most People Use Terribly Weak Passwords
If you’re reading this, you probably put at least some thought into your passwords. That already puts you in the top percentile among internet users. To give you an idea of how bad things still are, here are the top five most common passwords on the web according to Wikipedia:
If you find that list hard to believe, you’re not alone. Those passwords are all much too short, very easy to guess, and just plain silly. With such poor choices being most people’s default, it’s no wonder there are so many online account breaches every day. If an editor or administrator on your WordPress business site uses a similar password, it will only take a few seconds to crack their password during a brute force attack.
2. Secure Passwords Are Difficult to Remember
Let’s be honest: remembering passwords can be a pain. The simple reason so many people ignore all the advice out there about password security is that it’s a bother. These days, it’s not uncommon to have accounts on dozens of services and websites, and who has the time to memorize unique passwords for all of them?
Fortunately, you don’t have to rely on memory or post-it notes to remember your passwords. What you can and should do instead is get acquainted with some password management best practices, starting with a password manager, which you can use to store your credentials securely. If you haven’t tried using a password manager yet, we strongly recommend doing so right away – they’re real game changers.
3. People Tend to Reuse Passwords for Multiple Accounts
One common issue in web security is that even people who do use strong passwords often recycle them for many accounts. That poses a problem, because no matter how strong a password might be, if one of the websites you use it on is hacked and attackers get access to it, they can also gain entry to all your other accounts.
As we pointed out earlier, remembering dozens of long unique passwords can be quite difficult. That’s where password managers once again come to the rescue. Even if it takes a little longer, it’s vital to create a unique password for every online account you have.
4. People Will Easily Tell Their Password
During my first job as a systems administrator I noticed that most employees will tell their password without questioning why. Most users are not aware of how damaging it can be when they give their password to someone else. So if someone from work calls them asking for their password they will easily tell it, making them susceptible to social engineering attacks.
How to Enforce Strong Password Use in WordPress
At this point, we’ve hopefully made it clear how terrible people are with passwords in general. The real question is: What can you do about it?
For one, you should educate your users about smart password choices. Make them aware of social engineering attacks, and of the negative impact weak passwords can have on the business. A lot of sites try to do this during the sign-up process. However, it also pays to be realistic. This means understanding that a lot of people won’t follow good practices unless you force them to.
By default, WordPress warns you if you’re setting a weak password. However, users can always ignore the warning and still use a weak password. So as a WordPress site admin you have to go a step further. You can force your WordPress users to use strong passwords with our own WPassword plugin:
Use this must-have WordPress plugin to:
- set a minimum length for all passwords
- enforce rules about what types of characters, numbers and case should be used
- set passwords to expire (always a good move, otherwise people will use the same password for years)
- configure password policies per WordPress user role
- and much more!
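To show what enforcing a policy (rather than only warning) looks like at the code level, here is an added example. It is not code from the WPassword plugin or from this article's authors. The policy table, its values and the `example_` names are assumptions; `user_profile_update_errors`, `get_userdata` and `wp_unslash` are WordPress core APIs.

```php
<?php
// Added example: policy values, role table and function names are assumptions.
const EXAMPLE_POLICIES = [
    'administrator' => ['min_length' => 16, 'mixed' => true],
    'editor'        => ['min_length' => 14, 'mixed' => true],
    'default'       => ['min_length' => 12, 'mixed' => false],
];

// Return the policy violations for $password; an empty array means it passes.
function example_password_violations(string $password, array $roles): array
{
    // Apply the strictest (longest minimum) policy among the user's roles.
    $policy = EXAMPLE_POLICIES['default'];
    foreach ($roles as $role) {
        $candidate = EXAMPLE_POLICIES[$role] ?? $policy;
        if ($candidate['min_length'] > $policy['min_length']) {
            $policy = $candidate;
        }
    }
    $violations = [];
    // Count characters rather than bytes so passphrases in any script are measured fairly.
    $length = function_exists('mb_strlen') ? mb_strlen($password, 'UTF-8') : strlen($password);
    if ($length < $policy['min_length']) {
        $violations[] = "Password must be at least {$policy['min_length']} characters long.";
    }
    if ($policy['mixed']) {
        $rules = ['/\p{Ll}/u' => 'a lowercase letter', '/\p{Lu}/u' => 'an uppercase letter', '/\d/' => 'a digit'];
        foreach ($rules as $pattern => $label) {
            if (!preg_match($pattern, $password)) {
                $violations[] = "Password must contain {$label}.";
            }
        }
    }
    return $violations;
}

// Inside WordPress, turn violations into errors so the profile update is rejected.
if (function_exists('add_action')) {
    add_action('user_profile_update_errors', function ($errors, $update, $user) {
        if (empty($user->user_pass)) {
            return; // The password is not being changed in this request.
        }
        $existing = ($update && !empty($user->ID)) ? get_userdata($user->ID) : false;
        $roles = $existing ? $existing->roles : [];
        if (!empty($user->role)) { $roles[] = $user->role; } // Role submitted on the edit form.
        foreach (example_password_violations(wp_unslash($user->user_pass), $roles) as $message) {
            $errors->add('example_weak_password', $message);
        }
    }, 10, 3);
}
```

This hook only covers the profile and user-edit screens. Password reset and registration go through other hooks (`validate_password_reset`, `registration_errors`) and need the same check, otherwise the policy can be bypassed through those paths.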
Strong Passwords as an Essential Part of Website Security
One of the easiest ways to secure your accounts and online data is to use strong, unique passwords (and to enable two-factor authentication when possible). Remembering multiple long passwords is no longer an excuse. These days there are plenty of tools, a.k.a. password managers, that you should use to store credentials securely.
If you’re an administrator of a WordPress site yourself, educate the users about smart password choices. However, it’s far safer to enforce the use of secure passwords. In WordPress, you can do this easily using the WPassword plugin. On top of that, you can also use WP 2FA to configure policies and make 2FA mandatory on WordPress.