The Guide to WordPress Password Security

Last updated on June 26th, 2020 by Robert Abela. Filed under WordPress Security

Strong WordPress password security with policies

Weak passwords are one of the biggest threats that put the security of a WordPress site at risk.

As an internet user, or as a guest author on a WordPress site, you are always told to use a complex and different password for every website or service you subscribe to. You also have to change your passwords every few months. And when you are done, log out of the session, do not use the "remember me" setting on websites, and do not save your passwords in the web browser, in case your computer gets hacked.

On top of that you have to remember your friends’ birthdays, do the shopping and all the other things in life. So having a different and complex password for every website or online service sounds like too much, too difficult, doesn’t it? In reality it is not. This article explains what makes a strong password, how to manage passwords, and how to enforce strong WordPress password security if you are a site admin.

Password Manager for Your WordPress Sites Passwords


A password manager is a piece of software or an online service where you store all your credentials, so you do not have to remember them. You only need to remember one master password to unlock the database or service and access the saved passwords. The advantage of using a password manager is that you can use the most complex passwords, and a different one for every service or site you are subscribed to.

There are several different password managers available, all of which have different features. Read password management best practices for WordPress administrators to learn more about password managers, their features and how to use them.

Tips for Strong WordPress Password Security

Even if you use a password generator to automatically generate your password, it is always good to know what makes a strong WordPress password, so you can avoid using weak passwords.

The Longer The Password, The Better

Many recommend a minimum length of eight characters for a password. To be on the safe side, a password should be at least ten characters long. Any password between 10 and 50 characters long is secure.

Spice It Up

Do not use phrases or known words. Also, do not use any words that can be associated with you, such as the names of pets, cities and friends. Just use random text, with a mix of lowercase and uppercase letters, symbols and numbers.

Keep It Fresh

Even if you use the strongest of passwords, change it every two or three months. And do not use the same password for two or more services.

Example of Strong Passwords

Below are some examples of strong passwords. DO NOT USE these passwords for any of your services or WordPress sites.


Tips for WordPress Administrators & Strong User Passwords

A weak user password can leave your WordPress site exposed to malicious hacker attacks. WordPress does recommend a strong password to users, but as the screenshot below shows, they can, and will, use an easier password.

Confirm the use of a weak password in WordPress

So as a WordPress website administrator and owner, it is your responsibility to enforce strong passwords for your WordPress users. You can do so with WPassword. This plugin allows you to configure the following password policies:

  • password history
  • complexity
  • password age

The plugin is very easy to set up: you can install it and configure the password policies within just a few seconds. Also, read the article on how to secure your WordPress login with easy-to-use plugins for more tips on how to further harden the security of your WordPress site.
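To show what such policies look like in code, here is a hypothetical must-use plugin, added as an example and not taken from the article or from WPassword, that enforces two of the three policies listed (complexity and password history) using WordPress core hooks; the `EPP_` constants, the minimum length of ten and the `_epp_password_history` user meta key are assumptions of this example.

```php
<?php
// Hypothetical mu-plugin (drop into wp-content/mu-plugins/); not the WPassword plugin.
const EPP_MIN_LENGTH   = 10;  // "at least ten characters", as the article recommends
const EPP_HISTORY_SIZE = 5;   // assumption: remember the user's last five password hashes
const EPP_HISTORY_META = '_epp_password_history';

// Return the policy rules a candidate password breaks (empty array = accepted).
function epp_policy_violations( $password, $user_id = 0 ) {
    $violations = array();
    if ( strlen( $password ) < EPP_MIN_LENGTH ) { $violations[] = 'too_short'; }
    $classes = 0; // complexity: lowercase, uppercase, digit and symbol must all appear
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) { $classes += preg_match( $re, $password ); }
    if ( $classes < 4 ) { $violations[] = 'low_complexity'; }
    // History: compare the candidate against the hashes remembered for this user.
    $history = $user_id ? (array) get_user_meta( $user_id, EPP_HISTORY_META, true ) : array();
    foreach ( $history as $hash ) {
        if ( $hash && wp_check_password( $password, $hash ) ) { $violations[] = 'reused'; break; }
    }
    return $violations;
}

// Attach one error per violation to the WP_Error that WordPress shows on the form.
function epp_validate( WP_Error $errors, $user_id ) {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) { return; } // no password change was submitted
    $messages = array( 'too_short' => 'Password must be at least ' . EPP_MIN_LENGTH . ' characters long.',
        'low_complexity' => 'Mix lowercase, uppercase, digits and symbols.', 'reused' => 'You cannot reuse a previous password.' );
    foreach ( epp_policy_violations( $password, $user_id ) as $code ) {
        $errors->add( 'epp_' . $code, '<strong>Error</strong>: ' . $messages[ $code ] );
    }
}
// Profile/new-user screen (third arg is a stdClass carrying ID) and the password reset form.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    epp_validate( $errors, $update ? (int) $user->ID : 0 );
}, 10, 3 );
add_action( 'validate_password_reset', function ( $errors, $user ) {
    epp_validate( $errors, ( $user instanceof WP_User ) ? $user->ID : 0 );
}, 10, 2 );

// Push the outgoing hash into the history whenever a password actually changes.
function epp_push_history( $user_id, $old_hash ) {
    $history = array_filter( (array) get_user_meta( $user_id, EPP_HISTORY_META, true ) );
    array_unshift( $history, $old_hash );
    update_user_meta( $user_id, EPP_HISTORY_META, array_slice( $history, 0, EPP_HISTORY_SIZE ) );
}
add_action( 'profile_update', function ( $user_id, $old ) {
    if ( get_userdata( $user_id )->user_pass !== $old->user_pass ) { epp_push_history( $user_id, $old->user_pass ); }
}, 10, 2 );
add_action( 'password_reset', function ( $user, $new_pass ) {
    epp_push_history( $user->ID, $user->user_pass ); // runs before the new hash is stored
}, 10, 2 );
```

Only hashes are ever stored, so the history check costs one `wp_check_password` call per remembered entry and never keeps a plaintext password.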

Enable Two-Factor Authentication

There is no bulletproof WordPress security solution. So the more, the merrier! This means that even if you and your users use very strong passwords, you should, if possible, also enable two-factor authentication on your WordPress website. You can easily implement 2FA on a WordPress site with a plugin, within just a few minutes. Here is a list of the top two-factor authentication plugins for WordPress.

Bonus – Get Notified When Your Password is Breached!

Even if you take all the necessary precautions, the unfortunate can still happen and your site, or a service you are subscribed to, can get hacked. In such a case you need to know as soon as possible so you can change your password. The website owner is obliged to notify you when there is a data breach, though this doesn’t always happen.

Therefore you should subscribe to Have I Been Pwned, a free service that alerts you if any of your email addresses and passwords are identified in data breaches.

There are no more excuses for not using strong passwords. All you need is a password manager, and as a WordPress site owner you should enforce strong passwords for your WordPress users.


Christian 25/09/2018

I’m using WP-OAuth with Google as provider. Maybe worth mentioning as alternative.

Robert Abela 03/10/2018

Thanks for sharing, Christian, though that plugin hasn’t been updated in more than 3 years, so I wouldn’t recommend it. Try to stick to plugins that are maintained.
