If you’ve been managing a WordPress site for a while, you may be wondering why a strong password policy is so important. Surely, users are aware that they need to use strong passwords? Unfortunately, many users knowingly use weak passwords, putting your WordPress site at risk.
There are several reasons why this continues to happen. Some users do not want to remember a complex password; others reuse the same password across multiple sites, so a breach elsewhere becomes a breach of your site. Either way, enforcing a strong password policy protects you against poor password choices such as password123.
In this post, we will explain why password security is so vital, and how you can guarantee that all users choose a strong password with just a few clicks. But first, let’s look at how a password manager makes a strict policy easy for your users to live with.
Why you should be using a password manager
Just under 75% of website users have trouble remembering their passwords. This drives risky behaviour such as reusing passwords across multiple sites or keeping them in an online document that could itself be compromised. It’s for precisely this reason that many WordPress administrators fail to enforce a strong password policy: they worry that users will be put off if forced to remember complicated passwords.
However, whether a user can remember their password or not shouldn’t come into the equation. By using a password manager, you can use very strong, difficult to guess, and distinct passwords without having to remember them.
What is a password manager?
A password manager is a piece of software or an online service that stores the credentials for your different accounts in an encrypted vault. Everything in the vault is protected by one master password, and most managers also support two-factor authentication on the vault itself, so that a leaked master password alone is not enough to open it.
By promoting the use of a password manager, your WordPress users will only have to remember one master password. Thus, it becomes far easier for them to comply with your strict password policy. We recommend either 1Password or KeePass, as we use both of them regularly.
What is a strong password policy (and password security)?
Implementing a strong password policy requires multiple steps. Many WordPress admins believe that they can rely solely on WordPress’ own password strength meter. That is not enough on its own: the meter only recommends a stronger password, it does not reject a weak one, as explained in how to force strong passwords on WordPress. And a simple minimum password length rule by itself is not enough to prevent a breach, because a long password built from a dictionary word and a year is still a trivial guess.
While password length is the most significant factor, it needs to be accompanied by the following additional password policies:
- Upper case and lower case letters
- Special characters
- Changing on a regular basis
- Blocking the reuse of old passwords
The approach to your password policy needs to be multi-pronged. Otherwise, passwords won’t be strong enough to materially reduce the risk of a breach of your WordPress site.
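To make the rules above concrete, here is how enforcement works at the WordPress level. This is an added example, not code from the original post or from the WPassword plugin: a small must-use plugin that hooks the two places WordPress accepts a new password (the profile/add-user screen and the lost-password reset form) and refuses anything that breaks the policy. The minimum length of 12, the function names and the sample passwords are assumptions.

```php
<?php
/**
 * Plugin Name: Minimal password policy (added example)
 *
 * Added example, not code from the original post or from WPassword. Drop it in
 * wp-content/mu-plugins/ and WordPress loads it on every request. The rule
 * values and names are assumptions; tune them to your own policy.
 */

const PP_MIN_LENGTH = 12; // assumed minimum length

/**
 * Check $password against the policy and return the list of violations
 * (an empty array means the password is acceptable).
 */
function pp_policy_violations(string $password, string $username = ''): array
{
    $violations = [];
    if (strlen($password) < PP_MIN_LENGTH) {
        $violations[] = sprintf('must be at least %d characters long', PP_MIN_LENGTH);
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $violations[] = 'must contain an upper case letter';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $violations[] = 'must contain a lower case letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $violations[] = 'must contain a number';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $violations[] = 'must contain a special character';
    }
    // Length and character classes alone would accept "Admin-2024-secret!";
    // also refuse passwords built from the account name, the first thing a
    // targeted attacker tries.
    if ($username !== '' && stripos($password, $username) !== false) {
        $violations[] = 'must not contain the username';
    }
    return $violations;
}

/**
 * Add one WP_Error entry per violation. $user is the WP_User (reset form) or
 * stdClass (profile screen) that WordPress passes to the hook; both carry
 * user_login. WordPress posts the new password in the pass1 field on both screens.
 */
function pp_validate_posted_password($errors, $user = null): void
{
    if (!isset($_POST['pass1']) || $_POST['pass1'] === '') {
        return; // no password change submitted on this request
    }
    $password = (string) wp_unslash($_POST['pass1']);
    $username = (is_object($user) && isset($user->user_login)) ? (string) $user->user_login : '';

    foreach (pp_policy_violations($password, $username) as $why) {
        // Any entry added to $errors makes WordPress refuse the save and show the message.
        $errors->add('pp_weak_password', '<strong>Error:</strong> The password ' . esc_html($why) . '.');
    }
}

if (function_exists('add_action')) {
    // Profile edit and Add New User screens:
    // do_action('user_profile_update_errors', $errors, $update, $user)
    add_action('user_profile_update_errors', function ($errors, $update, $user) {
        pp_validate_posted_password($errors, $user);
    }, 10, 3);

    // Lost-password reset form in wp-login.php:
    // do_action('validate_password_reset', $errors, $user)
    add_action('validate_password_reset', function ($errors, $user) {
        pp_validate_posted_password($errors, $user);
    }, 10, 2);
} else {
    // Run from the command line (php policy.php) to try the rules without WordPress.
    // Sample passwords are constructed for the demo.
    foreach (['password123', 'P@ssw0rD', 'Admin-2024-secret!', 'velvet-Otter-Lantern-42'] as $candidate) {
        $violations = pp_policy_violations($candidate, 'admin');
        printf("%-26s %s\n", $candidate, $violations ? implode('; ', $violations) : 'accepted');
    }
}
```

Note what the character-class rules do and do not catch: "Admin-2024-secret!" satisfies every class requirement and is only rejected by the username check, which is why a real policy also needs a blocklist of common and leaked passwords, not just class rules.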
Why is a strong password policy so important?
Implementing a strong password policy is so important because it protects against a range of attacks. Automated password-guessing tools have become sophisticated, and a WordPress login accepts either the username or the email address. Usernames are frequently easy to discover (author archive URLs and the REST API users endpoint expose them on many sites), so once an attacker has a valid login name, a weak password is the only thing standing between them and the account.
A dictionary attack is one of the most common techniques used for brute-force entry to a user’s account. It works by trying thousands or even millions of likely candidates: words from a dictionary, passwords leaked in previous breaches, and automatic variations of them (appended years, swapped case, “a” for “@”). A single dictionary word with those tweaks falls in milliseconds, and length alone does not save a password assembled from predictable pieces. That is why passwords need unpredictable content, not just more characters.
Strong password policies also protect websites from manual, targeted attempts. In this scenario a cybercriminal has obtained personal information (such as a user’s date of birth, pet’s name or address), which frequently forms part of the weak passwords set by careless users.
What are the qualities of a strong password?
Whether you use an automated password generator or create your own, it’s useful to know precisely what you need to focus on to make your WordPress passwords as secure as possible.
Longer passwords are stronger
The first item you should focus on is the length. Longer passwords are almost always stronger, because every added character multiplies the number of candidates an attacker has to try. Seven lower-case letters give 26^7, roughly 8 billion combinations, which a GPU rig testing tens of billions of fast hashes per second exhausts in well under a minute. Ten letters give 26^10, about 1.4 × 10^14 (hours at that rate); twelve give 26^12, about 9.5 × 10^16 (months). Against the slow, salted hash WordPress stores passwords with, every one of those figures grows by several orders of magnitude, but the ratio stays the same: five extra characters cost the attacker almost twelve million times more work. Not a bad return for a few extra characters.
All passwords should be alphanumeric
Next, make sure to include both letters and digits to widen the alphabet. Digits alone give ten possibilities per position; letters and digits together give 36, or 62 with mixed case, and the candidates multiply with every position. The benefit only materialises when the extra characters are placed unpredictably. “123456789” is in every attacker’s wordlist and falls instantly, and “A23456789” is barely better: prepending a single character is one of the first mangling rules a cracking tool applies to every wordlist entry, and the remaining eight characters are still a number sequence.
Always include special characters
Next, make sure to include a special character as well as upper and lower case letters, to push the alphabet from 62 towards the roughly 95 printable characters. Again, placement matters more than presence. “Password” is a dictionary word and falls instantly, and “P@ssw0rD” is not much better: cracking tools apply the obvious substitutions (a → @, o → 0, case flips) to every dictionary word automatically, so it is found by the same rule-based attack in seconds. Special characters add real strength when they sit in unpredictable positions, as in a randomly generated password.
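The three qualities above (length, alphabet and unpredictable content) can be measured. The script below is an added example, not code from the original post: it computes the brute-force search space for each candidate, then applies the kind of cheap shortcut a cracking tool would use (a common-password list, undoing leet substitutions and trailing digits, spotting number sequences) to show why “P@ssw0rD” and “A23456789” are weak despite their character classes. The guess rate of 10^10 per second, the tiny wordlist and the sample passwords are all constructed assumptions.

```php
<?php
// Added example, not from the original post: how an attacker measures a
// password, and why "has a symbol" is not the same as "is strong".
// The guess rate, wordlist and sample passwords are assumptions.

// 1e10 guesses/s is a round figure for a GPU rig against a fast unsalted hash
// (MD5, NTLM). A slow salted hash such as the one WordPress stores passwords
// with cuts this by several orders of magnitude; the ratios between passwords do not change.
const GUESSES_PER_SECOND = 1e10;

// Constructed stand-in for the multi-million-entry wordlists real attackers use.
const COMMON_PASSWORDS = ['password', '123456789', 'welcome', 'letmein', 'qwerty', 'admin', 'wordpress'];

/** Alphabet a brute-force attacker must cover, based on the character classes present. */
function alphabet_size(string $pw): int
{
    $size = 0;
    if (preg_match('/[a-z]/', $pw)) $size += 26;
    if (preg_match('/[A-Z]/', $pw)) $size += 26;
    if (preg_match('/[0-9]/', $pw)) $size += 10;
    if (preg_match('/[^A-Za-z0-9]/', $pw)) $size += 33; // printable ASCII punctuation and space
    return $size;
}

/** Bits of work for an exhaustive search: log2(alphabet ^ length). */
function bruteforce_bits(string $pw): float
{
    return strlen($pw) * log(alphabet_size($pw), 2);
}

/** Expected time to crack by exhaustive search (half the space on average). */
function bruteforce_seconds(string $pw): float
{
    return 2 ** (bruteforce_bits($pw) - 1) / GUESSES_PER_SECOND;
}

/** Undo the mangling rules crackers apply, so "P@ssw0rD" and "Password123!" both compare as "password". */
function normalize_mangling(string $pw): string
{
    $leet = ['@' => 'a', '4' => 'a', '3' => 'e', '1' => 'i', '!' => 'i', '0' => 'o', '$' => 's', '5' => 's', '7' => 't'];
    $stripped = rtrim($pw, '0123456789!.?_-');   // drop appended years/punctuation first
    return strtolower(strtr($stripped, $leet));
}

/** True if $pw contains $min or more consecutive characters in ASCII order ("23456789", "abcdef"). */
function has_sequential_run(string $pw, int $min = 6): bool
{
    $run = 1;
    for ($i = 1, $n = strlen($pw); $i < $n; $i++) {
        $run = (ord($pw[$i]) === ord($pw[$i - 1]) + 1) ? $run + 1 : 1;
        if ($run >= $min) return true;
    }
    return false;
}

/** Explain why a cracker would find $pw quickly, or null if no cheap shortcut applies. */
function cheap_attack(string $pw): ?string
{
    if (in_array(strtolower($pw), COMMON_PASSWORDS, true)) {
        return 'in every wordlist';
    }
    if (in_array(normalize_mangling($pw), COMMON_PASSWORDS, true)) {
        return 'wordlist entry + standard mangling rules';
    }
    if (has_sequential_run($pw)) {
        return 'number/keyboard sequence';
    }
    return null;
}

function human_time(float $s): string
{
    foreach ([['years', 31557600], ['days', 86400], ['hours', 3600], ['minutes', 60]] as [$unit, $len]) {
        if ($s >= $len) return sprintf('%.3g %s', $s / $len, $unit);
    }
    return sprintf('%.2g seconds', $s);
}

// Constructed sample passwords, including the ones discussed above.
foreach (['Password', 'P@ssw0rD', '123456789', 'A23456789', 'xk7!Rq2#mZp9', 'velvet-Otter-Lantern-42'] as $pw) {
    printf("%-25s %2d chars %5.1f bits  brute force: %-14s %s\n",
        $pw, strlen($pw), bruteforce_bits($pw), human_time(bruteforce_seconds($pw)),
        cheap_attack($pw) ?? 'no shortcut found');
}
```

The two columns tell different stories on purpose: by exhaustive search “P@ssw0rD” looks like days of work and “A23456789” like an hour, but both are found by a shortcut long before any exhaustive search starts. Only the random 12-character password and the long passphrase score well on both measures, which is the property a policy (and a password manager’s generator) should aim for.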
Every few months you should change your passwords
The technology involved in cracking passwords advances at a rapid pace, so the longer a password stays in place, the more time an attacker has had to guess it or to find it in a leak from another site. Regularly changing it therefore limits how long a compromised password remains useful, and it protects your accounts against takeovers when old credentials are collected from breaches elsewhere. One caveat a practitioner should know: current NIST guidance (SP 800-63B) favours forcing a change when there is evidence of compromise rather than on a fixed calendar, because users respond to frequent rotation with predictable patterns such as Summer2023 followed by Autumn2023. Pair an expiry policy with a ban on reusing old passwords and with a prompt reset whenever a leak is suspected.
What are the dangers of having a weak password?
Depending on the type of WordPress site you operate, there could be a lot at risk when it comes to having a weak password. For instance, if you run an e-commerce store, a user could be risking their payment information if they have an insecure password.
Not only that, but a compromised administrator account lets an attacker place code into your website that skims card details entered at checkout. Cybercriminals then sell that information on the dark web. If you are found to have presided over a data breach of this nature, your customers will lose confidence in your site’s security. Worse, you could find yourself on the wrong end of a sizeable fine from a national regulatory body.
Those with other intentions in mind (such as hacktivists) may choose to deface your site with political slogans or racist abuse. Once again, shaking the trust of your visitors and sullying your company’s reputation.
Weak passwords are a leading cause of data breaches
Don’t forget that cracking software on commodity GPUs tests tens of billions of guesses per second against fast hashes such as MD5 or NTLM. Weak passwords are often responsible for the scenarios mentioned above. The 2016 Verizon Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default, or stolen passwords. Research conducted by Bitglass found that 25% of all financial services industry breaches since 2006 could be attributed to lost or stolen devices (and the passwords stolen from them).
Both findings illustrate the dangers of weak or stolen credentials, and why a policy also needs a way to invalidate passwords that may have leaked rather than leaving them in place indefinitely. That’s why it’s so crucial that you administer a strong password policy.
But you may be wondering exactly how you can achieve that outcome for your WordPress site. Fortunately, there’s an easy-to-use plugin that can protect your website against weak passwords in a mere matter of minutes.
How to set up your own strong password policy using WPassword
The WPassword plugin allows you to enforce a strong password policy including:
- Minimum password lengths
- Mandatory use of both uppercase and lowercase letters
- The requirement to use numbers
- The compulsory use of special characters
- And much more (read the complete plugin features list for more information)
To get started, simply download and install WPassword. Then head over to the “Password Policies” node in the settings menu found within your WordPress dashboard.
How to use WPassword
Here, you can configure your website’s password policies and force your users to use strong WordPress passwords. You can stipulate the rules governing passwords as laid out above as well as implementing a password expiration policy. This policy will ensure users frequently change their passwords and refrain from reusing old ones.
WPassword also allows WordPress administrators to:
- Exempt specific users or roles from the password policies
- Specify when user sessions are terminated upon password expiry
- Reset all passwords with just a single mouse click
In the event of a WordPress hack, that last feature can help you regain control of your user accounts by logging out all users, invalidating their current passwords and asking them to set new ones.
Finally, in the settings of this plugin, you can also choose to disable inactive accounts using the inactive WordPress users policy. Inactive accounts are particularly vulnerable: they were probably set up years ago, before you enforced a strong password policy, and nobody is watching them closely enough to notice a takeover. Hackers target them for this very reason. So make sure you lock out inactive users to block malicious intruders from hijacking those accounts.
Start setting up your strong password policy
Hopefully, you should now fully appreciate why a strong password policy is so important for the security of your WordPress website. Automated hacking software can easily crack weak passwords, and the consequences of a user account breach could be catastrophic.
Therefore, it makes sense to use the WPassword plugin so that you can:
- Enforce strong passwords on your users
- Attach expiry dates to passwords
- Lock out dormant users
- Exempt specific user roles
- Reset all passwords with just one click
Download WPassword to get started.
Bonus tip: add 2FA for even stronger WordPress authentication
Install two-factor authentication with the WP 2FA plugin for WordPress to make account takeover far harder.
With two-factor authentication, users must prove their identity with a second factor in addition to their password: a one-time code from an app, a hardware key, or another device they hold. This additional layer protects user accounts even when an attacker has the correct username and password combination, because the password alone no longer opens the account.