This is a comprehensive guide to WordPress password protection for business website owners and for anyone who manages or administers a WordPress website.
Roles aside, the next most vulnerable, and most easily hardened, aspect of WordPress website security is your use of passwords, according to WordPress and security software vendors. Armed with login credentials, someone could access your website and all the configuration and data available from the WordPress dashboard. A logged-in attacker could impersonate you; add, amend or delete items; deface your website; and ruin your business.
This blog post provides a series of best practice guidelines to help you establish secure WordPress password protection across your organization and educate your users on their use.
Table of Contents
- Establish a strong password security policy
- Employ a password manager
- Enable Two-Factor or Multi-Factor Authentication
- Educate your users in WordPress password protection
- Establish other relevant safeguards
Establish a strong password security policy
As a WordPress website Administrator, you have the opportunity and responsibility to enforce a strong password policy on your users. In doing so, you will protect your organization, its websites, data, staff and other users from a range of attacks.
- In the case of a company and its internal employees, marketing staff will need access to the WordPress website to create and edit pages and blog posts, while others will only need access to moderate and respond to comments. Client account management or customer service employees will need varying levels of access to customer accounts in order to respond to support tickets. Most other internal staff will not need access to customer accounts at all, and those working in IT support may need access to some aspects of customers’ accounts, though not all.
- Now consider the other viewpoint, that of external users on an ecommerce WordPress website. They may need to log in to manage their account, make a purchase, track the status of a delivery or return, or contact customer support. Those same users should not be able to create or delete web pages, for example, or to view the account and financial details of other customers. In some cases, ecommerce websites do not require customers to create an account and log in at all, as it can be a barrier to making a sale.
Why do you need strong WordPress password policies?
Why is all this consideration necessary? Don’t users already know how to create and use secure passwords?
The average computer user is not well educated about WordPress password protection, or password security in general. They are likely to have a lax attitude to their own online data, to find managing login credentials stressful (both of which we’ll discuss later), and to write passwords down on sticky notes stuck to their monitors! Meanwhile, the threats keep growing:
- Password guessing bots are becoming more sophisticated
- Malicious hackers still use brute-force and dictionary attacks
Nefarious activities become much easier for malicious hackers if they already hold personal information, such as real names, that is likely to form part of a weak password.
What does a strong password look like?
- Longer passwords – As a general rule, the shorter the password, the more susceptible it is to a brute-force or dictionary attack. The best current advice is to set a minimum length of 16 characters for your password and allow for spaces. Some password generators allow users to customize the length of the secure, random password they create.
- Mixed passwords – Use a random combination of upper- and lower-case letters, numbers, and special characters. This will protect your password against dictionary attacks. Avoid dictionary words, patterns of letters or numbers, simple substitutions of numbers or symbols for letters (‘@’ instead of ‘a’, ‘0’ instead of ‘O’), and keyboard sequences (qwerty).
- Random passwords – Keep your passwords unrelated to you. Don’t use any part of your name, or that of a pet, child or other relative’s name. Don’t use your DOB, postal address, or any other public information that a malicious hacker could easily connect to you. Also, avoid using information that a colleague or acquaintance could guess, like nicknames.
- Changing passwords – Reset your passwords regularly (every three months is recommended). This restarts the clock on any brute-force attempts and keeps you ahead of advances in unethical hacking technology.
- Different passwords – Have a different password for each website. That way, if one is breached, the others are still secure. Use a password manager daily to store, update and use them.
- Saved passwords – Do not use browser configuration, laptops or shared folders to save your passwords in case your computer gets hacked or stolen. That’s what a password manager is for!
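The rules above can be checked mechanically. What follows is an added example, not code from the original post or from any plugin it mentions: a standalone Python checker that applies the post’s rules (16-character minimum with spaces allowed, mixed character classes, no dictionary words even after ‘@’-for-‘a’ style substitutions, no keyboard sequences, no personal information). The word list, keyboard rows and substitution map are constructed illustrations, not a full dictionary.

```python
import re

MIN_LENGTH = 16  # the post's recommended minimum; spaces are allowed

# Constructed word list for illustration; a real deployment loads a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "wordpress", "admin",
                "monkey", "dragon", "qwerty", "football"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Substitutions the post warns about ('@' for 'a', '0' for 'O'), undone before checking
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def normalise(pw: str) -> str:
    """Lowercase and undo leet substitutions so 'P@ssw0rd' is compared as 'password'."""
    return pw.translate(LEET).lower()


def contains_sequence(pw: str, min_run: int = 4) -> bool:
    """True if a keyboard row (forwards or backwards) appears as a run of min_run+ chars."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + min_run] in low for i in range(len(r) - min_run + 1)):
                return True
    return False


def check_password(pw: str, personal_info: tuple = ()) -> list:
    """Return the list of policy violations; an empty list means the password passes.
    personal_info holds strings tied to the user (name, pet, street, year of birth...)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9\s]", pw))
    if sum(1 for c in classes if c) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    norm = normalise(pw)
    if any(word in norm for word in COMMON_WORDS):
        problems.append("contains a dictionary word (even with substitutions)")
    if contains_sequence(pw):
        problems.append("contains a keyboard or number sequence")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in norm:
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    # The post's own weak and strong examples, plus a constructed 16-character password
    for candidate in ("thisismypassword", "123456789", "vqO&V13@H%fF", "Tq7#pLx2!mRv9@Wn"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Note that the post’s own 12-character examples pass every rule except the 16-character minimum, which is why the checker reports only the length violation for them.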
WordPress user roles and their security implications
The configuration of roles has huge implications in WordPress website security. As a general rule, WordPress security should increase in direct proportion to the level of sensitive information that is contained or exchanged on the website.
First, let’s look at the Administrator roles:
- Super Administrators – assigned to multisite owners using WordPress Multisite Network, it gives you the exact same permissions as the Administrator role
- Administrator – automatically assigned to the website owner/creator on installation, it gives full control over a website, including deleting it. Administrators can install, edit and delete themes and plugins; run upgrades and updates; create, edit and delete pages and blog posts; add, edit and delete users, including other Administrators; and add, edit and delete media
All other user roles, listed in order of decreasing range of authority are:
- Editor – can add, edit and delete new pages, blog posts, media; create categories and tags; publish content written by themselves and others; and moderate comments
- Author – can add, edit and publish only their own content; upload media; and assign existing categories and tags to blog posts
- Contributor – can add and edit only their own content; and assign existing categories and tags to their own blog posts
- Subscriber – can only update their own user profile; read others’ content; and add comments
Following the principle of least privilege, when you set roles to delegate tasks within WordPress, avoid giving anyone else (Super) Administrator access unless they need that level of control over a website, its features and users. Since readers can see the ‘posted by’ username across your website, Administrators should, as an additional precaution, set up a separate Editor user for themselves and only log in with the (Super) Administrator account when they need to perform these higher-level tasks. This means malicious hackers have even less information to rely on if they’re contemplating a brute-force attack.
For further information, see How to use WordPress user roles for improved WordPress security.
Install the right WordPress password security tools and plugins
One way that you can enforce strong WordPress passwords on your users is by using the WPassword plugin to:
- Enforce strong passwords on your WordPress websites in seconds
- Provide tips to help users come up with strong passwords (rather than having to guess)
- Configure password policies on vital aspects of password protection, such as password complexity, history and age
- Configure password policies based on user role to cater for customized, specialist roles, or exclude specific users from particular policies
- Reset all passwords immediately if an attack is detected
- Implement a dormant users policy, to remove the threat posed by inactive user accounts that were set up before the policy was enacted
Set a good example for WordPress password protection
We recommend that you use secure credentials and that you also encourage your users to do so.
- Combine your strong password (see What Does a Strong Password Look Like?) with a strong username.
- As an Administrator, avoid obvious and weak default usernames such as admin, default, password or guest
- Don’t make it so easy for bad actors that they have only one credential left to discover
Remember that if you rely on WordPress password security measures, you must also enforce strong passwords using a plugin. WordPress has no built-in or default strong password enforcement.
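As an added example (not from the original post or any plugin it mentions), the following Python script audits an exported user list against the three points above: obvious default usernames, accounts holding Administrator that may not need it, and the dormant-accounts policy. The record layout and the last_login field are assumptions: WordPress core does not record a last login, so that value would have to come from an activity log plugin, and the sample user records are constructed.

```python
from datetime import datetime

# Usernames the post calls out as obvious defaults, plus a few common variants (constructed)
WEAK_USERNAMES = {"admin", "administrator", "default", "password", "guest", "test", "root"}
# The WordPress role slug that grants full control; multisite Super Admins hold it too
ELEVATED_ROLES = {"administrator"}
DORMANT_DAYS = 90
AS_OF = "2024-06-01"  # fixed "today" so the audit is reproducible

# Constructed sample export; field names mirror a WordPress user record. last_login is
# assumed to come from an activity log plugin (core does not store it) and may be missing.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "user_registered": "2023-01-05 09:12:00",
     "last_login": "2024-03-01 08:00:00", "roles": ["administrator"]},
    {"ID": 7, "user_login": "sophie.editor", "user_registered": "2023-06-14 10:00:00",
     "last_login": "2024-05-28 16:45:00", "roles": ["editor"]},
    {"ID": 12, "user_login": "old.contractor", "user_registered": "2023-09-10 11:30:00",
     "last_login": None, "roles": ["administrator"]},
    {"ID": 15, "user_login": "customer42", "user_registered": "2024-05-20 12:00:00",
     "last_login": "2024-05-31 19:10:00", "roles": ["subscriber"]},
]


def audit_users(users, today=AS_OF, dormant_days=DORMANT_DAYS):
    """Return (user_login, finding) pairs for accounts that need attention."""
    now = datetime.fromisoformat(today)
    findings = []
    for u in users:
        login = u["user_login"]
        if login.lower() in WEAK_USERNAMES:
            findings.append((login, "obvious default username; rename the account"))
        if set(u.get("roles", [])) & ELEVATED_ROLES:
            findings.append((login, "holds Administrator; confirm this level of control is needed"))
        # Accounts that have never logged in are measured from their registration date
        last_seen = u.get("last_login") or u["user_registered"]
        idle_days = (now - datetime.fromisoformat(last_seen)).days
        if idle_days > dormant_days:
            findings.append((login, f"dormant for {idle_days} days; disable or remove"))
    return findings


def count_administrators(users):
    """How many accounts hold full control; the post advises keeping this to a minimum."""
    return sum(1 for u in users if set(u.get("roles", [])) & ELEVATED_ROLES)


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS):
        print(f"{login:16} {finding}")
    print("administrators:", count_administrators(SAMPLE_USERS))
```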
Employ a password manager
A password manager is an online service or software client that securely stores and manages user credentials across multiple websites and services. The stored credentials are unlocked with a single master password, with options for multi-factor authentication. Popular examples include 1Password and KeePass. Whichever of the many online password managers you choose, though, it is no substitute for solid backups and a reliable service.
The benefits of using a password manager
- They won’t have to remember a separate password for each website – one of the biggest pain points in the workplace, and the one usually ‘solved’ by the lazy and crazy practice of using the same credentials across many online services.
- They won’t be tempted to store login credentials in written form, which breaches data protection regulations, or in online files that can be compromised.
- It will liberate users to use complex and different passwords. Many password managers have a built-in password generator with a convenient browser popup that suggests a password and instantly saves the new entry.
- They won’t leave their account or website open to malicious hackers and automated bots.
- Password managers often monitor email addresses and alert users when they appear in breach data on the dark web. They may also recommend that reused or otherwise weak passwords are changed.
Enable Two-Factor or Multi-Factor Authentication
Two-factor or multi-factor authentication is an additional layer of credentials that must be presented before a user is granted access to a website or app, on top of the traditional username and password combination. It should be used even when someone is already using strong passwords, because a multi-factor approach is the best option for WordPress security: strong username and password combinations can still be stolen. A one-time code, generated by an authenticator app or sent by email or SMS to the user’s personal device, email account or cellphone, is far more difficult for a malicious hacker to circumvent.
There are several alternatives that claim the place of the best two-factor authentication plugins for WordPress. Check these out. But we highly recommend our own product – the WP 2FA plugin. Not only will it improve your WordPress website’s authentication, it is designed with ease of use and simplicity of setup in mind. It also allows you to make 2FA compulsory, with fully configurable 2FA policies for different user roles. The combination of the WPassword and WP 2FA plugins makes your WordPress websites super secure.
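To show what the app-generated one-time code actually is, here is an added example (not code from WP 2FA or from the original post) implementing the TOTP algorithm (RFC 6238) that authenticator apps use, together with the clock-drift window and replay check a verifier needs. RFC_SECRET is the test secret published in RFC 6238; the Base32 form is how the secret travels inside the QR code a user scans during setup.

```python
import base64
import hashlib
import hmac
import struct
import time

# The reference secret published in RFC 6238 (ASCII "12345678901234567890"), used for self-checks
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30-second steps)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at: int = None, step: int = 30,
                digits: int = 6, window: int = 1, last_accepted: int = -1):
    """Return the matching time-step counter, or None if the code is not valid.
    Steps within +/-window are accepted to tolerate clock drift between phone and server;
    counters at or below last_accepted are refused so a captured code cannot be replayed."""
    now = int(time.time()) if at is None else at
    for k in range(-window, window + 1):
        counter = now // step + k
        if counter > last_accepted and hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as Base32 (the otpauth:// QR payload)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082
    print(totp(RFC_SECRET, at=59, digits=8))
    print(verify_totp(RFC_SECRET, "287082", at=89))                   # one step of drift -> 1
    print(verify_totp(RFC_SECRET, "287082", at=89, last_accepted=1))  # replay refused -> None
```

The server must store the counter returned by a successful verification, so that the same code cannot be presented twice within the drift window.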
Educate your users in WordPress password protection
Your website users already know in a vague sense that there is a need for strong password security. But they often fail to do anything about it.
So, what, specifically, do you need to educate them about?
Talk about the newsworthy data breaches
Weak passwords are one of the biggest threats to the security of WordPress websites. Why? Because weak credentials – easily circumvented with a brute-force or dictionary attack – are a leading cause of the data breaches we all read about in the news. Add to this the data losses facilitated by the default or stolen passwords, or passwords taken from lost or stolen devices, and the problem multiplies.
What can malicious hackers and unauthorized users do when they access your website?
- At a basic level, they can alter your configurations or insert malware
- They could also redirect traffic away from your website or use it to distribute pirated software
- In the most serious attacks, they can steal and misuse sensitive data, create bogus banking charges, or collect financial and other information to resell on the dark web
- Beyond these commercial activities, hacktivists can politicize or deface your website with hate speech
Highlight the implications of data breaches
Make sure your internal staff users are aware of the major, organization-wide implications on internal company information and external customer data, as well as fines or compulsory company strike offs. And, repeat the same messages to your website customers to ensure they prioritize the safety of their own personal, financial, health and other sensitive data.
The negative impacts that such data breaches can have on your organization and your website are enormous:
- Loss of reputation and confidence in your organization and website
- Substantial fines from regulatory bodies, as well as other penalties or dissociations from partners and clients
Enforce your strong password policy
- First, educate your users on all the elements in What Does a Strong Password Look Like? and The Benefits of Using a Password Manager. For example, make sure they know of persistent and seriously insecure password formulations such as thisismypassword, 123456789, [mykidsname] or [mypetsname], and instead encourage strong password formulations (e.g. vqO&V13@H%fF or @iGOuqk%W0xY). Do not share or use these specific examples for any of your services or users; they are simply examples.
- Remind internal staff regularly about the employment and/or data protection policy they signed, and the personal legal responsibilities they have toward their employer.
- Remind internal staff regularly that the data protection policy and the statements the company makes to customers and clients rely on staff following company policies, and that breaches have potentially serious and permanent legal, financial, employment, and law enforcement implications.
- Encourage users to create their own secure passwords using a password manager with a built-in password generator. Most password managers include one, which is helpful when creating accounts for new online and other services.
Administrator activities for WordPress password security
- Check the password strength of your WordPress users’ passwords with a scanner such as WPScan.
- Use the tools that malicious hackers use to ‘guess’ your users’ passwords: schedule brute-force and dictionary attacks against your own website to find weak passwords before an attacker does.
- Lock out users who have weak passwords and prompt them to reset them.
- Run workshops on how to use the password manager of choice.
Emphasize the stress-busting and time-saving benefits of using a password manager
Many of your users may see the need for strong passwords but are unwilling to use them due to unfamiliarity and the perceived difficulties or cost in practice. That’s where you can reinforce the ease and Benefits of Using a Password Manager, together with the low cost, reliability and ease of keeping backups of credentials.
It’s a massive advantage only to have to remember one password rather than multiple passwords.
From a user’s viewpoint, the highlights are:
- They have to remember only one password – bliss!
- The password manager will act as a password generator and a password management tool, and will fill in their secure credentials on each site for them
Emphasize the worthwhile investment in strong WordPress password security
We need to face facts. Some potential users will be put off signing up to your website if they are forced to use strong passwords and change them frequently. These procedures take a little time and effort to set up initially. Some will consider it a hassle they don’t want, while others will complain that it spoils their user experience of your website.
Establishing and enforcing a strong WordPress password security policy, possibly using a plugin that differentiates password policies and security levels based on user roles, will keep user friction to a minimum.
Establish other relevant safeguards
As a website owner or WordPress Administrator, here are a few concluding suggestions of larger issues you need to consider for WordPress password security:
- Familiarize yourself with general WordPress security hardening and protection protocols for WordPress. There are specific reasons why WordPress websites get hacked. It is to your advantage as an Administrator or owner to know what these are and how to handle them. Yes, weak passwords are a major problem, as are the lack of 2FA and activity logs. But did you know that the use of outdated WordPress core, plugins and other software is also a serious issue?
- Employ a WordPress activity log plugin that will let you know whether unauthorized users have gained access to your account and if so, what damage they’ve done. Our WP Activity Log helps you identify suspicious behavior at the earliest stage and prevent any malicious hack attacks on your website.
- Set up a dormant or inactive users policy for your WordPress website. Neglected user accounts are an easy point of entry for malicious hackers.
- Your website can be hacked even if you use strong passwords and enforce strong password policies on your users, so it’s good to know immediately if it has been breached. A free data breach notification service is worth checking out.
Do you have any questions on WordPress password protection or any of the products we’ve mentioned in this blog post? Let us know below! And remember the words of Chris Pirillo:
“Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.”
Get a 7-day trial of WPassword to experience it in action and help your website users use strong WordPress passwords