When it comes to securing your WordPress site, there are many important priorities, such as updating your site regularly and using SSL. Compromised admin accounts are one of the most common ways a site gets hacked, so making sure your passwords are secure should be high on your priority list.
When people picture hackers trying to get into sites, many imagine someone repeatedly typing out different login credentials. In reality, hackers have sophisticated scripts that run autonomously and can try different usernames and passwords at millions or billions of guesses per second! Some powerful computers can even guess 350 billion passwords per second.
Read on for ways to improve the passwords of your site to harden its security.
Do not use words in your password
When a hacker is using a brute force attack, he or she will usually first go through every word in the dictionary and combine the words with a few characters and numbers. This is referred to as a dictionary attack. By using words in your password, the hacker will be able to get into your site after running a quick dictionary attack script.
Want to see this in action? In the video below, the user used a free and easy-to-get script called Hydra and an off-the-shelf wordlist to obtain the password to his own Google account. The video is a little technical but it should give you a good sense of how this type of hack works.
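As an added example (not code from the original post), here is a small policy check a site owner could run when a user sets a password. It rejects the pattern a dictionary attack tries first, a dictionary word padded with a few characters and numbers, including the common digit-for-letter substitutions that attack rules also apply. The wordlist below is a constructed stand-in; a real check would load a full dictionary or wordlist file.

```python
"""Reject passwords built on a dictionary word.

Added example, not part of the original post. WORDLIST is a constructed
stand-in for a real dictionary file; the leet substitution table is a
small, illustrative subset of the rules attack tools apply.
"""
import re

# Constructed stand-in for a real wordlist; a deployment would load one from disk.
WORDLIST = {"password", "wordpress", "welcome", "summer", "admin", "letmein"}

# Digit/symbol-for-letter substitutions to undo before the lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Leading/trailing runs of non-letters ("Summer2024!" -> "summer").
_EDGES = re.compile(r"^[^a-z]+|[^a-z]+$")


def _strip_edges(text):
    return _EDGES.sub("", text)


def dictionary_base(password, wordlist=WORDLIST):
    """Return the dictionary word the password is built on, or None.

    Three normalisations are tried in order: strip the padding characters,
    strip then undo leet substitutions, and undo leet substitutions then
    strip (needed when a substituted letter sits at the edge, as in w3lc0m3).
    """
    lowered = password.lower()
    candidates = (
        _strip_edges(lowered),                  # "summer2024!" -> "summer"
        _strip_edges(lowered).translate(LEET),  # "p@ssw0rd!"   -> "password"
        _strip_edges(lowered.translate(LEET)),  # "w3lc0m3"     -> "welcome"
    )
    for candidate in candidates:
        if candidate in wordlist:
            return candidate
    return None


def validate(password, wordlist=WORDLIST):
    """Return (ok, reason) so a registration form can show a message."""
    base = dictionary_base(password, wordlist)
    if base is not None:
        return False, f"password is based on the dictionary word '{base}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the last two are the post's own examples.
    for pw in ["Summer2024!", "P@ssw0rd!", "w3Lc0m3", "aT4h*q", "3)S'Fb2rVa:?Sc-t@~D&"]:
        print(f"{pw!r:28} -> {validate(pw)}")
```

Running the block prints a verdict for each constructed sample; the two passwords taken from the post pass, the three dictionary-based ones are rejected with the word they were built on.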
Do not use short passwords
When hackers are using a brute force attack, they are cycling through every possible password. When you use a two-character password such as PW, the hacker only has to try roughly 9,000 possibilities, which takes less than a second using a script.
When using a six-character password such as aT4h*q, the hacker has to try roughly 735,000,000,000 possibilities which can take a few seconds. When creating a password, you should have at least 15 to 20 characters in the password. An example would be 3)S’Fb2rVa:?Sc-t@~D&. This creates 9.536743164×10³³ possibilities which could take a long time to crack.
Use multiple types of characters
When creating your password, never use all numbers or all letters. You should always have a variety of lower-case letters, upper-case letters, special characters, and numbers. For example, a strong password could look something like this: W4:5~Bkt9;KL:Rqt.
Having a variety of types of characters requires hackers to test more combinations. If the hacker only needs to check lower-case letters, that means there are only 26 different characters possible for each character in your password.
For example, if your password were a 6-character password such as abcdef, there would only be 308,915,776 combinations of lower-case letters. However, if you used a variety of types of characters for a 6-character password such as aT4h*q, there are closer to 100 possible characters per position, which would mean the hacker could have to try up to 735,000,000,000 possibilities.
Want to test out some passwords to see how long they would take to crack? Check out our password tester below!
* The password you type in stays in your browser and is never sent to our servers.
The tool above shows how long the password could take to crack if the hacker is using a single high-powered computer. If the hacker is targeting you or your site, he or she may have a network of computers attempting to crack your password.
Change passwords regularly
If your password is compromised, the hacker will not always use it immediately. Also, the longer you have had the password, the more people and services you may have given it to. You should have all users (or at least admins and editors) change their passwords regularly. It is recommended to change passwords several times a year.
Fortunately, there are plugins that help with this. I use Expire Passwords on many sites, including this one, which allows you to require users to change their passwords after the interval you set. I usually require a user to change their passwords every 90 days. This includes all admins and myself as well.
Do not give your password out
Your password should only be used by you in most cases. The more people that use your password, the more chances there are of it being compromised. The channel you use to give your password to someone can also be compromised.
Never send your password to someone through email or IM. If you have someone that needs access to your site, such as a developer, always create a temporary developer account for them. Once they are finished, delete the temporary user. Never give them your password.
Use different passwords for each site and service
It may be convenient to have the same password for your website, your bank account, your email account, and your messaging app so you don’t have to remember multiple passwords. However, if one gets compromised, the hacker will immediately try your other accounts to see if the password works there too. Always use a unique password for every account you have.
Use a password manager
Once you start creating 20-character unique passwords for every account, it may be challenging to remember all of them and difficult to find a secure place to keep them. This is where password managers come in. A password manager is a tool you can install into your browser, on your phone, on your tablet, and many other places that will store your usernames and passwords for you.
These secure tools, such as LastPass and 1Password, are an excellent solution for generating and storing passwords. Even better, you can share some credentials to other people in a secure way through these tools.
Main post image by Thomas Breher