Your WordPress website is a target for hackers and malware, and one way they take over your site is by guessing your username and password. What can you do to stop them? Let’s take a look at the security measures you need.
Choosing secure passwords is a great way to improve the security of your WordPress website, but not everyone uses them because they can be inconvenient. For example, Yhf%4edHuyR3! may be an excellent password, but it is very hard to remember.
For this reason, people often choose simple passwords when creating online accounts for websites. They pick a word that is easy to remember and often reuse a familiar password that they already use elsewhere. One password to rule them all!
This is great for hackers! A reused password only has to leak from one site, through a breach there, and attackers will try the same username and password combination on every other site they can find, including your WordPress login.
If you do not have any security plugins on your WordPress site, you probably are not aware of how many people or bots (automated programs) try to gain access to your site through the account login form.
You may get dozens or even hundreds of login attempts every single day of the week. People and bots constantly guess usernames and passwords. Let’s take a look at what you can do to guard against them.
Avoid obvious usernames and passwords
The username you use to log in to your WordPress site is not the most important factor in preventing unauthorised logins. However, it helps to avoid the most obvious ones.
Take a look at this list of failed logins for example:

Every day there is at least one attempt to log in with the username admin. Older versions of WordPress created an account called admin by default, so many sites still have one, and hackers keep trying it because it so often works.
An obvious username combined with an easy-to-guess password is a security disaster!
There are several common usernames that you should avoid:
- admin
- Your name
- test
- Your site name
Change your password
Strong passwords should be used for all accounts in WordPress, but it is especially important for admin accounts because these have the power to make major changes to the website. They can be used to delete your account, lock you out, replace the content, and more.
To change the password for your account:

- Go to Users in the sidebar
- Click your account to view it
- Click the Generate Password button
- A new strong password is generated and displayed
- Select the password and press Ctrl+C or Cmd+C to copy it
- Paste it somewhere safe where you will not lose it, such as a password manager
- Click Update User
Easy to remember passwords
The best passwords are the hardest to guess and, unfortunately, to remember.
One way to create a password is to hit random keys on the keyboard, like hyFg5$edA-3. Be aware that this is less random than it feels, because fingers favour certain keys and patterns, so a password manager's generator is the better source. Passwords are usually not shown as you type them, so you need to create the password elsewhere, such as in a text editor, and then copy and paste it in.
A password like that is hard to remember, so here is a method you could use to create a memorable one.
Think of a phrase like: A camel stores water in its hump. The password is the first letter of each word: Acswiih. Optionally add a number to the end.
Acswiih2018 is not perfect: it is only eleven characters, the letters come from ordinary English rather than random choice, and tacking a year onto the end is a pattern password-cracking tools try automatically. It is still much harder to guess than a dictionary word, and remembering the phrase is easy, which makes it easy to use. Stringing several unrelated words together into a longer passphrase is stronger still and just as memorable.
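To put numbers on the trade-off between memorable and random, here is an added example written for this article (not code from the original): it implements the first-letter method described above, generates passwords and passphrases with the operating system's cryptographic random source instead of the keyboard, and estimates the entropy of each approach. The short word list is a constructed stand-in; the figure of 7776 words is the size of a standard diceware list, and the acronym estimate is a generous upper bound that treats the phrase's letters as if they were random.

```python
"""Memorable-phrase passwords versus generated passwords, with entropy estimates.

Added example for this article, not code from the original. The entropy
model is the usual length * log2(pool size) and assumes every symbol is
chosen uniformly at random, which neither a keyboard mash nor an acronym is.
"""
import math
import secrets
import string

# Constructed stand-in word list; a real diceware list has 7776 words.
WORDS = ["camel", "hump", "water", "river", "lamp", "stone", "cloud", "paper",
         "tiger", "glass", "anchor", "violin", "meadow", "copper", "orbit", "saddle"]
DICEWARE_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def acronym_password(phrase, suffix=""):
    """The article's method: first letter of every word, plus an optional suffix."""
    return "".join(word[0] for word in phrase.split()) + suffix


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def random_password(length=16, alphabet=PRINTABLE):
    """Generate a password with the OS CSPRNG (secrets), not the keyboard."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(wordlist=WORDS, words=5, sep="-"):
    """Generate a diceware-style passphrase from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def strength_model():
    """Estimated bits of entropy for each strategy.

    The acronym figure is an upper bound: it pretends the seven letters are
    uniformly random (they are not, they follow English word frequencies) and
    that the year is one of 100 equally likely values.
    """
    return {
        "acronym, 7 letters + year": entropy_bits(26, 7) + math.log2(100),
        "5 diceware words": entropy_bits(DICEWARE_SIZE, 5),
        "12 random printable chars": entropy_bits(len(PRINTABLE), 12),
        "16 random printable chars": entropy_bits(len(PRINTABLE), 16),
    }


if __name__ == "__main__":
    print("article method:", acronym_password("A camel stores water in its hump", "2018"))
    print("generated     :", random_password(16))
    print("passphrase    :", passphrase(words=5))
    for name, bits in strength_model().items():
        print(f"{name:28s} ~{bits:5.1f} bits")
```

The model shows why the article calls Acswiih2018 "not perfect": even with the most generous assumptions it offers under 40 bits, against roughly 65 bits for five random words and close to 80 bits for twelve random printable characters.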
Of course, the easiest way to remember passwords is with a password manager. An example is LastPass, which offers free accounts. An extension for Chrome and other browsers is available and it automatically remembers passwords for websites. When you need to log in, it automatically enters the password so you don’t need to know it.
Force Strong Passwords
A problem you will encounter is that users (maybe even you) change the password given to them when their account is created to a simpler one that they can remember.
Force Strong Passwords is a WordPress plugin that forces certain users to use strong passwords. It will not let them change a password to a weak one that is easily guessed.
It only applies to users that have permission to post on the site, such as Author, Editor or Administrator.
iThemes Security
iThemes Security is a WordPress plugin with free and paid versions that has some useful features related to passwords. The paid version has the most features, but some are available for free.
For example, it can force users to choose secure passwords. In the Pro version you can force users to change passwords after a certain time, such as once a year, or you can force everyone to reset their password. These features are great for sites that have a lot of users.
WordFence Security – Firewall & Malware Scan
Wordfence is an excellent security plugin for WordPress that has free and paid versions. The paid plugin has a password auditing feature: it tests your user accounts' stored password hashes against lists of weak and common passwords and then displays a report showing any that were cracked. You can then take action and tell those users to change them.
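The same kind of audit can be done by hand on a copy of the password hashes, which is worth understanding even if you let a plugin do it. The following is an added example written for this article, not Wordfence's code: it implements the phpass "portable" hash format (the `$P$` strings WordPress has long stored in the user_pass column of its users table) and checks a set of constructed sample accounts against a short constructed guess list. One of the sample hashes is the published phpass test vector for the password test12345; the others are generated here with a fixed salt, where a real site would use a random one. Recent WordPress releases hash new passwords with bcrypt instead, so non-`$P$` hashes are skipped. Only run this against hashes you are authorised to test.

```python
"""Offline audit of WordPress (phpass $P$) password hashes against a guess list.

Added example for this article; not Wordfence's auditing code. The accounts
and guesses below are constructed for the example, apart from the phpass
reference vector for "test12345".
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's own base64 variant (not RFC 4648) over the first `count` bytes."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password, setting):
    """Compute a phpass portable hash.

    `setting` is the first 12 characters of a stored hash: "$P$", one character
    encoding log2 of the iteration count, and an 8-character salt. WordPress
    uses "B" (2**8 = 256 iterations); phpass's own default is "9" (2048).
    """
    if not setting.startswith("$P$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):           # iterated MD5, as phpass does
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def check_password(password, stored):
    """True if `password` produces the stored $P$ hash."""
    return phpass_hash(password, stored[:12]) == stored


def audit(users, guesses):
    """Return {username: guessed_password} for each account a guess cracks."""
    found = {}
    for username, stored in users.items():
        if not stored.startswith("$P$"):       # e.g. bcrypt on newer WordPress: not handled here
            continue
        for guess in guesses:
            if check_password(guess, stored):
                found[username] = guess
                break
    return found


# Constructed sample accounts (fixed salt "q1w2e3r4"; real installs use random salts),
# plus the published phpass test vector for the password "test12345".
SAMPLE_USERS = {
    "admin": phpass_hash("password123", "$P$Bq1w2e3r4"),
    "editor": phpass_hash("Yhf%4edHuyR3!", "$P$Bq1w2e3r4"),
    "test": "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0",
}
GUESSES = ["password", "123456", "admin", "test12345", "password123", "letmein"]

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_USERS, GUESSES).items():
        print(f"{user}: weak password found ({guess})")
```

On a real site the hashes come from `SELECT user_login, user_pass FROM wp_users` (your table prefix may differ), and the guess list would be a large common-password list rather than six entries. The account set up with the article's own strong example password is, as expected, not cracked.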
Hosting account password
The obvious way to gain entry to a website is through the site itself, such as by guessing an obvious password. Don’t forget that your web hosting account also has a username and password. A hacker might try to gain access to your whole hosting account if a weak password is used. From there they can access your site, delete it, take it offline, insert malware and so on.
Go into your web hosting account and change the password to a strong one if necessary.
Action points
- Use strong passwords with random letters, numbers and symbols, or a long passphrase of several unrelated words
- Change your admin password if it is too weak and easily guessed
- Change your web hosting password if it is too weak and easily guessed
- Avoid words in the dictionary
- Use a plugin to increase security and force strong passwords
WordPress security Course Contents
- How to change the WordPress admin user to something different
- Make your website more secure by using strong passwords
- How plugins damage the security of your WordPress website
- How to use and customise user roles in WordPress
- How to recover from website problems with a WordPress backup
- How to increase website security with a plugin for WordPress
- How to make your WordPress website secure and deal with threats