The human security factor: Passwords

Hardening WordPress—the steps taken to tighten up security to prevent a malicious intrusion into your website—can seem daunting to the typical user. Luckily, one of the simplest things you can do to harden WordPress is also one of the most effective: use strong passwords.

Strong passwords can help protect you from brute force attacks. These attacks are probably the most common, and yet simplest, of the varied ways hackers attempt to gain access to, and control of, your website. They’re performed by deploying automated bots to seek out WordPress installs and repeatedly attempt legitimate logins by guessing the username and password. How common is this type of attack? Bryan discussed it last week and referenced this report by Sucuri. I pulled up the logs of a few average WordPress sites and was amazed at what I saw. It was entirely common to see a WordPress brute force access attempt at a rate of nearly 1 per minute, around the clock.

What makes a password “strong?”

A generally accepted definition of strong password means:

  • It is at least twelve characters long,
  • it does not contain your user name, real name, or company name,
  • it does not contain a complete word,
  • it is significantly different from previous passwords, and
  • it contains a mixture of upper and lowercase characters, numerals and special characters
    such as ` ~ ! @ # $ % ^ & * ( ) _ – + = { } [ ] \ | : ; ” ‘ < > , . ? and /

What about my username?

Combined with a strong password usernames can be recognizable words, even names. However, all of the most common usernames will be immediately guessed during a brute force attempt so definately avoid “admin”, “user”, “12345” and “qwerty.” In fact, WordPress stopped assigning a default “admin” username quite a while ago due to attacks targeting common usernames.

How to choose & remember your strong password

The best way to remember your strong password is to not need to. There are some great password management apps available that generate and save strong passwords. At Cinch Web Services, we like 1Password by AgileBits for it’s robust features, reliable syncing across multiple devices, and ability to manage numerous vaults. A password manager like 1Password lets you directly fill a login from the app without having to know or type your password. You will need to know and remember ONE strong password however: the master password for the app to function.

Another popular and effective way to remember your strong password is to use the Schneier Scheme. Begin by thinking up a personal sentence that contains numbers and turn it into a password. For example: “The best job I ever had was when I was 18 and made $7 per hour washing cars” might become tBj()b1EVERhWWiw18&m7$wcrs
So you think that even that password might be hard to memorize? That’s the point. Tough, but, doable.

Finally, a method I really like is Diceware. In essence, it’s a method for randomly selecting words in a random sequence that together become your password. Due to excellent modern decryption software, the Diceware people recommend that you use at least 6 words and insert numerals or special characters into your string. Using the Diceware method you might create this strong password: cleftcam09synod@lacyyrwok. Learn all about it at

Can I use my new strong password for multiple login accounts?

Ha ha ah hah! Absolutely not. Stay safe and stay tuned for our next installment. And for the lighter side of the web, there’s this.

This is part 2 of a multi-part post on hardening WordPress. Part 1, the Introduction, can be found here.

Leave a Reply

Your email address will not be published. Required fields are marked *

See if Cinch is right for you.

Ask us anything. Seriously. Like, what is the air speed velocity of an unladen swallow?

Start a chat right now

Or go ahead and Sign up now