Maintaining Strong WordPress Login Credentials

May 10, 2017

One of the more common problems we encounter on a regular basis is clients who have had their WordPress login credentials compromised.

Most of the compromised accounts are due to a weak password. It’s hardly a shock when we discover the password is an employee’s first name.

WordPress installations are notorious for getting hacked via backdoor exploits in poorly written plugins; however, there is no reason why a password should be discoverable via a brute force attack.

By default WordPress creates fairly strong passwords, but these can easily be ignored and instead an admin can create a password using the name of their dog.

Other problems begin when the admin of the account adds new users and the users reset their password to something easy to remember.

Recently we worked with a client who had set a username of admin and a password of demo. Weeks went by before an alert visitor to the site noticed nefarious ads on the site and contacted the site owner.

Store Your Passwords Securely

Our recommendation for WordPress passwords (as well as all others) is that if you can remember the password, it’s too simple. Get a free copy of LastPass and generate a 30-character password.

There is debate as to the exact number of characters that can be used in a WordPress password; however, this article suggests there is no limit to the number of characters WordPress will accept.

Do not store your passwords in your browser. If your computer is compromised, the stored passwords are one of the first things accessed — think valuables hidden under a bedroom mattress. LastPass stores all your passwords in a cloud-based vault protected by a master password and AES-256 encryption with PBKDF2 SHA-256 and salted hashes.

As an added security measure, LastPass offers two-factor authentication – use it. Just don’t forget your master password!

Wordfence Security Plugin

Maintaining a policy of strong passwords should be your first line of defense; however, there are other measures you should take to secure your site. The free Wordfence plugin acts as a firewall that blocks attackers before they can attack your website.

Features include a web application firewall, blocking of brute force attacks and manual blocking, which allows a user to block traffic from any source. Sources can include IP address blocks and referring websites. The premium version of Wordfence allows you to block entire countries, among a host of other features.

One of the most valuable security features of Wordfence (in both the free and paid versions) is the ability to block login attempts after a preset number of failed logins. After the failed-login threshold has been reached, you can choose to block the user from accessing your website for up to 60 days.

Once installed, Wordfence keeps a log of both successful and failed login attempts.

As illustrated below, someone is regularly attempting to log in to the site using various usernames and IP addresses. Notice that one of the usernames attempted is admin.

After this account was successfully hacked, we deleted the admin user and created a new admin account using a 64-character username.

Blocking the attempts by IP address would not be very effective, because the person attempting to hack this account is hidden behind a proxy or VPN.
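As an added illustration (not part of the original post and not Wordfence’s own code), the script below runs a lockout counter over a constructed login-attempt log. The line layout is an assumption, not Wordfence’s real log format; it shows why a lockout keyed on source IP misses an attacker who rotates addresses, while the same threshold keyed on the targeted username still trips.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "timestamp user ip result" layout (not Wordfence's format).
SAMPLE_LOG = """\
2017-05-09T02:14:01 admin 203.0.113.10 failed
2017-05-09T02:14:09 admin 198.51.100.7 failed
2017-05-09T02:14:33 admin 192.0.2.45 failed
2017-05-09T02:14:41 admin 198.51.100.99 failed
2017-05-09T02:15:02 admin 203.0.113.77 failed
2017-05-09T02:16:00 jsmith 192.0.2.50 failed
2017-05-09T02:16:05 jsmith 192.0.2.50 success
"""

def parse_log(text):
    """Parse 'timestamp user ip result' lines into (datetime, user, ip, result)."""
    return [(datetime.fromisoformat(t), u, i, r)
            for t, u, i, r in (line.split() for line in text.splitlines())]

def flag_keys(events, key_fn, threshold, window_minutes):
    """Keys (IP or username) reaching `threshold` failures within a sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # key -> timestamps of recent failures
    flagged = set()
    for ts, user, ip, result in sorted(events):
        if result != "failed":
            continue  # successful logins never count toward a lockout
        key = key_fn(user, ip)
        bucket = recent[key]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:  # expire failures outside the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            flagged.add(key)
    return flagged

def per_ip_lockouts(events, threshold=5, window_minutes=5):
    """Lockout keyed on source IP: blind to an attacker rotating through proxies/VPNs."""
    return flag_keys(events, lambda user, ip: ip, threshold, window_minutes)

def per_user_lockouts(events, threshold=5, window_minutes=5):
    """Same threshold keyed on the username under attack, regardless of source IP."""
    return flag_keys(events, lambda user, ip: user, threshold, window_minutes)

def ips_per_user(events):
    """Distinct source IPs per username; many IPs for one name suggests rotation."""
    seen = defaultdict(set)
    for _, user, ip, _ in events:
        seen[user].add(ip)
    return {user: len(ips) for user, ips in seen.items()}
```

On the sample, `per_ip_lockouts` flags nothing while `per_user_lockouts` flags `admin`, which is why renaming the default admin account matters when the source addresses keep changing.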

Final Thoughts

Because hackers are aware that lax WordPress login credentials are so common, this is the most logical place to start an attack.

Maintaining a strong username and password is just one of the many steps you should take to secure your WordPress website.

Learn more about WordPress core software security in this free white paper from WordPress.
