WordPress login credentials guidelines
Weak passwords, whether because they are easy for automated password bots to guess or work out, or because the same password is reused across multiple services, are one of the main sources of security compromise for a website.
In this post I attempt to provide a few essential steps to help strengthen your WordPress logins to better secure your WordPress website.
Create non-obvious and hard-to-guess user names
Do not base them on your own name or the website name, and NEVER use obvious ones such as “admin” or “editor”
For example use “uytgav3” instead of “pauline” or “john”
Use complex passwords
Short passwords based on common names or words are easy for automated software to guess, even where some letters are substituted with numbers. Using the same password on multiple services dramatically increases the chances of being compromised.
- Create a completely random combination of lower case and upper case letters, numbers and symbols
- Make it 14 characters or more
- Write it down somewhere safe
- Don’t save it in your web browser – if you must save it electronically then use an encrypted password manager such as https://www.lastpass.com/
- DO NOT re-use a password you already use on another website or online service
BAD password example: pauline123, littleflower, bla4ckc4t
GOOD password example: 9i*Gf£45dnMs!@
Never share your login details with anyone
Access to WordPress admin is based on the principle of “least privilege”. This means that each user has access to the level he or she needs, no more, no less. This helps reduce security risks by ensuring users don’t have access to things they shouldn’t.
Examples of WordPress user roles:
- An “author” can only add, edit or delete their own pages or posts
- An “editor” can edit or delete any content on the site
- An “admin” can do everything, including creating and managing users, installing plugins, modifying code, etc.
Having said that, if you do need to communicate passwords, don’t use email, which generally sends content in the clear; instead you can:
- Send it in two halves: one half by email and the other by sms to a mobile phone
- Use an encrypted messaging service such as WhatsApp
Make sure you always log out when you have finished working on your site
That’s it, I hope following these simple steps helps you have a more secure WordPress website.