Password security is one of the most important responsibilities any WordPress admin must take on. You can defend your site from the back-end. You can get GDPR and PCI compliant. You can provide a bucket of security options, settings, firewalls, and malware scanners. But in spite of all that, your users (yes, even fellow admin users) will still set their password to “123456” if you let them. And rest assured, hackers try the top 20 lazy passwords first before they even bother with complex attack methods.
Passwords are the human weak link in your WordPress security chain. They are where your users and admins accidentally, unthinkingly, hold the door open for hackers and usher them onto your web server.
So today, we’re focusing on the top three ways that hackers exploit weak password practices, on your site and among your users, to break into WordPress sites through the front door. Once we cover each one, we’ll share the go-to security methods designed to counter it and keep that door locked.
1) Brute Force Attacks on Password Security
Brute force attacks are the first thing that comes to every web admin’s mind when thinking about password security. Why? Because it’s the one you are personally responsible for defending against. A brute force attack is when a hacker uses a program that can guess and enter thousands of passwords in a matter of minutes. It simply tries one after the other in sequence, changing a letter or two with each iteration until it finds the password it was looking for.
The most basic example of brute-forcing might start by guessing that a password is ‘0000’. It then tries ‘0001’ and then ‘0002’ and so on, so fast that your server can barely keep up. In practice, it’s more sophisticated than that. Modern brute-force attacks use algorithms built on thousands of stolen or studied common passwords. They start with the most frequently used passwords and try variations of those first. Many attackers also combine the guessing program with personal data gathered through identity theft, so the guesses are tailored to whose account they’re trying to hack.
Fortunately, brute-force password attacks are easy to block with the right security plugin features.
Limit Number of Password Attempts
The quick and simple way to prevent brute force attacks is to have a defense that limits the number of password attempts a single website session or account name can make within a given amount of time. On a micro-scale, you can slow hackers down by allowing, say, only one password attempt every 10 seconds. That puts a serious crimp in the brute force style.
Beyond that, you may also want to limit the number of total attempts per hour or day. Or, you can limit the number of attempts before an email confirmation is required again. Exceeding the limit should alert the account-holder that someone is trying to crack their account.
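To make those limits concrete, here is an added example of the throttle logic a login-protection feature implements. It is not code from the original post or from any particular plugin: a minimum spacing between attempts from one source, a cap on failures per hour tracked both per account name and per source address, a temporary lockout once the cap is exceeded, and an alert record for the account-holder. The thresholds, the account name and the IP addresses in the scenario are constructed for the demonstration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Throttle login attempts per account name and per source address.

    Policy values are illustrative, not taken from any specific plugin:
      min_interval    seconds a single source must wait between attempts
      max_per_window  failures tolerated per key inside window_seconds
      lockout_seconds how long a key stays blocked after exceeding the cap
    """

    def __init__(self, min_interval=10, max_per_window=5,
                 window_seconds=3600, lockout_seconds=900):
        self.min_interval = min_interval
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.last_attempt = {}              # source -> time of last permitted attempt
        self.locked_until = {}              # key -> time the lock expires
        self.alerts = []                    # (account, message) to notify the account-holder

    @staticmethod
    def _keys(account, source):
        # Track both the targeted account and the source address, so a guessing
        # run spread across many accounts from one address is still caught.
        return (f"acct:{account}", f"src:{source}")

    def _prune(self, key, now):
        # Drop failures that have fallen out of the sliding window.
        q = self.failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def check(self, account, source, now):
        """Decide before the password is checked. Returns (allowed, reason)."""
        for key in self._keys(account, source):
            until = self.locked_until.get(key, 0)
            if now < until:
                return False, f"{key} locked for {int(until - now)}s"
        last = self.last_attempt.get(source)
        if last is not None and now - last < self.min_interval:
            return False, "too fast: wait before retrying"
        self.last_attempt[source] = now
        return True, "ok"

    def record_failure(self, account, source, now):
        """Record a wrong password; lock the key once it exceeds the cap."""
        for key in self._keys(account, source):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) > self.max_per_window:
                self.locked_until[key] = now + self.lockout_seconds
                self.failures[key].clear()
                if key.startswith("acct:"):
                    self.alerts.append(
                        (account, "repeated failed logins; account temporarily locked"))

    def record_success(self, account):
        # A correct password clears the account's failure history.
        self.failures.pop(f"acct:{account}", None)


def simulate(events, throttle):
    """Replay (time, account, source, password_correct) tuples through the throttle."""
    outcomes = []
    for now, account, source, correct in events:
        allowed, reason = throttle.check(account, source, now)
        if not allowed:
            outcomes.append(("blocked", reason))
        elif correct:
            throttle.record_success(account)
            outcomes.append(("login", "ok"))
        else:
            throttle.record_failure(account, source, now)
            outcomes.append(("failed", "wrong password"))
    return outcomes


def demo():
    """Constructed scenario: a guessing script hammers 'admin' from one address,
    then the real admin logs in with the right password from a different one."""
    attacker, owner = "203.0.113.5", "198.51.100.7"
    events = [(t, "admin", attacker, False) for t in (0, 2, 12, 24, 36, 48, 60, 72, 84)]
    events += [(100, "admin", owner, True), (1000, "admin", owner, True)]
    throttle = LoginThrottle()
    return simulate(events, throttle), throttle


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

Note the trade-off the scenario exposes: once the account is locked, the real admin at t=100 is also refused until the lockout expires, which is exactly why the alert to the account-holder matters. Locking the source address in parallel means a lockout on the account is not the only brake on the attacker.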
Password Security Bot Checks
The other recently popular way to stop brute force is to require a bot check before each new password attempt. The more secure your site needs to be, the more complex your bot check can be to prove you’re dealing with a human every time “submit” is pressed.
2) Easily Guessable Passwords
The second serious password security concern you need to account for is easily guessable passwords. Most people are inherently lazy about passwords and enter whatever they can remember, even if it is drop-dead obvious and super hackable. Among the top ten most popular stolen passwords are 5 variations of “123456”, “password”, “111111”, “qwerty”, “sunshine” and “iloveyou”, so at least your careless users are upbeat.
But they are not secure. The sad thing is that many of the users who choose these oh-so-hackable passwords are admins with real WordPress privileges and real access to defend. These days, hackers don’t even need to steal these passwords. They just try the top 50 most obvious lazy passwords, and it’s disturbing how often this works.
Fortunately, WordPress security plugins have your back. Just make sure that your plugins effectively enact the following defenses.
Enforced Password Credentials
First, force your users to make strong passwords. Or, at least, not-super-obvious passwords. A bare length minimum produces passwords like “123456789”, and hackers will figure this out just by making their own accounts and seeing your criteria. You’ll need advanced password security enforcement requiring at least one lower-case letter, upper-case letter, number, and special character in each password in addition to the length minimum. At least then your users have to get a little more creative.
Blacklist Worst Passwords
Another great move is to disallow all the most obvious lazy-password variations, whatever your rulebook happens to be. Compile the top 50 to 200 most common passwords and their easy variations. Then, politely inform users that their password is on a known hacker list when they try to use one of them.
Teach Users About Strong Password Security
Then, there’s the “teach a man to fish” solution. On your account creation page, offer a guide for users to quickly make up a secure password that they can actually remember. We prefer the joke acronym method. Write a joke that’s fun to remember, then transform it into a secure password variant. It will produce something like 9@gHtt5am every time. And, your users might learn how to keep more than your WordPress site secure.
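The three defenses above (character-class enforcement, a blocklist of the worst passwords, and the acronym method) fit in one small policy check. The following is an added example, not code from the original post: the blocklist is a constructed ten-entry stand-in for a real list of thousands, the normalization that collapses “Password1!” onto “password” is my own choice, and the letter-to-symbol substitution table in the acronym helper is an assumption rather than a published scheme.

```python
import re

# Constructed short blocklist; a production list runs to thousands of entries
# drawn from published breach-frequency data.
RAW_COMMON_PASSWORDS = [
    "123456", "123456789", "password", "111111", "qwerty",
    "sunshine", "iloveyou", "abc123", "12345678", "letmein",
]


def normalize(pw):
    """Reduce a password to the form attacker wordlists match on: lower-case,
    letters and digits only, trailing digits stripped, so that 'Password1!'
    and 'iloveyou2024' collapse onto their base words. All-digit passwords
    are kept whole so '123456' still matches."""
    base = re.sub(r"[^a-z0-9]", "", pw.lower())
    stripped = re.sub(r"\d+$", "", base)
    return stripped or base


COMMON_PASSWORDS = {normalize(p) for p in RAW_COMMON_PASSWORDS}


def check_password(pw, min_length=8):
    """Return the list of policy rules the password breaks (empty means accepted)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for pattern, label in (
        (r"[a-z]", "no lower-case letter"),
        (r"[A-Z]", "no upper-case letter"),
        (r"\d", "no digit"),
        (r"[^A-Za-z0-9]", "no special character"),
    ):
        if not re.search(pattern, pw):
            problems.append(label)
    if normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a known common password")
    return problems


def acronym_password(phrase, substitutions=None):
    """One way to implement the joke-acronym method: first character of each
    word, whole numbers kept as digits, and a few lower-case letters swapped
    for symbols. The substitution table is an assumption for this example."""
    subs = substitutions or {"a": "@", "s": "5", "o": "0"}
    out = []
    for word in phrase.split():
        if word.isdigit():
            out.append(word)
        else:
            first = word[0]
            out.append(subs.get(first, first))
    return "".join(out)


if __name__ == "__main__":
    for candidate in ("123456789", "Password1!", "9@gHtt5am"):
        print(candidate, check_password(candidate) or "accepted")
    joke = "my 2 cats ate 7 Small fish at noon"  # constructed phrase
    print(joke, "->", acronym_password(joke), check_password(acronym_password(joke)) or "accepted")
```

Returning the list of broken rules rather than a bare yes/no is what lets the sign-up form tell the user exactly why a password was refused, including the “this is on a known hacker list” message.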
3) Use of Stolen Passwords
Last is the type of password security problem that has become the most rampant since the aforementioned security measures became commonplace: use of stolen passwords. Once a hacker has infiltrated one insecure site, all the passwords they stole can likely be reused on other sites when paired with the same or similar usernames.
Even when a hacker has managed to steal a real user’s password and tries to access their account, there are still ways to defend your WordPress site (and users) from this kind of informed and equipped attack.
Periodic Email or Mobile Confirmation Codes
Email and mobile confirmation codes are the single best way to make sure that the person logging in is the real account-holder. If they are, they can easily log in to their email or grab their phone to get the code. A hacker cannot. And if the hacker has also gained access to the user’s email or phone, read on.
Detect New Devices, IP Addresses, and Locations
The next step is suspicious-login detection and response. If a user logs in from a new device, from a new IP address, or from a location miles from their normal login location, it’s a fair bet that the person behind the password is really a hacker. Especially if they fail at the password a few times first.
If your system detects a suspicious login circumstance, it’s time to enact email or mobile authentication, two-factor authentication, and anything else you can do to stop the hacker and alert the real account-holder. Do not let that login proceed until you have the confirmation.
Two-factor authentication provides personal confirmation when passwords have been breached. For example, a hacker may know someone’s password. They may even know their security question answers. But they won’t know that they always tap the picture of the blue kitten in an array of six photos, or that they like to draw a smiling sun between the dots in your second-factor authentication.
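The confirmation-code and new-device defenses described above combine into one decision flow, shown here as an added example that is not code from the original post or from any plugin. The user profile, device identifiers, IP addresses, country codes, server secret and timestamps are constructed; the rule that a new IP alone only notifies while a new device or country forces a second factor is an assumption for the example, and the confirmation code is derived with HMAC-SHA256 from a server secret, the user and the issue time rather than stored in clear.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the site remembers about a user's normal logins."""
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    recent_failures: int = 0


def assess_login(profile, device_id, ip, country):
    """Collect the suspicious-login signals for this attempt."""
    signals = []
    if device_id not in profile.known_devices:
        signals.append("new device")
    if ip not in profile.known_ips:
        signals.append("new IP address")
    if country not in profile.known_countries:
        signals.append("new location")
    if profile.recent_failures >= 3:
        signals.append("recent failed attempts")
    return signals


def decide(signals):
    """Map signals to an action. Thresholds are an assumption: a new IP alone
    is common (ISPs rotate addresses), so it only notifies; a new device,
    a new country or a run of failures requires a second factor."""
    if any(s in signals for s in ("new device", "new location", "recent failed attempts")):
        return "step_up"
    if signals:
        return "allow_and_notify"
    return "allow"


def issue_code(secret, user, issued_at, digits=6):
    """Derive a one-time confirmation code from a server secret, the user and
    the issue time. The server stores issued_at with the pending login; the
    code must be accepted only once and only before verify_code's ttl runs out."""
    msg = f"{user}:{issued_at}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    num = int.from_bytes(digest[:4], "big") % 10 ** digits
    return f"{num:0{digits}d}"


def verify_code(secret, user, issued_at, submitted, now, ttl=300):
    """Constant-time comparison plus expiry. Callers must also throttle guesses,
    since a six-digit code has only a million possible values."""
    if now - issued_at > ttl:
        return False
    return hmac.compare_digest(issue_code(secret, user, issued_at), submitted)


def handle_login(profile, user, device_id, ip, country, secret, now):
    """Decide what the login form does next once the password was correct."""
    signals = assess_login(profile, device_id, ip, country)
    action = decide(signals)
    code = issue_code(secret, user, now) if action == "step_up" else None
    return action, signals, code


def confirm_step_up(profile, user, device_id, ip, country, secret, issued_at, submitted, now):
    """On a valid code, remember the new device, IP and country as trusted."""
    if not verify_code(secret, user, issued_at, submitted, now):
        return False
    profile.known_devices.add(device_id)
    profile.known_ips.add(ip)
    profile.known_countries.add(country)
    return True


if __name__ == "__main__":
    secret = b"constructed-server-secret"  # constructed; keep a real one out of source
    alice = UserProfile({"dev-a"}, {"198.51.100.7"}, {"US"})
    print(handle_login(alice, "alice", "dev-a", "198.51.100.7", "US", secret, 1700000000))
    print(handle_login(alice, "alice", "dev-b", "203.0.113.5", "RO", secret, 1700000000))
```

In a deployment the code would be delivered by email or SMS and the pending login (user, issue time, device and address) kept server-side until `confirm_step_up` succeeds; only then does the new device join the trusted set, which is what keeps the next login from that device from being challenged again.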
Forced Periodic Password Updates
Finally, force your users to occasionally update their passwords. They will complain, and they will try to use the same password again. Don’t take it seriously. Challenge your users to use their brains and come up with a new password every six months to a year. It’s good for them, and it will probably keep their other accounts secure across the internet as they are forced to memorize something new.
Hackers love to attack passwords on WordPress sites because, by default, a WordPress site is not too terribly secure in the password department. The good news is that with professional-grade plugins and the right configuration measures, you can absolutely keep your passwords secure. Contact us today for more WordPress security insights!