Join Jeff Starr for an in-depth discussion in this video, Implement strong passwords, part of WordPress: Developing Secure Sites.
- [Instructor] This video is all about using strong passwords to improve the security of your WordPress-powered site. Choosing strong passwords is one of the most important things you can do to keep your site safe and secure. Weak passwords are things like password, 1234, and other easy-to-guess phrases. Conversely, strong passwords contain numbers, upper- and lowercase letters, and in WordPress, they can also contain symbols, like these. Using a good random mix of upper- and lowercase letters, numbers, and symbols is a great way to create secure passwords.
Here are some examples. Instead of trying to remember strong passwords, try using a password manager, such as 1Password, Dashlane, KeePass, or similar. Doing so can simplify your online routine, and help you keep your passwords nice and secure. With WordPress, there are three key things to remember. The admin password is set when WordPress is installed. A password must be set for each new user, and passwords should be strong and changed frequently. When you install WordPress, you'll see the setup screen, and right here is where you set the admin's password.
WordPress does a good job of creating strong passwords, so go ahead and use it. Or, you can enter a custom password, if desired. There are many ways to create a strong password, but the easiest is to use an online password generator, like this one at strongpasswordgenerator.org. Just click the button to get a strong password, or take a moment to customize your options. Of course, you can and should change your password regularly after installing WordPress, but setting up a strong password from the get-go is a great way to begin your new site.
In addition to the primary admin account, you may also need to set up accounts for other users, which is done here on the users page. For existing users, just click the username and scroll down a bit. There, you will find the button to reset your password. This should be done on a periodic basis, according to your own security policy. And, for new users, click add new, fill out the details, and let WordPress generate a super strong password for the user.
Also, remember to copy this new password, because it won't be displayed again. And with that, we click the add new user button, and we're done. Real quick, here is what I was referring to a moment ago. Scrolling down to check our new password, we see that WordPress does not display it anywhere, so if we forget to copy it, we'll need to repeat the process, and generate a new password. In any case, strong passwords will help keep your site secure, and it's good practice to change them on a regular basis. I like to change my passwords every few months for most sites, but the ideal is probably something like every few weeks, or thereabouts.
To help with things like changing passwords and choosing strong passwords, here are some plugins worth checking out. Force Strong Passwords. This plugin forces your users to choose a strong password. Force Password Change, which requires users to change their passwords when they first log in, and Bulk Password Reset, which makes it easy to update all user passwords at the same time. And, there are way more plugins available at the WordPress plugin directory. Begin by searching for password, and then go from there.
There are plenty of great plugins available. Another important point: when installing WordPress, remember to change the default admin username from admin to something unique and difficult to guess. Attackers typically assume that the administrator's username is admin, so changing it to something, anything else, is going to block many automated attacks. Here are some names that you should avoid when creating users. Don't use admin, don't use your domain name, and don't use common names like administrator, demo, editor, author, login, and so forth.
Also, keep in mind that once you've installed WordPress, the admin username can't be changed via the user profile screen. So, to change the admin username, first create a new admin-level user, then log out as admin, log back in with the new admin-level user, and then delete the original admin user, and continue using your new account. In this video, we've seen how to create strong passwords, and change them for different users. WordPress provides built-in tools for doing this, and there are some great plugins available to make things even easier.
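The username and password rules from this lesson, as an added example that is not the instructor's code and not one of the plugins he names: a small WordPress must-use plugin that rejects the usernames listed above (plus the site's own domain) through the illegal_user_logins filter and enforces the video's mix of character classes on the profile, Add New User and password-reset forms through the user_profile_update_errors and validate_password_reset hooks. The 12-character minimum is this example's own assumption.

```php
<?php
/**
 * Plugin Name: Example password and username policy
 * Description: Added illustration for this lesson, not one of the plugins named in the video.
 * Drop into wp-content/mu-plugins/ to enforce the rules the video describes.
 */

// Logins the video says to avoid; the site's domain is added at runtime below.
const EXAMPLE_BLOCKED_LOGINS = ['admin', 'administrator', 'demo', 'editor', 'author', 'login'];

// wp_insert_user() refuses any login returned by this filter (case-insensitive).
add_filter('illegal_user_logins', function (array $logins): array {
    $host  = (string) parse_url(home_url(), PHP_URL_HOST); // e.g. example.com
    $label = explode('.', $host)[0];                        // e.g. example
    return array_merge($logins, EXAMPLE_BLOCKED_LOGINS, array_filter([$host, $label]));
});

// The video's definition of strong: upper- and lowercase letters, digits and symbols.
// The length floor of 12 is this example's assumption, not something the video states.
function example_password_is_strong(string $password): bool {
    return strlen($password) >= 12
        && preg_match('/[a-z]/', $password)
        && preg_match('/[A-Z]/', $password)
        && preg_match('/[0-9]/', $password)
        && preg_match('/[^a-zA-Z0-9]/', $password);
}

// Both wp-admin user forms and the reset form submit the new password as pass1.
function example_validate_password(WP_Error $errors): void {
    if (empty($_POST['pass1'])) {
        return; // no password change was requested on this form
    }
    if (!example_password_is_strong((string) wp_unslash($_POST['pass1']))) {
        $errors->add(
            'weak_password',
            '<strong>Error:</strong> Passwords must be at least 12 characters and mix upper- and lowercase letters, numbers and symbols.'
        );
    }
}

// Profile edit and "Add New User" screens in wp-admin.
add_action('user_profile_update_errors', function (WP_Error $errors, $update, $user): void {
    example_validate_password($errors);
}, 10, 3);

// Password-reset form reached from the login page.
add_action('validate_password_reset', function (WP_Error $errors, $user): void {
    example_validate_password($errors);
}, 10, 2);
```

Because errors are added to the WP_Error object WordPress already passes to these hooks, the forms redisplay with the message and the weak password is never saved.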