Before you go to bed tonight, unlock your front door. Open the windows too. In fact, make sure you do it when you go away, and then put a note on the mailbox that you’re gone. That’s exactly the way a hacker sees a site with a weak login password, especially when the owner doesn’t log in often. Read on to see how to protect your site and keep hackers away.
Strong Login
There are two elements to your WordPress login and you need to be smart about making both hacker-proof. The first is your username and the other is the password.
Username
If your username is admin, you’ve just given hackers half of the combination to the lock on the front door of your site. If you did the 1-click installation of WordPress, that’s likely how you got admin as your default login. (Read Why the WordPress 1-Click Installation is Not Secure)
There is only one way to change your username and that is to create a new User with a better login and delete the old one. It’s easy to do, but be very careful. There is one critical step in it and if you miss it, you lose all of the posts and pages assigned to the old user. (BlogAid has a video tutorial on the User Profile and how to do this.)
Giving Hackers Clues
Are you advertising to hackers that you’re using admin as the first part of your login? Check your post meta data. It’s just below the post title and displays the byline and the date if you have those enabled. If the byline is admin, you’re advertising to be hacked. (See Invite Hackers and Shun Viewers with Bad Meta Data for examples.)
If you really want to invite hackers in, make few posts or tell folks on your social media sites that you won’t be logging in for a few days. Both things tell hackers you’re not looking at your site and they can break in undetected.
Good Username Examples
Your username needs to be at least eight characters and contain at least one capital letter and one number. You can have more of each, but it needs to contain at least one of each. WordPress is not fond of special characters in the username. Following are a few examples.
- MsBlogAid2
- Gypsy4Rose
Bad Username Traits
- Your name
- Your first initial and last name
- Less than eight characters
- No capitals or numbers
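The username rules above (at least eight characters, at least one capital and one number, nothing tied to your own name, and never admin) can be checked mechanically. The following is an added example written for this post, not code from WordPress or from BlogAid; the set of characters it treats as allowed in a username (letters, digits, space, underscore, period, hyphen and @) is an assumption about WordPress's default sanitizing, and the owner names passed in are whatever you supply.

```python
import re

# Rules laid out in the post (example code, not WordPress's own).
MIN_LENGTH = 8
# Assumed set of characters WordPress accepts in a username.
WP_ALLOWED = re.compile(r"^[A-Za-z0-9 _.\-@]+$")


def username_problems(username, owner_names=()):
    """Return the reasons a username is weak; an empty list means it passes.

    owner_names: names tied to the site owner, e.g. ("Mary", "Smith"),
    used to catch the "your name" and "first initial + last name" traits.
    """
    problems = []
    lowered = username.lower()

    if lowered == "admin":
        problems.append("admin is the default login every attacker tries first")
    if len(username) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in username):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in username):
        problems.append("no number")
    if not WP_ALLOWED.match(username):
        problems.append("contains characters WordPress does not allow in usernames")

    # Traits from the "Bad Username Traits" list that depend on who you are.
    for name in owner_names:
        if name and name.lower() in lowered:
            problems.append(f"contains the owner's name '{name}'")
    if len(owner_names) >= 2 and owner_names[0] and owner_names[1]:
        initial_last = (owner_names[0][0] + owner_names[1]).lower()
        if initial_last in lowered:
            problems.append("matches first initial plus last name")
    return problems


if __name__ == "__main__":
    # Constructed sample usernames: the post's two good examples and some bad ones.
    for candidate in ["MsBlogAid2", "Gypsy4Rose", "admin", "msmith", "marysmith1"]:
        issues = username_problems(candidate, owner_names=("Mary", "Smith"))
        print(f"{candidate:12} -> {'OK' if not issues else '; '.join(issues)}")
```

Run it and the two usernames the post recommends come back clean, while admin, a first-initial-plus-surname login and a name-plus-digit login are each flagged with the specific trait they violate.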
Password
Every password you use anywhere needs to be strong. Hackers use automated password-cracking software. It is very fast, and a weak password can be broken in less than a second. Don’t believe it? See for yourself. Go to How Secure is My Password and start typing. Below the input field is a status report that re-evaluates your password with each character you type. It will take 71,000 years to crack the first password I typed in. (See Good Password Examples below.)
How Passwords are Made Strong
While there might not be much difference to you between a lower case a and an upper case A, there is a huge difference to a password cracker. Each is a different character. Brute-force cracking software works by trying every available character in every position. It runs through all 52 letters (26 lower case and 26 upper case), all ten numeral characters, and all special characters like #%&! (not necessarily in that order). It has to do this for each character in the password.
The more and different characters you use, the harder the password is to crack.
Good Password Examples
It’s important to mix your password characters, but you need to create something you can remember too. Perhaps switching the number 0 with the letter o or substituting an exclamation point ! for the letter i are choices to consider. Here are a few examples that are all very strong.
- Gold!Rush69 – takes 71,000 years to crack. See, it just doesn’t have to be hard to remember to be strong.
- go!ng4(br0ke – takes 8 billion years to crack
- i8DaWh01eTing – takes 5 trillion years to crack
Weak Password Traits
- password123 – although it would take 16 years for a simple brute-force calculator to crack this password, the more sophisticated crackers know to look for common patterns such as a word followed by a few numbers. So, it’s not just the length or throwing in a few capitals that makes a password strong. Be sure to break up the pattern, just as the ! broke up the pattern in Gold!Rush69.
- Avoid using words and numbers that are connected to you like your name, your pet’s name, your birthday or anniversary, etc.
- If possible, avoid using whole words. Notice that the Gold!Rush69 example uses whole words, which would be far harder to crack if a zero were substituted for the o in Gold, and the u were taken out of Rush.
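The two ideas in the last few sections, that a brute-force cracker's work grows with the number of character classes and the length, and that a dictionary-aware cracker looks for whole words and word-plus-digits patterns, can be worked through in code. This is an added example written for this post, not code from the How Secure is My Password tool or from BlogAid, so it does not reproduce that tool's "years to crack" figures. The guessing rate of ten billion per second and the tiny word list are constructed assumptions; a real cracker uses a far larger dictionary.

```python
import string

# Character classes a blind brute-force search has to cover, with the
# sizes the post cites (52 letters, 10 digits, plus the special characters).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}

# Assumed guessing rate for the estimate (constructed figure, not from the post).
GUESSES_PER_SECOND = 10_000_000_000

# Constructed stand-in for a cracker's dictionary.
COMMON_WORDS = {"password", "gold", "rush", "admin", "welcome", "letmein"}


def classes_used(pw):
    """Which of the four character classes appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def alphabet_size(pw):
    """Size of the alphabet a brute-force cracker must search once it knows the classes in use."""
    return sum(len(CLASSES[name]) for name in classes_used(pw))


def keyspace(pw):
    """Candidates a blind brute-force search has to cover: alphabet ** length."""
    return alphabet_size(pw) ** len(pw)


def seconds_to_crack(pw):
    """Average-case brute-force time at the assumed rate (half the keyspace)."""
    return keyspace(pw) / 2 / GUESSES_PER_SECOND


def looks_like_word_plus_digits(pw):
    """The pattern the post warns about: a dictionary word followed only by digits."""
    stripped = pw.rstrip(string.digits)
    return stripped != pw and stripped.lower() in COMMON_WORDS


def contains_common_word(pw):
    """Whole dictionary words inside the password, which a dictionary attack exploits."""
    low = pw.lower()
    return any(word in low for word in COMMON_WORDS if len(word) >= 4)


def report(pw):
    years = seconds_to_crack(pw) / (365 * 24 * 3600)
    return {
        "classes": sorted(classes_used(pw)),
        "alphabet": alphabet_size(pw),
        "length": len(pw),
        "brute_force_years": years,
        "word_plus_digits": looks_like_word_plus_digits(pw),
        "contains_word": contains_common_word(pw),
    }


if __name__ == "__main__":
    # The post's own examples, plus Gold!Rush69 rewritten as the post suggests.
    for pw in ["password123", "Gold!Rush69", "G0ld!Rsh69", "go!ng4(br0ke"]:
        print(pw, report(pw))
```

Comparing password123 with Gold!Rush69 shows the brute-force side of the argument: the same length but an alphabet of 94 instead of 36 raises the keyspace by a factor of over 30,000. Comparing Gold!Rush69 with G0ld!Rsh69 shows the dictionary side: the rewritten form is one character shorter, so a blind brute force actually finds it slightly faster, but it no longer contains any whole word for a dictionary attack to latch on to, which is the point the post makes about substituting 0 for o and dropping the u.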
Change Your WordPress Login Password
Changing your password is very easy. Be sure you keep a copy of it somewhere safe.
From your Dashboard, go to Users. Then click on your User (it will be the only one in the list if you are the sole administrator). Scroll to the bottom of that page and you’ll find a section titled About Yourself. Just below your bio are fields to enter a new password.
While you’re there, if you haven’t filled in the rest of your User info, see this post on why you should and how to get the most out of it: How to Show Up Everywhere Online Consistently.
Rotate Your Passwords
You might also want to consider changing your password every quarter. I do this for all of my passwords and keep an Excel file with them. FYI, I keep that file on a thumb drive so if my computer gets attacked, they won’t find the master list. I also write the password cryptically. For example, if my password were Gold!Rush69, I might write it in that file as G!R69. So, even if someone gets the file, they still don’t have the password.
I have four master passwords for each type of account such as sites, social media, membership sites, etc. It’s easy to rotate them every quarter and just update the number at the end or the special character. The point is that you change them regularly and you don’t have to make it hard on yourself to be protected.
A Little Extra Insurance
Another thing you might want to add is a little plugin called Login Lockdown. After three missed attempts, it locks out that IP address for about an hour. Hackers hit that with their auto-cracking software and move on to an easier target.
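The lockout behaviour described above (count failed attempts per IP address, and after three of them refuse that address for about an hour, even if it then supplies the right password) is simple enough to show in a few dozen lines. The following is an added example written for this post, not the Login Lockdown plugin's own code; the IP addresses are constructed documentation addresses and the clock is injectable so the hour-long lockout can be simulated without waiting.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3            # as the post describes: three missed attempts
LOCKOUT_SECONDS = 60 * 60   # then locked out for about an hour


class LoginLockout:
    """Per-IP failed-login counter with a temporary lockout (example, not the plugin's code)."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so a test can control time
        self.failures = defaultdict(int)   # ip -> consecutive failed attempts
        self.locked_until = {}             # ip -> timestamp when the lockout expires

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: forget it and start counting afresh.
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def attempt(self, ip, password_ok):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip):
            return "locked"          # refused before the password is even checked
        if password_ok:
            self.failures[ip] = 0    # a successful login resets the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.locked_until[ip] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "failed"


class FakeClock:
    """Stand-in for time.time() so the example can move an hour forward instantly."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginLockout(clock)
    attacker, owner = "203.0.113.5", "198.51.100.7"   # constructed addresses
    # Three bad guesses from one address, then a correct password that is still refused.
    for ok in (False, False, False, True):
        print(attacker, guard.attempt(attacker, ok))
    print(owner, guard.attempt(owner, True))          # another address is unaffected
    clock.advance(LOCKOUT_SECONDS + 1)
    print(attacker, guard.attempt(attacker, True))    # lockout has expired
```

The detail worth noticing is that a locked address is refused before the password is compared at all, so a cracking tool that happens to hit the right password during the lockout learns nothing, and a second, unrelated address keeps working the whole time.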
How’s Your Site Security?
There’s a lot more to site security than just making your login hacker-proof. If you don’t know whether your site is secure, it probably isn’t. Most of the issues are easy to fix. If you want a review of your security on the front and back end of your site, and a list of exactly what needs attention and what’s okay, it’s fast, easy, and inexpensive to do.
All-around excellent advice (if annoying that we have to be so vigilant). I just went back to two old WP sites I started a few years ago and created a new user name/password for myself, but when I tried to delete the original “Admin” the system wouldn’t let me. I backed right off, but will figure it out.
Laura, be sure to log in with your new user info (and hopefully you made it different from your old user login). You’ll be able to delete the old user and, at that point, have the option to switch all posts/pages to the new user. Don’t miss that step!!!!