Protect your website by hardening your WordPress: Hard Passwords

WordPress is one of the most popular content management systems (CMS). I personally think it’s fantastic and recommend it often. But the default installation, and many older installations, may have a few security weaknesses that you can easily improve. With the popularity of the software comes a big red bull’s-eye on your site for hackers. Save yourself some trouble and take these steps to avoid future problems.

Why would someone want to target my site?
They probably aren’t targeting your site. Chances are it’s all automated and your site is just in a list of sites being systematically attacked in hopes that something will be vulnerable. It’s not necessarily your site, it’s any site they want to get into.

According to the site WordPress Security, the two main objectives for an attack are

  • Code Injection – adding code that places ads or phishing links on your site.
  • Back Doors – finding access to your web server to use it to attack other sites.

Here are some ways to keep hackers at bay:

Hard Passwords

Even if you cannot do anything else to harden your WordPress site, you should have a hard password.

What is a hard password? It’s easier to define a hard password by explaining what it is not: easy to guess.

In 2010, the Gawker Media servers were compromised and the hackers were able to get access to user passwords. The Wall Street Journal analyzed the password list and reported some embarrassing passwords that will make you want to slap your forehead. Your passwords should NOT be on that list. Anywhere.

Here are some real gems:

  • 123456
  • password
  • 12345678
  • qwerty
  • abc123
  • 111111

Those passwords were some of the most frequently used passwords on the list. If you use those passwords, or passwords like them, on any site, change your ways and change your passwords.

There were many others that might seem secure, but because they are well known and commonly used, they are not secure at all.

For example:

  • trustno1

Even though that password uses more than one word and adds a number to the end, it’s from The X-Files and, even worse, it was in the Gawker password list. At this point, everyone knows it. Never use it.

Also, to be clearer: the scheme of adding a number to two dictionary words is not very complicated. Number in the middle, number at the beginning, number at the end, more than one number. It doesn’t matter. Even a simple computer could whip up a list of candidates from an English dictionary and guess that password in next to no time.

In a sense, the less common your password, the less likely it is to be guessed. To make it uncommon, you need to be really creative or use a random password generator. It’s better if you can be creative, because you can probably remember a password you made up, or reconstruct it from a mnemonic or some pattern you use.

There is an interesting article at World Start about how to make a password scheme based on initials and numbers.

ks86jw03ts92ctb02

Although some would argue that it’s not necessarily the best password ever, it’s much better than what most people have been using thus far.

Yeah, yeah, I know what you’re thinking, “How the heck am I supposed to remember that thing? It’s 17 random letters and numbers!” Read on.

That password is as easy to remember as any other – if you understand how it was constructed:

It’s based on a fictitious Smith family with a daughter named Kelly and a son named Tyler. They have a 2003 Jeep Wrangler and an 02 Chevy Trail Blazer. Now, let’s take those facts and look at the password again:

ks86 – Kelly Smith, born in 1986
jw03 – Jeep Wrangler, 2003 model
ts92 – Tyler Smith, born in 1992
ctb02 – You guessed it, Chevy Trail Blazer, 2002 model year.

You may be able to come up with something based on different things, but just as easy to remember.

If you can, I would recommend throwing in something seemingly random, like parentheses or percent symbols, too.

Another interesting article at Free Software Magazine goes into detail about creating hard passwords, but also describes a mnemonic for a sample password:

“vhGT%Xz2” could become “Ve haven’t Gotten Ten percent Hex sleep, too!” or some similarly silly meaningless phrase. Our brains are capable of easily substituting one symbol for another. I wouldn’t trust this phrase for a password I only used occasionally, but for one you use several times a day, you’ll remember it in no time.

You may have to compare the password to the phrase carefully to see how/why it could make sense to a user. That’s kind of the goal though: a password you can remember and is hard to guess. Even someone who knows you would have almost no chance of ever figuring this one out.
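The three constructions discussed above (two dictionary words plus a number, the initials-and-years scheme behind ks86jw03ts92ctb02, and the eight random printable characters of vhGT%Xz2) can be compared numerically. This is an added Python example, not code from the original post or the articles it cites; the 50,000-word dictionary size and the guessing rate are assumptions, and the blocklist is constructed from the leaked passwords quoted in this post.

```python
import math

# Constructed blocklist: the leaked passwords quoted in this post.
KNOWN_BAD = {"123456", "password", "12345678", "qwerty", "abc123", "111111", "trustno1"}

def scheme_bits(*choices_per_slot: int) -> float:
    """Bits of search space for a password built from independent slots.
    Each argument is the number of values one slot can take; the result is
    log2 of how many candidates a guesser must enumerate in the worst case."""
    total = 1
    for n in choices_per_slot:
        total *= n
    return math.log2(total)

def compare_schemes(dictionary_size: int = 50_000) -> dict[str, float]:
    """Upper-bound estimates for the constructions in the post. dictionary_size
    is an assumption (a modest English word list); letters and years are treated
    as uniformly chosen, which flatters the structured schemes."""
    initials_year = 26 ** 2 * 100  # two initials plus a two-digit year, e.g. ks86
    return {
        # two dictionary words plus a one- or two-digit number in one of three positions
        "two words + number": scheme_bits(dictionary_size, dictionary_size, 100, 3),
        # ks86 jw03 ts92 ctb02: three 2-letter blocks and one 3-letter block, each with a year
        "initials + years (ks86jw03ts92ctb02)": scheme_bits(
            initials_year, initials_year, initials_year, 26 ** 3 * 100),
        # vhGT%Xz2: eight characters drawn from the 94 printable ASCII symbols
        "8 random printable (vhGT%Xz2)": scheme_bits(*([94] * 8)),
    }

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second

def check_password(candidate: str, min_length: int = 12) -> tuple[bool, str]:
    """Defender-side policy check: reject known-leaked passwords outright,
    then enforce a minimum length. Returns (accepted, reason)."""
    if candidate.lower() in KNOWN_BAD:
        return False, "appears on a published leaked-password list"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"

if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        # 1e9 guesses/s is an assumed offline hash-cracking rate, not a measurement
        print(f"{name:40s} {bits:5.1f} bits, {seconds_to_exhaust(bits, 1e9):.3g} s to exhaust")
    for pw in ("trustno1", "TrustNo1", "ks86jw03ts92ctb02"):
        print(pw, check_password(pw))
```

The two-words-plus-number scheme lands near 39 bits, which an offline cracker exhausts in minutes at the assumed rate, while the structured 17-character scheme is roughly 69 bits even though it is made of nothing but initials and years.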

If you really don’t feel very clever, or you absolutely must have a secure password, you could use a random password generator. This isn’t the best approach though. Chances are you will not be able to remember it. If you can’t remember it, you’ll need to save it someplace. You’ll probably need to put it in a file on a computer. If it’s on a computer, chances are the computer storing this password is protected by a password you can remember that isn’t as complicated as the one you are protecting. Then you are back to creating security risks for a password you must keep secure.

There are many reasons you should avoid random passwords unless you really feel you must. Otherwise, you should really try to come up with a pattern or mnemonic that makes sense to you and is easy to remember.

Read the next topic in my Hardening WordPress series: Protect your website by hardening your WordPress: Admin User

About Eric Holsinger

Eric Holsinger has broad background in web and mobile application development. He founded Whirlidoo, LLC in 2010 to create custom mobile applications and better websites.