WordPress Security: Passwords – WPQuickies

In this lunchtime #WPQuickies, I’m continuing the series on WordPress security – this one is on using secure passwords.

WordPress Security – Useing Secure Passwords #WPQuickies webinar

Sun Tzu

Sun Tzu was a Chinese General, Strategist and Philosopher born around 512BC.

He wrote the bible in offensive and defensive strategy called The Art Of War and even today his words are relevant.

One of my favourite quotes of his is:

Even the finest sword plunged into salt water will eventually rust.”

Sun Tzu

So what does that mean in the context of website security today?

“Just because your site is secure today, doesn’t mean it can’t get hacked tomorrow, next month or next year.”

Wil Brown

You Are At War With Multiple Enemies

There are a tonne of botnets out there trying to automatically hack into websites and WordPress, due to its popularity, has a big target on its back.

Millions of websites are hacked every day for the same number of reasons.

Let’s try to make sure yours is not the next one by having a look at passwords.

Usernames & Passwords: Not Just WordPress

Remember that your WordPress website is built on a stack of other services. 

Don’t just secure your WordPress username and password, think about those other services such as: cPanel, email, FTP, SSH and MySQL.

Make sure those services have secure passwords as well.

Usernames To Avoid

Try to avoid these commonly targeted usernames:

admin, administrator, root, manager, debug, user, system, default, netman, superuser, guest, backup, sys, sysadmin, siteadmin, test, …

Why Avoid Username “Admin”?

A few years ago, web hosting companies offered a one-click WordPress install script.

This script installed WordPress along with a default user whos username was “admin”.

As such, many hackers now knew a username and only had to hack a password to get into the WordPress admin dashboard with administrator level priveleges.

Password Letter/Number Substitutions

Don’t replace letters with numbers or symbols.

Simple character substitution is weak.

butterfly = 8utt3rf1y

This no longer works and takes just a few days to crack!

This rather lengthy article from the National Institue of Standards and Technology (NIST) describes in great detail why simple character substitution no longer works.

Social Engineering

Social engineering is defined as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

For example if somebody calls you and asks for your mothers maiden name, your date of birth and current address for “proof of identification” – RED FLAG there!

Avoid personal / social information

  • Name and memorable dates: Bob1976, 2005Cindy
  • Fav footie club name, car rego, house number: Swans2017, CY35TG, 4/2044

Basically anything that is on public record that somebody could look up.

Social Engineering Must Reads

Two great resources to read about this are:

2003 The Art Of Deception, Kevin Mitnick

The Art of Deception Book Cover

2016 LastPass Survey The Password Paradox And Why Our Personalities Will Get Us Hacked

2016 LastPass Survey The Password Paradox And Why Our Personalities Will Get Us Hacked

Good Password Examples

Use a random 16 (at least) character password and include at least one uppercase, lowercase, number and symbol.


Or use 4 random common words stringed together:

correct horse battery staple = correcthorsebatterystaple

Why does the four random common words work well as a password?

Password Entropy

The following comic from https://xkcd.com/936/ demonstrates how using four random common words stringed together increases the difficulty of guessing the password (password entropy) compared to character/number substitutions from a base non-gibberish word.

comic from XKCD.com explaining password entropy.

For the sceptics, there is even a stack exchange question and answer about do four random common words make a stronger password?

What Is Entropy?

What is entropy and why is it useful?

What is Password Entropy?

Password entropy predicts how difficult a given password would be to crack through guessing, brute force cracking, dictionary attacks or other common methods.

Password entropy is calculated from the base character set being used (including uppercase, lowercase, number and symbols) and the length of the actual password.

Password Managers

The two most popular password managers are LastPass and 1Password.

Both work across multiple devices, have good user interfaces and use strong encryption to store passwords.

For me, LastPass is a clear winner due to its use of multi-factor authentication with lots of 3rd-party options such as Google Authenticator, whereas 1Password just uses a secret key.

You can read more about the comparisons between LastPass and 1Password on the Digital Trends blog post.

Two-Factor Authentication (2FA, Multi-factor)

You can use another external device to generate an authentication code which you can use in combination with your username and password to login to your WordPress website.

WordPress with Google Authenticator for 2FA
WordPress with Google Authenticator for 2FA

The idea of 2FA is that you are the only person with the device that can generate the authentication codes, e.g. mobile phone app, usb key.

I use the Google Authenticator plugin or Wordfence’s built in 2FA if Wordfence is being used on that site.

WordPress Password Storage

Passwords themselves are not stored in the database!

WordPress stores user passwords in the database as salted MD5 hashes using Portable PHP password hashing framework.

How WordPress stores password hashes in the database
How WordPress stores password hashes in the database

That means, if you have access to the database, you can replace the password field in the users table record with an online MD5 hash generator and gain access to the account.

WordPress will replace the has with a salted hash after you have logged in, using the salt table in the wp-config.php file.

Is MD5 Insecure?

The MD5 hash designed for high volume speed, not security.

MD5’s “collision resistance” of ~264 has already been broken but not resistance to preimages or second-preimages.

MD5 + salts is still a poor choice as it’s designed to be fast to generate the hash which modern computers can easily do.

Modern GPUs can generate billions of candidate passwords per second i.e. brute force so theoretically MD5 hashes alone (without salt) can be guess reasonably easily.

Replace MD5 with Bcrypt

Warning – if you do this, your user passwords cannot revert back to MD5!

The team at roots.io have created a plugin which replaces the MD5 hashing system natively used by WordPress with the newer PHP Bcrypt library.

You can download the plugin from https://roots.io/plugins/bcrypt-password/

It does require that your server PHP version is v5.5.0 or above. 

You can check your site’s PHP version from Tools > Health Check in the WordPress admin area.


I hope you can use the information in the security WPQuickie to keep your WordPress logins secure.

Join me every Thursday at 1 pm AEST for some more WPQuickies.

Suggest a #WPQuickies Topic

If you have an WordPress topic you’d like to see explained in 30 mins or under, fill out the form below.


Was this article helpful?

Leave a Comment

Your email address will not be published. Required fields are marked *

Keep In Touch With My Weekly Blog Email

A once-per-week daily digest of my posts from the week. No sales, no spam and I will not share your details with anyone else.


Wil is a dad, WordPress consultant, WordPress developer, business coach and mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.

Leave a Comment

Your email address will not be published. Required fields are marked *