How to Implement WordPress Password Security Guidelines


Site security starts with your users. This post looks at how to implement the most effective WordPress password security guidelines!

Site security requires the participation of the users who access it. For example, while you need to secure your WordPress login page (as it’s a point of entry), the credentials your users choose need to be strong too. This makes it almost certain that a malicious user won’t get a free ride to your site.

For this tutorial, we’re going to look at how to implement WordPress password security guidelines. It’s going to cover some of the ground our companion article on WordPress password protection does. However, it will also talk about how you can make sure users follow those guidelines in line with your own strong password policy.

Why password security is so important

On the surface, this should be straightforward: strong passwords mean hackers and other malicious users will have a harder time breaking into your site. However, there’s more to consider here:

  • Strong passwords are only one link in the chain. However, without them, your secure shackles will corrode fast.
  • You can combat fake users or bots on your site through the need to set a strong password that changes often.
  • WordPress is a secure platform. However, WordPress’ popularity means it’s a common target. A strong (and thorough) password security policy will protect the site as a whole.

On the whole, robust, strong password security is vital for your website. In fact, WordPress includes functionality to help you set stronger passwords for signups and registrations.

How WordPress helps you implement strong passwords for all users

The website offers its own list of WordPress password best practices, but the platform now includes ways to encourage users to use strong passwords. You can test this out from your user profile page on the WordPress dashboard:

A WordPress profile page showing the password field.

The Account Management section includes two options by default, but one is of interest here. You can use the Set New Password button to open up a field that will autofill with a strong and unique password. All the user will need to do here is copy the password to store it (more on this later) and save the changes.

Setting a new strong password within WordPress.

However, if the user attempts to set a weak password, you’ll spot that the dialog and options change to reflect this:

Attempting to set a weak password within WordPress.

In cases like this, the user will need to confirm that they want to use the weak password using a checkbox. However, while it’s an extra step, most users will likely click the button and save the changes.

This isn’t ideal because it becomes one of your site’s vulnerabilities. Instead, you’ll want to implement a password security policy.

Why you need a solid password security policy for your site and users

We talk about password policies in our complete guide to WordPress password protection. However, to sum up, a strong password security policy will take the process out of the user’s hands for the most part.

As such, they won’t need to worry about sophisticated password-cracking bots, or brute force attacks. Instead, you can provide your users with a policy that fits your guidelines and let them continue to interact with your site safely.

However, it’s important to know what a strong password policy looks like. Let’s discuss this next.

The elements of a strong password security policy

One of the major benefits of a strong password security policy is that you can customize it to your needs and those of your users. However, there are a lot of WordPress password rules and policies you can put in place that can shore up your site and protect users:

  • You could ensure a minimum length for all passwords.
  • You’d also want to set up password expiration times. Otherwise, you’ll find the same users’ passwords will be in place for a long time, which is risky. Forcing expiry gives users the push to create new strong passwords.
  • WordPress user roles can have different password rules too. For instance, an Admin will arguably want a more stringent policy than a Contributor.

Later on, we’ll talk more about how to implement strong passwords using a dedicated policy plugin for WordPress. First, though, we’ll go through some essential elements of strong password security.

WordPress password security guidelines: a checklist

Next, let’s talk about some of the key password security guidelines your users should follow, and that you should implement. It’s a short checklist because, with a little care and thought, you won’t need many elements for all users to have strong credentials.

We’ll start with one of the most basic factors you can apply.

1. Make sure your password is long and strong

Much of the discussion around choosing a strong password values variety and random elements. For example, special characters can be important in a password you generate at random:

Generating a new password using an online tool.

However, if you take this same philosophy and implement it in the wrong way, you’ll likely end up with a poor password choice:

Substituting letters in a password with special characters, resulting in a weak password.

Instead, we now know that password length is more important to its strength than the variety of characters. This philosophy even finds its way into popular media, such as this password cartoon from XKCD:

An XKCD cartoon showing that password length is a stronger aspect than using special characters.

However, you’d do well to implement special characters and numbers too. After all, if you combine both length and variety, you’ll have even stronger passwords.

2. Use a password manager to store your credentials

One drawback to using long passwords is that they can be hard to remember, which is probably why typical advice often suggests using a mix of characters. In the past, we didn’t have the tools to create, store, and recall passwords. However, modern technology has a number of password manager apps to choose from.

The 1Password app logo.

Some of the most popular choices include 1Password and LastPass. Most browsers now include the ability to create and store passwords too. In fact, the three major players – Google Chrome, Apple Safari, and Mozilla Firefox – can all help users store passwords. However, this isn’t a good idea for optimal security.

The Brave browser password manager tool.

In many cases, these browsers will also have extensions to integrate with third-party apps. If you use a third-party app instead, for starters, you’ll keep your password data away from any potential browser vulnerabilities. What’s more, you’ll have an extra layer of security.

Most third-party password managers will offer encryption of your data, along with Two-Factor Authentication (2FA). In addition, you’ll have better quality-of-life features than the browser. For instance, most password managers will monitor your credentials and inform you if they are compromised.

3. Update the password on a regular basis

Updating your passwords is almost a non-negotiable element of password security. After all, no password is 100 percent secure, which means that the potential for it to be cracked and leaked on the web exists, regardless of how minute it may be.

Because of this, changing passwords for all of your logins is a necessary step for your WordPress site’s users to ensure a leaked or cracked password is no longer valid. We’d recommend an instant password change in any of the following scenarios:

  • If your WordPress site or account is hacked, breached, or you find malware on the server.
  • Company-wide data breaches are also a time when you’ll want users to change passwords. While you could focus on affected accounts only, it’s better to ask all users to change their passwords as a precaution.
  • If you choose to remove someone from your network, it’s a good idea to at least change the password for their account. Once you finalize everything, you can delete the user account altogether.

In some other cases, you’ll want to ensure that you change a password based on specific circumstances. For instance, many public Wi-Fi outlets will only offer an unsecured network to browse the web. If you handle sensitive information, you could fall foul of legal requirements to protect data in these situations. Because of this, and because using public Wi-Fi is not a good practice anyway, you’ll always want to change the password should you find yourself needing to use an unsecured network.

The best way to implement strong passwords for your WordPress website

WordPress’ own password security functionality is good as a basic way to help protect users, but it has shortcomings. Instead, WordPress plugins can close the gap and add the useful features you’ll need to implement a strong password policy and security.

A WordPress security plugin is vital for any website, but this might not always include everything you need to implement WordPress password security. This is why WPassword will be a good addition to your current security measures.

The WPassword plugin.

Once you install and activate WPassword, you’ll easily spot the plugin on the WordPress dashboard. The WPassword > Password Policies screen gives you your first task: toggle on the core policy functionality. Once you do this, you’ll see a whole host of options:

Toggling password policies within the WPassword plugin.

The password policy editor is powerful and contains all of the features you’ll need to enforce strong passwords on your site:

  • You can specify a minimum length for passwords and determine whether the password has to contain numerals, uppercase and lowercase lettering, special characters, and even block certain characters.
  • There’s a simple field to implement password expiration times based on your own needs and wants. You even have a one-click feature to reset passwords in bulk.
  • You’ll also be able to set timeframes for inactive users, at which point they will be automatically locked.

WPassword also includes more features to help you implement your WordPress password security policy. For example, you can choose to not allow for using older passwords. Even better, configuring each of these options uses the default WordPress interface of checkboxes and drop-down menus, with no code required.
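
As an added example (not WPassword's code and not from the original article), this is one way the minimum-length, character and per-role rules described above could be enforced in code through two WordPress core hooks, so that ticking the weak-password confirmation checkbox no longer lets a non-compliant password through. The function name, constant names and the lengths chosen are assumptions.

```php
<?php
// Added example, not WPassword's code; names and lengths are assumptions.
const EXAMPLE_MIN_LENGTH         = array( 'administrator' => 16, 'editor' => 14 );
const EXAMPLE_DEFAULT_MIN_LENGTH = 12;

// Return the policy violations for $password given the user's role slugs.
function example_password_violations( $password, array $roles ) {
	$min = EXAMPLE_DEFAULT_MIN_LENGTH;
	foreach ( $roles as $role ) {
		$min = max( $min, EXAMPLE_MIN_LENGTH[ $role ] ?? 0 ); // Strictest role wins.
	}
	$problems = array();
	if ( mb_strlen( $password ) < $min ) {
		$problems[] = sprintf( 'Use at least %d characters.', $min );
	}
	if ( ! preg_match( '/[0-9]/', $password ) ) {
		$problems[] = 'Include at least one numeral.';
	}
	if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
		$problems[] = 'Include both uppercase and lowercase letters.';
	}
	if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
		$problems[] = 'Include at least one special character.';
	}
	return $problems;
}
// Profile and user-edit screens: the new password is in $user->user_pass.
// WordPress slashes request data, so unslash before measuring it.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( empty( $user->user_pass ) ) {
		return; // The password is not being changed.
	}
	$existing = $update ? get_userdata( $user->ID ) : false;
	$roles    = $existing ? $existing->roles : array();
	if ( ! empty( $user->role ) ) {
		$roles[] = $user->role; // Role being assigned in this same request.
	}
	foreach ( example_password_violations( wp_unslash( $user->user_pass ), $roles ) as $msg ) {
		$errors->add( 'example_password_policy', $msg );
	}
}, 10, 3 );

// Reset form: the new password is in $_POST['pass1']; $user may be a WP_Error.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( ! empty( $_POST['pass1'] ) && $user instanceof WP_User ) {
		foreach ( example_password_violations( wp_unslash( $_POST['pass1'] ), $user->roles ) as $msg ) {
			$errors->add( 'example_password_policy', $msg );
		}
	}
}, 10, 2 );
```

Passwords set through paths that skip these two hooks, such as the REST API or WP-CLI, are not checked by this snippet.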

Wrapping up

If your WordPress site users don’t use strong passwords as a matter of course, you could be risking a security breach. This can have irreparable ramifications. As such, you’ll want to customize a dedicated password policy using WPassword.

The plugin lets you create a strong password policy and enforces it too. Your users won’t have to lift a finger, but you’ll ensure the security of your WordPress site is much stronger than before.

Do you have any questions about how to implement WordPress security guidelines on your site? Ask away in the comments section below!

Jessie Brown

Jessie is a former Editor at WP Mayor. With her vast WordPress experience having used it since its early days, she has a knack for knowing which products and companies are worth your time.
