
Strong Passwords in WordPress

John Locke is an SEO consultant from Sacramento, CA. He helps manufacturing businesses rank higher through his web agency, Lockedown SEO.

One of the best new features in WordPress 4.3 is the addition of strong passwords by default.

Why is this important?

How does this affect new users?

What should you do if you already have a user profile?

A Quick Overview of Passwords

Website security is always going to be a concern, no matter what platform you’re using.

WordPress is currently powering one out of every four websites (which is pretty damn impressive, when you think about it). This makes WordPress an attractive target for malicious hackers.

One of the easiest ways for a bad guy to get into your site is to exploit a weak password.

The fact is that most normal people have a fairly weak password. Check out this extensive analysis of ten million user passwords, and you’ll quickly realize how serious an issue this can be.

Automated brute force attacks are where a hacker bot simply tries to guess your password by running through a list of known passwords, dictionary words, common keyboard patterns, and even long quotes found online. Even the “leet speak” method of substituting numbers for letters is not as effective as people might believe against a brute force attack.

Whenever a large website has a database breach (and this happens with increasing regularity), all the passwords in that breach are dumped into future password-cracking databases, or pasted online for malicious hackers to use.

The online tool Have I Been Pwned? can tell you if one of your email addresses was involved in a database breach from a third-party site.

This is why it is important to have strong passwords that you do not reuse over and over again on multiple sites.

Strong Passwords Improve Security Substantially

All passwords have what is called “password entropy”. Simply put, this is a measure of how unpredictable your password is, and it determines how much time it takes a computer to run through all the possible alpha-numeric-symbolic combinations before it cracks your password.

For most users, this password entropy is still dangerously low.

Password entropy is why many sites require you to use uppercase and lowercase letters, symbols, or numbers in your passwords. The longer and more unpredictable a password is, the harder it will be to crack.

It’s important to note that simply having a long password is less effective if it is made up of common, easy to guess words.

Common words and numbers that are easy for you to remember also make it much easier for a bad guy to guess or crack.
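To make the difference between apparent and real entropy concrete, here is an added example (not part of the original post and not WordPress code) that estimates entropy in bits. The word list, the `MANGLE_BITS` allowance and the 24-character length are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed mini-list for illustration; real checks use large breached-password lists.
COMMON = {"123456", "password", "qwerty", "letmein", "dragon", "monkey"}
# Undo common "leet speak" substitutions before the dictionary lookup.
LEET = str.maketrans("0134$@5!7", "oleasasit")
# Assumption: about 2**10 case/substitution variants are tried per dictionary word.
MANGLE_BITS = 10
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def naive_bits(pw):
    """Upper bound: treats every character as an independent random choice."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def effective_bits(pw):
    """Caps the estimate when the password is a (mangled) dictionary word."""
    low = pw.lower()
    if low in COMMON or low.translate(LEET) in COMMON:
        return min(naive_bits(pw), math.log2(len(COMMON)) + MANGLE_BITS)
    return naive_bits(pw)


def passphrase_bits(n_words, wordlist_size):
    """Entropy of n words drawn at random from a list of known size."""
    return n_words * math.log2(wordlist_size)


def generate(length=24):
    """Random password from a CSPRNG; the length is an illustrative choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "letmein", generate()):
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits")
    print(f"3 common words (2,000-word list): {passphrase_bits(3, 2000):.1f} bits")
```

The character-class formula rates “P@ssw0rd” at about 52 bits, but once the substitutions are undone it is a dictionary word worth far less, while a randomly generated password keeps its full estimate.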

Here’s where the new strong password feature in WordPress comes into play.

Strong Passwords In WordPress

New sites running WordPress 4.3 or later will assign you an auto-generated strong password when you first install a site or sign up. While you always have the option to change this later, keeping the strong password makes your account significantly more difficult to crack.

This is all well and good for new users. But what if you already have a WordPress site? How do you change your password entropy to keep malicious hackers out?

You can log in and go to Users > Your Profile, and from there, scroll to the bottom of the page.

Find the section called Account Management. You should see a button next to New Password that says Generate Password. Click that button.

Generating Strong Passwords in WordPress

WordPress will generate a new strong password for you. To save this auto-generated password, scroll to the very bottom of your profile page, and click Update Profile.

Make sure you keep this new password in a safe place.

Strong Passwords Are A Step In The Right Direction

While no website is 100% un-hackable, you shouldn’t make it easy for bad guys to access your site.

Strong passwords require a little extra effort to keep track of, but it’s worth the small effort to keep your website that much safer.


2 comments on “Strong Passwords in WordPress”

  1. Hi John,

    I am using WooCommerce and if you do not put a number in the shipping method cost, it defaults to (Free) on the cart page.

    I have been digging around the php files in WooCommerce but cannot find where I can change this string from (Free) to (Enquire Price) or something similar.

    Do you have any ideas?


  2. Hi Jordan:

    The reason we cannot change shipping rates to say “Enquire For Price” with WooCommerce right out of the box is the Shipping Rates are looking for either a number or a formula to get a number. This is problematic if you’re unsure of how much it will cost to ship something to a specific address. I’ve been burned by guessing wrong myself, so I feel your pain.

    There are two ways you can go to solve this problem. One is to use a premium extension to let customers type in their address and calculate how much shipping will be. If you’re in the US, you could use the Woo extensions for the postal service or UPS:

    There are advantages to this method: the customer is more likely to complete the purchase, because they have the item in the cart.

    There are also disadvantages to this. The customer may see the shipping price and abandon the cart if it seems higher than their expectations. There is more work that needs to be done on the development and fulfillment end. Multiple origin addresses aren’t allowed.

    The other route is to use a plugin that returns a “Request A Quote” message, like this one: . I haven’t used this one, so I can’t vouch for it, but there are others similar to it.

    The disadvantage is the customer may not bother to contact you, or decide against purchasing altogether. But the main advantage is if they do contact you, they are seriously interested in buying your product.

    The other thing I like about this is the customer doesn’t get anchored around a price, only to see it shift when you add shipping.
