Importance of Implementing Strong Password Policies on WordPress Sites
Recently, Kanye West made headlines in the IT security world for all the wrong reasons. During his meeting with the US president, he was recorded unlocking his smartphone with the code 000000.
Kanye West has his personal iPhone inside the Oval Office, and his iPhone PIN is 0000. https://t.co/GGWMbM8J0G
— Ray [REDACTED] (@RayRedacted) October 11, 2018
Many security professionals made fun of this, and I do not blame them. Funny as it is to tech-savvy people, it is also a wake-up call: if you do not enforce policies, people see complex passwords as an obstacle and will always choose an easy one. This applies to everything, including bank PIN codes, online service accounts and user accounts on your WordPress sites.
WordPress Allows Users To Use Easy To Guess Passwords
As a WordPress site administrator, you can do a lot to improve the security posture of your site. For example, you can use MalCare’s Firewall and Hardening Service and install an activity log plugin for WordPress to keep track of what is happening on your site. However, none of that protects your site from weak passwords, and since WordPress gives your users the option to use weak passwords, some of them will.
WordPress Recommends Strong Passwords But Does Not Enforce Them
When users want to change or reset their password, WordPress suggests a very strong one, as shown in the screenshot below.
Users typically do not like strong passwords, and since they are given the option, they will pick an easy one. As the screenshot below shows, once you type in an easy password and tick the option “Confirm use of weak password”, WordPress accepts a weak, easy to guess password.
This is why it is important to enforce strong password policies on WordPress with a plugin. With strict policies in place, users no longer have the option to use easy to guess passwords that could jeopardize the security of your WordPress site.
Educating Your WordPress Site Users on Passwords
Policies are the best way to enforce strong WordPress password security on your site, but you must also do some homework so your users do not see the policies as an obstacle. If you introduce and enforce policies without educating the users, they will see them as a hindrance. Therefore, when you introduce password policies on your WordPress site, it is also very important to educate your users on:
- Why it is important to use strong passwords on a WordPress site
- What the risks to the site are when users use weak passwords
- What makes a good, strong password
- How to use a password manager, so they can use difficult passwords without having to remember them
When you educate your users, they will understand why they are using strong passwords, so they will be more willing to comply and will not see your password policies as something that makes their work more difficult.
How To Implement Password Policies in WordPress
To implement password policies on your WordPress site and require users to use strong passwords, you should use the Password Policy Manager for WordPress plugin. Getting started with this plugin is very easy: install the plugin and enable the password policies you want from the Settings > Password Policies menu entry.
With the Password Policy Manager for WordPress plugin you can enforce any of the following optional policies:
- Minimum password length
- Use of both upper and lower case letters
- Use of numeric digits
- Use of special characters
- Password expiration policy
- Disallow use of already used passwords
Once the password policies are enabled on your site, users are no longer allowed to reset their password to an easy one. The only way to reset or change a password is to meet the criteria set by your policies. For example, in the screenshot below the password does not contain numeric digits, so that policy is highlighted to alert the user, and the reset is refused until they add digits to their password.
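To show how such enforcement plugs into WordPress, here is an added example (not the Password Policy Manager plugin’s own code) that rejects passwords failing the length, case, digit and special-character rules listed above, using the core hooks WordPress fires on profile updates and password resets; the pp_* function names and the 12-character minimum are assumptions.

```php
<?php
/*
 * Drop-in (mu-plugin style) example: refuse weak passwords in WordPress.
 * Hypothetical helper names (pp_*); thresholds are assumed. Expiration and
 * password-history rules need stored state and are left out here.
 */

/**
 * Return a list of human-readable policy violations (empty array = password OK).
 */
function pp_check_policy( string $password ): array {
    $failures = [];
    if ( strlen( $password ) < 12 ) {                       // assumed minimum length
        $failures[] = 'at least 12 characters';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $failures[] = 'both upper and lower case letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $failures[] = 'at least one numeric digit';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $failures[] = 'at least one special character';
    }
    return $failures;
}

/**
 * Attach a WP_Error entry when the submitted password fails the policy.
 * Core puts the new password in $_POST['pass1'] for both the profile form
 * and the wp-login.php reset form, so one callback serves both hooks.
 */
function pp_enforce_policy( WP_Error $errors ): void {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change was requested
    }
    $password = (string) wp_unslash( $_POST['pass1'] );
    $failures = pp_check_policy( $password );
    if ( $failures ) {
        // Adding an error makes core abort the update/reset and show the message.
        $errors->add(
            'pp_weak_password',
            '<strong>Error:</strong> The password must contain ' .
            esc_html( implode( ', ', $failures ) ) . '.'
        );
    }
}

// Profile edit and "Add New User" screens: fires with ( $errors, $update, $user ).
add_action( 'user_profile_update_errors', 'pp_enforce_policy', 10, 1 );
// Password reset form on wp-login.php: fires with ( $errors, $user ).
add_action( 'validate_password_reset', 'pp_enforce_policy', 10, 1 );
```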
Exempting Users and Roles From Password Policies
The plugin also allows you to exclude specific users, or all users with a given role, from the policies. Even though it is not recommended, you might not need to enforce very strong password policies on users with the subscriber role. In fact, in future updates of the plugin, you will be able to configure different password policies for every WordPress user role.
Reset All Passwords on a WordPress Site
The plugin also allows you to reset all the passwords on a WordPress site with a single mouse click. When using this option, you can also choose to terminate all sessions instantly or to let users log out before being asked to reset their password. This feature is certainly handy if you suspect that a malicious hacker guessed some users’ passwords and might have gained access to your site.
Proactive WordPress Password Security
The security of your WordPress site depends on what you do as an administrator, but also on the passwords your colleagues use. Do not take risks – educate your site users to use strong passwords, and use a WordPress password policy plugin to require them.
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.