Securing Your Site: Passwords

While having an SSL certificate on your site can give your website visitors peace of mind, one of the easiest and most important things you can do to keep your site secure is to choose strong passwords. Just last week, I worked on a website for a friend whose password was pass1234. And with the user name admin, it’s not hard to figure out how her website was being used by hackers to peddle stolen college essays. (It could have been much, much worse.)

When you create a new user (from the Dashboard, go to Users > Add New) or reset a password (Users > All Users > Username > New Password), WordPress shows a password strength indicator. If you can’t think of a strong password, you can use the Password Generator feature.

Here are tips for creating strong passwords:

1. Make it complicated: use upper and lower case letters, numbers and symbols.
2. Make it long: WordPress recommends a minimum of six characters, but the longer the better – 10-50 characters is much harder to crack.
3. Make it a mix: A long string of numbers or a phrase isn’t enough. Mix in upper and lower case letters, numbers and symbols throughout.
4. Make it new: Don’t recycle old passwords.
5. Make it up-to-date: Change your password every 3-4 months.
6. Make it forgotten: Don’t store your password on your computer unless you are very, very sure of its security.
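
To see how tips 1 through 4 play out on real strings, here is a small checker written for this article as an added example; it is not the WordPress strength indicator or any plugin's code. The thresholds `MIN_LENGTH` and `MAX_RUN`, the function names and the sample passwords are assumptions made up for the illustration.

```javascript
// Added example: checks a candidate password against tips 1-4 from the list above.
// MIN_LENGTH and MAX_RUN are assumed values for this sketch, not WordPress settings.
const MIN_LENGTH = 10; // lower end of the article's "10-50 characters"
const MAX_RUN = 4;     // longest allowed stretch of one character class (assumed)

function charClass(ch) {
  if (/[a-z]/.test(ch)) return 'lower';
  if (/[A-Z]/.test(ch)) return 'upper';
  if (/[0-9]/.test(ch)) return 'digit';
  return 'symbol';
}

// Length of the longest run of consecutive characters from the same class.
// A word followed by a few digits scores high here even if it uses every class.
function longestRun(password) {
  let best = 0, run = 0, prev = null;
  for (const ch of password) {
    const cls = charClass(ch);
    run = cls === prev ? run + 1 : 1;
    prev = cls;
    if (run > best) best = run;
  }
  return best;
}

// Returns the names of the tips the password fails; an empty list means it passes.
function checkPassword(password, oldPasswords = []) {
  const failed = [];
  const chars = [...password];
  if (new Set(chars.map(charClass)).size < 4) failed.push('complicated'); // tip 1
  if (chars.length < MIN_LENGTH) failed.push('long');                     // tip 2
  if (longestRun(password) > MAX_RUN) failed.push('mix');                 // tip 3
  const lowered = password.toLowerCase();
  // Tip 4: changing only the capitalisation of an old password is still recycling.
  if (oldPasswords.some((old) => old.toLowerCase() === lowered)) failed.push('new');
  return failed;
}

// Constructed samples; 'pass1234' is the weak password mentioned in the article.
// Do not use any of these as a real password.
for (const pw of ['pass1234', 'Password2024!', 'tR7#mq2!Zp9&xL4w']) {
  const failed = checkPassword(pw, ['Pass1234']);
  console.log(pw, '->', failed.length ? 'fails: ' + failed.join(', ') : 'passes');
}
```

The middle sample uses all four character types and is 13 characters long, yet it still fails tip 3 because it is just a dictionary word with a year and a symbol tacked on the end.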

We know: complicated passwords are a chore to create, and even more so when you have to type them into the login screen, especially if you’re on a mobile device. We’ve found a plugin that makes that part of it easy, at least: hideShowPassword by Barry Ceelen.

This plugin works like any other WordPress plugin. To install it:

1. From your Dashboard, go to Plugins > Add New.
2. In the Keyword search box at the top of the page, type in hideShowPassword.
3. WordPress will show several similarly-titled plugins; select the one by Barry Ceelen. (Note: ALWAYS check the author when installing a new plugin to make sure it matches the one you’re looking for.)
4. Click on the Install Now button in the plugin box, and then click Activate.

There’s nothing else to do for this particular plugin; the next time you log in, you’ll be able to toggle your password visibility on and off.