Summary: Use your browser or the password manager included with your antivirus (if it has one); use a password manager such as LastPass, Passpack or 1Password; generate passwords that contain numbers, uppercase and lowercase letters, and symbols using your password manager; activate two-factor or fingerprint authentication whenever possible.
I'll let you in on a little secret: I do not know (most of) my passwords. This might seem contrary to common sense, but I feel safer this way and I also know that it would be impossible for me to know them all by heart. Years ago, I used to have the same password (or a variation of it) for all my accounts.
When I started working on websites (or, more specifically, when I built El Jardín Vegano's website) I realized how important it was for me to have a unique and hard-to-guess password, I'll tell you why: Once my website showed up on the first page of Google's search results (yay!), it started receiving attacks directed to the backend or administration page. The hackers tried to access my site using the most common (and default) username "admin" and variations thereof. Even if I don't know specifically which passwords they tried, I assume they were also the most common ones. They tried for a long time but, fortunately, they were never able to access the backend of my site.
If your website allows your clients to register, it is extremely important that you do not have an easy-to-guess password.
Image what would have happened if I had used a common password and the default username. Not only would they have gained access to my site and my information, but they would have also gotten access to my clients' information! Clients who had trusted me and had created an account on my website to buy their products. This is the reason I decided to create this blog post because I also want you to have secure, strong passwords and I want you to be able to manage them easily for both your and your users' sake.
This does not mean that having a unique and hard-to-guess password will let you off the hook and that you will never be hacked because this obviously depends on how sophisticated the methods the hacker is using are and how experienced the hacker is, but at least it will be harder to achieve.
So which methods do I recommend? In short, they are:
Passwords such as "12345678" or "qwerty" are super-popular and people generally use the same password in many or all of their accounts (including their bank's!). What would happen if a hacker (or someone else) gains access to this password? They would immediately gain access to very important information about your personal life and even try to steal your identity.
So what can you do to avoid this? Well, for starters, you can create a completely random password for each one of your accounts. This password needs to be as unique and long as possible. Some strong password examples are:
Hey! Please don't use the passwords above. This is just to give you an idea of how to create a strong password.
Note that there are websites that restrict the number of characters or don't allow special characters. Try to always use the maximum number of characters possible (or at least 16) and mix uppercase and lowercase letters, numbers, and special characters to create a really strong password.
But how on Earth will you remember all of them? It's very easy! And no, my advice is not "write them on a notebook". There are a lot of programs available that can help you with this, whether you prefer to save them on the cloud or in your device.
If you're using an antivirus, it's possible that it includes a password management service and, if it doesn't, there are other programs you can download or add to your browser which can help you generate and store these passwords safely. Besides, if you use a browser such as Chrome, it can save your passwords to your Google account. The disadvantage is that this method only works if you're using your browser, but it doesn't work in apps on your phone or programs on your computer (unless you copy-paste the password).
This is probably the best way to keep passwords safe. Some of the most popular password managers are LastPass, Passpack, and 1Password. In this post, I'll focus on LastPass since it's the one I use to manage my passwords.
LastPass is a very popular password manager, that stores your encrypted passwords on the cloud. To see or use your passwords, all you have to do is remember one single password, called "master password". Their Android and iOS apps and their modern browser extensions allow you to have your passwords up-to-date, no matter the device.
With LastPass, you can also store your credit card information, your Wi-Fi password, addresses, safe notes, etc. and they will be equally stored under strict security measures.
Besides, if you struggle to create original, secure, and hard-to-guess passwords, LastPass includes a complex password generator that you can use to stop worrying about whether your passwords are good enough and it allows you to share your passwords securely with your contacts.
In case of an emergency where for any reason someone needs to know your passwords and you are unable to share them, LastPass allows you to add emergency contacts that will have access to your account if necessary (you can revoke access at any time and they can only access your account after a certain waiting period).
LastPass also has a security challenge feature, where it analyzes all your passwords and gives you a rating based on how complex they are, if they're used on multiple sites, etc. To give an incentive to security experts, LastPass has a bug hunter program that rewards those who find vulnerabilities in their software and report them to LastPass.
LastPass has a free plan and some premium plans, including one for families and another one for businesses. Right now, I'm using the free plan because it has basically everything I need.
Whenever possible, activate two-factor authentication or 2FA. You will then receive a notification on your phone (through an app or SMS) with a code that you'll have to enter on the login page of the account you want to access. I really recommend this option, since even if a hacker got access to one of your passwords, it would be unusable unless the hacker also has your phone.
But what if you don't have access to your phone and need to use a website where you've enabled two-factor authentication? No need to panic! Usually, websites that allow this type of authentication also allow you to download a file with authentication codes in case you lose access to your phone or don't have any Internet. Just make sure you don't give it a very obvious name when saving it like "pleaselookatmypasswords.txt".
Also, if your device allows fingerprint authentication, make sure you use it. It is easy to set up and can save you some hassle. The best way to keep your accounts safe is to use a combination of the above methods.
While it is basically impossible to stop hackers from trying to get into your site, there are quite a few things you can do to improve your website's security and make sure that at least it is really hard for them to be able to take control of your site.
In a nutshell, these are:
There is basically no excuse not to have an SSL certificate on your website on the 21st Century.
They help you encrypt your information (and your users' information as well) and it's a must if there's any type of login or password feature on your website (which every WordPress website has). Also, Google ranks websites with an SSL certificate higher than those who don't.
And the thing is, nowadays you don't even have to pay for one, thanks to Let's Encrypt.
Most hosting and domain providers allow you to add your own Let's Encrypt certificate to your website, and some of them even renew the certificates for you automatically.
However, some providers do not support Let's Encrypt out of the box. One of these companies is GoDaddy, but I would never use them to host my websites or domains anyway because of their involvement in animal rights controversies.
Another one is Namecheap, which is the one I currently use to host my websites and manage my domains.
While these companies don't actively support Let's Encrypt, you are free to install them on your own. The downside is you have to renew them yourself every three months but, they do provide an excellent alternative for those who host with them, giving 50 SSL certificates that are valid for one year and which they install automatically. You can also auto-renew them if you're comfortable with SSH, you just have to activate SSH on your cPanel and then follow this tutorial to enable automatic renewals of Let's Encrypt SSL certificates.
The other option is to purchase an SSL Certificate and add it to your website, the advantage of this is that purchased certificates actually come with a money guarantee or protection in case your data gets leaked, but until now I've found the Let's Encrypt certificates to be more than enough.
For your reference, this is a list that contains a lot of hosting providers that support Let's Encrypt.
My advice for this section: Use a hosting provider that supports Let's Encrypt or that provides you with their own SSL certificates for free, alternatively, install the certificate on your own.
This is one of the most common mistakes people make when building and managing their own WordPress sites. Upon installing, WordPress asks you to create an administrator account and most people choose to just write admin.
This is a huge security problem because you're basically giving away free information to hackers and you just made their lives a bit easier, because they don't have to spend time guessing what your most powerful user's username is.
Of course, it's as bad if you just use your website's or business' name as the administrator username (maybe only slightly better).
To illustrate my point, here are some screenshots from some of the sites I'm managing:
So, imagine the results above were from your site. How difficult would it be for them to guess your password?
My advice for this section: create a new administrator with a random username (I use LastPass to help me generate random usernames and passwords) AND create another user with no administration capabilities (so an editor, an author, or a subscriber) to create posts and manage comments. This is especially important if you have several people working on your site. Do not share your credentials and do not make everyone an administrator.
Ideally, your subscriber user would manage public comments, and your author or editor users would create posts. Your administrator user should only be used for backend stuff (updating plugins, changing colors, themes and whatever) and its name should never be shown on the frontend.
Also, make sure that you're not displaying your plain username, display your name or nickname instead or something else.
I already talked about this at length in my post about tips on keeping your passwords safe, but I'll make a small recap here.
Make sure that you only allow strong passwords on your site. While this option is not enabled by default on WordPress, you can use a plugin like No Weak Passwords or a more complex security system (I'll talk about this in my next tip).
In any case, using a password manager (such as LastPass) will allow you to generate secure passwords without going crazy by trying to remember all those numbers, uppercase and lowercase letters and symbols.
It should go without saying that using passwords like 12345678 should be a big no-no. Unfortunately, these passwords are still widely used and, if you use one of them, you could lose all your hard work.
Another thing is to never use the same passwords for every account you have. Again, a password manager, could help you improve the security of not only your WordPress website but also all your other accounts.
My advice for this section: Read my other blog post on password security and start using a password manager ASAP.
Sure, your hosting company might provide some security and protect your website from some attacks. But why take the risk?
It's better if you take control of your website's security (or hire someone with knowledge about it) and use a firewall to block hacker attacks, malware installation, etc.
A firewall program, such as Wordfence or Sucuri, can help keep intruders out and defend your website against scripts that could destroy your site, redirect your users to unwanted third-party sites, steal your users' information, etc.
You'll usually have to go through the whole installation and configuration options to see which ones make most sense for your site.
These firewalls also come with options to force strong passwords (so that users can't register on your site using passwords such as "password"), limit login attempts, block IPs, block non-existant or specificusernames, and more.
WordPress usually doesn't limit the number of times a user can try logging in to an account, which makes it an easy target for Brute Force Attacks (basically, trying out passwords until you get it right).
To avoid this, the best thing to do is to limit the number of times a user can try logging in to an account by using a firewall (see tip above) or a plugin such as Loginizer.
In my experience, someone who is a legitimate user of your site will use the "Forgot Password" option after a couple of tries. So, if someone tries 27 times they're mostly just trying to log in to someone else's account. I usually set my sites to 3 loggin attempts.
Now, there's always a chance that something goes wrong and your website gets hacked anyway. What can you do in such cases?
The simple answer is to make continuous backups of your site. If you installed your website through Softaculous, they have a nice backup option that you can use, which is useful as long as your server/host doesn't go down.
Another option is to use (yet) another plugin to take care of this for you. I currently use UpdraftPlus and make backups of my websites to my Google Drive. You can set it up to make backups as frequently as you want (on my most active sites I backup daily, while on others I might backup every week or every month) and you can also set it up to keep a set number of backups, I usually choose from 2-4 depending on how often I make changes to the site.
By default, WordPress allows user scanning through /?author=N scans and APIs, and the first user (the administrator) is always number 1. So, if someone adds this string at the end of your domain, they could easily figure out your administrator username even if it's not "admin".
To prevent this, firewall plugins such as Wordfence usually come with a nice checkbox that disallows user scanning. If someone adds the above string to your domain and you have this option enabled, they'll get a "Page Not Found" error instead.
Just make sure this option is enabled in your Wordfence security settings and you're good to go!