Strong Passwords for WordPress

The purpose of a password is to prevent unauthorised access to an account. Therefore, logically, it should be hard to guess. This however means two things:

  1. Firstly, it should be hard to guess by humans.
  2. Secondly, it should be hard to guess by computers.

The most common mistake non-technical people make is to focus on the first one thinking that the second one will be taken care of as well. This is, to put it bluntly, very bad practice because the way computers (ie hackers) “guess” passwords is completely different to how humans guess passwords.

A human will attempt to guess your password based on information they might know about you, such as your name and surname, date of birth, other family members’ names, places you live, etc.

A computer on the other hand takes a different approach. Because of the sheer speed at which a computer can try different combinations of letters and numbers, what makes it difficult for a computer is not how “unexpected” a password is but how long it is.

So here are the rules to follow to have strong passwords for your WordPress accounts (or indeed an account):


Rule #1: Avoid common words 

Just don’t use words, combinations, and phrases which are easily guessable. Some of the most common passwords people use — which you should avoid — include:

  1. 123456
  2. Password 
  3. 12345678 
  4. qwerty 
  5. 12345 
  6. 123456789
  7. letmein 
  8. 1234567 
  9. football 
  10. iloveyou 
  11. admin 
  12. welcome 
  13. monkey 
  14. login 
  15. abc123 
  16. starwars 
  17. 123123 
  18. dragon 
  19. passw0rd 
  20. master 
  21. hello 
  22. freedom 
  23. whatever 
  24. qazwsx 
  25. trustno1

Rule #2: Use a passphrase

It’s a small but important distinction to think of your password not as a “word” but as a “phrase”. A phrase is longer than just one word and passphrase length is the most important thing you can use to make it hard for a hacker to crack. This is because for each additional character you add to your passphrase, the possible combinations of letters and numbers a computer would need to test increases exponentially.

For example, let’s say you’re tempted to use the word “paris” as your password because you just had a great holiday there. A brute force attack script will guess this password in 0.20 milliseconds. Way less than it takes you to type it.

Try instead using a passphrase like “wehadsomuchfuninparis” and you’ll find its unguessable by a computer because it would take an infinite amount of time for a computer to guess all possible 20 character combinations.


Rule #3: Add numbers or special characters

A lot of sites recommend this. While length makes the biggest difference, adding more than just alphabet letters to your passphrase — eg wehadsomuchfuninparisin2019 — makes it even harder for a computer to guess because now, the total number of characters it needs to try out has grown from 26 (the alphabet) to 36 (alphabet plus numbers).


Rule #4: Use different passphrases

However cool and long your passphrase is don’t repeat it. There’s always a risk it will somehow be compromised and if you make a habit of using the same password for different services the attacker will suddenly have access to several of your accounts.


Rule #5: Use a password manager

However much you’re on board with security and strong passwords, it doesn’t change the fact that its hard to remember them — especially if they’re lengthy and complex as they should be.

A good way around this is to use a password manager like Google Smart Lock, 1Password, or LastPass.


Rule #6: Don’t rely on passwords only

Finally, make sure that you have two-factor authentication and some kind of brute force attack protection as additional security.