How Secure is My Password? 6 Tips to Strengthen Your Password Security

How Secure is My Password?

How secure are the passwords that you use to access your online accounts? And even more importantly, how secure is the password you use to log into your own WordPress website?

Throughout the years that you’ve been using the Internet, you’ve no doubt chosen dozens (if not hundreds) of different passwords and usernames. And if you’re like a lot of Internet users, you don’t put a lot of thought into the passwords you choose.

A 2019 Google study, in conjunction with Harris polls, found that nearly 66% of people use identical passwords across multiple online accounts. In addition, the study found that 13% of Internet users reuse the same exact password across ALL of their online accounts. And a full 52% use the same password for several (although not all) online accounts.

It’s important to understand that a secure password (and username) will help keep malicious hackers out of your website’s admin area. This protects your sensitive information, as well as the personal data and payment details of your site users.

It also helps protect your site content and keeps it from falling prey to a cyberattack.

Your Passwords Have Never Been More Important

At some point in everyone’s online life, they’ve stopped for a moment to wonder, “how secure is my password?” In fact, the mantra of choosing secure online passwords is so common that it has almost become a cliche.

Even still, you’d probably be surprised to know how many people don’t seem to care. As recently as 2017, the most common password in use was 123456.

And the second most common?


Yes, the word “password” was the second most commonly used password only a few years ago (see the hint at the top of the post).

But the reality is that using secure passwords has actually become more important as time has moved forward. With more technology use also comes more trust of our financial and personal data across higher volumes of apps and websites.

Unfortunately, it’s become harder to create strong, unique passwords that hackers can’t crack. It sometimes feels like hackers are always a step ahead, constantly developing improved algorithms quicker than most users are able to tighten up their login credentials.

You may be surprised to know that reusing passwords is more common among IT professionals than for the average Internet user. In fact, 50% of IT professionals admit to reusing old passwords on their work accounts. However, among non-IT professionals, only 39% do the same.

IT pros are also nearly as likely (49%) to share their passwords with other people as are other users (51%).

But what about when a breach happens? Certainly, the average IT pro knows that they need to change all of their passwords after experiencing an account takeover.

Unfortunately, only 65% of IT specialists change the way they protect their accounts and manage their passwords after a login breach. Conversely, nearly 75% of average Internet users take action on their accounts after experiencing the same.

But with all of the major hacks being reported around the world, it’s never been more important to be careful about how you log into your WordPress website. A recent report showed that over 80% of online data breaches are a direct result of stolen or weak passwords. And, unfortunately, over 70% of WordPress installations are highly vulnerable to attacks by hackers.

Have you ever wondered why WordPress is so heavily attacked by hackers?

The answer is that so many WordPress site owners use weak admin passwords that make it easy for hackers to find their way in.

And whether it’s your online banking accounts, social media profiles, or the WordPress administrator account where you manage your website, the use of strong passwords matters.

By not using secure passwords, you risk:

  • Spam bots (or humans) posting malware and spam on your site, ruining your brand and reputation
  • Getting locked out of your own site, or losing your site completely
  • Various other hacking attempts, where malicious attackers gain access to your site and steal the most sensitive information

Whether you’re operating a successful eCommerce website or a tiny personal blog, keeping it safe from attack is critical. Fortunately, it’s not difficult to do.

Tips for Choosing a Secure Password

Using Random Characters For Passwords

This is a password-generating method that you’re probably already familiar with. The method involves building your passwords by stringing random letters, numbers, and special characters together.

Passwords like this are very secure, and even more so if you follow some simple guidelines:

  • Use at least one letter, one number, and one special character (such as @ or *)
  • Use at least one lowercase and one uppercase letter
  • Make your password as long as you can. Every character you use in a password adds thousands (or millions) of different possibilities

Remember, a password of 12 characters will take 62 trillion times longer for a hacker to figure out than a password of only six characters.

As a WordPress site owner, this process should be the primary method by which you generate a strong and secure admin password. WordPress even lets you generate this kind of random password in the dashboard, or you can use an external password generator.

Of course, these kinds of passwords are extremely difficult (if not impossible) for you to memorize. Because of this, there is an entire industry of password tools, such as LastPass, that securely stores your passwords for easy access when you need them.

But in 2021, the random password approach may not be the best way for you to generate a secure password.

Multi-Word Passwords

One password-selecting option that has become increasingly useful in recent years is referred to as the multi-word password approach. This strategy involves the process of stringing random words together to create passwords that bots cannot guess.

This type of password would look something like “Deercloudgranitecheese.” While this approach may seem non-traditional, there is a lot of recent research that supports these types of pass phrases as being extremely secure.

Some studies have shown that they are even more secure than random passwords.

Beyond that, they’re easier for users to remember than randomly generated passwords, because you’re able to form your own word associations that only make sense to you.

If you’ve decided to use a multi-word password to secure your WordPress admin account, there are a few guidelines that you should keep in mind:

  • Choose words that are truly random and not associated with each other. If you run out of imagination, you can use a random word generator to help out
  • Using more words makes your passphrase more secure. It’s a good idea to use a minimum of four words in your passphrase
  • Always use different passwords for every account you access, including your WordPress admin dashboard

Remember, no matter the style of password that you choose to use, you always need to use a different one for every account you access. Make sure that the password you’re using for your WordPress admin dashboard isn’t in use anywhere else on the web.

Additionally, keep all of your passwords safely backed up in a secure location, and change them on a regular basis. It’s a good idea to set a calendar reminder to change your passwords every 90 – 120 days.

While doing so may sound like quite a hassle, simple precautions like this will protect your private data and the data of your site users. And you’ll never again need to ask yourself, “how secure is my password?”
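The two approaches described above (random characters and multi-word passphrases), as an added example that is not part of the original article: both are generated with Python's `secrets` module, and their strength is expressed in bits of entropy. The function names, the special-character set and the 32-word sample list are assumptions made for illustration.

```python
import math
import secrets
import string

# One character class per guideline: lowercase, uppercase, digit, special.
SPECIALS = "!@#$%^&*()-_=+[]{}"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)
ALPHABET = "".join(CLASSES)  # 80 symbols in total

# Constructed 32-word sample list so the block runs offline. It is far too
# small for real use; load a list of several thousand words instead.
SAMPLE_WORDS = (
    "deer cloud granite cheese anchor violin pepper harbor lantern meadow "
    "copper walnut saddle tunnel ribbon glacier pickle orchard bucket falcon "
    "marble thimble canyon velvet hammer lagoon mitten quarry biscuit compass "
    "trellis pebble"
).split()


def random_password(length=16):
    """Random password with at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redrawing whole candidates keeps the accepted ones uniformly distributed.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def passphrase(count=4, words=SAMPLE_WORDS, sep="-"):
    """Join `count` words, each picked independently and uniformly at random."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def password_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on the entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def passphrase_bits(count, wordlist_size):
    """Entropy of a passphrase, assuming the attacker knows the word list."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    print(random_password(16), f"{password_bits(16):.1f} bits")
    print(passphrase(4), f"{passphrase_bits(4, len(SAMPLE_WORDS)):.1f} bits")
```

With the 32-word sample list a four-word phrase carries only 20 bits; drawn from a 7,776-word list it carries about 51.7 bits, and each extra word adds about 12.9 more.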

Understand How Hackers Crack Your Password

Before we get into specific tips and help, you need to understand how hackers can crack your passwords. It’s not as simple as poor passwords like “password” or “12345” (though never, ever use those).

If you want to start using more secure passwords, the first thing to understand is that, in nearly every case, there isn’t a human hacker trolling around your WordPress login screen, testing potential passwords one at a time.

Rather, a sophisticated set of bots attempt dozens of login attempts every single second, running through all potential options until they find success.

This is the main reason why a common approach to security is to limit how many login attempts one user can make on your site.
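The login-attempt limit mentioned above, as an added sketch that is not code from the article or from any WordPress plugin: failures are counted per source IP and per username inside a time window, and a lockout follows once the threshold is reached. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Lock out a key after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds a key stays locked out
        self._failures = defaultdict(deque)  # key -> times of recent failures
        self._locked_until = {}              # key -> time the lockout ends

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        self._locked_until.pop(key, None)    # lockout expired or never set
        return False

    def record(self, key, success, now):
        """Record one attempt; return False if the key is locked out."""
        if self.is_locked(key, now):
            return False
        if success:
            self._failures.pop(key, None)    # a good login resets the count
            return True
        recent = self._failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
        return True


# Constructed sample events: (seconds, source IP, username, password correct?)
EVENTS = [(t, "203.0.113.7", "admin", False) for t in range(0, 12, 2)] + [
    (20, "203.0.113.7", "admin", True),      # correct guess, arrives during lockout
    (30, "198.51.100.4", "editor", False),   # one honest typo
    (40, "198.51.100.4", "editor", True),
]


def replay(events, limiter=None):
    """Feed events through the limiter and return the ones it refused."""
    limiter = limiter or LoginLimiter()
    blocked = []
    for now, ip, user, ok in events:
        # Counting per username as well as per IP catches bots that rotate
        # addresses, at the cost that a real user can be locked out too.
        keys = (f"ip:{ip}", f"user:{user}")
        if any(limiter.is_locked(key, now) for key in keys):
            blocked.append((now, ip, user))
            continue
        for key in keys:
            limiter.record(key, ok, now)
    return blocked


if __name__ == "__main__":
    for event in replay(EVENTS):
        print("blocked:", event)
```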

If you want to create a secure and strong password, it’s important to build one that’s incredibly difficult for bots to figure out. And if the password you choose is obscure enough, bots will give up on your site and move on to a target that’s easier to crack.

Whatever tricks and tips we come up with for more secure passwords, the hackers just respond accordingly and keep on cracking. It’s a losing battle of increasingly complex passwords that become more and more unusable.

There are ways you can make passwords work.

Even if you think you’re smart about your password, hackers have gotten a lot smarter about cracking them:

Brute Force

Hackers use brute force techniques to attempt millions of password combinations in short periods of time. There are tools that allow hackers to do this offline, working against stolen password data instead of your login page, so login limiters are often useless.

Password Breaches

Whenever hackers score a bunch of password data, they better understand how people come up with passwords. Not only do they have a whole pile of common passwords to work with, but they start to see patterns they can exploit.


Those brute force programs allow hackers to try all kinds of variations. So sticking a number or character on the end of a password doesn’t necessarily make it more secure.


Hackers know the same tricks you do for coming up with a password. They know that people will replace certain letters with numbers or symbols (e becomes 3, a becomes @, etc.). They know people will use words, phrases, or quotes. Whatever tricks you read about, hackers can also read about and devise rules to mimic and exploit those tricks. Ruh-roh.


You think your password is completely random, but the odds are it’s not. People are way more predictable than we think, and hackers can exploit that. Think a phrase from the Bible or a made-up word in literature is safe? Nope. Hackers are not only using dictionaries to find words that might be in passwords, they’re scouring Wikipedia, the Gutenberg Project, and YouTube for all kinds of common phrases, quotes, slang, and even made-up words that might make their way into passwords.
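A site can apply the same knowledge when a user sets a password. The following added example (not from the original article) undoes the tricks described above, namely appended characters, letter swaps and a site tag on a base password, and rejects the password if what remains is on a blocklist. The blocklist is a constructed sample, the function names are hypothetical, and every swap beyond e→3 and a→@ is an assumption.

```python
import re

# Constructed sample blocklist. A real check would load a large list of
# common and breached passwords (assumption, not from the article).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "dragon", "peanut"}

# Character swaps to undo. e->3 and a->@ are named in the article and %->u
# follows its pEan%t example; the rest are assumed common substitutions.
UNSWAP = str.maketrans({"3": "e", "@": "a", "%": "u", "4": "a", "0": "o",
                        "1": "l", "!": "i", "$": "s", "5": "s", "7": "t"})


def base_forms(password, site=""):
    """Return the simpler forms a password reduces to once common tricks are undone."""
    lowered = password.lower()
    forms = {lowered}
    # Trick 1: a site tag tacked onto a base password (pEan%tGOOG for Google).
    for n in range(len(site), 2, -1):
        tag = site[:n].lower()
        if lowered.endswith(tag) and len(lowered) > n:
            forms.add(lowered[:-n])
            break
    # Trick 2: digits or symbols stuck on the end.
    forms |= {re.sub(r"[^a-z]+$", "", form) for form in forms}
    # Trick 3: letters replaced with look-alike digits and symbols.
    forms |= {form.translate(UNSWAP) for form in forms}
    forms.discard("")
    return forms


def predictable_match(password, site=""):
    """Return the blocklisted word the password reduces to, or None."""
    hits = base_forms(password, site) & BLOCKLIST
    return min(hits) if hits else None


if __name__ == "__main__":
    samples = [("P@ssw0rd2021!", ""), ("pEan%tGOOG", "google"),
               ("123456", ""), ("vT9#qLm2&xRw", "")]
    for candidate, site in samples:
        print(candidate, "->", predictable_match(candidate, site))
```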

Best Password Strength Checker

There are several online tools you can use that will break down the strength of the passwords you use, then give suggestions on how you can improve them.

Some of these tools are:

  • RoboForm
  • PasswordMonster

However, if you put in a 12-character password of only letters and numbers, a bot could crack your password within three years. Of course, this is another good reason to change your passwords out on a regular basis.

A 10-character password containing only letters will take 58 minutes for a bot to crack. It’s amazing what difference two characters can make in providing security to your website.

When it comes to multi-word passwords, or passphrases, such as “Deercloudgranitecheese” you will see that it would take a bot 44 quintillion years to figure it out.

Can you now see how important it is to put some real thought into the passwords you use?

WordPress password security is about more than WordPress. It’s about keeping your digital life safe. And that all comes down to a little password.

In these digital days, we’re drowning in passwords. Your financial accounts, your social media life, your business website, and your eCommerce shopping binges are all protected by those passwords. And some random hacker wants to crack them.

If all those passwords are the same, you’re in trouble.

If those passwords are too short, too simple, too predictable, you’re in trouble.

If your WordPress password security isn’t up to the job, your WordPress site is in trouble.

Trouble can mean hours of your life wasted, business and work flushed, identity theft, credit trouble, and worse.

It sounds dire, and it can be—but we can help.

Choosing a Secure Username and Password For Your WordPress Admin Account

When we realize the size and scope of the threat that hackers pose to our websites, it’s natural to wonder, “how secure is my password?” And in the following sections, we’ll show you how to choose secure passwords and usernames, as well as how to check the security of the passwords you use.

Remember, if you already have a WordPress administrator account set up, it’s an easy process to choose a new password or select a different username. And the following principles apply to your WordPress account, as well as your other accounts throughout the Internet.

Pick a Strong Username

When someone starts talking about secure login credentials, the first thing you probably think of is your password. And with good reason. After all, a username isn’t quite as important as a password when it comes to your online security. It’s your password that ultimately locks your account from outside use.

But if a hacker is trying to gain unauthorized access to your site, your username will be needed to get in. By carefully choosing a secure username, you’ll make it more difficult for these hackers and spammers to find a way in.

This means that you should pick a unique username that’s not easy for hackers to guess.

One of the reasons that WordPress sites are hacked so often is that many WordPress site owners employ the username of “admin” for their administrator accounts. Of course, hackers know this and will often begin their hacking attempts by trying to log into your site using “admin” as the username.

Another common mistake is using personal details like your email address or name. These usernames are too easy for hackers to guess.

But at the same time, you really don’t want a username that’s completely random and obscure. After all, if you ever need to retrieve your WordPress password, you’ll need to remember your username. And if it’s a random series of numbers and letters, you may lose it.

If that happens, it will be very difficult for you to access your site.

To choose a secure username, follow these guidelines:

  • Keep your username simple. Avoid using special characters or too many random numbers
  • Make sure it’s memorable to you, and completely unique. Choose a phrase (or word) that has personal meaning to you, but that other people won’t be able to guess
  • Avoid using identifying or personal info in your username. It could easily fall into the wrong hands

One of your first thoughts may be that your admin username is displayed on your site every time you post or make a public comment. And a username such as “doglover92” may not be suitable on a business-related site. Additionally, wouldn’t the username be visible to any hacker who wishes to gain access to your site?

Fortunately, WordPress makes it easy to set your public display name to anything you choose. It doesn’t need to be your official WordPress username.

Beyond that, it’s very easy to change your public display name in WordPress. Therefore, you’re completely free to choose a WordPress admin username that’s memorable to you, simple, and secure. And you’ll never need to worry about how the username appears to the public.

If you’re highly concerned with personal privacy, you’re also able to use the Edit Author Slug plugin, which hides your username from the author archive page created by WordPress.

Top 5 WordPress Password Security Tips

1. Don’t Use Admin as a Username

We’ve hammered on this before, but do not ever use “admin” as your username. If that’s your username, change it. Change it now!

2. Limit Login Attempts

This might not stop hackers from cracking your password, but it will stop bots from hitting your login page with multiple attempts. Lock it down by limiting login attempts to your WordPress website.

3. Require Strong Passwords

WordPress password security is about more than just your password. If you’re using a 5-star, crazy good password but another admin has a weak password, your whole site is still vulnerable. But you can force all the users on your WordPress installation to use strong passwords. How strong these passwords really are is debatable, but at least no one will have simple five-letter passwords that would make hackers weep with joy.

5. Don’t Share Your Passwords

Sharing your password with random people can be as silly as randomly handing out extra house keys to people you don’t really know. If you have to give your password to third-party vendors, then change your password once the transaction is complete.

Boost Your Password Security With Strong Passwords

WordPress security has been a big issue in the past year and we’re taking it seriously. But one of the most important things you can do has little to do with WordPress. It’s all about your password. If you want your site to be safe, worry about your WordPress password security.

Strong, safe, unique passwords will protect not only your WordPress site but the rest of your digital life as well.

Once you’ve locked things down in WordPress, the next step is to make your passwords as strong as possible.

Here are some basic tips for strong passwords:

  • Different Passwords: The first rule of password security is to use different passwords for different sites. People are lazy and they use the same password over and over again. That’s easy, but all it takes is one breach and all your logins are compromised. Oops. It’s tough, but you need to use a different password for every site.
  • Be the same but different: One way to use different passwords you can actually remember is to have a base password that you can remember and then tack on something different for each site. You might add on the first few letters of the specific site. So if your password is pEan%t, then for Google your password might be pEan%tGOOG and for WordPress it might be pEan%tWORD. That’s simple and fairly predictable, so you might want something more complicated.
  • Don’t Be Predictable: That’s the second rule of password security—don’t do anything predictable. And you’re more predictable than you think. If you follow the rules for devising passwords in any article about creating passwords (including this one), know that hackers can read that article too.
  • Long Passwords: You want your password to be long. You don’t have to be crazy with it, but six characters is unacceptable. You want at least eight. Probably more. WordPress accepts spaces in the password field, so you can even make it a phrase.
  • Don’t Use Real Words or Phrases: Just don’t use an actual phrase. Hackers scour real world text (whether it’s proper English or not—and don’t think foreign languages are safe either) and use it to crack passwords. So if you’ve got a really long password that’s your favorite quote, it’s not nearly as secure as you think.
  • Use Weird Characters: Use upper and lower case letters, numbers and symbols in your password. Add some complication. Make it weird.

So truly strong passwords are ridiculously long, full of numbers, symbols, and random capitalization. They don’t contain any real words or phrases. And you have a different one for every single site.

So they’re basically impossible to memorize.

That’s no good.

Unless you get some help.

Use a Password Service

The solution to WordPress password security—and password security everywhere—is to use a password service such as 1Password or LastPass. This is software you install on your computer that creates crazy good passwords—we’re talking up to 50 characters of truly random gibberish—and then memorizes them for you. It uses browser plugins to auto-populate those impossible-to-memorize passwords. There are also apps so you can do the same thing on your phone or tablet.

So what keeps all these ridiculous passwords secure? You have a master password for the service that needs to be something you can remember. It locks down all these passwords on your computer, so even if it’s stolen hackers would need your master password to get at all your other passwords.

It’s a complicated security approach, but it works. It’s a solid way to keep your WordPress site safe, as well as the rest of your digital life.

Some tips for your password service:

A Good Master Password

The strength of your master password is crucial. This needs to be a strong password. It should follow as many of the rules above as you can manage. You’ll probably need to work at memorizing it, but it should be one of the last passwords you’ll ever need (woohoo!).

Passwords You Need to Type

Unfortunately, your master password isn’t the only one you’ll need to memorize. A password service won’t work very well on the password you use to get into your computer or have to type into your TV. An Apple password is another one you might be forced to enter fairly often and a password service might not always be there to help.

You should still use a password service to store and remember these passwords (so you don’t forget), but don’t use a crazy gibberish password you can’t remember. Come up with something that’s still strong but easy to remember.

Ideally, this list of passwords you need to remember can be counted on one hand. That sure beats the dozens and dozens of passwords you have for various financial, social, and business sites.

It Takes Time

Transitioning your entire online life to a password service is going to take some time. You need to enter every account into the system and change a lot of passwords. Think of every site you have a login for. It’s a little overwhelming. So getting the system up and running will take some time. But start with your important sites and power through. You’ll get there eventually.

Buy for Mobile & Desktop

You want your password service everywhere you go in the digital world, so that means buying the app for your mobile and desktop devices. In some cases that means two separate purchases. It’s a pain, but it’s just the cost of using the service where you want to use it.

The Power of Two-Factor Authentication

To really boost WordPress password security you don’t want to rely on a password alone. You want to use what’s called two-factor authentication. This is where logins require two pieces of information—something you know (your password) and something you have. Something you have can be accomplished with an app such as Authy that verifies who you are using your phone.

It adds an extra layer of security to your accounts. Google, Dropbox, Apple, Twitter, and Facebook all support it, so this isn’t fringe paranoia.

With the iThemes Security plugin, you can add two-factor authentication to your WordPress website.

How Secure Is My Password? As Secure As You Want It To Be

You want your password to be as secure as you can make it because it is the bridge that protects your information from the outside world. An easy password means easier access for people you want to keep out.

There are many important tools to employ when WordPress website security is important to you. One of them is the iThemes Security Pro WordPress security plugin. This tool will help you generate strong passwords, engage two-factor authentication, and keep your site locked down from hackers and malicious attacks that come in many different forms.

But remember, secure WordPress administrator account credentials are always the first line of defense against cyberattackers. It’s important to make it as difficult as possible for bots (or humans) to access your admin account.

The next time you find yourself asking, “how secure is my password and username on WordPress?” remember these two things:

  • Always choose a username that’s easy to remember, simple, and doesn’t contain any of your personal info
  • Opt for long passwords made up of letters, numbers, and special characters. Or, preferably, use a strong and random passphrase that’s secure and easy for you to remember

Lock Down Your WordPress Website

For the most rock-solid site security you’ll find in a WordPress plugin, try a powerful WordPress security plugin like iThemes Security Pro.

iThemes Security Pro, a WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
