I see it all the time, basic security principles totally ignored by otherwise responsible people.  Maybe it's ignorance, maybe it's laziness, but in every case, it's totally unacceptable.  If you own a Website, and for every Website you visit, you must use strong passwords and keep them private.  By far, the biggest security threat you face is poor password security.  Here is a list of the most commonly used passwords in 2013, it's astounding to me that people would actually use such ridiculous passwords.  How do we know what people use as passwords?  Well, many times after a Website is hacked, the hacker will publish the user's passwords online.  Sometimes right before ( or after ) they use the same passwords to attack other popular sites.

When setting up your Website, you have to create a myriad of passwords.  Hosting, FTP ( or sFTP ), databases, and, of course WordPress itself requires a password.  There may be other places you need to create passwords, but one thing is certain if you want to be secure, they all need to be unique and strong.  You should never use simple passwords, things like names or common words, they should contain a combination of letters ( numbers capital and lower case ), numbers, and special characters, and make them as long as possible, at least 14 characters.  If trying to create strong passwords is tough for you, you can use this little tool we created to generate strong passwords and customized them to your needs.  And you should never use the same password twice.

We all hate passwords, and we really hate hard to remember passwords.  The good news is there are many great solutions.  Probably the best for most people is using some sort of password manager.  There are many on the market, I happen to love LastPass, but you can use any that has a good review.  The important thing is that your passwords be encrypted, never leave a password unencrypted.  This means post-it notes and basic files on your computer are unacceptable.  It also means never sharing passwords via email.

And when would you ever share a password?  Well, in most cases you shouldn't.  Even if you need to give someone, say your Web designer, access to your site or hosting, you should create a separate account for them with a unique password.  This is another one I see all the time, everyone in an organization sharing a password.  Think about it, if you give someone your password, what happens if they change it and lock you out?   Really, does this person truly need the keys to the castle, or could they do their job just as well with more limited access?  What if they aren't malicious, but are careless with it?  Just not worth the trouble.

When you create a separate user account for someone, you need a way to transmit the password to them.  No matter what, email is the wrong way to do this.  Email is sent in plain text, meaning anyone can see the contents of your email as it passes through the Internet, and someone or something is always watching.    If you are using a password manager as I recommend, there may be a built-in sharing feature, which is definitely your best option.  You could email the user name and call the person or even text them the password, as long as the password and user name are not sent via the same "channel".  Granted, this may not be considered truly secure, especially if they receive the password and text message on the same device, so I do recommend the more secure password sharing feature of a password manager.  

Here's what you need to remember about passwords:

  • Use strong passwords for everything.
  • Never use the same password twice.
  • If you are going to store your password, use an encrypted password manager.
  • Never share your password with anyone.
  • Do not send passwords via insecure method such as email.

Keeping your WordPress site secure is an ongoing task with many different layers.  Passwords are your first line of defense against the bad guys; you should pay close attention to how you manage your passwords.  If you are concerned about the security of your WordPress site, we can help.  To request information about securing or auditing your your WordPress site, contact our WordPress experts.