Recently I watched a TED talk by Lorrie Faith Cranor entitled “What’s wrong with your pa$$w0rd?”(see below).
In it, she discusses her research, based on studying 1,000’s of real passwords.
While her TED talk doesn’t directly relate to WordPress, it should make you pause and reassess your password for WordPress.
Brute Force Attacks
A Brute Force Attack is just what it sounds like. Like the Big Bad Wolf, it tries to get access to your site by huffing and puffing again and again until it knocks your door (password) down.
These attacks tries usernames and passwords, over and over again, until it gets in.
Since many people set up an “admin” account for their site, these attacks slam sites with the username admin and try cracking your password.
Password & Username Protection
So how does some one protect their WordPress site from these types of attacks?
The most obvious is to avoid the “admin” username.
If you want to keep “admin” as a username, make sure you have a secure password. Avoid passwords like “password”, “iloveyou”, “monkey” etc.
If you are still using the “admin” username and want to change or delete it, make a new account, transfer all the posts to that account, and then delete “admin” or change it to a subscriber role.
Some other bad passwords from Slate.com are “123456”, “12345678”, “qwerty”, “abc123″,”123456789”, “adobe123″,”admin”, “letmein”, “shadow”, “sunshine”, “password1”, “princess”, “azerty”, and “trustno1”.
- Things to avoid when choosing a password:
- Any permutation of your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best)
There are also a number of plugins for WordPress that will limit the number of login attempts before it locks the account. One of them is “Limit Login Attempts”.
Another plugin that works a bit differently is “Login LockDown”. This plugin limits the maximum login retries to 3. So like in baseball, 3 strikes and you’re out (at least for the next 5 minutes). After sitting out for 5 minutes you can try again. If your password is entered wrong again, the delays will keep growing until you are finally totally locked out for an hour.
Take action today. If you haven’t changed your password in a while. Change it today.
If you have a Word Press site and don’t know how to make these changes, give us a call.
The last thing you want is for some hacker or bot to wipe out your site or bank accounts.