This section describes the character strings that should not be used in the administrator password of a WordPress site.

WordPress administrator passwords

In around 20% of WordPress compromises, the administrator password is cracked and the hacker simply logs in as an administrator.

Hackers keep a dictionary of commonly used passwords and attempt to log in to WordPress with it thousands of times in order to discover the administrator password.

For this reason, it is a very important security measure to avoid passwords with the following characteristics.

Reference: list of the 10,000 most common passwords (Wikipedia)

Passwords that follow a simple rule
Examples: 123456, qwertyuiop, 7777777

Passwords that are too short
Example: a6ru7

Passwords containing meaningful words
Examples: password, wordpress, baseball

Passwords identical to the user ID, or only slightly changed from it
Examples (user ID is admin): admin, admin1234

Do not use such passwords even on a staging site (a site still under construction) or on a site that is not in use. In one of our clients' cases, a weak password was used for convenience on a staging site under construction, and that staging site was hacked.

Hackers run large numbers of automated attack tools against any site they can reach, so we recommend a strong administrator password even on a staging site or a site that is not in use.

What is a strong password?

A strong password has the following characteristics:

At least 14 characters.
Contains both letters and digits.
Contains no meaningful words.

Such a password would take about 7,000 years to crack by brute force, so it is unlikely to be broken even without additional protection on the WordPress login screen such as a captcha.

Reference: password strength check site

WordPress can automatically generate a strong password from the admin profile screen. We recommend generating your password there.
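As an added example (not code from the original article), the checks above written out as a small Python function: it flags the weak-password patterns listed earlier (simple sequences, too short, common words, a password that is the login name or a light edit of it) and confirms the three strong-password criteria. The short word list is constructed for this example; a real check would load the full 10,000-entry list referenced above.

```python
# Added example: password checks implementing the rules in this article.
# COMMON_WORDS is a constructed stand-in for the 10,000-entry common
# password list referenced above; a real check would load the full list.
COMMON_WORDS = {"password", "wordpress", "baseball", "admin", "qwerty", "letmein"}
MIN_LENGTH = 14
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_simple_rule(pw):
    """One repeated character (7777777), an ascending/descending run
    (123456), or a keyboard row typed in order (qwertyuiop)."""
    low = pw.lower()
    if len(low) >= 2 and len(set(low)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(low, low[1:])}
    if steps in ({1}, {-1}):
        return True
    return len(low) >= 3 and any(low in r or low in r[::-1] for r in KEYBOARD_ROWS)


def contains_common_word(pw):
    """Password contains a meaningful word from the dictionary."""
    return any(word in pw.lower() for word in COMMON_WORDS)


def resembles_user_id(pw, user_id):
    """Password equals the login name or is a light edit of it (admin1234)."""
    return user_id.lower() in pw.lower()


def weaknesses(pw, user_id):
    """Return the rules the password violates; an empty list means strong."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if has_simple_rule(pw):
        problems.append("simple rule")
    if contains_common_word(pw):
        problems.append("meaningful word")
    if resembles_user_id(pw, user_id):
        problems.append("resembles user id")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("letters and digits not mixed")
    return problems


def is_strong(pw, user_id):
    return not weaknesses(pw, user_id)
```

Run `weaknesses("admin1234", "admin")` to see every rule a candidate breaks at once; `is_strong` is the single yes/no check for a registration form.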

Preventing dictionary attacks by hackers

A strong password prevents administrator privileges from being taken by a brute-force dictionary attack, but it does not stop the attack attempts themselves, because, as mentioned above, hackers attack WordPress sites indiscriminately.

The following measures are effective in preventing dictionary attacks (brute-force attacks):

Introduce a captcha (a quiz that can only be solved by humans) on the login screen.

Change the URL of the login screen.

Prevent dictionary attacks via XML-RPC, WordPress's remote update mechanism.

Detect dictionary attacks and block the attacking IPs.

The above measures can also be set up easily with the [Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]. We hope you will try it.

Introduce basic authentication on the login screen.

Restrict the IPs that can access the login screen.

We hope this helps.