We will explain the latest password policy (how to choose passwords consistently) for WordPress sites that have multiple administrators and editors (contributors).

How to determine WordPress passwords, password policy

The way passwords are determined has changed over time.

Until a few years ago, periodic password changes were recommended, but the current view is that once a strong password has been created it does not need to be changed, and two-factor authentication is also becoming more common.

Current Recommended Password Policies

Prioritize length: at least 12-16 characters. Length is the most important factor for security.

Passphrases: a combination of words such as correct-horse-battery-staple is effective.

Change only when a leak is suspected: unnecessary forced changes are counterproductive.

Two-factor / multi-factor authentication (2FA / MFA): reduce reliance on the password alone.

Use a password manager: manage long, random passwords that are unique to each service rather than reused.

Check against compromised lists: match candidate passwords against databases such as Have I Been Pwned and block any that appear there.

In the case of WordPress, passwords that resemble the user ID are also a major cause of hacking. For this reason, we recommend that you never use a password that contains your user ID as a substring!

Why is it not necessary to change my password on a regular basis?

When people are told that they must change their password every 90 days, many make the smallest change possible so that it stays easy to remember. A typical pattern we have observed in practice:
Sakura2024! → Sakura2025! → Sakura2026!

What is the use of a password manager?

The idea here is to have an application remember complex passwords, rather than having a human remember them.
Browsers also have a built-in function to save passwords; that too is a password manager.
There is also dedicated software that encrypts and stores passwords, such as KeePass (https://keepass.info/).

What is a check against a compromised list?

Attackers also feed lists of previously leaked passwords into brute force login attempts.
This means that even a password that is long enough and random enough must not be used if it already appears in a leaked list.
One site where you can check whether a password has been leaked is
https://haveibeenpwned.com/
(others exist as well).
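The policy items above (minimum length, no user ID inside the password, and a check against a compromised list) can be applied automatically before a password is accepted. The following is an added example, not code from the original post or from any WordPress plugin; it uses the real Have I Been Pwned range endpoint (https://api.pwnedpasswords.com/range/) only in the optional online helper, and otherwise runs against a constructed sample response so it works offline.

```python
import hashlib
import urllib.request

MIN_LENGTH = 12  # the page's lower bound; 16 is better

# Constructed offline stand-in for a HIBP "range" response (lines of "SUFFIX:COUNT").
# The first suffix is the real SHA-1 tail of the word "password"; the counts are made up.
SAMPLE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\n",
}

def offline_range(prefix):
    """Return the constructed sample instead of calling the network."""
    return SAMPLE_RANGE.get(prefix, "")

def online_range(prefix):
    """Real k-anonymity query: only the first 5 hex chars of the SHA-1 leave the machine."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch_range=offline_range):
    """How many times the password appears in the leaked list (0 = not found)."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix == suffix:
            return int(count or 0)
    return 0

def check_policy(password, user_id, fetch_range=offline_range):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Case-insensitive, so 'Sakura2024!' is rejected for user 'sakura'.
    if user_id and user_id.lower() in password.lower():
        problems.append("contains user ID")
    if pwned_count(password, fetch_range) > 0:
        problems.append("found in leaked list")
    return problems

if __name__ == "__main__":
    for pw, uid in [("Sakura2024!", "sakura"), ("password", "admin"),
                    ("correct-horse-battery-staple", "editor")]:
        print(pw, "->", check_policy(pw, uid) or "OK")
```

Pass `fetch_range=online_range` to query the live service; the full hash is never transmitted.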

What happens if my WordPress password is weak?

It is said that 20% of WordPress sites are hacked and tampered with because of weak passwords, which can lead to the loss of administrative privileges.

Hackers take a list of commonly used passwords and mechanically repeat login attempts thousands upon thousands of times. This is called a brute force attack.

Please use the [Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal], a security plugin that can detect and suppress brute force attacks.

It is important to apply an appropriate password policy to withstand such brute force attacks and reduce the chance of your WordPress site being hacked.
