8 Comments


  1. I think the concept of a “strong” password is a bit overrated. Yes, a long, hard to remember alphanumeric string is pretty secure. You won’t be able to hack my site just by guessing my password. But this kind of password is also hard to remember, so many users are tempted to either use the same “strong” password for everything, or outsource remembering their password to a 3rd party system.

    If you use the same password for everything, one website being hacked can open you up to problems. If you outsource to a 3rd party, once again one site being hacked opens you up to problems.

    I know it’s a comic … but the advice on http://xkcd.com/936/ is the best I’ve seen yet for creating truly secure (but still user-friendly) passwords.
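The xkcd strip the commenter links to rests on a small piece of arithmetic: a passphrase drawn uniformly from a word list gets log2(list size) bits per word, so four words from a 2048-word list is 44 bits regardless of how memorable the words are. The block below is an added example, not the commenter's or the site's code; it carries that calculation through, generates a passphrase with the `secrets` module so the selection really is uniform, and estimates how long an online guesser would need at a given rate. The word list is a constructed stand-in (a real list has thousands of entries) and the 1000 guesses/second figure is the one xkcd uses, not a measurement.

```python
import math
import secrets

# Constructed mini word list for the demo. The xkcd estimate assumes roughly
# 2048 common words; a diceware list has 7776. Entropy comes from the size of
# the list, not from the length or obscurity of the individual words.
WORDLIST = ["correct", "horse", "battery", "staple",
            "anvil", "copper", "meadow", "lantern"]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a string whose symbols are chosen uniformly and independently."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at a fixed guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


def generate_passphrase(n_words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Uniform selection via secrets.choice; random.choice would be predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(guesses_per_second: float = 1000.0) -> dict:
    """xkcd 936's comparison, with a fully random 8-char alphanumeric password
    added for scale. xkcd credits the human-chosen 'Tr0ub4dor&3' style with
    about 28 bits because its substitutions follow predictable patterns."""
    passphrase_bits = entropy_bits(2048, 4)
    random_alnum8_bits = entropy_bits(62, 8)
    return {
        "passphrase_bits": passphrase_bits,
        "passphrase_years": years_to_exhaust(passphrase_bits, guesses_per_second),
        "random_alnum8_bits": random_alnum8_bits,
        "random_alnum8_years": years_to_exhaust(random_alnum8_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print(generate_passphrase(4))
    for k, v in compare().items():
        print(f"{k}: {v:.1f}")
```

The takeaway for a login page is that the guessing rate, not the password alone, decides the outcome: the same 44-bit passphrase that takes centuries at 1000 guesses/second falls quickly if a leaked hash can be attacked offline at billions per second, which is why rate limiting and a proper password hash matter alongside password choice.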


  2. Unfortunately, this is one of those areas where there’s not a “one size fits all” solution. Blocking an IP that submits too many bad login attempts is a pretty common solution, but it has pitfalls. Many networks are behind NATted firewalls, so all connections appear to come from the same address. So in blocking an attacker, you may also be blocking innocent bystanders who are on the same network.

    This might be acceptable for some web sites, but in other cases it might not be.
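The NAT problem the commenter describes is easiest to see by running the same sequence of failures through two lockout policies. The sliding-window limiter below is an added example, not code from the commenter or from any WordPress plugin; it can key failures on the source address alone (the classic policy) or on the (address, username) pair. The address 203.0.113.7, the usernames, and the timestamps are constructed for the demo.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Sliding-window failed-login counter.

    key_by="ip"      : one bucket per source address. Everyone behind the same
                       NAT shares it, so an attacker's failures lock out the
                       bystanders on that network too.
    key_by="ip+user" : one bucket per (address, username). A bystander behind
                       the same NAT is affected only if they log in to the same
                       account the attacker is hammering.
    """

    def __init__(self, max_failures: int = 5, window: int = 600, key_by: str = "ip"):
        if key_by not in ("ip", "ip+user"):
            raise ValueError("key_by must be 'ip' or 'ip+user'")
        self.max_failures = max_failures
        self.window = window          # seconds
        self.key_by = key_by
        self.failures = defaultdict(deque)   # key -> timestamps of failures

    def _key(self, ip: str, user: str):
        return (ip, user) if self.key_by == "ip+user" else (ip,)

    def _prune(self, bucket: deque, now: float) -> None:
        # Drop failures that have aged out of the window.
        while bucket and bucket[0] <= now - self.window:
            bucket.popleft()

    def is_blocked(self, ip: str, user: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        bucket = self.failures[self._key(ip, user)]
        self._prune(bucket, now)
        return len(bucket) >= self.max_failures

    def record_failure(self, ip: str, user: str, now: float = None) -> None:
        now = time.time() if now is None else now
        bucket = self.failures[self._key(ip, user)]
        self._prune(bucket, now)
        bucket.append(now)


def simulate(key_by: str) -> dict:
    """Attacker and an innocent user share NAT address 203.0.113.7 (constructed).
    The attacker fails five times against 'admin'; then both try to log in."""
    lim = LoginLimiter(max_failures=5, window=600, key_by=key_by)
    t0 = 1_000_000.0
    for i in range(5):
        lim.record_failure("203.0.113.7", "admin", now=t0 + i)
    return {
        "attacker_blocked": lim.is_blocked("203.0.113.7", "admin", now=t0 + 10),
        "bystander_blocked": lim.is_blocked("203.0.113.7", "alice", now=t0 + 10),
        "attacker_after_window": lim.is_blocked("203.0.113.7", "admin", now=t0 + 700),
    }


if __name__ == "__main__":
    for policy in ("ip", "ip+user"):
        print(policy, simulate(policy))
```

Neither policy is free of side effects, which is the commenter's point: keying on the username protects NAT bystanders but lets an attacker lock a real user out of their own account on purpose, and an attacker spreading guesses across many usernames stays under a per-pair threshold. In practice sites combine both counters and add a slower per-address throttle rather than a hard block.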


  3. I have had clients lock themselves out all the time. So if you are the only person who has access to wp-admin and you lock yourself out, then you are screwed. I have done this myself because I couldn’t remember which password I used. I deleted the plugin … took some more guesses and got it. Then re-installed the plugin.

    I have blocked my wp-admin and wp-login.php by IP address, so no outsider can see that. On top of that, there is Limit Login Attempts.


  4. There is a plugin: Google Authenticator that integrates Google’s multifactor authentication into WordPress. After installing the plugin and setting it up on your phone (iPhone and Android) you will have a third field on the WP login page that requires you to enter the 6-digit number from the phone app.

    Adds another layer of security.
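The six-digit number the commenter describes is a TOTP code (RFC 6238): the phone and the server share a secret, and both compute HMAC-SHA1 over the current 30-second time step. The block below is an added example, not the plugin's code or anything from the commenter; it implements HOTP and TOTP from the standard library, decodes the base32 secret format authenticator apps use, and verifies a submitted code with a one-step drift window and replay protection. The secret used in the test is the RFC 4226/6238 test-vector key, so the expected codes are the published ones.

```python
import base64
import hashlib
import hmac
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(for_time) // step, digits)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 text, often
    shown in groups with spaces and without '=' padding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_totp(key: bytes, submitted: str, for_time: float = None,
                step: int = 30, window: int = 1, last_counter: int = -1):
    """Return (ok, counter_used).

    window=1 also accepts the previous and next step to absorb clock drift
    between phone and server. Any counter at or below last_counter is refused,
    so a code captured in transit cannot be replayed during its validity
    window; the caller stores the returned counter per user.
    """
    now = time.time() if for_time is None else for_time
    current = int(now) // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_counter:
            continue
        # compare_digest avoids leaking how many leading digits matched.
        if hmac.compare_digest(hotp(key, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    demo_key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC test-vector key
    print("current code:", totp(demo_key, time.time()))
```

A code only proves possession of the phone for the step it was generated in, so the server must enforce the counter check above and should rate-limit the second factor as well: a six-digit code has one chance in a million per guess, which is small only if the attacker cannot make unlimited attempts.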


  5. These scripts almost always attack the account called ‘admin’, so simply changing the name of that account solves that problem. Personally, I just use a random word from the dictionary. I also try not to use my admin account to make posts, but if I do I set my user nickname to something else to help with the obfuscation, and then use the ‘Edit Author Slug’ plugin to further hide the login name. Lastly, the Limit Login plugin helps people trying to get lucky.


  6. Not to name nations, but a considerable amount of hacks & attacks are generated from specific countries where such illegal or unethical practices are common. If your website does not invite or require traffic from some of the largest offenders, like China and Vietnam, then you can save yourself a lot of grief and geo-block all access to your site via your .htaccess file. Very simple to do and a quick Google search will bring up numerous tutorials out there with the info you need to do it.

    As to password strength, one method of generating an apparently random string of letters and numbers… yet have it still easy to remember, is to follow the example we often see on customized vehicle license plates. Substitute numbers for words (4 = for, 8 = ate, L8 = late, LAFT4 = laughter etc) and create a password string you can easily remember. For example, a Shakespearean actor might use the password “2B4NOT2B”.


  7. While it definitely raises some good points on password security, hasn’t the essential vulnerability always been SQL injection with most CMS platforms? Even the best password isn’t going to do much when they inject a new user with their own credentials, unfortunately.
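The scenario the commenter raises, an attacker adding a user rather than guessing a password, comes from building SQL by string concatenation. The block below is an added example, not the commenter's code and not WordPress code; it uses an in-memory SQLite table as a constructed stand-in for a users table, shows the string-built query beside the parameterised one, and shows the stacked-statement variant that inserts a new account on a code path that allows multiple statements. Passwords are stored in the clear here only to keep the injection visible; real code compares hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table, loosely shaped like wp_users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username: str, password: str):
    """String-built query: user input becomes part of the SQL text, so a quote
    and a comment marker in the username rewrite the WHERE clause."""
    sql = ("SELECT user_login FROM wp_users "
           f"WHERE user_login = '{username}' AND user_pass = '{password}'")
    return conn.execute(sql).fetchone()


def lookup_safe(conn, username: str, password: str):
    """Parameterised query: the values travel separately from the SQL text and
    can never change its structure, whatever characters they contain."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = ? AND user_pass = ?"
    return conn.execute(sql, (username, password)).fetchone()


def stacked_vulnerable(conn, username: str) -> None:
    """Same defect on a path that runs multiple statements. sqlite3.execute
    refuses stacked statements, so executescript stands in for drivers that
    allow them; this is the 'inject a new user' case."""
    conn.executescript(
        f"SELECT user_login FROM wp_users WHERE user_login = '{username}';")


def user_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM wp_users").fetchone()[0]


def demo() -> dict:
    conn = make_db()
    # Comment marker turns the password check into a comment.
    bypass = lookup_vulnerable(conn, "admin' --", "anything")
    blocked = lookup_safe(conn, "admin' --", "anything")
    before = user_count(conn)
    # Stacked INSERT creates a fresh account the attacker knows the password for.
    stacked_vulnerable(
        conn, "x'; INSERT INTO wp_users VALUES ('backdoor', 'attacker-chosen'); --")
    after = user_count(conn)
    return {"bypass": bypass, "blocked": blocked,
            "users_before": before, "users_after": after}


if __name__ == "__main__":
    print(demo())
```

The fix is the one in `lookup_safe`: bind parameters for every value that reaches SQL, and keep the database account the application uses from having more privileges than the queries need, so a defect elsewhere cannot write to the users table at all.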
