Wordfence Premium Adds the Ability to Audit User Passwords in WordPress

By utilizing the power of graphical processing units and partnering with Netriver, Wordfence can simulate a password cracking attempt using a library that contains more than 260 million passwords.

The library is made up of previous hacks on major websites and services. For example, if your password was leaked during the LinkdIn hack in 2012, Wordfence will inform you that it’s no longer safe to use.

WordFence Password Auditing
Wordfence Password Auditing

I audited the passwords of all users on the Tavern test site and no weak passwords were discovered. I changed my password to password and within seconds, Wordfence detected a weak password.

Weak Password Detected
Weak Password Detected

When a weak password is detected, you can email selected users and request that they change it to a strong one. Alternatively, you can let Wordfence change it to a strong one automatically and email it to the user.

Wordfence explains how the auditing process works.

Internally this feature uses a double layer of encryption to protect your data during the audit. First, we encrypt the hashes we are going to operate on using a combination of AES encryption and RSA public key encryption.

Then we send your encrypted data via SSL to our servers which provides a second layer of encryption. Once on our servers, the data is stored encrypted until it is audited and we never return sensitive data to your website.

Although WordPress 3.7 added an improved password strength meter, WordPress doesn’t enforce password strength for new users. After performing an audit, I recommend turning on the option in Wordfence to enforce strong passwords for new users. This way, you’ll know that all passwords from that point forward are strong.

Enforce Strong Passwords
Enforce Strong Passwords

Earlier this year, SplashRiver released its list of the 25 worst passwords used in 2014. The passwords include, 123456, password, and 12345. Password auditing in Wordfence is a convenient way to make sure none of the users on your site are using weak passwords like those in the report.


5 responses to “Wordfence Premium Adds the Ability to Audit User Passwords in WordPress”

      • Thanks Jeff for a great article and a great site. Interesting conversation here so I thought I’d weigh in.

        I think the first thing that’s important to note is that if you install a plugin on your WordPress site e.g. Akismet, Wordfence, WordPress SEO or any of the other great plugins out there, you’re essentially giving them admin access to your site. So worrying that Wordfence or Norton or some other anti-virus product is going to hack you is like giving someone front door keys and worrying they’ll break down a wall to get in.

        To perform a password audit we double encrypt your data and analyze it on our servers. To put this in perspective, if you’re using one of the many backup plugins out there, they take that same data and store it externally but without doing the level of encryption we do. So we really are going above and beyond to keep you and your data secure.

        Once we find a weak password we never store the password – instead we just make a note of the password length and first letter and send that back to you securely. We do this so that you know we’re not lying about having cracked a password.

        Then we clean your data off our servers.

        So that’s it – super secure and a useful feature.

        I’d like to just clarify something else because it really helps you to understand the power of Wordfence Password Auditing: We are telling you not only which ‘admin’ level passwords are weak, but we’re giving you a way to warn your users about weak passwords they use. Of course it’s bad practice to use the same password across multiple websites, but unfortunately many users do, especially those with weak passwords. So this feature gives you a way to alert those users that they have a problem with the way they come up with passwords.

        The result is that not only will you force them to use a stronger password on your website, but it’s quite likely they will use better and unique passwords across the other websites and services they use.

        So by installing Wordfence and doing a password audit, you’re doing your user community a service.


        Mark Maunder – Wordfence Founder/CEO.

    • It doesn’t really sound like brute force, but rather a dictionary attack. It makes sense, really, especially in a time where everybody in the WordPress community are focused on the recent hacks/vulnerabilities.

      If you want to see how long it would take to crack your password by brute force, see https://howsecureismypassword.net/ (if you trust the site not to save what you enter)
      Note that Wordfence already has measures built-in their free version to limit login attempts.

  1. I guess it could be useful for people who use weak passwords and I suppose just given numbers of scale that WP sites do get hacked via password. Not sure I’d call that “hacked” but more like, “oops”.

    Traditional hacking does not attempt go through the front door (Mathew Broderick 101 LOL).

    The theory is quite simple. Find a plugin that has considerable usage which the WP site or ThemeForest etc. readily display: “Downloaded 14 quadbillionzillion times”. Install it. Throw hackers tools at it and/or security penetraion prevention – ware and see what turns up.

    Some of the better commercial based penetration testing software is AMAZING. They are created to attack Enterprise level applications be they Internet, Intranet, stand alone etc. They are built for industry and thus are quite adapt at what they do.

    A hacker finds the flaws. They then look at source code to find a signature. Data that comes back to a browsing session. It can be as little as a exposed comment, HTML, Javascript basically using these aspects as signatures of a potential targeted site. Just as “search engine bots” identify site applications so as well can any bot. I am sure that some hacker out there made a bot that does nothing but thus a list exists of who knows how many WP, Joomla whatall installations.

    Its relatively easy if a hole is discovered in some plugin to automate action against it.

    Running a zillion passwords against a zillion sites most assuredly can identify sites with weak passwords. Or, WP could by code enforce string passwords. Thats not hard to do. Maybe hard to remember for a user, but not hard to do.

    The general “web” concept (those automated thingies that have “Weak” or “Good” or “Excellent”
    password choice are usually pretty dumb.

    Instead concepts such as data pairs tend work better. AKA: Password must contain two Upper,Lower and Numeric data pairs: “wF3” and “Y2p” for example at the least or they can of course be larger. Regex wise, not real difficult to parse against.

    Instead sites say, “Must have at least 1 uppercase or 2 and a numeric” etc.

    Other ways include (but not limited to via automation) having a user password and partial password generated and concatenated. Simple “Enter an important date you will remember” which is then mashed by code, indexed across a datastore of buckets of 3-5 letter words and is attached.

    Actually I know a way come to stink of it (errr think of it) that protecting insecure admin logins can essentially be virtually completely eliminated. Perhaps I should create that.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.