Insecure WordPress Password

Introduction

Every night the WordPress Hosting platform runs a check against all administrator accounts on your WordPress hosting account/s, looking for insecure passwords.

We use a password list containing the most common 100,000 passwords and we test each password against each administrator user. If a password matches, it’s flagged as insecure and the user receives an admin notification to change their password, the next time they login. Once the password is changed, the message is removed.

Currently we only check user accounts with the "administrator" role within WordPress.

I have received an insecure password message

If you have received the message please take the following steps.

1. Login to your WordPress admin area
2. Click Users -> Your Profile
3. Scroll down and click Generate Password
4. Either use the pre-generated password or add your own password
5. Click update profile

Use a secure password/passphrase

A secure password should be at least 12 characters long but longer is better. Adding special characters and numbers is also advisable but the important aspect is the length overall.

Your password should be unique, don’t use your password on more than one account.

Our recommendation is to create a passphrase, select 4 or more random words to create a unique passphrase. If you will struggle to remember a passphrase then consider using a password manager software such as 1password, lastpass or KeePass.

In addition to a strong passphrase or use of a password manager, consider enabling two factor authentication to provide an additional layer of protection.

User Privacy

We respect users privacy and security, and as such the scanning tool does not store which password is set, only that the password was found on the list. While we only notify the user affected,we do store this flag in the database. In some circumstances it is possible for those with database access to identify the user password has been flagged. We collect anonymous statistics on the number of insecure passwords the tool has found, but don’t centrally store which user accounts are affected.