Strong Passwords for WordPress Admins

At WP Engine we want to do everything we can to help give you the most secure WordPress hosting experience. Requiring the use of a strong, unique password is one of the most impactful security steps any website manager can make.

Strong passwords are only required for Administrator, Editor, and Author roles. It is not required for “weaker” roles, or roles without wp-admin access, like Subscriber and Contributor.

Choose A Strong Password

WP Engine “strong password” criteria favors chains of words, making passwords easy to remember and harder to crack. To create a password that meets our strength requirements, it’s recommended to use a mix of at least four random words along with the following requirements:
EX: starbucksportalmonitorstormtrooper or correcthorsebatterystaple.

This password style might not be very common, but it will be much more difficult for computers to crack. It also allows for your passwords to be memorized easily.
If your password still falls below the required Strong password strength level, you may need to add some special characters or numbers to strengthen it further.

The password strengths meter may seem random, but the “zxcvbn” library is actually recognizing and rejecting common patterns. These patterns include dates, phrases, names, keyboard patterns (EX: 123456789), and even pop culture references, which can weaken passwords.

Added Convenience

Another way to ease password worries is to keep your strong passwords in a password vault. This helps you by auto-filling strong passwords for you, so you don’t have the burden of remembering them.

Software like LastPass and 1Password are written with security in mind. They make saving and recalling unique passwords simple.
To lessen the friction of using a password vault, both pieces of software have browser extensions that auto-fill login forms. These tools make setting a complex password for every site super easy — even ones not hosted with WP Engine.

Disable Strong Passwords

Setting a strong password is a security measure that exists to protect the administrative portion of your site. Only Administrator, Editor, and Author level users have this requirement. You can lower a user’s WordPress role to Subscriber or Contributor to remove this restriction.

If a Administrator, Editor, or Author user still requires an insecure password, you can manually set an insecure password using the database. This is highly inadvisable and will make your entire website insecure.

NEXT STEP: Learn how to reset your WordPress admin password

Enterprise-grade security and performance for all

Global Edge Security provides a managed web application firewall (WAF), advanced DDOS mitigation, CDN, and automatic SSL installation all powered by Cloudflare.