Strong Passwords for WordPress Admins
At WP Engine we want to do everything we can to help give you the most secure WordPress hosting experience. Requiring the use of a strong, unique password is one of the most impactful security steps any website manager can take.
Strong passwords are only required for Administrator, Editor, and Author roles. They are not required for “weaker” roles, or roles without wp-admin access, like Subscriber and Contributor.
Choose A Strong Password
WP Engine’s “strong password” criteria favor chains of words, making passwords easy to remember and harder to crack. To create a password that meets our strength requirements, it’s recommended to use a mix of at least four random words along with the following requirements:
EX: starbucksportalmonitorstormtrooper or correcthorsebatterystaple.
This password style might not be very common, but it will be much more difficult for computers to crack. It also allows for your passwords to be memorized easily.
If your password still falls below the required Strong password strength level, you may need to add some special characters or numbers to strengthen it further.
The password strength meter may seem random, but the “zxcvbn” library is actually recognizing and rejecting common patterns. These patterns include dates, phrases, names, keyboard patterns (EX: 123456789), and even pop culture references, which can weaken passwords.
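As an added illustration (not WP Engine's or zxcvbn's own code), the JavaScript below sketches the kind of pattern recognition described above in a much-simplified form. The function names, keyboard rows and word list are constructed for this example, and the real library checks far more than this.

```javascript
// Simplified sketch of pattern-based password checking.
// NOT the zxcvbn library: every name and list here is constructed for illustration.
const KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];
const COMMON_WORDS = ["password", "letmein", "welcome", "admin", "starwars"];

// True if pw contains minLen+ characters that sit next to each other on a
// keyboard row, typed left-to-right or right-to-left (e.g. "qwer", "9876").
function hasKeyboardRun(pw, minLen = 4) {
  const rows = KEYBOARD_ROWS.flatMap(r => [r, [...r].reverse().join("")]);
  for (let i = 0; i + minLen <= pw.length; i++) {
    const chunk = pw.slice(i, i + minLen);
    if (rows.some(r => r.includes(chunk))) return true;
  }
  return false;
}

// True if the same character is repeated minLen+ times in a row (e.g. "!!!").
function hasRepeat(pw, minLen = 3) {
  return new RegExp(`(.)\\1{${minLen - 1},}`).test(pw);
}

// True if pw contains a year from 1900-2099 or a separated date like 4/7/1999.
function hasDate(pw) {
  return /(19|20)\d{2}/.test(pw) || /\d{1,2}[\/.-]\d{1,2}[\/.-]\d{2,4}/.test(pw);
}

// True if pw contains an entry from the (constructed) common-word list.
function hasCommonWord(pw) {
  return COMMON_WORDS.some(w => pw.includes(w));
}

// Returns the names of every weak pattern found; an empty array means none matched.
function findWeakPatterns(password) {
  const pw = password.toLowerCase();
  const found = [];
  if (hasKeyboardRun(pw)) found.push("keyboard");
  if (hasRepeat(pw)) found.push("repeat");
  if (hasDate(pw)) found.push("date");
  if (hasCommonWord(pw)) found.push("common");
  return found;
}

// Constructed sample passwords, including the two examples from this page.
for (const pw of ["123456789", "Qwerty2019!!!", "password1",
                  "correcthorsebatterystaple", "starbucksportalmonitorstormtrooper"]) {
  console.log(pw, "->", findWeakPatterns(pw).join(", ") || "no weak pattern found");
}
```

An empty result only means none of these few patterns matched; it is not a strength score.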
Added Convenience
Another way to ease password worries is to keep your strong passwords in a password vault. This helps you by auto-filling strong passwords for you, so you don’t have the burden of remembering them.
Software like LastPass and 1Password is written with security in mind. These tools make saving and recalling unique passwords simple.
To lessen the friction of using a password vault, both pieces of software have browser extensions that auto-fill login forms. These tools make setting a complex password for every site super easy — even ones not hosted with WP Engine.
Disable Strong Passwords
Setting a strong password is a security measure that exists to protect the administrative portion of your site. Only Administrator, Editor, and Author level users have this requirement. You can lower a user’s WordPress role to Subscriber or Contributor to remove this restriction.
If an Administrator, Editor, or Author user still requires an insecure password, you can manually set an insecure password using the database. This is highly inadvisable and will make your entire website insecure.