With the news this week that hosting providers worldwide are reporting that they’ve been seeing systematic attempts to breach blogging platforms, particularly WordPress, it serves as a timely reminder to check your WordPress password and strengthen it if necessary.
The cybercriminals are using a method known as a dictionary attack – breaking into a password-protected computer or server by systematically trying every word in a dictionary as the password.
Check out this list from Brian Krebs of sample WordPress usernames and passwords used in this attack to see if you are compromising your password security.
The username admin has been used in 90% of the login attempts, because it’s the default WordPress administrative username, so if you are still using this default username, change it right now.
Select A Strong Password
We strongly recommend updating your web application admin passwords to something very secure, if they’re not already. WordPress has advice on how to do this.
Think about what you are entering as your password. Does it contain any information people could easily guess? Does it contain a name or number that has strong connections to you? The name of a pet, family member, or favorite sports team? The date of an anniversary or birthday? It’s pretty likely that someone who knows you well enough or can find this information about you—even in your own blog posts—could then guess your password.
What NOT to Do When Selecting a Password
Don’t use single words or numbers. Avoid using anything found in a dictionary or simple numbers like a birthdate or a phone number. Even if the word is in a different language, it can be easy to guess or brute force.
Don’t use any personal information. Even when combined with letters and numbers, someone who knows you or can research you online can guess a password with this information easily.
Don’t just substitute look-alike numbers for letters in a word. For example, don’t just change “Steve” to “St3v3”.
Don’t invert words. It’s not hard just to reverse a word and find a password. For instance, don’t change “password” to “drowssap”.
Don’t write down your password. If it’s written down somewhere and someone can find it, it’s not secure.
Don’t use the same password for every website you visit. If you use the same password everywhere, a single guess or defeat of the password can expose your information everywhere. By taking the time to separate your passwords, you can limit any damage caused by a break-in.
Basic Steps to Selecting a Strong Password
Make the password at least eight characters long. A longer password means it’s harder for someone to guess. 12 or 16 characters is even better.
Use a mix of upper and lower-case letters. Passwords are case-sensitive, so alternate your caps occasionally throughout the password to increase its strength.
Throw in some numbers—especially in the middle. Numbers at the beginning or end of a password are easier to guess or crack than those stuck right in the middle.
Throw in some symbols, punctuation, or spaces. You can use symbols like &, $, and % to greatly increase the strength of your password. Using spaces is also a great way to do this—and it can be easier to remember.
Use a password manager or generator. There are lots of free or low-cost options for password management. Two good examples are the open source application KeePass or a password generator like this one.
Consider changing your passwords regularly. The more often you change it to another strong password, the harder it will be for someone to guess or break it.
Don’t share your passwords. Even if you share your password with only one person, there is no telling who else might then gain access to it. If you suspect that someone else knows your password, you should change it immediately.
Don’t send your password to anyone in an email. WordPress.com staff will never ask you for your password.
Don’t save your passwords or use “Remember Me” options when using a computer that’s not yours. And make sure you log out or close your browser when you are done.