

Securing Wordpress & Passwords

Posted 16th April 2013 at 09:08 AM by RobinInTexas

For any WordPress installation, Wordfence is, as far as I am concerned, the ultimate defense. It has several settings that need to be adjusted for best protection, although the defaults are almost good enough.

Another plugin to add is BulletProof Security.

The best thing we can do is secure passwords. You can take something easy to remember, add a twist known only to you, and have one virtually impossible to crack. My favorite is dog.

But you have to personalize how you write "dog" when you use it for your password.
One solution is:
D0g.....................
Upper case D
0 for o
lower case g
add 21 periods
According to How Secure Is My Password?, it would take a desktop PC about 50 octillion years to crack it.
That is the time for a PC to crack it locally, trying millions of passwords per second; an online brute force attempt is probably not capable of more than several hundred attempts per second.
Pick your own word, your own substitution and your own padding character and the length of the password. I'd suggest a total length around 10-14 characters, as some places don't let you use longer passwords.
You could even use the site name for a password.
Facebook could become
Face++++++++book
Citibank could become
Citi++++++++bank
You would be using the same password everywhere, sort of.

Create a new user with a name other than admin, then log out and back in as the new user and delete the user named admin.

If you go to one of my sites, it would take you a century or so just to come up with the admin user login name I use, which is somewhere between 8 and 11 random characters and looks something like this: "x525t2o2rr8". The actual password is also longer and includes symbols.
Just for grins, on some blogs I use a display name of Admin. An IP will have 1 chance to attempt a password before being locked out for 60 days by the Wordfence options, which include:
1. Immediately lock out invalid usernames (if admin is gone, 1 try locks the IP out)
2. Don't let WordPress reveal valid users in login errors

This makes it impossible for an online brute force attack to crack the site.

https://www.grc.com/haystack.htm

You can further use .htaccess to block all but your IP from the wp-admin files.
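
A sketch of that restriction, as an added example that is not from the original post. It assumes Apache 2.4 with `.htaccess` overrides enabled, and `203.0.113.10` is a placeholder address standing in for your own IP.

```apache
# ---- File: wp-admin/.htaccess ----
# Added example; 203.0.113.10 is a placeholder, replace it with your own IP.
# Apache 2.4 syntax: only the listed address may reach anything under wp-admin/.
Require ip 203.0.113.10

# Many themes and plugins call admin-ajax.php from the public side of the site,
# so leave that one file reachable for all visitors.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- File: .htaccess in the WordPress root ----
# wp-login.php lives outside wp-admin/, so the rule above does not cover it.
# Restrict the login form itself to the same address.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# On Apache 2.2 the equivalent of "Require ip" is:
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.10
```

If your ISP changes your address you will be locked out of the dashboard until you edit these files over FTP or SSH, so this suits a static IP best.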

If you are on a dedicated server or VPS, you can take steps (not for the faint of heart, though) to mitigate brute force attempts or DDoS bots. See Fail2Ban.