Ten Password Mistakes That Could Get Your WordPress Site Hacked
A few months ago on Wordfence Live, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. From these common hacks, we have many cautionary tales of site security that could have been prevented by using strong passwords and good password hygiene as the first line of defense.
The Wordfence site cleaning team is seeing an increase in password reuse as an intrusion vector in compromised sites. As such, we’re covering the 10 worst password mistakes that can lead to your WordPress site being compromised.
You can review the common ways attackers compromise passwords in the blog post published here.
You can watch the video of Wordfence Live below.
You can click on these timestamps to jump around in the video.
- 24:30 Mistake #10: Not using a password manager
- 29:57 Mistake #9: Sharing passwords
- 34:39 Mistake #8: Not being aware of your surroundings
- 37:17 Mistake #7: Not monitoring and auditing passwords
- 41:32 Mistake #6: Using passwords that are not complex
- 46:19 Mistake #5: Using personal information in passwords
- 49:45 Mistake #4: Not removing ex-employee and/or developer and/or support user credentials
- 53:00 Mistake #3: Using passwords that are too short
- 57:27 Mistake #2: Not using multi-factor authentication
- 1:01:45 Mistake #1: Reusing passwords
Password Mistake #10: Not using a password manager.
This mistake is all too common. Some don’t trust password managers while others simply don’t know they exist. It is incredibly important to use unique, strong, and complex passwords for each account, and there is simply no better way to keep track of these passwords than a password manager.
Security is about minimizing risk as nothing will ever be 100% secure. Nonetheless, the evidence is clear. Reusing the same password across multiple accounts puts your accounts at significant risk. With new breaches announced regularly, such as the recent news that data from over 533 million Facebook accounts was being sold on the dark web, chances are high that at least one password you’ve used in the past has already been exposed in a data breach. If you use the same password across all accounts, even if it is a strong and complex password, all it takes is the compromise of one account to lead to all of your other accounts being compromised. If you use a password manager and unique, complex passwords for every account, and one password is compromised, then only that password is compromised. Using a password manager ensures that managing numerous unique complex passwords is much easier.
Then there is the question … What if the password management platform is compromised?
Luckily, password managers store customer passwords with advanced encryption algorithms like AES. If your passwords were compromised on their end, it would still take attackers years to crack any of the passwords they might obtain. This would give you sufficient time to change all passwords stored in the password manager to keep your accounts safe. We also recommend using a very strong and unique master password for your account that would take thousands of years to crack so that it would be unlikely an attacker could gain access to your password manager by brute-forcing your password. Make sure you also have two-factor authentication enabled, so that if your master password is somehow compromised the attacker will be unable to authenticate due to not having access to that second factor of authentication.
With that being said, there will of course be some residual risk of having all of your passwords in one basket. However, when balanced with the inherent risks of password reuse, we consider it much less risky to use a password manager to generate and store complex unique passwords than to use weak or similar passwords across platforms.
There are several password managers out there like LastPass, Dashlane, 1Password, and KeePassX that provide you with great systems to manage your passwords. Each has features that make managing unique complex passwords easier. We recommend checking them out and choosing one that will suit your personal requirements.
Password Mistake #9: Sharing passwords.
Never share your passwords with anyone if you can help it. By sharing a password with someone else, you are giving them the ability to act on your behalf for that account. Any person you share your password with can successfully claim your identity in terms of the site they are authenticating to. Most organizations have alternative methods of verifying your identity over the phone that do not require sharing passwords, such as PIN numbers, secret phrases, and other means, and any request for your password should be considered suspect.
A better alternative when you have to share access with someone on your WordPress site would be to create a second user account with the appropriate privileges for them to perform the work. For example, if you hire a writer to create content for your WordPress site, create a seperate contributor, author, or editor level user account so that they can perform their work and then revoke the privileges and remove the account once they are done. The goal is to provide the user with the least amount of privileges needed to perform the work while also ensuring that you do not share credentials for your account.
An alternative example would be that you need a reputable company support representative to take a look at your site for some issues you are having. The best way to handle this is to create a second user account with the minimal level of permissions needed. If they cannot access what they need to access in order to provide you with support, then increase the privileges for that user to administrative. Alternatively, you can use a user role editor plugin to create a custom role with only the required capabilities needed to perform the work. Once the work has been completed, make sure to remove the user account so the support no longer has access to the site. It’s not just about removing access for that support user, but also about removing an account that could be compromised at a later date.
When it comes to WordPress, you can create as many separate user accounts as you need and simply delete them once the access is no longer needed. As such, there is never a need to share passwords for your WordPress site.
For other accounts outside of WordPress that may require a single account for performing an activity, ensure you trust the person with whom you are sharing the password. Also make sure that you change the password immediately after the work is complete.
Password Mistake #8: Not being aware of surroundings when using passwords.
When you log in to a website in a public area over open WiFi your password is transmitted in packets that can be intercepted and read by attackers using a packet capture tool like Wireshark. Many people simply aren’t aware that this is possible, so they do not take the appropriate measures to protect themselves while using their computer or devices in public spaces.
While most popular websites use TLS/SSL to encrypt the information being sent and received from your computer or device to their servers, we still recommend using a virtual private network, also known as a VPN, when logging in to sensitive sites in public spaces. The VPN will encrypt all of your data in transit. This makes it significantly harder for an attacker to steal sensitive information like passwords or personally identifiable information when you are logging in to sensitive websites in public areas over a public network.
In addition, you never know who may be watching you from behind, and an attacker can easily steal your password or other sensitive information just by observing you as you login to a website. We recommend using a privacy screen if you work in public areas where it may be easy for someone to look at your screen. We also recommend assessing your surroundings and looking behind you when you’re entering passwords or working with sensitive information that might be visible on screen.
If you must log into an account on a public computer, be aware that the computer you’re logging into could have a keylogger or other malware installed. Protect your accounts by not logging into public computers, and if you must, ensure you log off once you’ve completed your tasks on that computer and change your passwords the next time you’re at a known clean computer.
Password Mistake #7: Not regularly monitoring and auditing passwords.
This is a common mistake, often overlooked and neglected. Passwords should be monitored and audited regularly. Sometimes passwords can be compromised in data breaches, therefore it is important to monitor your passwords and accounts so that if they are found in a data breach they can be changed immediately.
Have I been Pwned? is a great resource to ascertain if a password has been compromised or found in a breach. You can sign up for “Notify Me” which will send you an email if any passwords or other personal data associated with your email have been found in a breach. They have also recently added monitoring of telephone numbers. Acting quickly on the data provided by this free service can keep you one step ahead of attackers.
Today, it’s easier than ever to monitor your passwords, so there is no excuse not to. Many browsers including Chrome, Safari, Firefox, Edge and others have implemented features to analyze passwords to determine if those have been a part of a data breach. In addition, some password managers like 1Password have integrated password checkers into their management platforms so that you can easily determine if one of your passwords or account data may have been found in a breach. This is another reason why you should be using a password manager.
For WordPress site owners, monitoring passwords to make sure your site users are not using weak passwords is also incredibly important to make sure that they do not create an intrusion vector on the site. Wordfence has a built-in free feature to check for breached passwords and prevent them from being used.
It is considered a best practice to change your passwords every so often, so we highly recommend taking the time to change your most critical passwords once every 90 days. This is significantly more important if you are not using multi-factor authentication. If you are using WordPress and have users on your site, we recommend forcing a password update around every 180-365 days, since you can’t know what passwords they are using on your site. A large number of recently discovered vulnerabilities require subscriber-level privileges, so even ensuring that WordPress site subscribers are using strong and unique passwords is important to protect your site against attacks that escalate from compromised subscriber-level access.
Password Mistake #6: Using passwords that are too simple or contain dictionary words.
Simple passwords are one of the most common intrusion vectors for hacked accounts. Password complexity is very important when it comes to protecting your passwords against brute force attacks and other password cracking attacks. Password complexity refers to the addition of diverse characters in a password which makes them significantly harder to guess. This means adding numerical characters and special characters (e.g., $, %, #) along with a mixture of uppercase and lowercase letters. The more complex you make your password, the longer it would take for a brute force attack to be successful.
Here is an example of a non-complex password that would take a computer 46 microseconds to crack: susy
Here is the same password that is just a tad more complex by adding a special character and would take a computer 12 milliseconds to crack: susy!
Here is the same password that is even more complex by adding an uppercase letter and would take a computer 1 hundred milliseconds to crack: Susy!
And here is an even more complex password with all of the characteristics that would take a computer 21 seconds to crack: Susy3!
Cracking source: https://www.comparitech.com/privacy-security-tools/password-strength-test/
Now, you may have noticed that this sample password is incredibly short and contains personal information that could be very easy to guess, therefore, the estimated time to crack is still incredibly short. However, the important thing is that you can see that the time to crack the password increases a little bit with each added character, demonstrating why password complexity is an incredibly important defense mechanism against password cracking techniques. Most attackers also perform dictionary attacks, meaning that if your password contains commonly-used words it will take significantly less time to guess.
Password Mistake #5: Using personal information in passwords.
This is a common mistake as it is so much easier to remember passwords containing personal details. For example, if your dog’s name is charlie and your favorite number is 3, you may be tempted to use charlie3 as your password for all of your sites. However, that is a big mistake.
In today’s world, it’s incredibly easy for an attacker to find your personal information, including your preferences, on social media, or to obtain it by social engineering. Any personally identifiable information from your social media accounts, such as combinations of pet names, children’s names, street names, or even postal codes can all be fodder for brute force attacks by an attacker targeting your accounts. These passwords can also be incredibly easy to crack given their simplicity, which is another component that makes using personal information in passwords dangerous.
Long and complex passwords with no personal information may be difficult to remember, however, your favorite password manager can ensure they’re readily accessible.
Password Mistake #4: Not removing ex-employee, developer, or support user credentials.
Leaving an employee’s account active on your WordPress site after they have been terminated could be a vector for site defacement if the employee is disgruntled from the termination.
Whenever you provide access to an employee, contractor, or developer, keep a detailed record of the access you provide them. If they have admin access to your WordPress site and hosting account, keep records of their access level in a safe location, such as an internal document or even a spreadsheet detailing access provided. Make sure you update your records with any additional gained access throughout the duration of their employment or contract so this can easily be reviewed in the future. Once their contract or employment has ended, this detailed list of access you initially provided becomes the list of revocation actions that must be taken for those accounts. It’s best to do this as a regular protocol immediately before or during termination.You should never wait until after someone has been terminated to revoke their access.
Having an access list from the start makes it easier for you to remember what credentials need to be removed at the end of the road so you don’t miss one.
Password Mistake #3: Using passwords that are too short.
This mistake ties in with some of the other mistakes that we have already discussed regarding password complexity and using a password manager. Passwords that are too short can easily be cracked just like a password with low complexity.
A general rule of thumb is to use a password that is at the very minimum 10 characters, however, when using a password manager we recommend using as many characters as each account allows. Some password managers can generate passwords up to 100 characters, so why not use them? If anything, it makes brute forcing passwords more difficult. In the unlikely event that the password manager holding your passwords is compromised, it would also be incredibly hard for an attacker to decrypt the stored password to obtain the plaintext password.
Password Mistake #2: Not using multi-factor authentication.
No one enjoys using multi-factor authentication, however, it is an important layer of protection. Passwords act as the first layer of authentication and if your password is somehow compromised then having a second layer of authentication makes it much harder for an attacker to successfully “spoof” the authenticity of your identity. Using certain authentication methods can make it next to impossible for an attacker to get in.
There are 5 core authentication methods:
- Something you know: This is the most common type of authentication and is something only you know. This will typically be your password or a pin code that you know.
- Something you are. This refers to biometrics, such as a fingerprint, retinal scan or other physical attribute unique to you. This is less common when it comes to online authentication, however, it is a valid form of authentication and is difficult to compromise.
- Somewhere you are. This form of authentication is based on your location. It’s typically not an explicitly selected form of authentication, however, several services will monitor your location when you log in and alert you, or block you, if a login is coming from an unusual or new location.
- Something you have. This is the most commonly used second form of authentication for online sites. It’s authentication with something you have like an authenticator app on your cell phone that generates a time-based one time passcode. There are also physical token devices that generate random numbers or use a cryptographic certificate to verify your identity.
- Something you do. This form of authentication is based on something you do. This would involve swiping a pattern on your phone screen or the analysis of patterns based on your personal typing behavior. This is most often used to distinguish human activities versus bot access attempts, such as seen with reCaptcha.
Multi-factor authentication uses two or more combinations of the above authentication methods. The most common form of dual-factor authentication is the use of something you know, such as a password, and something you have, which is typically your phone that has an authenticator app or uses text-messages to receive a special code. Please note that “security questions” are not actually a form of multi-factor authentication, as they are something you know, just like your password.
We highly recommend enabling two-factor authentication on your WordPress site with Wordfence’s built-in two-factor authentication and enabling two-factor authentication on all of your personal accounts when available. If your passwords are ever compromised, this layer of security will make it much harder for an attacker to get in as they usually don’t have access to the second form of authentication.
Password Mistake #1: Reusing passwords.
Reusing passwords is all too common. Years ago, before data breaches became frequent, password reuse was a common practice. We have all likely re-used passwords at some point in our lives. However, times have changed, and reusing passwords is now the number one password mistake we see. Doing so has led to some very high profile intrusions, along with further data breaches, and it has had a cascading effect on our digital lives. A survey conducted by LastPass found that 91% of people interviewed knew that reusing passwords was bad, yet 66% of the 3,250 respondents still reported that they re-used passwords.
Re-using passwords means that if your password is compromised on one site, then an attacker with access to your password can then use it to login to your accounts on other sites. They can steal sensitive information retained in certain accounts or use credit cards through your compromised accounts if you have them saved in shopping sites. Worst of all, if your email is compromised, they can make use of password reset functionality on all of the accounts using that email address and take over your entire digital identity.
The Wordfence site cleaning team frequently finds that compromised WordPress sites are using the same password for their hosting account, FTP credentials, and WordPress dashboard area, which can lead to a complex compromise. There have been many instances where an attacker has been able to get access to the wp-admin area of a site, either from a compromised and re-used password or from brute-forcing the password, and then used those same credentials to log into the compromised site’s hosting account since they shared the same credentials.
In today’s post, we covered just how important it is to make sure you are following password best practices and why. This is applicable to not only your WordPress site but also your entire digital presence, including banking and financial accounts, social media accounts, email accounts and any vendor account that requires a username and password. If you follow best practices and avoid making these mistakes then you are on the fast track to ensuring your online world remains secure.
We often recommend you share our posts with any colleagues and friends that are affected. With today’s post, it’s clear that password best practices affect us all. Today we are asking that you share this post with everyone as passwords affect everyone. We hope we’ve given you ample evidence to spread awareness about password security and its importance in making the online world a better and safer place for everyone.
If you check your Wordfence reports, you might notice that an admin login that is attempted is the same as the one used to write all your content. For critical sites I use an Editor-level user name for writing content, as it makes password guessing harder.
It still baffles me why users in 2021 don't use a password manager to generate random secure passwords for each site and enable 2FA!