Password Auditing

This feature was removed in Wordfence 7.1.0.

This feature was removed in Wordfence 7.1.0.

Creating a Password Auditing Job

To start a password audit: Select whether you want to audit your administrative accounts, your regular user accounts, or both. Then, enter your email address and click “Start Password Audit”

The Audit Status will appear and will update every 10 seconds while the audit is running. Once complete it will be marked as complete and your results will appear. Once it completes you will also receive an email at the address provided letting you know that your audit completed. We send an email because if you have a large number of admin or user accounts, audits may take several hours. For under 10 accounts it should take just a few minutes.

What should you do about User Accounts with Weak Passwords?

Once you have a list of user accounts with weak passwords, you can select the accounts you want to fix.

You can then either:

Send your site members with weak passwords a friendly email informing them that a recent password audit detected that they have a weak password and to sign-in and change their password to a stronger one. The email includes a link to sign-into your WordPress site.

Alternatively, you can change the passwords for your members with weak passwords and send them an email containing the new password. This email will ask them to sign in with their new stronger password and suggests that they change their password to one of their choosing. This email also includes a sign-in link and tips to help them choose a stronger password.

How do we audit your passwords?

Wordfence Password Audit uses a much tougher auditing process on Administrative accounts compared to regular user accounts. This is because hackers almost never go after ordinary users and if your administrative account is compromised your entire site is compromised. However, we do include regular user accounts as a service to your user community because, for example, if your site is hacked and your customers are using easy to guess passwords, and those passwords are being used on other services like Gmail, a breach can have wide implications. Therefore, it is important that we audit both account types.

For regular user accounts we use several dictionaries containing common passwords. At the time of this writing we are using three dictionaries:

  • 10,000 common passwords. This contains 10,000 well known common and easy-to-guess passwords.
  • 450,000 english words. This contains over 450,000 english words and combinations of words.
  • 22 Million modified english words. This contains over 22 Million english words that have been combined with numbers, other words, symbols and use different case.

For admin accounts we use:

  • A dictionary with 38,000 common passwords that are easy to guess.
  • 450,000 english words. This contains over 450,000 english words and combinations of words.
  • 22 Million modified english words. This contains over 22 Million english words that have been combined with numbers, other words, symbols and use different case.
  • 269 Million known passwords. These are passwords that have been previously compromised when other sites like LinkedIn, eHarmony and others were hacked. They are often used in cracks by hackers hoping that you use the same admin password on your WordPress site as you do on another site that was hacked. Don’t be surprised if even your harder-to-guess passwords are cracked by this dictionary.

Why does this make my site more secure?

Even though we are only operating on password hashes rather than plain-text passwords, we take create care to not expose your data. The first thing we do is use RSA public key encryption combined with AES to securely encrypt your password hashes on your server. We then send that already-encrypted data via SSL (which itself is encrypted) to our servers in our data center.

Our servers are located in a secure facility which is staffed 24 hours and has biometric security. Even so, we store your data in the encrypted form and only decrypt it when we need to operate on the hashes we’ve received. Once the operation is complete, your data is deleted. If we do manage to reverse engineer a hash which indicates a weak password, we never store the password. We simply make a note of the password length and the first letter to prove to you that we have actually done some work. We then send you back the userID of the WordPress member that has a weak password, the first letter of that password and the password length. At that point the results show up on your Wordfence user-interface and you can alert the site member to the problem or change their password.

To put this in perspective, whenever you back up your WordPress database you are backing up an unencrypted copy of all your password hashes and storing it somewhere off your server, unencrypted. Because we are security geeks, we like to go the extra mile. Because we care about your security, rather than sending plain old hashes around, we double encrypt them and store them encrypted.


We were the first to offer this service for WordPress and we are excited to be offering it to our customers. No other content management system that we’re aware of has a self-service password auditing feature like this that makes a fast computing cluster available to consumers.

To provide this feature, we have worked with enterprise hardware manufacturers to build a custom cracking cluster in our data center in Lynwood, Washington. We have combined powerful leading-edge Nvidia graphics processing units (GPU’s) with enterprise hardware to create a password auditing cluster that has over 40 Teraflops of processing power. That is more processing power than the most powerful computer in the World in 2003.

Please note: Password Auditing is only available for Premium Wordfence customers.