Passwords - Good practices for WordPress site owners

Website Access Control

1. Use a strong password and keep it secret. The stronger your password, the better you can defend against brute force password guessing attacks. Don’t reuse passwords.
2. Avoid Social Engineering, such as Phishing. For example, Phishers can create fake web pages like your login page to collect your credentials. Check where a URL points before you click it.
3. Change your password regularly. Immediately change your password if you think your website has been attacked. Always use a strong password. Change your password every 3months.
4. Follow a “Least Privileges” approach to access rights. It’s best to limit who can modify your site and what they can change to minimize the entry points available to a malicious person.
5. Use the various WordPress User levels (Subscriber, Contributor, Author, Editor, Administrator). Appropriate User levels can contain the damage a malicious person can do if they get access to an individual account.
6. Limit who has administrator rights on your website.
7. Use a two-factor password on your website.

Two-Factor (Two-Step) Authentication

1. There are three ways to identify yourself uniquely:
   1. Things You Are: A unique feature to identify you, such as fingerprints, retinas, voice, or face.
   2. Things You Have: A physical device or item you can prove is in your possession, such as a smartphone or keychain fob.
   3. Things You Know: Information that only you will remember, such as a password or an answer to a specific question.
2. Logging in with a password is a single-step authentication. It only relies on something you know.
3. Two-step authentication is a system in which you use two of the three possible factors to prove your identity instead of just one.
4. Most two-step implementations rely on a password you know and use your smartphone or another device to authenticate with something you have.

Plugins for Two-Factor (Two-Step) Authentication

You can search for two-step authentication plugins available in the WordPress.org plugin repository.

Website Software Updates

Developers continually release updates to address new security issues. 

1.  Update WordPress to the latest version. WordPress now has an auto-update feature. You can check that auto-updates are enabled at WordPress -> Dashboard -> Updates.
2. Keep your Plugins and Themes updated to the latest version.

How to Change Your WordPress Password

To change your password when already logged in to WordPress:

1. In the Administration Screen menu, go to Users > All Users.
2. Click on your username in the list to edit it.
3. In the Edit User screen, scroll down to the New Password section and click the Generate Password button.
4. If you want to change the automatically generated password, you can overwrite it by typing a new password in the box provided. The strength box will show you how good (strong) your password is.
5. Click the Update User button.
6. Your new password becomes active immediately. 

How to Reset Your WordPress Password

If you know your username or the email account in your profile, you can use WordPress’s “lost password” feature.

1. Go to your WordPress Login page (something like http://yoursite.com/wordpress/wp-login.php)
2. Click on the “Lost your password?” link.
3. Enter your username or the email address on file for that account.
4. Once you get your new password in your email, log in to your profile page and immediately change this password to a strong password you can remember.

Avoiding Attacks

See our article “Malware – Good practices for WordPress site owners” for more details on reducing the risk of attacks on your website.

References

https://developer.wordpress.org/advanced-administration/security/