Weak passwords are a leading cause of data breaches, and when it comes to WordPress, a strong password is your first line of defence. Password strength is determined by length, complexity, and unpredictability – the harder it is to guess, the harder it is to crack.
However, WordPress’s default password settings may not be enough to protect your users. That’s where password policies come in. They set strict rules for password creation, ensuring the security of your site and compliance with data protection regulations.
Implementing effective password policies can be challenging, but tools like Shield Security PRO and other plugins can help. In this article, we’ll explore how these tools can boost your WordPress site’s security and recommend best practices for enforcing strong passwords.
Creating and enforcing password policies
Creating and enforcing strong password policies is important for maintaining the security of your WordPress site. When developing your password policy, consider the level of complexity you need to enforce. Generally, the more complicated the password, the more secure.
However, it’s not enough to simply set a policy – you should also ensure that your users follow it. The easiest way to do this is by installing a security plugin that includes features for password management, such as Shield Security PRO.
But technical solutions are just one part of the equation. Educating your users on password and login security best practices is equally important, especially for those with access to your site’s backend, like employees, web developers, and designers.
When granting access, follow the principle of least privilege. This means giving users only the permissions they truly need to perform their tasks, reserving high-level access for those who truly require it and have the knowledge to handle it responsibly.
Managing passwords with Shield Security PRO
Shield Security PRO offers features to help with your password policy management. Here’s a step-by-step guide to accessing and configuring these settings:
- Install and activate Shield Security PRO.
- After activation, click the Shield Security PRO plugin in the left-hand menu of your WordPress dashboard.
- Within the Shield Security PRO dashboard, go to the Security Zones menu. From there, press Users → and then Password Policies. This will direct you to the dedicated section for managing password policies.
Let’s review the options here to tailor your password policies to suit your security requirements.
Enable password policies
Enabling password policies within Shield Security PRO is the 1st step in fortifying your WordPress site against unauthorised access. This option allows admins to toggle password policy settings on and off easily. Once activated, all user roles, including yours as the site administrator, must adhere to the specified requirements. Failure to meet these requirements will result in users being unable to fully log in, compelling them to reset their passwords.
Prevent “pwned” Passwords
Passwords are the frontline defence against unauthorised access. However, data breaches can often render many passwords vulnerable, leading to what are known as “pwned” passwords. This means that these passwords have been exposed and may be used by hackers when trying to gain unauthorised access to accounts.
Shield Security PRO’s Prevent Pwned Passwords feature can help protect against this. By checking this box, users are shielded from using passwords that have been exposed in previous breaches. This approach ensures that only secure passwords are permitted, removing the risk of account compromise due to reused or compromised credentials.
This defence is made possible by using the capabilities of Have I Been Pwned (HIBP), an API created by security expert Troy Hunt. HIBP maintains a database of compromised email address and passwords, allowing users to discover if their credentials have been compromised in previous breaches. Shield Security PRO integrates with HIBP, enabling it to cross-reference passwords against this database in real time.
Minimum strength
Shield Security PRO allows users to establish minimum password-strength criteria, offering options ranging from “very weak” to “very strong” based on the zxcvbn password strength calculator (the calculator used by WordPress, too)
The zxcvbn algorithm assesses passwords based on factors like length, complexity, and predictability, assigning them a corresponding strength level. Users can select their desired minimum strength level to ensure that only strong passwords are accepted, minimising the risk of unauthorised access due to easily guessable credentials.
Pro tip: We recommend a minimum strength level of [strong] for the best security.
Password expiration
While Shield Security PRO offers the option to set password expiration intervals, it’s important to consider whether this feature is something you might need. While password expiration can theoretically enhance security by prompting users to update their credentials regularly, it comes with drawbacks that may outweigh its benefits.
Firstly, password expiration can be inconvenient for genuine users, leading to frustration and potentially discouraging them from engaging with your site. Moreover, the security benefits of password expiration are limited, particularly when password strength minimums and pwned password prevention measures are already in place. Expirations are made even more redundant by measures like two-factor authentication. In such cases, the likelihood of compromised passwords posing a significant security threat is very small, rendering password expiration intervals less impactful.
However, if you still choose to implement password expiration, we recommend intervals no more frequent than every 90 days. This aligns with industry standards while minimising user irritation.
Apply to existing users
Enabling the Apply to Existing Users feature within Shield Security PRO makes sure that the password policies you’ve established extend to all existing users on your WordPress site. This means that users whose passwords do not meet the specified requirements will be prompted to update their passwords upon their next login attempt.
Like password expiration settings, applying policies to existing users may be perceived as an inconvenience, potentially leading to user frustration. However, when there’s a known credential leak or widespread unsafe password practices across the user base, this feature can be a valuable tool for boosting security.
Free password policy plugin alternative
While Shield Security PRO has advanced security features, including password policy management, budget constraints may lead some users to look elsewhere.
If you’re looking for a free password policy plugin, miniOrange Password Policy Manager is a viable option.
The free version of miniOrange Password Policy Manager has essential password security features, such as setting requirements for lowercase and uppercase letters, numerals, and special characters. Users can also establish minimum password lengths and implement regular password expiration periods. The plugin also offers the ability to enforce these policies on existing users at their next login and basic login activity monitoring capabilities.
Please note: The free miniOrange Password Policy Manager version lacks some advanced features in Shield Security PRO’s premium offer. Paid upgrades unlock additional features, like the ability to lock inactive users or prevent using previously used passwords. Furthermore, miniOrange Password Policy Manager does not include other cybersecurity tools adequate for full site protection.
While miniOrange Password Policy Manager may be enough for basic password security needs, investing in a full-featured cybersecurity plugin like Shield Security PRO offers protection against a broader range of threats.
Beyond passwords: Better tools for login security
While strong passwords and password policies form the foundation of login security, it doesn’t stop there. It’s important to recognize that additional layers of defence are necessary to protect your login system effectively. Tools such as 2FA and Passkeys offer crucial enhancements to user login security.
Shield Security PRO supports different types of 2FA, and will soon have passwordless login as well. 2FA makes it much harder for unauthorised users to access your website.
Shield Security PRO goes even further to protect your login page by automatically detecting and blocking bad bots from accessing your site. It looks for specific bot signals and, upon noting enough suspicious activity, blocks the IP address on suspicion of being a bot. This is an extremely effective defence against many types of malicious login attempts, including brute force attacks.
Take the next step in securing your WordPress site with ShieldPRO
We’ve highlighted the importance of strong password policies in protecting your WordPress site and users’ credentials. Plugins like Shield Security PRO make setting up and enforcing these policies easy, providing a solid foundation for your site’s security.
However, consider implementing additional measures such as Two-Factor Authentication (2FA) and bad-bot detection and blocking for optimal protection. These features work alongside strong passwords to create a solid defence.Get started with Shield Security PRO today and experience the peace of mind of knowing your site is protected by the best security features available.