4 Best Practices for Password Security on your WordPress Site

The FBI warned this week that private sector businesses and citizens should remain vigilant for a potential increase in malicious cyber activity. Cyber threats are, of course, not new to the online world, but recent world events such as the Russia-Ukraine war certainly increase the possibility of hackers’ desire to cause problems for U.S. based organizations. For that reason, we believe this is an important time for organizations to review their password and basic security policies.

In addition to reviewing and recommending password policies for our clients, Materiell has also taken the added precaution of adding redundant backups for all our hosting clients. Additional backups stored in a separate location are an easy way to ensure data security and peace of mind.

Of course, the best way to mitigate risk is to avoid or prevent it. And we know that one of the most common ways websites are hacked is through compromised passwords.

Passwords are an integral aspect of site security. A poorly chosen password may result in unauthorized access and/or exploitation of resources. Organizations of all sizes should require all staff, including contractors and vendors with access to your business systems, to be responsible for taking the appropriate steps to select and secure their passwords.

Here are a few recommendations we provide our clients:

1. Use strong and unique passphrases

Long passwords should be required these days. Consider a passphrase instead of a password to make it easier to remember.

Generally speaking, at a bare minimum, we follow the NIST 800-63B, which recommends memorized passwords be longer than eight (8) characters. That is quite a short password length, but the goal here is to have users without password managers to memorize passwords rather than write them down. Since memorized passwords can be hard to remember, we also recommend creating a passphrase made up of several words that is easy to remember and longer. For example, users could use a passphrase like “CorrectHorseBatteryStaple” to meet a longer character length requirement but that isn’t hard to guess.

That example is from the webcomic XKCD, and as a specific password it’s likely to be in a dictionary of common passwords used by attackers. To avoid that problem, NIST also recommends that ”that passwords chosen by users be compared against a ‘black list’ of unacceptable passwords.” Plugins such as Carl Alexander’s “Passwords Evolved” allow you to safely check user passwords against a large list of popular broken passwords.

Finally, it is very important to select a unique password for each and every system a user accesses in order to mitigate risk. That way, if one password is compromised, only one system is compromised. If you use the same password for multiple systems, all of those systems are compromised. https://haveibeenpwned.com is a good resource for seeing accounts that have been compromised.

2. Use a password manager

If all that advice about memorized passwords seems difficult to follow, consider using a password manager like LastPass or 1Password. Password managers make using long, unique passwords much easier. They integrate with web browsers and devices like phones so that passwords are easily shared across devices. Instead of remembering dozens of accounts, you only need to be able to access a single, main password and the manager does all the rest. Web browsers often integrate some of this functionality, but in addition to being less secure they are often a bit harder to manage. Firefox, for example, will manage passwords and Apple’s Keychain provides similar functionality. However, neither of these solutions is very portable across devices or browsers. For holding secrets in the long term, specialized managers are one of the easiest solutions.

Storing a basic text or spreadsheet file on your computer with all the passwords is not recommended unless it is very well encrypted. If you choose to do this, consider using a separate logical or physical drive that is encrypted and which requires its own password for access.

3. Treat passwords as confidential information

All passwords should be treated as sensitive, confidential information. If your organization does not already have a policy documented for protecting this type of information, consider creating one that includes an incident management protocol should any user’s password be compromised.

Avoid the use of “Remember Password” features of applications (for example, web browsers).
Passwords should not be inserted into email messages, issue tracker cases or other forms of electronic communication, nor revealed over the phone to anyone. We recommend organizations create a policy for their employees if sharing passwords is common in your work. Some password managers, like 1Password also have an option to share passwords.

4. Use multi-factor authentication (MFA)

Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work related accounts but personal accounts also. Most large providers have MFA solutions and simply need to have these enabled.

Typical second factor authenticators (2FA) are SMS text message or email; however, this is the least secure of the various methods of MFA. While unlikely, it is possible for attackers to gain access to these accounts. If your second factor is email, then an attacker who has your email could have access to all your accounts simply by resetting passwords. Similarly, SMS messages have been intercepted in the past and used to compromise accounts.

A better MFA method is the One Time Password. This method involves creating a key that can generate a time-sensitive password and then storing that key on a second device. Materiell recommends either the Duo or Google Authenticator applications for 2FA.

Additional MFA solutions do exist such as physical hardware like Yubikey that acts much like the fingerprint reader on some phones. These physical, hardware keys allow a user to just push a button but have the same level of security as a One Time Password.

While all these options do require upfront set up time, it’s definitely worth the extra security. We recommend comparing the options carefully to find the best option for your organization.

Get started with a secure managed Google Cloud™ hosting solution today for your WordPress site.

With Materiell, you can leverage our team of experts to power your WordPress site on a secure Google Cloud™ hosting environment. The Materiell team can help you secure and manage your WordPress site on the Google Cloud™ with experienced web and dev operations teams along with an end-user dashboard to help you create, develop, and manage WordPress sites.

If you’d like to learn more about how you can get started with Google Cloud™ for your enterprise WordPress site, contact us today.