Blocking very weak WordPress login passwords

Recently, we’ve been seeing more and more WordPress sites maliciously “hacked” because the site owner chose a weak password like “admin”, “password”, “temp”, “test”, or “wordpress”.

If you use a password like this, “hackers” may be able to guess it and log in before rate limiting stops them (rate limiting only protects passwords that take many guesses to find).

Hackers are using automated software to try to log in to millions of WordPress sites every day with exactly these passwords. Because so many sites are being compromised this way, we’ve taken the fairly radical step of blocking all WordPress logins that use them.

This will completely stop the problem, but the logins will be blocked whether the password is correct or not. So if you’re actually using one of those five passwords for WordPress, or if your password is the same as your WordPress username, you’ll see a message on the login screen telling you to use the “Lost your password?” link to reset it to something stronger.
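One way to implement the block described above, as an added example written here (not the host’s own code): a small WordPress plugin that hooks the `authenticate` filter, refuses any attempt using one of the five listed passwords or a password equal to the username, and points the user at the reset link. It assumes the comparison is case-insensitive and that the standard reset page is the right place to send people.

```php
<?php
/**
 * Plugin Name: Block Very Weak Passwords (added example)
 *
 * Refuses a login attempt whose password is one of the five named in the
 * post, or equals the username. The refusal happens whether or not the
 * password is correct, exactly as the post describes.
 */

// The five passwords named in the post. Assumption: matching is case-insensitive.
const WEAK_WP_PASSWORDS = array( 'admin', 'password', 'temp', 'test', 'wordpress' );

/**
 * True when these credentials must be refused outright.
 */
function weak_wp_password_is_blocked( $username, $password ) {
    $p = strtolower( (string) $password );
    $u = strtolower( (string) $username );
    return in_array( $p, WEAK_WP_PASSWORDS, true ) || ( '' !== $u && $p === $u );
}

/**
 * Runs at priority 30, after core's own username/password and email/password
 * checks (priority 20), so the WP_Error it returns is the final verdict.
 * It checks the submitted password string, not $user, so a correct password
 * is refused just like a wrong one.
 */
function weak_wp_password_authenticate( $user, $username, $password ) {
    if ( ! weak_wp_password_is_blocked( $username, $password ) ) {
        return $user;
    }
    return new WP_Error(
        'weak_password_blocked',
        sprintf(
            /* translators: %s: URL of the password reset page */
            __( '<strong>Error:</strong> Logins with this password are blocked because it is far too easy to guess. Please use <a href="%s">Lost your password?</a> to reset it to something stronger.' ),
            esc_url( wp_lostpassword_url() )
        )
    );
}
add_filter( 'authenticate', 'weak_wp_password_authenticate', 30, 3 );
```

Because the check runs on every attempt, the log of `weak_password_blocked` errors also gives a defender a clear count of how often automated guessing is hitting the site with these exact passwords.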

This may be slightly annoying, but we promise it’s far better than what you’ll experience if we let hackers compromise your site (and it’s a question of “when”, not “if”, if you use these passwords).

As always, customers should contact us in the unlikely event you have any trouble as a result of this.

1 Comment

  1. Good for you!

    I worked at a site that was hacked (I wasn’t the admin) even though the login should have been fairly hard to guess. But it was a big, popular site, so someone went to a lot of trouble. The nightmare resulted in the loss of tens of thousands of posts and necessitated a long, expensive rebuild.

    Everyone should use tough passwords (and tough usernames, too!)

    Thanks for looking out for us.

    Lyn