Ten Password Mistakes That Could Get Your WordPress Site Hacked

  • 24:30​ Mistake #10: Not using a password manager
  • 29:57​ Mistake #9: Sharing passwords
  • 34:39​ Mistake #8: Not being aware of your surroundings
  • 37:17​ Mistake #7: Not monitoring and auditing passwords
  • 41:32​ Mistake #6: Using passwords that are not complex
  • 46:19​ Mistake #5: Using personal information in passwords
  • 49:45​ Mistake #4: Not removing ex-employee and/or developer and/or support user credentials
  • 53:00​ Mistake #3: Using passwords that are too short
  • 57:27​ Mistake #2: Not using multi-factor authentication
  • 1:01:45​ Mistake #1: Reusing passwords

Password Mistake #10: Not using a password manager.

This mistake is all too common. Some don’t trust password managers while others simply don’t know they exist. It is incredibly important to use unique, strong, and complex passwords for each account, and there is simply no better way to keep track of these passwords than a password manager.

Password Mistake #9: Sharing passwords.

Never share your passwords with anyone if you can help it. By sharing a password with someone else, you are giving them the ability to act on your behalf for that account. Any person you share your password with can successfully claim your identity in terms of the site they are authenticating to. Most organizations have alternative methods of verifying your identity over the phone that do not require sharing passwords, such as PIN numbers, secret phrases, and other means, and any request for your password should be considered suspect.

Password Mistake #8: Not being aware of surroundings when using passwords.

When you log in to a website in a public area over open WiFi your password is transmitted in packets that can be intercepted and read by attackers using a packet capture tool like Wireshark. Many people simply aren’t aware that this is possible, so they do not take the appropriate measures to protect themselves while using their computer or devices in public spaces.

Password Mistake #7: Not regularly monitoring and auditing passwords.

This is a common mistake, often overlooked and neglected. Passwords should be monitored and audited regularly. Sometimes passwords can be compromised in data breaches, therefore it is important to monitor your passwords and accounts so that if they are found in a data breach they can be changed immediately.

Password Mistake #6: Using passwords that are too simple or contain dictionary words.

Simple passwords are one of the most common intrusion vectors for hacked accounts. Password complexity is very important when it comes to protecting your passwords against brute force attacks and other password cracking attacks. Password complexity refers to the addition of diverse characters in a password which makes them significantly harder to guess. This means adding numerical characters and special characters (e.g., $, %, #) along with a mixture of uppercase and lowercase letters. The more complex you make your password, the longer it would take for a brute force attack to be successful.

Password Mistake #5: Using personal information in passwords.

This is a common mistake as it is so much easier to remember passwords containing personal details. For example, if your dog’s name is charlie and your favorite number is 3, you may be tempted to use charlie3 as your password for all of your sites. However, that is a big mistake.

Password Mistake #4: Not removing ex-employee, developer, or support user credentials.

Leaving an employee’s account active on your WordPress site after they have been terminated could be a vector for site defacement if the employee is disgruntled from the termination.

Password Mistake #3: Using passwords that are too short.

This mistake ties in with some of the other mistakes that we have already discussed regarding password complexity and using a password manager. Passwords that are too short can easily be cracked just like a password with low complexity.

Password Mistake #2: Not using multi-factor authentication.

No one enjoys using multi-factor authentication, however, it is an important layer of protection. Passwords act as the first layer of authentication and if your password is somehow compromised then having a second layer of authentication makes it much harder for an attacker to successfully “spoof” the authenticity of your identity. Using certain authentication methods can make it next to impossible for an attacker to get in.

  • Something you know: This is the most common type of authentication and is something only you know. This will typically be your password or a pin code that you know.
  • Something you are. This refers to biometrics, such as a fingerprint, retinal scan or other physical attribute unique to you. This is less common when it comes to online authentication, however, it is a valid form of authentication and is difficult to compromise.
  • Somewhere you are. This form of authentication is based on your location. It’s typically not an explicitly selected form of authentication, however, several services will monitor your location when you log in and alert you, or block you, if a login is coming from an unusual or new location.
  • Something you have. This is the most commonly used second form of authentication for online sites. It’s authentication with something you have like an authenticator app on your cell phone that generates a time-based one time passcode. There are also physical token devices that generate random numbers or use a cryptographic certificate to verify your identity.
  • Something you do. This form of authentication is based on something you do. This would involve swiping a pattern on your phone screen or the analysis of patterns based on your personal typing behavior. This is most often used to distinguish human activities versus bot access attempts, such as seen with reCaptcha.

Password Mistake #1: Reusing passwords.

Reusing passwords is all too common. Years ago, before data breaches became frequent, password reuse was a common practice. We have all likely re-used passwords at some point in our lives. However, times have changed, and reusing passwords is now the number one password mistake we see. Doing so has led to some very high profile intrusions, along with further data breaches, and it has had a cascading effect on our digital lives. A survey conducted by LastPass found that 91% of people interviewed knew that reusing passwords was bad, yet 66% of the 3,250 respondents still reported that they re-used passwords.


In today’s post, we covered just how important it is to make sure you are following password best practices and why. This is applicable to not only your WordPress site but also your entire digital presence, including banking and financial accounts, social media accounts, email accounts and any vendor account that requires a username and password. If you follow best practices and avoid making these mistakes then you are on the fast track to ensuring your online world remains secure.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Emedia Hosting

Emedia Hosting

Our highly skilled team will configure, monitor and manage your hosting account 24/7 and be there for you should any problem arise.