Passwords, Usernames & Website Security – a primer

A great question was posed on the Why WordPress? post regarding the security issues of using WordPress.

Part of my answer (long winded as always – sorry about that) was:

Frankly, any website can get hacked, and WP is no exception. I had someone call because their Joomla website got hacked (Joomla is another website software similar to WP). There are steps you can take to make it more difficult to hack your WP site: have a strong login password and a username other than “admin”, keep the WP and plugins updated (this is very easy to do via WP admin page), and a few other tricks that are a little too technical to explain here. You should also log into your hosting account and check your logs for unusual activity. I found a German site trying some crap on one of my websites, so I simply blocked that IP from being able to see the website.

Today, I’m going to talk to you a bit about the biggest step you can take to protecting your website, email, bank accounts, facebook account, and any online profile you might have.


The most common password used on Facebook? “Password” Well, duh, of course it’s easy to hack your account and start all kinds of mischief.

The most common username used on WordPress? “admin”. There’s half of the information I need to break into your page and screw things up.

What you need is a password that’s hard for a machine to guess and easy for you to remember. Something that includes:

  • Upper case letters
  • Lower case letters
  • Numbers
  • Symbols (within limits)

An easy way to remember something hard

While it’s easy to generate a strong password, it’s not so easy to generate one that is easy to remember. Here’s a little trick: make it a mnemonic. A common mnemonic is “Every Good Boy Does Fine”. Those are the note names associated with the lines on music staff paper: E G B D F.

So let’s try an example. A strong password is going to be a minimum of 8 characters long and preferably more than 14. We’ll use this lyric to generate our password:

What the world needs now, is love sweet love

The first letter of each word would give us the following 9 character password: wtwnnilsl

Well, it’s long, but it’s not strong. Let’s do some substitution of numbers for letters. The letter “l” looks a lot like number “1”. The letter “S” looks a lot like the symbol “$”. So making the password: wtwnni1$1

Better, but still not strong. Let’s emphasize the words “World” and “Needs” by making them upper case letters. Our password is now:


Now that’s pretty, although it could be longer. As it is, it would take approximately 299 days for a computer to guess. And it’s easy to remember. If you need a reminder, just write the mnemonic you used.

What about a strong username? WordPress allows for numbers and symbols in the username, but not all accounts do. Some will only allow letters and numbers. Do what you can, but don’t make your user name your name – it’s too easy to guess.

If your name is Marty Black and your dream car is a 67 Mustang, you could have a username: M@rtyB67. Here, we’ve used the “@” to substitute for the “a”. This would take 162 days for a computer to guess.

The point of making strong usernames and passwords is make breaking into your account difficult. Many automated hacking programs simply start with the most common: admin, password, 1234, etc and then start generating them in numerical sequence.

Your task: make your passwords stronger!

Free Ebook: Your Website Is Ugly

Join the mailing list to get your copy and discover 10 free or low cost ways to make your website more attractive to visitors. Plus, you’ll get access to all of my free materials and blog updates.

Sorry, comments are closed for this post.

"Act as if it were impossible to fail." - Dorothea Brande