Password Security for Website Owners: Beyond the Basics

By ReadyWebs

Security Note: This article discusses website security concepts for educational purposes. Always consult a qualified security professional before implementing security changes on production systems.

Weak passwords remain the most common cause of website compromises. Automated tools can test millions of password combinations per second, making short and simple passwords effectively no protection at all. Strong password practices for your website admin, hosting, database, and FTP accounts are fundamental security requirements.

What You Need to Know

Use a password manager (Bitwarden, 1Password, or KeePass) to generate and store unique, random passwords for every account. Each password should be at least 16 characters with mixed character types. Never reuse passwords between services — a breach at one service compromises every account sharing that password. Change default WordPress admin usernames from “admin” to something unique. Use application-specific passwords for services that access your site.

How Password Attacks Work

Dictionary attacks try common words, phrases, and known passwords from previous data breaches. If your password is a real word or common phrase, it will be cracked in seconds. Credential stuffing uses username-password pairs leaked from other services. If you reuse passwords, a breach at any service compromises all your accounts. Rainbow table attacks use precomputed hash tables to reverse password hashes. Salted hashing (used by WordPress with phpass) defeats rainbow tables.
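The following Python, added here and not part of the original article, shows the difference between the three attacks above: a precomputed table reverses an unsalted hash instantly, a per-user salt makes that table useless, yet a salt alone does not save a password that is in the attacker's dictionary. PBKDF2 stands in for phpass, and the "leaked" list and table are constructed for the example.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed stand-in for a rainbow table: unsalted SHA-256 of a handful of
# common passwords. Real tables hold billions of entries.
LEAKED = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in LEAKED}


def unsalted_hash(password: str) -> str:
    """No salt: every user with this password stores the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = 100_000) -> Tuple[bytes, str]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, not phpass)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest.hex()


def rainbow_lookup(digest: str) -> Optional[str]:
    """Reverse a digest by table lookup; None when it is not in the table."""
    return PRECOMPUTED.get(digest)


def verify_salted(password: str, salt: bytes, expected_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return secrets.compare_digest(candidate, expected_hex)


def dictionary_attack(salt: bytes, target_hex: str) -> Optional[str]:
    """Salt defeats precomputation, but each guess can still be hashed with
    the victim's salt, so a password on the list still falls."""
    for guess in LEAKED:
        if verify_salted(guess, salt, target_hex):
            return guess
    return None
```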

Setting Up a Password Manager

Choose a password manager: Bitwarden (free and open source), 1Password ($3/month with family sharing), or KeePass (free, local-only storage). Install the browser extension for auto-fill functionality. Import existing passwords from your browser password store. Generate new random passwords for every account, starting with your most critical services: email, hosting, domain registrar, and WordPress admin.

A strong generated password looks like “k8#mPq2$vR9nLx4” — completely random, impossible to guess, and impossible to remember. Your password manager remembers it so you do not have to. The only password you need to memorize is your master password for the password manager itself, which should be a long passphrase like “correct horse battery staple” — easy to remember, hard to crack.
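As an added example (not the article's code), this Python generates both kinds of secret with the `secrets` module and computes how much entropy each style provides, which is what makes a long passphrase from a large word list comparable to a random 16-character password. The symbol set and the eight-word list are constructed; a real passphrase needs a list on the order of thousands of words.

```python
import math
import secrets
import string

# Character pool for "mixed character types": letters, digits, symbols.
SYMBOLS = "!#$%&*+-=?@^_"
POOL = string.ascii_letters + string.digits + SYMBOLS  # 75 characters

# Constructed miniature word list. Entropy depends on list size, so a real
# list (e.g. 7776 words) gives far more per word than these eight do.
WORDS = ["correct", "horse", "battery", "staple",
         "ocean", "lantern", "pebble", "violet"]


def generate_password(length: int = 16) -> str:
    """Uniform picks from POOL, resampled until every class is present.
    The resampling costs a fraction of a bit of entropy; it does not add any."""
    while True:
        pw = "".join(secrets.choice(POOL) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Diceware-style: each word drawn uniformly and independently."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size: int, count: int) -> float:
    """Bits of entropy for `count` independent uniform picks from `pool_size`."""
    return count * math.log2(pool_size)
```

With these parameters a 16-character password from the 75-symbol pool carries about 99.7 bits, while four words from a 7776-word list carry about 51.7 bits and four from the eight-word list only 12, which is why the word list behind a passphrase matters as much as its length.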

WordPress-Specific Password Practices

Change the default admin username from “admin” during installation or by creating a new admin account and deleting the original. WordPress generates strong passwords by default during user creation — use these rather than creating your own. Enforce strong passwords for all user roles with a plugin like Force Strong Passwords. Set password expiration policies for sites with multiple contributors, requiring password changes every 90 days. Review and remove inactive user accounts quarterly.

Protecting Database and FTP Credentials

Your WordPress database password and FTP/SFTP credentials are stored in wp-config.php and potentially in your hosting control panel. Database credentials that are compromised allow direct access to your content, user data, and site configuration, bypassing every WordPress-level security measure you have implemented.

Generate database passwords with the same randomness and length requirements as your admin passwords — 24 or more random characters. Never use the database name or username as part of the password. On shared hosting, your database credentials may be visible in plaintext in wp-config.php, making file permission security critical. Set wp-config.php permissions to 600 (readable only by the file owner) to prevent other accounts on the same server from reading your credentials.
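This Python audit, added here rather than taken from the article, checks a wp-config.php against the three rules just stated: password length of at least 24, no database name or username embedded in the password, and a file mode of 600. It reads the single-quoted `define( 'DB_…', '…' )` form; the sample file contents are constructed.

```python
import os
import re
import stat
import tempfile

# Matches the single-quoted form WordPress writes: define( 'DB_NAME', 'x' );
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")

# Constructed sample that violates every rule (short, contains name and user).
SAMPLE_BAD = """<?php
define( 'DB_NAME', 'shopdb' );
define( 'DB_USER', 'shopdb_user' );
define( 'DB_PASSWORD', 'shopdb_user2024!' );
"""


def parse_defines(text: str) -> dict:
    return dict(DEFINE_RE.findall(text))


def audit_db_password(defines: dict, min_length: int = 24) -> list:
    """Findings for the DB_PASSWORD value; an empty list means it passes."""
    pw = defines.get("DB_PASSWORD", "")
    findings = []
    if len(pw) < min_length:
        findings.append(f"DB_PASSWORD is {len(pw)} chars; want {min_length}+")
    for key in ("DB_NAME", "DB_USER"):
        value = defines.get(key, "")
        if value and value.lower() in pw.lower():
            findings.append(f"DB_PASSWORD contains {key} value {value!r}")
    return findings


def audit_permissions(path: str) -> list:
    """Any group/other bit set means other accounts on the host may read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path} mode is {mode:o}; expected 600"] if mode & 0o077 else []


def audit_wp_config(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        defines = parse_defines(fh.read())
    return audit_db_password(defines) + audit_permissions(path)


def write_sample(text: str, mode: int) -> str:
    """Write constructed config text to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix="wp-config.php")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path
```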

SFTP credentials should use key-based authentication instead of passwords when your host supports it. SSH keys provide stronger authentication than even the most complex password because the private key never leaves your computer and cannot be guessed through brute force attempts against the server. Kinsta, Cloudways, and most VPS providers support SSH key authentication natively.

Responding to a Password Breach

If you discover that credentials have been compromised — through a breach notification service like Have I Been Pwned, suspicious login activity in your security logs, or unauthorized changes to your site — execute a coordinated password rotation immediately.

Change your WordPress admin password first. Then change your hosting control panel password, database password (updating wp-config.php to match), FTP/SFTP password, and your email account password if it serves as the recovery email for any of these services. Check for and remove any unfamiliar administrator accounts that may have been created during the compromise.

Review the WordPress security keys and salts in wp-config.php. Generating new salts (using the WordPress.org salt generator at api.wordpress.org/secret-key) invalidates all existing login sessions, forcing any attacker who obtained session cookies to re-authenticate with credentials they no longer have.
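To show why new salts log everyone out, here is an added Python model (not WordPress's actual cookie code) of a login cookie whose integrity tag is an HMAC keyed with the salt: a cookie issued under the old salt fails validation under the new one, as does any cookie whose user or expiry has been tampered with. The salt values and cookie layout are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for an AUTH_KEY/AUTH_SALT value from wp-config.php.
def new_salt() -> str:
    return secrets.token_hex(32)


def issue_cookie(username: str, salt: str, ttl: int = 3600, now=None) -> str:
    """Cookie = user|expiry|HMAC-SHA256(salt, user|expiry)."""
    expiry = int(now if now is not None else time.time()) + ttl
    msg = f"{username}|{expiry}"
    mac = hmac.new(salt.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{mac}"


def validate_cookie(cookie: str, salt: str, now=None) -> bool:
    """True only if the tag was produced with this salt and it is unexpired."""
    try:
        username, expiry_str, mac = cookie.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return False
    if expiry < int(now if now is not None else time.time()):
        return False
    expected = hmac.new(salt.encode(), f"{username}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```

Rotating the salt is therefore a server-side action that needs no list of live sessions: every outstanding cookie simply stops validating.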

Enable two-factor authentication on all accounts during this rotation if it was not already active. A breach that occurred because of a compromised password would have been prevented by 2FA, and implementing it during incident response prevents the same attack vector from succeeding again.


This content is for informational purposes only and reflects independently researched guidance. Platform features and pricing change frequently — verify current details with providers.