Strong Passwords for WordPress Admins

At WP Engine we want to do everything we can to help give you the most secure hosting experience for WordPress. Requiring the use of a strong, unique password is one of the most impactful security steps any website manager can make. Learn about choosing a strong password and why we require one.


About Strong Passwords

One of the most common areas for security failure is unfortunately the human one. We’ve made the decision to require strong passwords for your wp-admin login to help your account and website stay secure.

Strong passwords are only required for Administrator, Editor, and Author roles. It is not required for “weaker” roles, or roles without wp-admin access, like Subscriber and Contributor.


Choose A Strong Password

WP Engine “strong password” criteria favors chains of words, making passwords easy to remember and harder to crack. To create a password that meets our strength requirements, it’s recommended to use a mix of at least four random words along with the following requirements:
EX: starbucksportalmonitorstormtrooper or correcthorsebatterystaple.

This password style might not be very common, but it will be much more difficult for computers to crack. It also allows for your passwords to be memorized easily.
If your password still falls below the required Strong password strength level, you may need to add some special characters or numbers to strengthen it further.

The password strengths meter may seem random, but the “zxcvbn” library is actually recognizing and rejecting common patterns. These patterns include dates, phrases, names, keyboard patterns (EX: 123456789), and even pop culture references, which can weaken passwords.


Added Convenience

Another way to ease password worries is to keep your strong passwords in a password vault. This helps you by auto-filling strong passwords for you, so you don’t have the burden of remembering them.

Software like LastPass and 1Password are written with security in mind. They make saving and recalling unique passwords simple.
To lessen the friction of using a password vault, both pieces of software have browser extensions that auto-fill login forms. These tools make setting a complex password for every site super easy — even ones not hosted with WP Engine.


Disable Strong Passwords

Setting a strong password is a security measure that exists to protect the administrative portion of your site and therefore we will not remove the password requirements.

However, only Administrator, Editor, and Author level users have this requirement. Therefore you can lower a user’s WordPress role to Subscriber or Contributor to remove the restrictions.

If you simply don’t like having to use a strong password or have trouble remembering it, try seamless login! Seamless login securely generates and stores a strong password on your behalf, letting you log in to your wp-admin with just one click from the WP Engine User Portal. Seamless login is totally free to use and can be enabled account-wide for all users on your account in one simple step. Check out seamless login.


NEXT STEP: Learn how to reset your WordPress admin password

Enterprise-grade security and performance for all

Global Edge Security provides a managed web application firewall (WAF), advanced DDOS mitigation, CDN, and automatic SSL installation all powered by Cloudflare.