Five WordPress Security Mistakes Your Nonprofit Is Making

#4 of 5: Using Short and Weak Passwords

Five WordPress Security Mistakes Your Nonprofit Is Making #3: Using Short and Weak Passwords

May 23, 2019

Last week we learned why it’s important to change the default username on your nonprofit’s WordPress website so hackers can’t get in through the login page.

This week, you’ll be learning about a fourth mistake your nonprofit might be making, which is using passwords that are too short and easy to guess.

You’re probably thinking: I can’t remember complicated passwords so I’m going to make something simple.

The problem with going too simple is that hackers use software that can scan your website to find weaknesses that can be exploited, like your username and plugins.

Once they get hold of a weak username, they’ll perform what’s called a “brute force attack” to sniff out your password using a word reference list.

Website security hacking passwords

Examples of weak passwords to avoid using:

  • admin123
  • abc123
  • 123456
  • pass
  • Ilovemydog
  • letmein

Use WordPress to strengthen your passwords

I love my cat too. Luckily in version 4.3, the WordPress team added an easy way to make a strong password or reset an existing user’s password.

WordPress password reset

Here’s how to create a new password:

  • Go to Users > All Users
  • Select a user and click Edit
  • Go the user’s profile and scroll to Account Management
  • Under New Password, Click the Generate Password button

If you try to manually enter something that’s short and generic, WordPress will let you know it’s a problem.

WordPress weak password security

So remember to either manually create a new password that’s strong or use the built-in generator.

WordPress strong password security

Ack! I can’t remember that complicated password.

Most people can’t remember WordPress’ automatically generated passwords.

The good news is that Arnold Reinhold created an open source password generator called Diceware.

He believes in a new technique where you create a chain of six or more words is a stronger solution to password management:

“It is based on the principle that truly random selection of words from a wordlist, can result in easily memorable passwords that are also extremely resistant to attack.”

Examples of longer, chain passwords:

  • facing-backward-riding-beaches-dance-moves
  • charity-happier-smile-faces-forty-three
  • sitting-pretty-swanky-summer-suns
  • brewing-utility-pale-sliver-factor-august

Nonprofit organizations, in particular, are susceptible to password “leakage.” In addition to phishing attacks, nonprofits also often see a lot of turnover. The roles of volunteers within a nonprofit organization may change regularly, making website password security a challenge. Changing your passwords often should be part of your website security strategy."

~ Jim Walker, website hack repair specialist

Why should you create strong passwords on your website?

If a hacker gets inside your site, they can delete your theme and plugins, record everything you type, take your site down permanently, and install malware that collects sensitive user information over time.

It’s an expensive and time-consuming mess that you don’t want in your life. So it’s important to create passwords that are hard for sniffing software to find.


  • Create longer passwords - create passwords that are made up of six or more random words that are divided by hyphens or underscores; include numbers that are spelled out.
  • Delete old user accounts - if you have any old and unused user accounts on your WordPress site, delete them to reduce extra ways for a hacker to sniff around your website.
  • Use a password manager - if you're finding it difficult to remember long passwords, consider a password manager like LastPass or 1Password. They're easy to use and have mobile apps.

By Chuck Spidell, a Nonprofit WordPress Security Expert who helps women-led communications teams free up their time and lock down WordPress from getting hacked.