• Can the WordPress developers do something about password security in the core WordPress script? I’m not talking about a plugin or something that end users would have to activate or install. I’m talking about the core WordPress: install WordPress and it’s there.

    As a web hosting company, it is mind-blowing to see some of the stupid passwords end users are using for their WordPress script. There needs to be something that forces the user to use a strong and secure password. I see admin passwords of “pass” or “password” or “1234” all the time.

    You want to know why WordPress is being targeted for so many attacks? It’s because too many people use stupid and easy-to-guess passwords.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator James Huff

    (@macmanx)

    We’ve been down that road before, and the developers don’t feel it’s their place to force users to have strong passwords on their own sites. They have done everything just short of that, including a new password generator which defaults to a strong password and plenty of words around it about why you need a strong password.

    As a hosting provider, if you have a one-click WordPress installer, you could configure it to auto-install and auto-activate a plugin like https://ww.wp.xz.cn/plugins/force-strong-passwords/

    Many hosts have done something similar with both that plugin and https://ww.wp.xz.cn/plugins/limit-login-attempts/
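    Here is one way a host could enforce a server-side password policy without an activation step, as an added example that is not WordPress core code and not the Force Strong Passwords plugin. It is a must-use plugin (a file dropped into wp-content/mu-plugins/, which WordPress loads automatically), so a one-click installer can ship it with every install. The 12-character minimum and the short denylist of commonly guessed passwords are assumptions chosen for this example; the hook names (user_profile_update_errors, validate_password_reset) and the pass1 form field are the ones WordPress uses on the profile, add-user and password-reset screens.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (example)
 * Description: Rejects weak passwords server-side when a user sets or resets a password.
 *
 * Example code for this thread, not WordPress core and not any published plugin.
 * Place in wp-content/mu-plugins/ so it loads without activation (assumption:
 * the hosting installer is able to drop a file there).
 */

// Constructed denylist: the passwords mentioned in the thread plus a few common ones.
const MPP_DENYLIST   = array( 'pass', 'password', '1234', '12345', '123456', 'admin', 'qwerty', 'letmein' );
const MPP_MIN_LENGTH = 12; // Assumption: policy threshold chosen for this example.

/**
 * Return the reasons why $password is unacceptable; an empty array means it passes.
 * $context holds strings the password must not contain (login, email, display name).
 */
function mpp_password_problems( $password, array $context = array() ) {
    $problems = array();
    $lower    = strtolower( $password );

    if ( strlen( $password ) < MPP_MIN_LENGTH ) {
        $problems[] = sprintf( 'Password must be at least %d characters long.', MPP_MIN_LENGTH );
    }
    if ( in_array( $lower, MPP_DENYLIST, true ) ) {
        $problems[] = 'Password is on the list of commonly guessed passwords.';
    }
    foreach ( $context as $value ) {
        $value = strtolower( trim( (string) $value ) );
        // Ignore very short fragments so a login like "ed" does not block every password.
        if ( strlen( $value ) >= 4 && false !== strpos( $lower, $value ) ) {
            $problems[] = 'Password must not contain your username, email, or display name.';
            break;
        }
    }
    // Require at least three of the four character classes.
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        $problems[] = 'Password must mix at least three of: lowercase, uppercase, digits, symbols.';
    }
    return $problems;
}

/**
 * Shared handler for both hooks. Reads the submitted password from the pass1 field
 * WordPress uses and adds one WP_Error entry per policy violation, which makes the
 * save fail and shows the messages on the form.
 */
function mpp_enforce( WP_Error $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change was submitted.
    }
    $password = (string) wp_unslash( $_POST['pass1'] );

    // user_profile_update_errors passes a stdClass built from the form;
    // validate_password_reset passes a WP_User. Both expose these properties.
    $context = array();
    if ( is_object( $user ) && ! is_wp_error( $user ) ) {
        foreach ( array( 'user_login', 'user_email', 'display_name' ) as $prop ) {
            if ( ! empty( $user->$prop ) ) {
                $context[] = $user->$prop;
            }
        }
        if ( ! empty( $user->user_email ) ) {
            $context[] = strstr( $user->user_email, '@', true ); // local part of the address
        }
    }
    // On the "Add New User" screen the login and email only exist in POST.
    foreach ( array( 'user_login', 'email' ) as $field ) {
        if ( ! empty( $_POST[ $field ] ) ) {
            $context[] = wp_unslash( $_POST[ $field ] );
        }
    }

    foreach ( mpp_password_problems( $password, array_filter( $context ) ) as $msg ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $msg ) );
    }
}

// Profile edit and "Add New User" screens in wp-admin.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    mpp_enforce( $errors, $user );
}, 10, 3 );

// Password reset form reached from "Lost your password?".
add_action( 'validate_password_reset', 'mpp_enforce', 10, 2 );
```

    The check is deliberately server-side: the strength meter WordPress shows on these screens is JavaScript and can be bypassed by anyone posting the form directly, whereas an error added here blocks the save regardless of the client. With the constructed policy above, “pass” fails on length, the denylist and character classes; a 12-character mixed password that does not contain the user’s login passes.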

    I don’t know about you, but I don’t make stupid passwords, and on the site I’m running now it does not allow me to make the password. You HAVE to use the stupid “Generate Password” option; that’s all you get. I’ve looked high and low for a way around that inside WordPress itself. I don’t want to have to use a plugin to do this, but it looks as though I have to now.

    If people are getting their sites hacked because they’re too lazy and stupid to come up with a good password, that’s on them. That is purely their fault and let them have to suffer for it. If I were the IT Admin on a site where people were complaining about it, I would just tell them learn to make better passwords, stop being lazy.

    Moderator James Huff

    (@macmanx)

    After you generate your new password in WordPress, click on the generated password to reveal an editable text box where you can replace the generated password with your own.

    Thread Starter mscott

    (@mscott)

    @James Huff, thanks. I’ll look into that. But that still doesn’t solve the problem of people who just install WordPress on their own from source.

    And as far as people using stupid passwords, you’re right, that’s on the user. Except, it’s the hosting company that bears the burden on this. I can’t police what stupid passwords people are using. Just today, I had a server that was shut down by the datacenter because it was contributing to a massive WordPress hacking botnet, because one of the WordPress sites on the server had been hacked. Do you want to know what the password to that hacked WordPress site was? “pass” That was the admin password.

    ATTENTION PEOPLE! QUIT USING STUPID PASSWORDS!

    Moderator James Huff

    (@macmanx)

    You might want to look into tightening up mod_security too. People may be able to hack their way in through weak/common passwords, but mod_security can limit what they do.


The topic ‘Password Security’ is closed to new replies.