11 comments

[ 2.9 ms ] story [ 38.8 ms ] thread
Weak passwords still remain WordPress's Achilles’s heel, as admin:admin remains common administration login and password combo
Perhaps one mitigating fix may be to add some code that checks password complexity and if the check fails the admin must either remediate the bad password, or be forced to add a configuration directive that says "I_KNOW_I_AM_DOING_SOMETHING_SILLY_AND_RECKLESS=true".

Is something like this possible in PHP?

WordPress has a built-in password strength meter which helps users choose strong passwords.
They tried something else before but the "password strength meter" said it is too short so they were left with "admin".
Why haven't the WordPress developers just hardcoded something like "until you change the password to something other than admin, your site is only accessible from localhost"?
(comment deleted)
They need to sell their product.
One of the best security Auth configurations for WordPress is:

+ Change login URL from /wp-admin/ to something unique such as /custom-login. This stops the majority of bots as they usually only target /wp-admin

+ disable “admin” username

+ automatically block the IP address of any attempt to log in using “admin” username.

+ block IP address of x failed login attempts for y minutes.

This can be achieved by many free and commercial WordPress security plugins.

Or don’t do any of those things and use an adequate password instead.
They deserve it.