Never email a password

Some unsolicited security advice for WordPress (and web security in general), since I was just emailed a login and password 😬

  • Never email/Slack/text a password.
  • Don’t share accounts. Set up each user with their own account.
    • If you do need to share credentials for some reason, use a service like
  • Use strong passwords.
    • Use a plugin to *force* strong passwords. (It’s hard for people to break bad password habits.)
  • Add a plugin to limit login attempts.
  • Don’t use ‘admin’ as username.
  • Don’t have a username that’s the same as the site URL/business name.
  • Keep everything backed up and updated.

There used to be a lot more* that I’d do to harden a WordPress site, but those items will get you a long way.

*Move the WP installation to a sub-directory, neuter the admin account, IP whitelisting, change the login URL, etc. Maybe for a future post…