WordPress Password Scanner

WordPress Password Scanner Screenshot

The WordPress Password Scanner is a WordPress Plugin available at Envato’s CodeCanyon. It enables you to scan your users for the use of weak passwords to keep your WordPress site secure! On this page you will find information like the following:

  • Installing and/or upgrading the plugin
  • General information like dependencies for this plugin
  • A Frequently Asked Questions section
  • The changelog for this plugin

Installing

There are two ways of installing this plugin:

Upload via WordPress backend (fastest)

Simply upload the “wordpress-password-scanner.zip” file through the WordPress backend under Plugins > Add new > Upload. Then click the “activate” link. That’s it!

Upload via FTP

If you prefer uploading through FTP, you can unzip “wordpress-password-scanner.zip” and copy the unpacked “wordpress-password-scanner” plugin folder to /wp-content/plugins on your WordPress instance. Then navigate to your WordPress backend and click “Plugins”. Now click the “activate” link under “WordPress Password Scanner”.

Check installation success

In both of the above cases: after activating the plugin, you should see a “Pass Scanner” item in your menubar:

Pass Scanner in the menubar

Updating

Just as when installing, updating this plugin can be done via two ways:

Note: when a new update comes out, make sure you read the update description log at the bottom of the plugin’s page at CodeCanyon. After reading, you can decide if you need the update or not.

Update via FTP (easiest)

Unzip “wordpress-password-scanner.zip” and copy the unpacked “wordpress-password-scanner” plugin folder to /wp-content/plugins on your WordPress instance. Replace files that already exist.

Update via WordPress backend

Deactivate and delete the plugin on the Plugin’s administration page of WordPress and upload and active the updated files. This does not affect the entries you have already made.

Check update success

In both of the above cases: after updating the plugin, navigate to the plugin and perform a scan to check if everything still works as intended. Note: try to run scans on moments where the visitor numbers on the WordPress site are low.

Dependencies

This plugin requires at least WordPress v3.5 and has been tested until WordPress v4.4.2.

Other:

  • AJAX needs to be enabled on your WordPress instance
  • You need to be at least an administrator (user role within WordPress) or have the permission “manage_options” to use this plugin

Frequently Asked Questions

Why do I see “unknown” under “Last Login” in the results table?

After the installation of this plugin, user login timestamps will be logged. But if an user hasn’t logged in yet since the installation of this plugin, the plugin has no way of knowing when the last login of this user happened. That’s when it displays “unknown”.

How does this plugin work?

WordPress passwords are stored in a irreversible way, so it’s not possible to obtain the original / plain-text password for anyone (that’s a good thing). The only way to validate an users password, is to compare a password to theirs and let WordPress determine if they are the same. So the only way to determine if a password is weak or not, is to compare it to a (very long) list of most used passwords and/or weak passwords. That is exactly what this plugin does. Note that at the time of writing this is the only plugin of it’s kind available on the market.

Is it possible to add custom passwords to the “weak passwords list”

Yes, this is definitely possible. Just navigate to the backend of your WordPress instance and open “Plugins > Editor”. Now click the “Select plugin to edit:” dropdown and select “WordPress Password Scanner”. Look for the file “weak_passwords.txt” in the right bar. Add your passwords at the bottom of the file (separated by new lines / ENTER) and click “Update File”.

Important: this file will be overwritten in an update of the plugin. Please send us an email containing the password of list of passwords you added. This so we can add this to the original list and your custom list will not be overwritten on update, but also so we can keep extending the list of weak passwords and thus improve security of all our customers.

How to change the “admin” username

The “admin” user is the default WordPress user and thus exists on every WordPress instance by default. This is a security vulnerability (hackers need to know two things to get in: an username and a password. Now they already know one of the two). Also the majority of attacks will target your wp-admin / wp-login pages, trying to log in with an username (very likely “admin”) and a password. It’s very easy to change this username to something more original and thus less likely to be guessed by hackers:

  • Create a new user in your WordPress backend by navigating to “Users > New User”
  • Give this user administrator rights:

New Admin User

  • Log out of the WordPress backend and log in with your newly created administrator account
  • Remove the old “admin” user:

Remove admin user

  • Important: to not loose any content of the previous “admin” user, assign this to the newly created one:

Assign admin content

Suggestions / Ideas

Do you have any suggestions for future releases of this plugin? Don’t hesitate and send us an email!

Changelog

1.0.0 Initial Release