Effectively managing your own passwords under any circumstances is hard work, but managing your users’ passwords on a WordPress installation can become the job from hell. Say you’re the admin of a WordPress site and you have a variety of users with accounts on your system. You immediately have a problem because WordPress is insanely popular (it’s used on almost one quarter of all Web sites) and has roughly three times as many reported bugs as the next largest content management system. Not surprisingly, WordPress is the most attacked CMS. So, unless you like having your WordPress installation hacked, you’d better get serious about security.

While you can enforce user compliance with password standards through plugins such as No Weak Passwords or Force Strong Passwords, users can still choose passwords that are weaker than you’d like. So, how do you check whether their passwords are “good”? You use the Wordfence plugin published by Feedjit Inc.

Wordfence not only provides malware scanning and firewall facilities for WordPress installations, it also has a password auditing subsystem. Before I explain how Wordfence works, let me explain how hackers get hold of passwords.

Everybody knows the concept of trying different passwords to break into systems, but the reality of any credential-checking interface is that it’s implicitly or explicitly rate limited. Implicit rate limiting comes from the target site’s bandwidth and computing power: every login attempt costs a network round trip and a hash computation on the server. Explicit rate limiting is a policy such as a maximum number of attempts against a known account name in a given period, or account lockout after so many failures.

Hardcore account cracking begins when a hacker gets hold of a server’s password file (for WordPress, the user_pass column of the wp_users table) that contains user login names and hashed passwords. Hashing is a one-way function, not encryption: it turns an input string of any length into a fixed-length hash value, the same input always produces the same output, and different inputs produce, in practice, different hash values. 
The “one-way” part means that given the hash value, it’s not possible to work back to the original input string; there is no key that would “decrypt” it. So when a user tries to log in, the server takes the user name and computes the hash value from the entered password. The server then looks up the user name in the password file and finds the stored hash value. If the calculated hash value matches the stored hash value, the user is authenticated. The plaintext password itself is never stored.

Now if a hacker gets the password file and knows the hashing function (that’s the algorithm used to calculate the hash value; there are only a few in common use, and the format of the stored hash usually gives it away, e.g. WordPress’s hashes begin with $P$B), then they can test millions or billions of candidate passwords to see whether any of them produces the hash value associated with a user name in the password file. Because they don’t have to use the server to do this testing there isn’t any kind of rate limiting, and they can apply as much computing power to the task as they can muster.

But that’s just the beginning of the methods used to crack passwords, because out there on the ’Net there are lists of tens of millions of passwords harvested from earlier breaches, along with their hash values under the common unsalted algorithms. 
Obviously, looking for a hash value that already appears in such a list is a smart place for a hacker to start, but almost as useful is taking the commonly used passwords and hashing them yourself to see if you get a match. Salting (described next) defeats the first trick but not the second.

Servers can use a number of techniques to make this kind of attack much harder: a random per-user salt mixed into the hash, so that two users with the same password get different hash values and precomputed lists are useless, and a deliberately slow hash function (iterated MD5 in WordPress’s phpass hashes, or better, bcrypt, scrypt or Argon2) that raises the cost of every single guess. But, as always, attackers answer with more hardware, so these techniques buy time rather than perfect security, and a password that appears in a breach list falls in the first few seconds regardless.

In short, once a hacker gets access to a server’s password file it’s likely that some user accounts will be compromised, and the way hackers get that access, if it’s not through a software vulnerability, is usually through a single compromised account.

Wordfence audits your WordPress passwords by accessing your WordPress password file (the stored hashes), encrypting it with some serious, heavyweight encryption methods, and sending it to Feedjit’s data center, where it remains encrypted until testing begins. Note that this means your hashes leave your server; decide whether that is acceptable for your site before you schedule an audit. The testing process starts with decrypting the password file and then applying the same techniques the bad guys use … except the Wordfence system uses a 40+ teraflop cluster of industrial-strength GPUs to simulate a cracking attack on site passwords, using both a list of 310 million passwords from public disclosures of hacked accounts and brute-force guessing.

When a new password is created or a site administrator schedules an audit, Wordfence runs the tests, notifies the admin of weak passwords and, optionally, emails the user, asking them to set a new (and better) password.

The free version of Wordfence is amazing! 
It provides scanning of the WordPress core, theme and plugin files for signs of attack, repairs compromised files, scans content for bad URLs, provides a real-time traffic view of hackers and crawlers, scans for known malware and backdoors, provides firewalling, rate limits rogue crawlers, intelligently blocks IP addresses and IP blocks, blocks fake Googlebots and brute-force attacks, monitors content leeches, monitors disk space, enforces strong passwords, audits existing passwords, scans for DNS changes, and traces IP addresses to their source and acquires detailed IP information. Oh, and Wordfence includes a WordPress caching engine that, it is claimed, can increase site performance by up to 50 times!

The premium service, which starts at $39 per year for a single site and drops to as little as $3 per year for multiple sites, adds two-factor authentication (cellphone sign-in), an advanced comment spam filter, checks on whether the site is being spamvertized or the site’s IP address is generating spam, remote scans, country blocking, frequent scans, scheduled scans, and premium support.

The password auditing combined with all of Wordfence’s other security features is a really powerful combination and, as a consequence, the plugin has been downloaded over 5,500,000 times and currently has over 700,000 active installs. Wordfence is currently rated 4.9 out of 5 stars on the WordPress site.

On the Wordfence site there’s a world map showing events occurring on sites using the Wordfence plugin and, as of writing, it shows 39,590 attacks per minute.

I’m just about to start using Wordfence "in anger" on one of my WordPress sites; drop a line to firstname.lastname@example.org if you’d like to know what I find or, if you’ve tried the plugin or have another you’d recommend, please comment below.
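To make the hashing, login check and offline audit described above concrete, here is an added example of my own; it is not code from this page, from Wordfence or from WordPress. It reimplements the phpass “portable” hash format that WordPress uses for wp_users.user_pass (hashes beginning with $P$, salted and iterated MD5), the server-side check a login performs, and a dictionary audit that runs entirely offline, so no rate limit applies. The user names, passwords and wordlist are constructed for the demonstration, and the demo uses a reduced iteration count (2^7 rounds instead of WordPress’s 2^13) purely to keep it fast.

```python
"""Added example (not Wordfence's or WordPress's code): phpass-style $P$
hashes as stored by WordPress, the login check, and an offline dictionary
audit. All users, passwords and the wordlist below are constructed."""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own base-64 alphabet/packing (not RFC 4648): 3 bytes -> 4 chars."""
    out = []
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute the $P$ hash of `password` under the cost and 8-char salt
    embedded in `setting` (the first 12 characters of a stored hash)."""
    if setting[:3] != "$P$":
        return "*0"                      # phpass's failure marker
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return "*0"
    salt = setting[4:12]
    if len(salt) != 8:
        return "*0"
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):     # 'B' => 2**13 = 8192 rounds in WordPress
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)   # 12 + 22 = 34 chars


def hash_password(password: str, cost_log2: int = 13) -> str:
    """Fresh hash with a random 6-byte salt; cost 13 ('$P$B') is WordPress's default."""
    setting = "$P$" + ITOA64[cost_log2] + _encode64(os.urandom(6), 6)
    return phpass_crypt(password, setting)


def check_password(password: str, stored: str) -> bool:
    """What the server does at login: re-hash the attempt, compare to stored."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def audit(users: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Offline dictionary attack over a leaked hash file: every guess is a
    local hash computation, so nothing limits the rate except CPU/GPU.
    Returns {username: recovered_password} for each account that fell."""
    cracked = {}
    for name, stored in users.items():
        for candidate in wordlist:
            if check_password(candidate, stored):
                cracked[name] = candidate
                break
    return cracked


# Constructed "password file" (cost 2**7 to keep the demo quick; not real users).
SAMPLE_PASSWORDS = {
    "alice": "Tr0ub4dor&3-kx9!",   # not in the wordlist: survives
    "bob": "password1",
    "carol": "letmein",
    "dave": "letmein",             # same password as carol, different salt -> different hash
}
SAMPLE_USERS = {n: hash_password(p, cost_log2=7) for n, p in SAMPLE_PASSWORDS.items()}
# Constructed stand-in for a breach-derived wordlist.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "welcome"]


def demo() -> dict[str, str]:
    return audit(SAMPLE_USERS, WORDLIST)


if __name__ == "__main__":
    for name, stored in SAMPLE_USERS.items():
        print(f"{name:6} {stored}")
    print("weak accounts:", demo())
```

Two things worth noticing when you run it: carol and dave chose the same password but their stored hashes differ (the salt), so a precomputed hash list would not match either of them, yet both still fall to the plain dictionary pass because the per-guess cost of iterated MD5 is small; and alice survives only because her password is not on the list, not because the hash protects it.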