Top Bad WordPress Passwords Never Change – Updated for 2019

By gordan on April 25, 2018; modified on March 26, 2019. Filed under: .

Why do I need another account? Another password? I’ll just use 123456 as usual. This account is not important.

As ridiculous as that seems it’s the way a lot of people think and the #1 reason they get hacked. We all hate passwords. They are not convenient. We have far too many and need to remember them all. However, things are getting out of control. Leaked passwords lists show that the situation is getting worse year by year. People are truly using 12345 more and more.

How can I check my WordPress passwords? Install Security Ninja, click “Scan Site,” and within a minute 50 security tests will be done, including password quality tests for all users on the site. It’s the easiest way to check your account and all others.

Things are getting worse

No amount of security experts, great software or any other protections will save you if you use one of the passwords listed below. In that case “hackers” will not hack into your account. They will simply log in after a few attempts.

Our internal data collected from hacked sites that Security Ninja helped clean and data from other security resources show that bad passwords don’t change nor does their usage go down. The table below paints a bleak picture. Seven years of data shows that people are stuck on 123456 and don’t intend to stop using it. More and more applications are forcing people to use better passwords and don’t let them create an account until they enter a good password, but then people complain. Conversion rates go down, revenues follow, and the rules get removed. We don’t have a global solution to this problem, but we do have a solution for you. Stay away from any password that’s remotely similar to any one of the ones listed below!

Top 20 most frequently used bad passwords – updated for 2019


Please STOP using terrible passwords!

We know you won’t use a 20 characters long password with lowercase letters, uppercase letters, numbers and special characters (although you should). However, there’s a huge difference between that “overkill” and using 123456. Please, come up with something that’s at least eight characters long, is specific to you, but isn’t your name. Add a few numbers and at least one special character in the middle. That’s already miles better than 95% of people use. If you continue to use, princess don’t complain that people are hacking into your site because they’re not. They’re simply logging in.

Install Security Ninja to check all account passwords on your site in less than a minute. Security Ninja will perform 50 security tests including password quality tests for all users.

Gordan runs Web Factory Ltd and has over 10 years of WordPress development experience. When not writing code, Gordan loves writing about WordPress and he's always thinking about the next WP project to get involved with.