• Resolved AlexPetrie

    (@alexpetrie)


    A client of mine is using your free version, and they have a number of warnings, all relating to:

    User xxxx with ‘subscriber’ access has a very easy password.

    As they are subscribers, why do we need to care if their accounts might get hacked?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @alexpetrie, thanks for getting in touch.

    It might be worth seeing if “Enforce strong passwords” in Wordfence > All Options > Brute Force Protection > Additional Options will allow this message to be suppressed. The recommended setting is “Force admins and publishers to use strong passwords”.

    Having said this, Wordfence does also check if users are using very common passwords during a scan. We perform an extended check on administrator accounts and just a cursory check on lower-level accounts. This can be disabled entirely by un-checking “Check the strength of passwords” in Wordfence > All Options > Scan Options > General Options. I would only recommend disabling this on smaller sites where the higher level users are limited and known to the main administrator and they don’t wish to be concerned with the subscriber account warnings.

    Thanks,

    Peter.

    Thread Starter AlexPetrie

    (@alexpetrie)

    Hi Peter,

    Thanks for coming back to me.

    So what risks does a hacked subscriber account open up?

    I guess I’m just trying to work out if I should care. I feel like we don’t need to, but would welcome your opinion.

    Cheers,
    Alex

    Plugin Support wfpeter

    (@wfpeter)

    Hi @alexpetrie,

    It’s quite a difficult one to answer for me as I would naturally recommend that no accounts on your site are compromised, but also appreciate a subscriber account has extremely low risk due to their limited permission level in WordPress.

    So long as your hosting/FTP/database passwords are different/complex and your administrator accounts have similarly complex passwords with 2FA/reCAPTCHA used if possible, there should be no significant risk to your site if subscribers don’t exercise the same caution with their passwords.

    Thanks again,

    Peter.

  • The topic ‘Subscriber Account Security’ is closed to new replies.