Password for WordPress.com
WordPress.com requires a minimum of 6 characters and accepts uppercase, lowercase, numbers and symbols, but that minimum is far too weak for an account that can host and fully control live websites, their content and any connected commerce. A six-character password falls almost instantly from a leaked hash, letting an attacker deface or seize your sites. The practical recommendation in 2026 is a 14-character random string mixing all four character types, which delivers roughly 92 bits of entropy — enough to require centuries of GPU effort and remain computationally infeasible to crack offline. Generate one below — it is created inside your browser using the Web Crypto API and never sent to a server. Once set, enable two-factor authentication so a stolen password alone cannot grant access to your sites.
WordPress.com password rules
A strong, unique password combined with two-factor authentication is your best protection against account takeovers.
A 6-character password over a 94-character alphabet holds only about 39 bits of entropy, which a modern GPU rig clears from a leaked hash in under a second, and credential-reuse wordlists weaken it further. A 14-character random string lifts that to roughly 92 bits. NIST SP 800-63B measures memorised-secret strength through length and randomness rather than forced symbol rules, and its commonly cited 80-bit guideline for surviving offline attack is a bar that 39 bits sits far below while 92 bits clears with margin — moving a WordPress.com password from trivially recoverable to effectively uncrackable.
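The in-browser generation and the entropy figures described above, as an added example (not this page's own generator code). It assumes the 94-character alphabet is printable ASCII, and the function names are hypothetical; characters are drawn with `crypto.getRandomValues` and rejection sampling so each one is equally likely.

```javascript
// Web Crypto in browsers and recent Node; fall back to node:crypto on older Node.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

// Assumption: the four accepted character types map to printable ASCII.
const CLASSES = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digit: "0123456789",
  symbol: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", // 32 symbols
};
const ALPHABET = Object.values(CLASSES).join(""); // 26 + 26 + 10 + 32 = 94

// Uniform integer in [0, n) for n <= 256. Bytes at or above the largest
// multiple of n are discarded, which avoids the bias of a plain `byte % n`.
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// True when the password contains at least one character from every class.
function hasAllClasses(pw) {
  return Object.values(CLASSES).every(set => [...pw].some(ch => set.includes(ch)));
}

// Draw whole passwords until one contains all four classes. Re-drawing the
// entire string (instead of patching one position) keeps every accepted
// password equally likely; at 14 characters the filter costs under half a bit.
function generatePassword(length = 14) {
  if (length < 4) throw new RangeError("length must be >= 4 to hold all four classes");
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += ALPHABET[randomIndex(ALPHABET.length)];
    if (hasAllClasses(pw)) return pw;
  }
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize = ALPHABET.length) {
  return length * Math.log2(alphabetSize);
}

console.log(generatePassword(), entropyBits(6).toFixed(1), entropyBits(14).toFixed(1));
```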
Why WordPress.com accounts are targeted
WordPress.com hosts live websites, so a compromised account hands an attacker control of your published content, visitor traffic and any store or membership features attached to it — valuable for injecting spam, malware or scam pages on a site readers already trust. The usual mechanism is credential stuffing: attackers replay email-and-password pairs leaked from unrelated breaches against the WordPress.com login, exploiting password reuse. A taken-over account can be used to deface sites, redirect visitors, harvest subscriber data or lock the real owner out entirely. Because a site is a public-facing asset with built-in reach, the incentive to seize it is high. A long, unique, randomly generated password never appears in leaked lists and stops the attack cold.
Source for WordPress.com's password rules: WordPress.com's official help page.
Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.
Last reviewed: . Reviewed quarterly; primary sources re-checked each review.