PassLab

Password for WordPress.com

WordPress.com requires a minimum of 6 characters and accepts uppercase, lowercase, numbers and symbols, but that minimum is far too weak for an account that can host and fully control live websites, their content and any connected commerce. A six-character password falls almost instantly from a leaked hash, letting an attacker deface or seize your sites. The practical recommendation in 2026 is a 14-character random string mixing all four character types, which delivers roughly 92 bits of entropy — enough to require centuries of GPU effort and remain computationally infeasible to crack offline. Generate one below — it is created inside your browser using the Web Crypto API and never sent to a server. Once set, enable two-factor authentication so a stolen password alone cannot grant access to your sites.

Generator
Time-to-crack estimates assume 10 billion guesses / second.
Generated with crypto.getRandomValues() — never leaves your tab.

WordPress.com password rules

Min length: 6 chars
Security note

A strong, unique password combined with two-factor authentication is your best protection against account takeovers.

The maths, specific to WordPress.com

A 6-character password over a 94-character alphabet holds only about 39 bits of entropy, which a modern GPU rig clears from a leaked hash in under a second, and credential-reuse wordlists weaken it further. A 14-character random string lifts that to roughly 92 bits. NIST SP 800-63B measures memorised-secret strength through length and randomness rather than forced symbol rules, and its commonly cited 80-bit guideline for surviving offline attack is a bar that 39 bits sits far below while 92 bits clears with margin — moving a WordPress.com password from trivially recoverable to effectively uncrackable.
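The generation step and the entropy figures above, as an added JavaScript example (not PassLab's own generator code): each character is drawn with crypto.getRandomValues() using rejection sampling to avoid modulo bias, and bits are computed as length × log2(94). The character sets, the function names and the redraw-until-all-four-types rule are assumptions.

```javascript
// Added example; SETS, randomIndex, generatePassword and entropyBits are illustrative names.
const wc = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const SETS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digit: '0123456789',
  // Assumed symbol set: the 32 printable ASCII symbols, for 94 characters in total.
  symbol: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};
const ALPHABET = Object.values(SETS).join('');

// Uniform integer in [0, n) for n <= 256. A plain `byte % n` favours low
// indexes whenever 256 is not a multiple of n, so out-of-range bytes are redrawn.
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    wc.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Draw whole candidates until every character type is present. Rejecting
// whole strings keeps the result uniform over the accepted set; patching
// characters into fixed positions would not.
function generatePassword(length = 14) {
  if (length < 4) throw new RangeError('need at least 4 characters for 4 types');
  for (;;) {
    let pw = '';
    for (let i = 0; i < length; i++) pw += ALPHABET[randomIndex(ALPHABET.length)];
    const hasAll = Object.values(SETS).every(set => [...pw].some(c => set.includes(c)));
    if (hasAll) return pw;
  }
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize = ALPHABET.length) {
  return length * Math.log2(alphabetSize);
}

console.log(generatePassword(), entropyBits(14).toFixed(1));
console.log(entropyBits(6).toFixed(1));
```

Requiring all four types discards some candidates, so the 14-character result carries slightly less than the figure computed for an unconstrained string.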

Why WordPress.com accounts are targeted

WordPress.com hosts live websites, so a compromised account hands an attacker control of your published content, visitor traffic and any store or membership features attached to it — valuable for injecting spam, malware or scam pages on a site readers already trust. The usual mechanism is credential stuffing: attackers replay email-and-password pairs leaked from unrelated breaches against the WordPress.com login, exploiting password reuse. A taken-over account can be used to deface sites, redirect visitors, harvest subscriber data or lock the real owner out entirely. Because a site is a public-facing asset with built-in reach, the incentive to seize it is high. A long, unique, randomly generated password never appears in leaked lists and stops the attack cold.

Source for WordPress.com's password rules: WordPress.com's official help page.

Common questions about WordPress.com passwords

Reviewed by Marcin Lewandowski — product designer, 20+ years building digital products and privacy-respecting tools.

Last reviewed: . Reviewed quarterly; primary sources re-checked each review.