We’re rolling out a few blog posts on WordPress security. Over the years we’ve seen more than a few compromised websites. It can get ugly. It can get costly. It is almost always stressful.
This post focuses on a few things you can do to increase security around user logins. TL;DR:
- Strong usernames and passwords
- Custom login URL
- Two-factor authentication
- Effective permissions
1. Strong usernames and passwords
In this day and age this should go without saying. Alas, here we are. The two most common passwords in 2018's leaked password lists were 123456 and password. Wow.
First, username policy: never use the default admin account, and if it is still in your user list, delete it. As the name suggests, it is an administrative account with a default, guessable name, which makes it the first username every brute-force bot tries. Create a new administrator with a non-obvious username, log in as that user, then delete admin and reassign its posts to the new account. Bear in mind that WordPress can still reveal usernames through author archive URLs and the REST API's users endpoint, so a non-default username raises the bar but does not hide the account; the password and two-factor authentication do the real work.
Heads-up: Boom12 hosting requires a strong password for all users. If you need to come up with a password and can't get "123456" out of your head, check out the Secure Password Generator, or better still, let a password manager generate and remember one for you.
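Both of these policies can be enforced in code so they don't depend on everyone remembering them. The must-use plugin below is an added example written for this post; it is not code from Boom12, WordPress or any plugin. The `b12_` names, the 14-character minimum and the short denylist are assumptions made for the example. It relies on two hooks that exist in WordPress core: the `illegal_user_logins` filter (WordPress 4.4 and later), which makes WordPress refuse to create the listed usernames anywhere a user is inserted, and the `user_profile_update_errors` action, which fires when a user is created or edited through the wp-admin forms.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not part of the original post)
 * Drop this file into wp-content/mu-plugins/ so it is always active.
 */

// Usernames attackers try first. Anything returned from this filter is refused
// by wp_insert_user(), so neither the admin screens nor WP-CLI can create them.
add_filter('illegal_user_logins', function (array $logins): array {
    return array_merge($logins, ['admin', 'administrator', 'root', 'test', 'user']);
});

// Illustrative denylist (assumption for the example). A real deployment would use a
// much larger breach-derived list rather than these few entries.
const B12_PASSWORD_DENYLIST = ['123456', 'password', '123456789', 'qwerty', '12345678', 'admin'];

/**
 * Return the problems with a candidate password; an empty array means it is acceptable.
 * Checks: minimum length, not on the denylist, and not containing the username.
 */
function b12_password_problems(string $password, string $username = ''): array
{
    $problems = [];
    if (strlen($password) < 14) {
        $problems[] = 'Passwords must be at least 14 characters long.';
    }
    if (in_array(strtolower($password), B12_PASSWORD_DENYLIST, true)) {
        $problems[] = 'That password is on the list of most-used passwords.';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $problems[] = 'The password must not contain the username.';
    }
    return $problems;
}

// Enforce the policy on the "Add New User" and "Edit User"/"Profile" screens.
// edit_user() copies the submitted password into $user->user_pass before this
// action fires; when the profile is saved without a password change it is unset.
add_action('user_profile_update_errors', function (WP_Error $errors, $update, $user): void {
    if (!isset($user->user_pass) || $user->user_pass === '') {
        return; // no password change in this save
    }
    // user_login is only submitted when creating a user; it is read-only on edits.
    $login = (string) ($user->user_login ?? '');
    foreach (b12_password_problems($user->user_pass, $login) as $message) {
        $errors->add('b12_weak_password', '<strong>Error:</strong> ' . esc_html($message));
    }
}, 10, 3);
```

The plugin stops new weak passwords and new default-style usernames; removing an existing admin account is a one-off job you do by hand: create the replacement administrator, log in as it, then delete admin from the Users screen (choosing to attribute its content to the new user) or with `wp user delete admin --reassign=<new-user-id>`.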
2. Custom login URL
One thing that makes life easy for attackers is that almost every WordPress site exposes the same dashboard login URL, /wp-login.php (which is where /wp-admin sends you), so bots can hammer it without even looking at your site first. If, like many, you log in that way, you can cut most of that automated noise by setting a custom login URL with the WPS Hide Login plugin. Be clear about what this buys you: it hides the form, it does not strengthen the login, so treat it as a supplement to strong passwords and two-factor authentication rather than a replacement for them. Note too that XML-RPC (xmlrpc.php) accepts username-and-password logins of its own, independent of the login page; if you do not use it, disable it.
3. Two-factor authentication
If you haven't heard of two-factor authentication yet, you will. It's gaining prominence and many online services have already adopted voluntary two-factor authentication options. Some are planning to make it mandatory. Here's your chance to be ahead of the curve. The idea is simple: logging in takes something you know (your password) and something you have (your phone), so a password that leaks in a breach or gets guessed is no longer enough on its own.
Google Authenticator is a reliable two-factor authentication tool you can set up for free with the help of the Google Authenticator plugin. When you enrol, the site and the app share a secret (that is what the QR code you scan contains); from then on the app shows a six-digit code that changes every 30 seconds, and WordPress asks for the current code after your password. Before you switch it on, make sure you have a recovery path (backup codes if the plugin offers them, or a second administrator account) so that a lost or wiped phone does not lock you out of your own site.
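To show what that second factor actually is, here is a minimal implementation of TOTP (RFC 6238), the algorithm Google Authenticator runs, as an added example; it is not code from the original post or from the plugin. It checks itself against the RFC's published test secret and check values, so it runs on its own with `php totp.php`. The `b12_` function names, the 30-second step and the six-digit length (Google Authenticator's defaults) are choices made for the example.

```php
<?php
// Added example: TOTP as used by Google Authenticator. Not code from the original post.
// Assumes 64-bit PHP 7+ (intdiv, hash_equals).

/** Decode the base32 secret shown beside the QR code when you enrol a device. */
function b12_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(str_replace([' ', '='], '', $b32));
    $buffer = 0;
    $bits = 0;
    $out = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $value = strpos($alphabet, $b32[$i]);
        if ($value === false) {
            throw new InvalidArgumentException("Invalid base32 character: {$b32[$i]}");
        }
        $buffer = ($buffer << 5) | $value;
        $bits += 5;
        if ($bits >= 8) {
            $bits -= 8;
            $out .= chr(($buffer >> $bits) & 0xff);
            $buffer &= (1 << $bits) - 1; // keep only the bits not yet emitted
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 64-bit big-endian counter, dynamically truncated. */
function b12_hotp(string $secret, int $counter, int $digits = 6): string
{
    $message = pack('N2', ($counter >> 32) & 0xffffffff, $counter & 0xffffffff);
    $hmac = hash_hmac('sha1', $message, $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP with counter = floor(unix time / step). */
function b12_totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    return b12_hotp($secret, intdiv($unixTime, $step), $digits);
}

/**
 * Server-side check. Accepts the current 30-second step and one step either side to
 * absorb clock drift. hash_equals() keeps each comparison constant-time, and every
 * slot is tested even after a match so timing does not reveal which slot matched.
 * A production implementation must also record the last accepted counter per user
 * and refuse it again (a one-time code is one-time), and must rate-limit attempts.
 */
function b12_totp_verify(string $secret, string $submitted, int $unixTime, int $window = 1): bool
{
    $ok = false;
    $counter = intdiv($unixTime, 30);
    for ($delta = -$window; $delta <= $window; $delta++) {
        $matched = hash_equals(b12_hotp($secret, $counter + $delta), $submitted);
        $ok = $ok || $matched;
    }
    return $ok;
}

// Self-test against RFC 6238 Appendix B (secret "12345678901234567890", SHA-1).
// The RFC lists 8-digit values 94287082, 14050471 and 89005924; six digits keeps the last six.
$rfcSecret = '12345678901234567890';
foreach ([59 => '287082', 1111111111 => '050471', 1234567890 => '005924'] as $t => $expected) {
    if (b12_totp($rfcSecret, $t) !== $expected) {
        fwrite(STDERR, "TOTP self-test failed at t=$t\n");
        exit(1);
    }
}
// The same secret as an authenticator app would display it (base32) decodes to the raw bytes.
if (b12_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ') !== $rfcSecret) {
    fwrite(STDERR, "base32 self-test failed\n");
    exit(1);
}

echo 'Code for the RFC test secret right now: ', b12_totp($rfcSecret, time()), PHP_EOL;
// The t=59 code is still accepted 30 s later (inside the drift window) ...
var_dump(b12_totp_verify($rfcSecret, '287082', 59 + 30));
// ... but not a minute later, which is why a captured code is worthless almost immediately.
var_dump(b12_totp_verify($rfcSecret, '287082', 59 + 60));
```

The point for a site owner: the server and the phone hold the same secret, and the code is just an HMAC of the current time slice, so an attacker who knows the password but not the secret on your phone cannot produce a valid code; note that the secret in this example is the RFC's public test value and must never be used for a real account.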
4. Effective user permissions
Another simple way to avoid a compromised site is to ensure that each user can do what they need to and nothing more (least privilege). Too often I see sites handing administrator privileges to users who post news and events and nothing more. Administrator gets granted because it's the easiest way to set things up: it guarantees the user can do their job, but it does so by letting them do anything, including installing plugins, editing theme code and creating other administrators. That means one phished content editor's password is enough to take over the whole site.
Most users do not need administrator. WordPress ships with Subscriber, Contributor, Author, Editor and Administrator roles, and Author or Editor covers almost everyone who writes content; neither of those can install plugins or change site settings. If you've tried the built-in roles and there seems to be no way to cover a user's tasks without administrator, fear not, there are options: you can set up custom user roles. Install the User Role Editor plugin and create a role with exactly the capabilities the job needs and no more. It can get a little complicated in there, so please reach out if you need a hand.
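What User Role Editor does through its screens can also be done in a few lines of code, which is handy when you want the role versioned alongside the site rather than clicked together. The must-use plugin below is an added example, not code from the plugin, from WordPress or from the original post. The role name news_editor, its label and the capability list are choices made for the example, aimed at someone whose whole job is publishing news and events; every capability named is a core WordPress capability.

```php
<?php
/**
 * Plugin Name: News editor role (added example, not part of the original post)
 * Creates a least-privilege role for people who only publish news and events.
 * Drop into wp-content/mu-plugins/.
 */

// Hypothetical role slug chosen for this example.
const B12_NEWS_ROLE = 'news_editor';

/**
 * Capabilities the role gets. Nothing here touches plugins, themes, users or settings.
 */
function b12_news_editor_caps(): array
{
    return [
        'read'                   => true,
        'edit_posts'             => true,
        'edit_others_posts'      => true,  // fix a colleague's typo
        'edit_published_posts'   => true,
        'publish_posts'          => true,
        'delete_posts'           => true,
        'delete_published_posts' => true,
        'upload_files'           => true,  // images for news items
        'manage_categories'      => true,
        // Deliberately absent: delete_others_posts, edit_pages, moderate_comments,
        // install_plugins, activate_plugins, edit_themes, edit_users, manage_options.
    ];
}

// Roles are stored in the database (the wp_user_roles option), so the role is created
// once and then kept in sync with the list above on later loads.
add_action('init', function (): void {
    $wanted = b12_news_editor_caps();
    $role = get_role(B12_NEWS_ROLE);
    if ($role === null) {
        add_role(B12_NEWS_ROLE, 'News Editor', $wanted);
        return;
    }
    // Grant anything newly added to the list, revoke anything removed from it.
    foreach (array_keys($wanted) as $cap) {
        if (!$role->has_cap($cap)) {
            $role->add_cap($cap);
        }
    }
    foreach (array_keys($role->capabilities) as $cap) {
        if (!array_key_exists($cap, $wanted)) {
            $role->remove_cap($cap);
        }
    }
});

/**
 * Audit helper: capabilities the role currently has that are not in the approved list.
 * An empty array means least privilege holds for this role.
 */
function b12_news_editor_excess_caps(): array
{
    $role = get_role(B12_NEWS_ROLE);
    if ($role === null) {
        return [];
    }
    $granted = array_keys(array_filter($role->capabilities));
    return array_values(array_diff($granted, array_keys(b12_news_editor_caps())));
}
```

Assign the role from the user's profile screen (Role: News Editor) or with `wp user update <login> --role=news_editor`, and confirm nothing has crept in with `wp eval 'var_export(b12_news_editor_excess_caps());'`, which should print an empty array. Because the mu-plugin reconciles the role on every load, changing a capability in the list and reloading the site is enough to apply it.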
Boom12 WordPress Security Services
If you’re ready to lock down your site without the hassle, get in touch.