WordPress Security: People & Logins

We’re rolling out a few blog posts on WordPress security. Over the years we’ve seen more than a few compromised websites. It can get ugly. It can get costly. It is almost always stressful.

This post focuses on a few things you can do to increase security around user logins. TL;DR:

  1. Strong usernames and passwords
  2. Custom login URL
  3. Two-factor authentication
  4. Effective permissions

1. Strong usernames and passwords

In this day and age this should go without saying. Alas, here we are. The two most stolen passwords of 2018 were: 123456 & password. Wow.

First username policy: never use the default admin account. Further, if it is in your user list, delete it. As the name suggests, it is an administrative account and it is a default account. Nothing says vulnerability like ‘default admin.’

Heads-up: Boom12 hosting requires a strong password for all users. If you need to come up with a password and can’t get “123456” out of your head, check out the Secure Password Generator.

2. Custom login URL

One thing that makes life easy for hackers is when everyone’s website is the same. What I mean here is that almost every WordPress site has the same URL to log in to the dashboard. If, like many, you are logging in to your site using ‘wp-admin’ or ‘wp-login.php’, then you can tighten your security by simply setting a custom login URL. You can do this by adding the WPS Hide Login plugin.

3. Two-factor authentication

If you haven’t heard of two-factor authentication yet, you will. It’s gaining prominence and many online services have already adopted voluntary two-factor authentication options. Some are planning to make it mandatory. Here’s your chance to be ahead of the curve.

Google Authenticator is a reliable two-factor authentication tool you can easily set up for free with the help of the Google Authenticator plugin.

4. Effective user permissions

Another simple way to avoid a compromised site is to ensure that your users can do what they have to and nothing more. Too often I see sites doling out administrative privileges to users who post news and events and nothing more. Administrative permissions are often granted to users because it’s the easiest way to set it up. Sadly, it ensures they can do what they have to but it does so by letting them do whatever they want.

Most users do not need administrative permissions. If you’ve tried other options and there seems to be no obvious way to cover a user’s tasks without administrative privileges, fear not: there are options. You can set up custom user roles. Simply install the User Role Editor plugin and create the custom roles that suit your needs but won’t compromise security. It can get a little complicated in there, so please reach out if you need a hand.
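To check an existing site against the username advice in section 1 and the permissions advice in this section, here is an added example (not part of the original post) that audits a user export. It assumes the export comes from WP-CLI's `wp user list --fields=user_login,roles --format=csv`; the sample rows and the `EXPECTED_ADMINS` allowlist are constructed for illustration.

```python
import csv
import io

# Constructed sample of `wp user list --fields=user_login,roles --format=csv`.
SAMPLE_CSV = '''user_login,roles
admin,administrator
jsmith,administrator
news-desk,administrator
events,author
mlee,"editor,administrator"
guest,subscriber
'''

# Assumption: the only accounts that genuinely need full administrative rights.
EXPECTED_ADMINS = {"jsmith"}


def audit_users(csv_text, expected_admins):
    """Return (login, finding) pairs for accounts that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        # A user can hold several roles; WP-CLI joins them with commas.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}

        # Section 1: the default 'admin' login should not exist at all.
        if login.lower() == "admin":
            findings.append((login, "default-admin-username"))

        # Section 4: administrator rights outside the allowlist are excess
        # privilege until someone confirms the account really needs them.
        if "administrator" in roles and login not in expected_admins:
            findings.append((login, "unexpected-administrator"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_CSV, EXPECTED_ADMINS):
        print(f"{login}: {finding}")
```

Each flagged account is a candidate for deletion (the default admin) or for a move to a narrower role.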

Boom12 WordPress Security Services

If you’re ready to lock down your site without the hassle, get in touch or check out our security service plans.
