Managing a website is a bit of a balancing act. You need to allow your employees, web designer and marketing team access to the back-end so that important updates and maintenance activities can occur. But you also don’t want to grant too much access to too many people, as this can make your website more vulnerable and make it more difficult to track changes or find the root cause of a given issue.
WordPress currently offers six different user roles with varying levels of back-end access and editing capability. These admin and user accounts are powerful tools, but they are also a prime target for brute force attacks. In fact, brute force logins are one of the top three ways that hackers gain entry to websites, just behind security vulnerabilities in themes and plugins. Implementing security best practices at the login level can go a long way toward ensuring that your website stays secure.
It seems like a no-brainer, but insufficient access restrictions are a frequent security issue in business websites.
It’s very easy to provide login credentials to a low-level employee or contractor when some minor thing needs to get done. This can lead to problems when it’s not done with the correct foresight.
As a website owner, it’s a good idea to audit user access to your site on a regular basis to ensure that all the current accounts are valid. One of the first things that we do when we take control of a website is to find out who currently has, or could have, access to the site. We go through all of the current user profiles and ask:
If the answer to any of these questions is a “no,” then it’s important to either remove that user account, or change the access level. Revoke access for anyone no longer working for the company or no longer contributing to the site, and keep permissions to a minimum (a person writing posts for your blog probably doesn’t need to be able to access your firewall settings, for example).
There’s no trick to this, and though a website security expert can walk you through the process, as the owner or manager of the company, you’ll know best who is working on your website and for your organization.
By now we should all know that using the same simple password across multiple platforms is a bad idea, but plenty of people still do it. It’s understandable — nobody wants to have to remember 20 complex alpha-numeric passwords on top of everything else.
Luckily, there’s an app for that. Several, in fact. Password managers have been around for years and are a proven method that makes it quite easy to step up your online security. Apps like LastPass and 1Password can securely store numerous passwords, auto-generate secure passwords, and even work as browser extensions to auto-fill passwords when you log in to a site or application.
Regardless of what password manager you go with, we recommend using passwords that are at least 16 characters long and contain at least one of each of the following:
You’ve been hearing this advice for years, but seriously — this is tried and true web security 101. If you do this, your login will be almost impossible to guess.
And to cover that final “almost,” we also highly recommend using two-factor authentication. 2FA or 2FV (2-factor verification) usually takes the form of a code sent to your phone via SMS or an authenticator app. This ensures that even if a hacker is able to guess your login credentials, they’ll still be locked out unless they manage to steal and unlock your phone at the same time.
These kinds of measures are very basic and very easy to implement and they are in use even among the top tech companies. In early 2017, Google implemented two-factor authentication in the form of individual secure USB keys for all of its 85,000 employees. Phishing issues dropped to zero. Don’t you want to be able to say that your company uses the same security standards as Google?
While login behaviour might be the number one thing in making sure your website is safe and secure, there are other settings that you can configure to add an extra layer of security.
One WordPress security feature that we recommend is configuring a maximum number of login attempts. We usually allow between 5 and 10 login attempts depending on a few variables. You want to strike a balance here — too few attempts, and innocent but forgetful users might be consistently locked out of their site. Too many, and sophisticated bots might have just enough of an opportunity to get in.
It’s also possible to configure your WordPress website to kick users out if they sit idle for a period of time. We like to keep these settings under 90 minutes, though it’s important to evaluate this on a case-by-case basis — nobody wants to leave for a coffee break and find that they’ve been kicked out of their website and lost all their changes just because the lineup at Starbucks was a bit longer than usual. In a post-COVID world, these kinds of settings are a little less necessary — if you’re working from home, the chances of someone unauthorized getting a peek at your computer are pretty minimal (pets and children notwithstanding).
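As an added example (not code from the original post), here is a minimal must-use plugin that enforces both settings just described, the failed-login limit and the idle timeout, using WordPress's own hooks; the lh_ names and the 15-minute lockout length are my assumptions.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example; lh_ names are made up)
 * Save as wp-content/mu-plugins/login-hardening.php. Limits follow the post:
 * 5 failed attempts, 90 minutes idle; the 15-minute lockout length is assumed.
 */
const LH_MAX_ATTEMPTS   = 5;
const LH_LOCKOUT_WINDOW = 15 * MINUTE_IN_SECONDS;  // assumed lockout length
const LH_IDLE_LIMIT     = 90 * MINUTE_IN_SECONDS;
// One counter per (source IP, username): a single noisy IP cannot lock out
// every account, and one account cannot be locked from everywhere at once.
function lh_attempt_key( $username ) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';  // behind a proxy, use the real client IP
    return 'lh_fail_' . md5( $ip . '|' . strtolower( $username ) );
}
// Count every failed login; the transient expires on its own after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key = lh_attempt_key( $username );
    set_transient( $key, (int) get_transient( $key ) + 1, LH_LOCKOUT_WINDOW );
} );
// wp_authenticate_user runs after the account is looked up but before the
// password is checked, so a locked account never reaches the hash comparison.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( $user instanceof WP_User
        && (int) get_transient( lh_attempt_key( $user->user_login ) ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked_out', 'Too many failed logins. Please try again later.' );
    }
    return $user;
} );
// A successful login clears the counter for that IP/username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lh_attempt_key( $user_login ) );
} );
// Idle logout: stamp last activity on every request and end stale sessions.
// The editor's heartbeat (admin-ajax) also counts as activity, so an open
// editor tab is not logged out mid-edit.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $uid  = get_current_user_id();
    $last = (int) get_user_meta( $uid, 'lh_last_activity', true );
    if ( $last && time() - $last > LH_IDLE_LIMIT ) {
        wp_logout();
        wp_safe_redirect( add_query_arg( 'lh_idle', '1', wp_login_url() ) );
        exit;
    }
    update_user_meta( $uid, 'lh_last_activity', time() );
} );
```

Sites behind a reverse proxy or CDN should derive the client address from the forwarded header their proxy sets, otherwise every visitor shares one counter and a handful of failures locks everyone out.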
Occasionally, we’ve used WordPress change logs and other tools to track what changes were made by which users. If a bug arises, this can be a helpful tool for tracking when certain changes were implemented and how they may have contributed to an issue. Fewer users with narrower access make this process a lot easier.
Securing your WordPress admins and logins is a moot point if you don’t have other security measures in place. Make sure you have proper backups, a firewall, use a CDN, run regular malware scans, monitor uptime…you get the message. Give our blog a read for more tips and advice on how to secure WordPress websites.
Website security starts with you and your employees. Treat website login credentials like the key to your home or business. You should only provide access to people who you trust, and who have some reason to be in there.
Regularly auditing users and access credentials, using tiered access controls, and modelling good login behaviour can do wonders for your web security and your peace of mind. If you’re not sure who currently has access to your website, why not take a few minutes right now to check? It might save you a lot of detective work down the road.