Human error is one of the biggest sources of website security breaches and vulnerabilities. Security issues frequently arise when there aren’t enough controls or restrictions around access to your website’s back end.
Categorize your People
In order to set useful access restrictions, you need to figure out who needs what kind of access to your website. It can be useful to imagine placing your users in a series of buckets. If you have a fairly small team, you can start with maybe 2 or 3 buckets. For example:
- Full access
- Selective access
- Minimal access
Once you’ve created a few buckets, you need to define these access levels. As we talked about in our WordPress admin security article, WordPress currently offers 6 different tiers of back end access. At the top end, a super admin account gives a person the ability to manipulate the core code, plugins, firewall settings, and even other user accounts. At the bottom end, a contributor account gives a person enough access to log in and create content within the content editor, but very little else. They may not even have publishing abilities.
Who on your team needs super admin or admin-level access? Hopefully, it’s going to be one or two, maybe three people, depending on the size of your company. We can’t stress this enough — you want to keep access to a minimum. The more people who have access to your site, the less control you have over it. And losing control of your website means you’re vulnerable to security breaches at any time. Having only one person with full access can be slightly risky, because if that person is away or otherwise occupied you may not be able to access crucial systems in case of an emergency. More than three, and it becomes harder to control who sees and does what. Two people is the “Goldilocks zone” of top-tier access. On the other end of the spectrum, your “minimal access” bucket should contain as many people as possible.
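As an added example (not part of the original article), the short script below sorts an exported user list into the three buckets and flags the situations described above: a single full-access account, more than three full-access accounts, and logins that look shared. The CSV layout, the role-to-bucket mapping, and the name hints used to spot shared logins are assumptions made for this illustration.

```python
import csv
import io
from collections import defaultdict

# Assumption: how WordPress roles map onto the article's three buckets.
BUCKETS = {"administrator": "full", "editor": "selective", "author": "selective",
           "contributor": "minimal", "subscriber": "minimal"}
RANK = {"minimal": 0, "selective": 1, "full": 2}

# Constructed sample export: one row per account, roles comma-separated.
SAMPLE_EXPORT = """user_login,roles
dana,administrator
lee,administrator
priya,administrator
omar,"editor,administrator"
jim,author
webteam,editor
kit,contributor
sam,subscriber
"""

def bucket_users(export_csv):
    """Place each account in the highest bucket any of its roles grants."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        roles = [r.strip() for r in row["roles"].split(",") if r.strip()]
        # Custom or unknown roles count as full access until someone reviews them.
        levels = [BUCKETS.get(r, "full") for r in roles] or ["minimal"]
        buckets[max(levels, key=RANK.get)].append(row["user_login"])
    return dict(buckets)

def audit(export_csv, shared_hints=("team", "shared", "office")):
    """Return (finding, accounts) pairs following the article's guidance."""
    buckets = bucket_users(export_csv)
    full = buckets.get("full", [])
    findings = []
    if len(full) == 1:      # nobody else can act if this person is away
        findings.append(("single_full_access", full))
    elif len(full) > 3:     # more than three is hard to keep track of
        findings.append(("too_many_full_access", full))
    # Heuristic: login names that look like a shared account rather than a person.
    shared = [u for users in buckets.values() for u in users
              if any(h in u.lower() for h in shared_hints)]
    if shared:
        findings.append(("shared_login_suspected", sorted(shared)))
    return findings

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_EXPORT):
        print(finding, accounts)
```
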
Strong Passwords
Yes, it’s the same advice you’ll read at the top of almost any article on any cybersecurity topic. But if your company is still using the name of your accountant’s dog as the shared password for all your website accounts, make it your resolution to change that. Like, yesterday.
It’s also important to change your password from time to time. The best website admins and professional users will change their password about once every six months. Changing it more often than this is probably overkill, especially if you’re using good security practices in general, but the longer your password stays the same, the more time hackers have to guess it using sophisticated brute-force techniques.
We can’t overstate the degree to which just having a sufficiently complex password can reduce the risk of website security breaches. Why are you still using a simple one?
I’m worried I’ll forget a complex password
Password managers like LastPass and 1Password are designed to do the job of remembering your passwords. If you enable a password manager browser extension, you can securely auto-fill all your passwords. You don’t have to remember anything — in fact, you don’t even have to know your password.
Changing my password regularly is too much of a hassle
Set yourself a reminder to change your password every six months. If you’re using a password manager, you can auto-generate a secure alphanumeric password with a couple of clicks. What’s more of a hassle — taking 10 minutes to reset a password, or spending days trying to track down and fix a cybersecurity vulnerability?
Multiple people in the company use the same account
Allowing multiple people to log in on the same account is not only a recipe for a disorganized, Frankenstein-esque website — it’s a gigantic security risk. Audit your user logins ASAP, and assign separate, secure login credentials only to those who need access.
Set Up 2FA
Even a strong password can be cracked if a hacker is intent on brute-forcing their way into your website. Using two-factor authentication almost eliminates the risk of an unauthorized person getting into your website via the login page.
2FA basically serves as a cross-check that the person logging in is really who they say they are. Say your blog writer, Jim, was careless one day and let an unauthorized person know his login credentials. This slip-up might allow someone to get into the website and make changes. Luckily, Jim has two-factor authentication set up. When this unauthorized person tries to log in using his credentials, Jim gets a message from an authenticator app on his phone. Because Jim knows he’s not the one trying to access the site, he immediately denies the login request. The unauthorized user is denied entry.
No matter how many attempts they make, the unauthorized user won’t be able to get into the website without Jim’s phone. Jim can take 5 minutes to change his password when he gets back to his computer, and a potential security crisis is averted.
Configure Timeouts
You can configure your WordPress website to automatically log out inactive users. You can also adjust the timeframe in which this happens. We don’t always recommend automatic timeouts, especially when a site is being actively worked on, because they can become inconvenient when someone is spending a full day working on a website. But, if your site has a lot of users or users that tend to access the back end from shared computers or computers in public locations, timeouts can be a good addition to your complete defense arsenal. If you do choose to configure these, however, make sure that the time limit is clearly communicated to anyone working on the site. No one wants to lose an hour’s worth of work by getting kicked out of their login after taking a break.
Use Common Sense
If you see something suspicious — don’t click on it. This can include links in website comments, images, and email content that isn’t coming from a trusted source. Report anything strange or unusual on your website as soon as you notice it, and coach your entire team to do the same. Good website security best practices are, in general, pretty easy to stick to, as long as you’re doing what works best for your workplace. You don’t have to remember a complex password — just use a reputable password manager. You don’t have to configure kickouts if they don’t suit your style of work. Do a criminal record check on anyone who might be interacting with the back end of your site, and don’t give access to people you don’t trust.
It’s a great idea to block off some time — maybe a few hours, spread out over a couple days to a week — to ensure every member of your team has adequate website security training. If you don’t feel confident providing this training yourself, consider booking a third-party security consultant or a team workshop. Proper website security practices are easy to implement, but they’re most effective when everyone on your team is following them to a tee.