The best way to secure your WordPress users in 2020 is by using a strong password and two-factor authentication. That seems pretty straightforward, right? The reality is that WordPress user security is a bit more nuanced.
Whenever we talk about user security, we often hear questions like, should every WordPress user have the same security requirements, and how much security is too much security?
Don’t worry. We answer all of these questions. But first, let’s talk about the different types of WordPress users.
What are the different types of WordPress users?
There are 5 different default WordPress users.
Each user has different capabilities. The capabilities dictate what they can do once they access the dashboard. Read more about WordPress user roles and permissions.
The Potential Damage of Different Hacked WP Users
Before we can understand how to secure our WordPress users, we must first understand the threat level of each type of compromised user. The type and level of damage an attacker can inflict varies greatly depending on the roles and capabilities of the user they hack.
Administrator – Threat Level High
Administrator users have the capability to do whatever they want.
- Create, remove, and modify users.
- Install, remove, and edit plugins and themes.
- Create, remove, and edit all posts and pages.
- Publish and unpublish posts and pages.
- Add and remove media.
If a hacker can get their hands on one of your site’s Administrator accounts, they could hold your website for ransom. Ransomware refers to an attack in which a hacker takes over your website and won’t release it back to you unless you pay them a hefty fee.
The average downtime of a ransomware attack is 9.5 days. How much revenue would 10 days of NO sales cost you?
Editor – Threat Level High
The Editor manages all of the website’s content. These users still have quite a bit of power.
- Create, delete, and edit all posts and pages.
- Publish and unpublish all posts and pages.
- Upload media files.
- Manage all links.
- Manage comments.
- Manage categories.
If an attacker took control of an Editor’s account, they could modify one of your pages to use in a phishing attack. Phishing is a type of attack used to steal user data, including login credentials and credit card numbers.
Phishing is one of the surest ways to get your website blacklisted by Google. Each day, 10,000 sites get on Google’s blocklist for various reasons.
Author – Threat Level Medium
The Author was designed to create and manage their own content.
- Create, delete, and edit their own posts and pages.
- Publish and unpublish their own posts.
- Upload media files.
If an attacker were to gain control of an Author’s account, they could create pages and posts that send your site visitors to malicious websites.
Contributor & Subscriber – Threat Level Low
The Contributor is the lite version of the Author user role. They have no publishing power.
- Create and edit their own posts.
- Delete their own unpublished posts.
The Subscriber can read things that the other users publish.
While hackers with a Contributor or Subscriber role can’t make any malicious changes, they can steal any sensitive information stored in the user’s account or profile page.
7 Tips to Secure Your WordPress Users
Okay, so that is some pretty nasty stuff that hackers can do to our websites. The good news is that most attacks on your WordPress user accounts can be prevented with just a little effort on your part.
Let’s take a look at the things you can do to secure your WordPress users. The truth is that these security methods will help secure every type of WordPress user. But, as we go through each of the methods, we will let you know which users you should require to use the method.
1. Only Give People the Capabilities They Need
The easiest way you can protect your website is by only giving your users the capabilities they need and not anything more. If the only thing someone is going to do on your website is to create and edit their own blog posts, they don’t need the capability to edit other people’s posts.
2. Limit Login Attempts
Brute force attacks refer to a trial and error method used to discover username and password combinations to hack into a website. By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make.
Without a limit on the number of failed login attempts an attacker can make, they can keep trying an endless number of usernames and passwords until they are successful.
The iThemes Security Pro Local Brute Force Protection feature keeps track of invalid login attempts made by IP address and by username. Once an IP or username has made too many consecutive invalid login attempts, it gets locked out and is prevented from making any more login attempts.
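To make the lockout logic concrete, here is an added example (not iThemes code) of a tracker that counts consecutive failed logins per IP address and per username and locks out either key once it crosses its threshold. The thresholds and lockout duration are constructed values for the example, not the plugin's defaults; a lock on a username applies no matter which IP the attempt comes from.

```python
import time
from collections import defaultdict

# Constructed policy values for this example (not the plugin's defaults).
MAX_ATTEMPTS_PER_IP = 5
MAX_ATTEMPTS_PER_USER = 3
LOCKOUT_SECONDS = 15 * 60


class BruteForceGuard:
    """Tracks consecutive failed logins by IP and by username and locks out either key."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock so the logic is testable
        self.failures = defaultdict(int)   # key -> consecutive failure count
        self.locked_until = {}             # key -> unix time when the lockout expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.now() >= until:
            # Lockout expired: clear it and reset the consecutive counter.
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def allow_attempt(self, ip, username):
        """Call before checking credentials; False means the attempt must be refused."""
        return not (self.is_locked(("ip", ip)) or self.is_locked(("user", username.lower())))

    def record_failure(self, ip, username):
        """Count an invalid login against both keys and lock whichever reached its limit."""
        for key, limit in ((("ip", ip), MAX_ATTEMPTS_PER_IP),
                           (("user", username.lower()), MAX_ATTEMPTS_PER_USER)):
            self.failures[key] += 1
            if self.failures[key] >= limit:
                self.locked_until[key] = self.now() + LOCKOUT_SECONDS

    def record_success(self, ip, username):
        # A valid login resets the consecutive counters; a lockout in force is kept.
        self.failures.pop(("ip", ip), None)
        self.failures.pop(("user", username.lower()), None)
```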
3. Secure WordPress Users with Strong Passwords
The stronger your WordPress user account password is, the harder it is to guess. It takes 0.29 milliseconds to crack a seven-character password, but a hacker needs two centuries to crack a twelve-character password!
Ideally, a strong password is an alphanumeric string at least twelve characters long. The password should contain upper- and lower-case letters as well as other ASCII characters.
While everyone can benefit from using a strong password, you may only want to force people with Author level capabilities and above to have strong passwords.
The iThemes Security Pro Passwords Requirement feature allows you to force specific users to use a strong password.
4. Refuse Compromised Passwords
Even though 91% of people know reusing passwords is poor practice, 59% of people still reuse their passwords everywhere! Many of these people are still using passwords that they know have appeared in a database dump.
Hackers use a form of brute force attack called a dictionary attack. A dictionary attack is a method of breaking into a WordPress website with commonly used passwords that have appeared in database dumps. The “Collection #1” data breach that was hosted on MEGA included 1,160,253,228 unique combinations of email addresses and passwords. That is billion with a b. That kind of haul really helps a dictionary attack narrow down the most commonly used WordPress passwords.
It is a must to prevent users with Author level capabilities and above from using compromised passwords. You may also think about not letting your lower level users use compromised passwords.
It is completely understandable and encouraged to make creating a new customer account as easy as possible. However, your customer may not know that the password they are using has been found in a data dump. You would be doing your customer a great service by alerting them to the fact that the password they are using has been compromised. If they are using that password everywhere, you could save them from some major headaches down the road.
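As an added example for tips 3 and 4 (not the plugin's own code), the check below applies the strong-password rule only to Author-level roles and above and refuses any password found in a breach list, regardless of role. The breach list here is a constructed set of SHA-1 hashes standing in for a real dump; comparing hashes rather than plaintext is an assumption of this example.

```python
import hashlib
import string

# Role ranking used to decide who must meet the strong-password rule (Author and above).
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}
STRONG_PASSWORD_MIN_ROLE = "author"
MIN_LENGTH = 12

# Constructed stand-in for a breach dump: SHA-1 hashes of a few passwords of the kind that
# show up in dictionary lists. A real deployment would load a full dump or query a breach
# lookup service; storing SHA-1 hex is an assumption made for the example.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty123", "Welcome2020!")
}


def is_strong(password):
    """At least twelve characters with upper, lower, digit and another ASCII character."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def is_compromised(password):
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def check_password(role, password):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    # Compromised passwords are refused for every role: a low-level user reusing a leaked
    # password is still exposed everywhere else they use it.
    if is_compromised(password):
        problems.append("compromised")
    must_be_strong = ROLE_RANK[role] >= ROLE_RANK[STRONG_PASSWORD_MIN_ROLE]
    if must_be_strong and not is_strong(password):
        problems.append("weak")
    return problems
```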
5. Secure WordPress Users with Two-Factor Authentication
Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Google shared on its blog that using two-factor authentication can stop 100% of automated bot attacks. I really like those odds.
At the very least, you should require your Admins and Editors to use two-factor authentication.
The iThemes Security Pro Two-Factor Authentication feature provides a ton of flexibility when implementing 2FA on your website. You can enable two-factor for all or some of your users, and you can force your high-level users to use 2FA on each login.
6. Limit Device Access to the WP Dashboard
Limiting access to the WordPress dashboard to a set of devices can add a strong layer of security to your website. If a hacker isn’t on the correct device for a user, they won’t be able to use the compromised user to inflict damage on your website.
You should only limit device access to your Admins and Editors.
The iThemes Security Pro Trusted Devices feature identifies the devices that you and other users use to log in to your WordPress site. When a user has logged in on an unrecognized device, Trusted Devices can restrict their administrator-level capabilities. This means that even if an attacker were able to break into the backend of your WordPress site, they wouldn’t have the ability to make any malicious changes to your website.
7. Secure WordPress Users from Session Hijacking
WordPress generates a session cookie every time you log into your website. Now let’s say that you have a browser extension that has been abandoned by its developer and no longer receives security updates. Unfortunately for you, the neglected browser extension has a vulnerability that allows bad actors to steal your browser cookies, including the WordPress session cookie mentioned earlier. This type of attack is known as session hijacking: the attacker uses the stolen cookie to piggyback off your login and starts making malicious changes with your WordPress user.
You should have session hijacking protection in place for your Admins and Editors.
The iThemes Security Pro Trusted Devices feature makes Session Hijacking a thing of the past. If a user’s device changes during a session, iThemes Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins.
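The two Trusted Devices behaviours described in tips 6 and 7 can be shown together. The added example below (not iThemes code) binds each login session to a device fingerprint; a cookie replayed from a different device destroys the session, and a session on a device the user has not marked as trusted keeps the login but reports that admin-level capabilities should be withheld. Fingerprinting by IP address and User-Agent is an assumption made to keep the example small.

```python
import hashlib
import secrets
from collections import defaultdict


class SessionStore:
    """Login sessions bound to the device that created them (constructed example)."""

    def __init__(self):
        self.sessions = {}                 # session token -> {"user": ..., "device": ...}
        self.trusted = defaultdict(set)    # user -> fingerprints of devices they trust

    @staticmethod
    def device_fingerprint(ip, user_agent):
        # Coarse fingerprint: a change of network or browser counts as a device change.
        # Real products use more signals; this choice is an assumption for the example.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def trust_device(self, user, ip, user_agent):
        """Record the device a user logs in from as recognized for that user."""
        self.trusted[user].add(self.device_fingerprint(ip, user_agent))

    def login(self, user, ip, user_agent):
        """Issue a session cookie value and remember which device it was issued to."""
        token = secrets.token_hex(32)
        self.sessions[token] = {"user": user,
                                "device": self.device_fingerprint(ip, user_agent)}
        return token

    def authenticate_request(self, token, ip, user_agent):
        """Return (user, privileged) for an accepted request, or None if it is rejected."""
        session = self.sessions.get(token)
        if session is None:
            return None
        fingerprint = self.device_fingerprint(ip, user_agent)
        if session["device"] != fingerprint:
            # The cookie arrived from a different device mid-session: treat it as a
            # hijacked session and log the user out by destroying the session.
            del self.sessions[token]
            return None
        # On an unrecognized device the login stands, but the caller should withhold
        # administrator-level capabilities until the device is trusted.
        privileged = fingerprint in self.trusted[session["user"]]
        return session["user"], privileged
```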
The popularity of WordPress makes it a target for hackers all over the world. As we discussed, an attacker can cause damage by hacking even the lowest level of WordPress user. The good news is that while there is no way to prevent attacks on your WordPress users, with a little effort on your part, you can prevent those attacks from being successful.