In the Feature Spotlight posts, we are going to highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover Privilege Escalation, the most underutilized feature in iThemes Security Pro.
Why We Developed Privilege Escalation
Anytime you create a new user, you are adding another entry point that a hacker could exploit. But there will likely be times when you need some outside help for your website, like when you are seeking support or after hiring an independent contractor. You need a safe, secure way to add temporary admin access to your website.
For example, let’s say that you run into some issues with one of the plugins installed on your website. After contacting support, they request admin access to your website so they can take a closer look. That seems like a perfectly reasonable request and you decide to grant them access.
So how do we give someone temporary administrator access to our WordPress website?
Granting Outside Access to your Website: The Two Options
Typically, you have two options to provide external access to your website... and neither is great.
1. Share Your User’s Credentials
Your first and worst option is to share the username and password of your WordPress admin user.
Why Sharing Your Admin Credentials is Terrible
- Reduced Security – If you share your user’s credentials, you will have to disable two-factor authentication to allow the person using your credentials to log in. Google shared on its blog that using two-factor authentication, or 2-step verification, can stop 100% of automated bot attacks. Disabling two-factor authentication, even for a short period of time, drastically reduces your website’s security.
- Inconvenient – Sharing your credentials requires you to change your password afterwards. If you forget to change your password, one or more people have admin access to your website whenever they want it.
2. Create a New User for the Support Tech
While creating a brand new admin user for the support specialist is better than sharing your admin credentials, it still isn’t great.
Why Creating a User for the Support Tech is Terrible
- Increased Vulnerability – Creating a new administrator user adds another point of entry that could be exploited. If you don’t have a password policy in place, the support tech could choose a weak password, making your WordPress login more vulnerable to attack.
- Inconvenient – Going through the process of setting up a new user anytime you need outside help is time-consuming. You have to create the new user and then remember to delete the user when they no longer need access to your website. It is a WordPress security best practice to remove any unused users from your website.
What is Privilege Escalation?
The iThemes Security Pro Privilege Escalation feature allows you to grant a user extra capabilities temporarily.
Privilege Escalation makes it easy and safe to create a universal user that you can give to any outside developers or support techs who need temporary access to your website.
With Privilege Escalation, you can create a new user and name it Support and give it the Subscriber user role. The next time you need to provide temporary access to your website, you can bump the Support user from a subscriber to an administrator. We will walk through how to do this later in the post, but first, let’s talk about why Privilege Escalation is a better way of granting access to your website.
Why Privilege Escalation is Better
- Easy – You don’t have to create a new user every time you need to grant access to your website.
- Automatic – The privilege escalation only lasts for 24 hours. After 24 hours is up, the user automatically loses all the additional privileges. You don’t have to remember to remove users or change any passwords.
- No Sacrifice in Security – You can still require this universal support user to use the email two-factor authentication method to log in, which means you have the same level of security as you do with your other admin users. Because the actual user role is a subscriber, you don’t run any real risk of leaving it on your website.
How to Use Privilege Escalation in iThemes Security Pro
To get started, enable Privilege Escalation on the Features menu of the security settings.
You can create a new user and name it Support and give it the Subscriber user role. The next time you need to provide temporary access to your website, navigate to your Support user’s Profile page.
Update the email address to allow the outside support person to request a new password. Then scroll down until you see the Temporary Privilege Escalation settings. Click the Set Temporary Role toggle, and select Admin. The user will now have Admin access for the next 24 hours.
If they don’t need the full 24 hours, you can revoke the privilege escalation from the user profile page. If you need more than 24 hours, you can set the exact number of days you need in the Days field.
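As an added illustration, and not iThemes Security Pro's own code, here is a minimal WordPress plugin sketch of how a temporary role with automatic expiry and early revocation can be enforced without ever changing the user's stored Subscriber role. The meta keys, the example_ function names and the lazy-expiry approach are assumptions; the WordPress API calls (get_role, update_user_meta, the user_has_cap filter, DAY_IN_SECONDS) are real.

```php
<?php
// Illustrative sketch, not iThemes Security Pro's code: a temporary role that
// expires automatically and is enforced on every capability check.
// Assumed user-meta keys: _tmp_role (role slug) and _tmp_role_expires (Unix time).
// Grant the capabilities of $role to $user_id for $days days (default 1 = 24 hours).
function example_set_temporary_role( $user_id, $role, $days = 1 ) {
    if ( ! get_role( $role ) || $days < 1 ) {
        return false; // refuse unknown roles and non-positive durations
    }
    update_user_meta( $user_id, '_tmp_role', $role );
    update_user_meta( $user_id, '_tmp_role_expires', time() + (int) $days * DAY_IN_SECONDS );
    return true;
}

// Revoke early, e.g. from the profile page when the support tech is done.
function example_revoke_temporary_role( $user_id ) {
    delete_user_meta( $user_id, '_tmp_role' );
    delete_user_meta( $user_id, '_tmp_role_expires' );
}

// Active temporary role, or null if none is set or it has expired.
// Expiry is enforced lazily on read, so there is no cron job that can be missed.
function example_active_temporary_role( $user_id ) {
    $role    = get_user_meta( $user_id, '_tmp_role', true );
    $expires = (int) get_user_meta( $user_id, '_tmp_role_expires', true );
    if ( ! $role ) {
        return null;
    }
    if ( $expires <= time() ) {
        example_revoke_temporary_role( $user_id ); // clean up the stale grant
        return null;
    }
    return $role;
}

// While a grant is active, merge the temporary role's capabilities into the
// user's capability checks. The stored role stays Subscriber, so two-factor
// settings and the users table are untouched and nothing lingers after expiry.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
    $role     = example_active_temporary_role( $user->ID );
    $role_obj = $role ? get_role( $role ) : null;
    if ( $role_obj ) {
        foreach ( $role_obj->capabilities as $cap => $granted ) {
            if ( $granted ) {
                $allcaps[ $cap ] = true;
            }
        }
    }
    return $allcaps;
}, 10, 4 );
```

Calling example_set_temporary_role( $support_user_id, 'administrator' ) mirrors the Set Temporary Role toggle with the Admin choice, and a larger $days value corresponds to the Days field.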
Anytime you create a new user, especially an Admin user, you are adding another entry point that a hacker could exploit. But, there are times you may need some outside help for your website, like when you are seeking support.
The Privilege Escalation feature in iThemes Security Pro makes it easy and safe to grant temporary admin access to outside contractors and support technicians.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.