In the Feature Spotlight posts, we will highlight a feature in the iThemes Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover the User Security Check, an easy way for you to audit the strength of your user’s security.
Why Does The Security of My Website’s Users Matter?
Simply put: a single Admin user with a weak password could undermine all of the other website security measures you have put into place. That is why it is so important for you to audit the strength of security used by the Administrator users on your website.
The iThemes Security Pro User Security Check allows your quickly audit and modify 5 critical elements of user security:
- Two-Factor Authentication Status
- Password Age & Strength
- Last Time Active
- Active WordPress Sessions
- User Role
Why Should I Use the User Security Check in iThemes Security Pro?
The iThemes Security Pro plugin has a ton of tools that you can use to increase the WordPress user security on your website. The Two-Factor Authentication and Password Requirements features alone protect your WordPress users from 100% of automated bot attacks.
However, these two user security tools are only effective if the users on your website are actually using them. A single admin with a weak password could undermine all of the other security measures you have put into place.
That is why it is so important for you to audit the security of the Admins and Editors on your website.
What Does the User Security Check Audit?
The User Security Check in the iThemes Security Pro plugin allows you to audit 5 different security elements for each user on your website:
1. Two-Factor Authentication
The Two- Factor section of the User Security Check lets you view if a user has enabled two-factor authentication and whether it has been configured.
- Gray Padlock – If a user has a gray padlock, it means they have enabled and configured two-factor authentication.
- Orange Padlock – An orange padlock means that the user has enabled but not configured two-factor authentication. Even though this user has configured 2fa, they are likely being forced to use the email method of 2fa when logging in.
- Red Padlock – A red padlock means the user hasn’t enabled or configured two-factor authentication.
Hovering over a red padlock in the User Security Check will display an option to send that user an email reminding them to configure two-factor authentication.
2. Password Strength and Age
The Password section of the Users Security Check displays the strength and age of each user’s password.
If the password strength of a user is Unknown, that means the user hasn’t logged in since the User Security Check was enabled.
3. Last Active Time
The Last Active section of the User Security Check displays the last time a user was active on the website.
If the Last Active time for a user is Unknown, that means they haven’t logged in since the User Security Check was enabled.
If an Admin user hasn’t been active on the website for a long time, remove them. Every user on your website, especially Admin users, create an extra entry point for a hacker to exploit
4. Active Sessions
The Session section of the User Security Check displays the number of active sessions for each user.
WordPress generates a session cookie every time you log into your website. Having multiple active sessions could simply be from a user not signing out from their laptop before signing into the website from their phone.
However, a user with multiple active sessions could be a sign of a session hijacking attack. If a user has multiple unexpected sessions, you can click the Log Out Everywhere button to end all active sessions.
Tip: Enable Trusted Devices in iThemes Security Pro to protect your users against session hijacking attacks.
5. User Role
The Role section of the User Security Check allows you to view and modify each user’s role.
The easiest way you can protect your website is by only giving your users the capabilities they need and not anything more. If you see that a user has Admin capabilities but all they do is write blogs, give them the correct user role of Author.
How to Use the User Security Check in iThemes Security Pro
Enable the User Security Check on the iThemes Security Pro settings’ main page to get started auditing your user’s security.
Once enabled, click the Configure Settings button to view the User Security Check.
How to Manage User Security From Your WordPress Security Dashboard
The iThemes Security WordPress Security Dashboard is a dynamic dashboard with all your WordPress website’s security activity stats in one place.
There are 2 security cards that let you manage the User Security Check from your security dashboard.
1. User Security Profiles
See a list of every admin user on the site. Click on any username to get their user security check overview.
2. User Security Profile
Pin a single user’s profile to your dashboard, and see their user role, password strength and age, whether or not they have two-factor enabled and when they were last on the site.
Wrapping Up: Make User Security a Priority
Hackers have better tools, and the bar for minimum security has been raised. WordPress security starts with user security, and in less than a minute, you can audit the security of every user on your website with the User Security Check.
