One of the key ways hackers (or bots) use to hack your WordPress site is through your site’s WordPress User accounts.
If you think about your site, for a second, like a physical building, whether your home or an office, every user is a door into that building.
Poor security for just one user account can open up your entire building, or site, to vulnerabilities that lead to hacks.
For example, let’s say your site has 5 Admin users all using strong passwords (like 50-characters or more) and two-factor authentication for their secondary layer of protection to entry into the site. But ONE user has a weak password that has likely been published online (i.e. “password” or “pass1234”), or if their user account has sat dormant for months, giving hackers or bots enough time to potentially break their password, then the entire building, or site, is vulnerable by that one account.Good user-level security best practices are absolutely essential for protecting your WordPress sites.
Today, with iThemes Security Pro v. 2.8.0+, we’ve made it super easy for you to assess the security of all your WordPress user accounts at one time and take action on them if needed with a new feature called WordPress User Security Check.
WordPress User Security Check helps you see all your Users in one place, make quick assessments and take key, critical actions
With WordPress User Security Check, you can:
- Know which accounts have Two-Factor Authentication enabled or not — WordPress two-factor authentication is one of the best ways to lockdown your user accounts.
- See when Users were Last Active — get a quick view of dormant accounts, for say, that contract developer you needed to give access to your site for a time, but now is irrelevant
- See sessions of who’s logged in — and be able to log them out instantly, everywhere. Maybe a user logged in from a library, hotel or a conference setting and you can’t find that laptop or simply want to wipe the slate clean and have everyone log back in. Having a logged in session that isn’t currently attended is like having an OPEN door.
- Change their Roles (and thus Capabilities ) instantly — Admin and Editors roles in WordPress can do a lot of damage to your site. But not every user on your site may need Admin privileges, so you can bump them down quick with one click, and later upgrade them if needed easily, diminishing the opportunity for hacks by those accounts.
- Delete unused or unneeded user accounts — clear out unneeded and unnecessary user accounts.
All of this helps you lower the potential opportunities for an attack via your WordPress users.
Additionally, we’ll be adding even more useful, actionable information to WordPress User Security Check in the near future like: Listing the “strength” of each user’s password, how long since the password has been changed, reminding users to enable Two-Factor Authentication, and a “health” score for each user.
The security of your WordPress site depends heavily on the security of your site’s users. Make sure you’re doing everything you can to lower those opportunities by using iThemes Security Pro’s new WordPress User Security Check.
Perform a WordPress User Security Check with iThemes Security Pro
Now, with iThemes Security Pro, you can quickly get an overview of important security info for all the users on your WordPress site. See how your users might be affecting your security and take action when needed.
Information & Actions Available from the WordPress User Security Check
|Column Heading||Description + Actions|
|Username||Hover over the username to edit or delete the user.|
|Two-Factor||Lock icons indicate whether or not two-factor has been activated for the user.|
|Last Active||Displays the time the user was last active on the site. This information can indicate if a user has been compromised.|
|Sessions||Shows number of current login locations. Click the button to log the user out of all locations.|
|Role||Change the role of the user. This is helpful if a user has a higher-access role than necessary.|
How to Use the WordPress User Security Check
From the WordPress dashboard, navigate to the iThemes Security menu. Open the Settings page.
On the Settings page, navigate to the User Security Check box at the bottom of the page. Click the Configure Settings button.
From here, you’ll be able to see the details of the WordPress User Security Check. View a listing of users, along with more security information such as two-factor authentication status, last active, current sessions and current WordPress user role. As far as actions go, you can delete or edit users, change the role of individual users and log users out directly from this screen.
Keep Your WordPress Site Secure with WordPress User Security Check, Two-Factor Authentication & More
Add an extra layer of protection to your WordPress site with the iThemes Security Pro plugin. Along with WordPress User Security Check, add two-factor authentication, WordPress security scan, Google reCAPTCHA integration, and much more to your WordPress site.
Check out all the reasons to go Pro here.