wordpress login security

Beef Up Your WordPress Login Security with These Policies

By Princess Jones

WordPress is one of the most diverse, complex, and capable content management systems available to businesses right now. Its popularity means that your business can almost always find resources for whatever goal you’re trying to accomplish with it. It also means that it’s a popular target for those who would like to exploit security weaknesses in sites that use it. Account logins are often targeted in these attacks. Your best weapon against them that sort of exploit is to beef up your WordPress login security.

Limit Your Users

Most websites don’t need to accept new user registrations from anyone who visits it. Remove the meta widget that shows up with every WordPress installation from the widgets area in the dashboard. Also, uncheck the “Anyone Can Register” box in the setting panel. You can manually add new users as you add personnel that need login credentials.

When you do add those users, make sure that they have the least amount of access necessary to do their jobs. Currently, WordPress installations can have the following roles: Super Admin, Administrator, Editor, Contributor, Author, and Subscriber. Subscriber is the lowest role and has very little responsibility. Editor, Contributor, and Author all have various abilities to create and publish content. Administrator and Super Admin can make changes to the set up. If you install a plugin like User Role Editor, you can customize them even further.

Certain types of websites can’t do this because it’s a usability issue. E-commerce sites, membership sites, and others that depend on user registrations have to accept higher numbers of users. However, you can require CAPTCHAs during registrations and limit registration to the lowest level of security possible.

Have a Password Policy

By default, WordPress doesn’t place any real requirements on your account passwords. This security flaw allows users to create weak passwords and if those users have access to administrative or superuser privileges, it puts your entire setup at risk. Since WordPress doesn’t have a password policy, create your own for your organization.

Start by requiring your users to have strong passwords with numbers, letters, and capital letters. You can use a strong password generator and assign passwords to users yourself. Another good addition to your password policy is that users change theirs periodically without repeating the same one. A WordPress plugin like Login Security System can help you set a password policy and enforce it.

Create a Backup Plan

There’s a reason that Facebook, Twitter, Google, and a host of other user platforms encourage users to enable two-factor authentication. Passwords are only so secure. Two factor authentication also adds in the extra layer of requiring a code if you log onto the website from an unrecognized device. If someone steals your login info, they’ll also need access to another account or device to access your website information. Lower level users who can’t make any changes to the installation may not have to enable this but higher level users should consider it. And a WordPress plugin like Rublon Account Security: Two Factor Authentication can help you add it to your business website today.

Subscribe to the Small Business Bonfire Newsletter
And get your free one-page marketing plan template.
Princess Jones on DeviantartPrincess Jones on FacebookPrincess Jones on GooglePrincess Jones on LinkedinPrincess Jones on Twitter
Princess Jones
Princess Jones is the evil genius behind P.S. Jones Copy & Design, where she helps food and drink businesses speak the language of their audiences. For more talk about copywriting, design, and the tools to pull them off, follow her on Twitter @imprincessjones.

2 comments

Get RSS Feed
  1. Those are good points – lots of hacked websites I fixed were hacked through brute force attack.
    But also important – have everything updated (plugins, themes, WP), uninstall all themes and plugins you don’t use and use plugin like Sucuri to add some additional protection!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.