We’ve had a busy week in the security world! It’s been a weird sort of Murphy’s Law day. As we focus on security this week, the interwebs lit up with malware!
New York Times, CNN and many many more sites were attacked. It’s actually not so much that they were attacked, but their viewers were. I also had several clients call me today to deal with a big red screen of death like so:
Ugg. You work your cute patootie off to get visitors, thats the last thing we want them to see!
Security Week Review
- Backups: How to Find the Right Plugin for You
- Updates: How to Update your Site Without An Ulcer (Enter to Win a Year of Sucuri Firewall)
- Plugins: The Newbie Mistake Everyone Still Makes
- Today: Users & Access
- Friday: Tech Stuff (simplified)
If you have done the first three assignments from our 5 Days 5 Assignments Security Week, you’re already ahead of most webmasters.
You darling geek, you!
We’re on to Assignment #4 out of 5! Almost there!
But first 2 things to know:
1. User Role & Capability Primer:
Here’s a list of Roles that are created by default in WordPress. Each links to more details on the WordPress.org site.
Administrator – somebody who has access to all the administration features within a single site.
Editor – somebody who can publish and manage posts including the posts of other users.
Author – somebody who can publish and manage their own posts.
Contributor – somebody who can write and manage their own posts but cannot publish them.
Subscriber – somebody who can only manage their profile
If the person is an author, they should not be given permission to decide the paint color on the walls, y’know?
2. The Guessing of Passwords
Sadly, this next bit is actually necessary. Want to know the secret to guessing passwords?
- use kids names or birthdays
- use spouse’s name
- use some combination of words found in the domain name of their site
- use a combination of their industry: travel, foodie, author, book, etc
- replace “o” with zero
- replace “E” with “3”
- replace “I” with “1”
- any of the above with ! at the end
- try “[email protected]”
- try “admin” (for the amount of times I see this, its totally worth a try)
- and if you’re a computer, just whiz through the dictionary and you’ll be golden in 2 seconds flat for 99% of passwords.
See where I’m going with this? I know it’s a tough pill to swallow, but random passwords are essential. See below for a total sanity saver.
On to the good stuff – your assignment for today!
1. Managing Roles & Passwords
Now that you have an idea of the Roles & Capabilities, let’s take a look at your users. Have a look at this screenshot of my user’s list.
#1 – you can see the number of each role here – I have 5 administrators and nothing of anything else.
Don’t give every user the keys to the farm.
#2 – email so you can change their passwords (I’ll explain below)
Every user must have a verified email.
#3 – Usernames.
No one should use the username, “admin”. I did that just so you could see what it looks like. I’m sacrificial like that.
#4 – How to change a user’s Role: check the box and use the dropdown to assign a different role.
2. Force a Password Change *evil grin*
To be sure everyone is changing passwords, you can force the issue. Here’s how.
- Go to users >> username
- Go to the Account Management section, Password.
- Click “Generate Password” to generate a random strong password.
- Click update on the profile.
- If you want to be nice, you can email your user and let them know that the password is changed.
- DO NOT COPY the password. They can click the ‘forgot password’ link on next login and generate their own unique password.
- Voila! That user has a new password that no one knows except them.
3. Restrict The Number of Login Attempts
These are a really good idea. If you restrict the number of times a user can guess their password, you’ll prevent a few different kinds of forced login attacks. Use Login Lockdown plugin for WordPress sites. (search for it from your Plugins tab)
TIP: How to Save Your Sanity Amongst Stupid Difficult Passwords
K, this is all good and dandy. BUT – how on earth do you have stupid difficult passwords, with stupid characters that are stupid long? And for each site you log into? Gah!! It’s frustrating until you use something like LastPass.
LastPass saves each password, it can create them for me, it saves profiles – including usernames, and even identification profiles for my multiple personalities.
It has a browser for your phone or tablet. You can put it on any desktop browser. I have used it for years. I have thousands of passwords on that account. It is completely safe. And completely necessary.
Try it. You’ll love me even more!
And that my friends is the END of Assignment 4!!
Tomorrow is a super simplified version of the techy stuff needed for security. I have typed out a few scripts for you to take to your dev or host and give to them. Easy as handing over the script and giving them a questioning look.
Don’t forget to enter the Year’s Worth of Website Firewall from Sucuri Security.