We’ve had a busy week in the security world! It’s been a weird sort of Murphy’s Law day. As we focus on security this week, the interwebs lit up with malware!
New York Times, CNN and many many more sites were attacked. It’s actually not so much that they were attacked, but their viewers were. I also had several clients call me today to deal with a big red screen of death like so:
Ugh. You work your cute patootie off to get visitors; that's the last thing we want them to see!
Here’s a list of Roles that are created by default in WordPress. Each links to more details on the WordPress.org site.
Administrator – somebody who has access to all the administration features within a single site.
Editor – somebody who can publish and manage posts including the posts of other users.
Author – somebody who can publish and manage their own posts.
Contributor – somebody who can write and manage their own posts but cannot publish them.
Subscriber – somebody who can only manage their profile.
If the person is an author, they should not be given the same permissions as the site owner, right?
Sadly, this next bit is actually necessary. Want to know the secret to guessing passwords?
I know they’re impossible to remember, but random passwords are essential. See below for a total sanity saver.
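What "random" has to mean in practice: the password must come from a cryptographically secure source, and its strength is the number of guesses it forces, which grows with both length and the size of the character set. The following is an added example, not code from the post; the function names are made up for illustration and it assumes PHP 7.1 or later.

```php
<?php
// Added example: build a password from the operating system's CSPRNG and
// measure how much guessing it resists. random_int() is the secure source;
// rand() and mt_rand() are predictable and must never be used for passwords.

// A password of $length characters drawn uniformly from $alphabet.
function generate_password(int $length = 20, ?string $alphabet = null): string {
    if ($alphabet === null) {
        // 26 + 26 + 10 + 23 symbols = 85 possibilities per character
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
                  . '!@#$%^&*()-_=+[]{};:,.?';
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];   // uniform, unbiased index
    }
    return $out;
}

// Entropy in bits: log2(alphabet_size ^ length). Every extra bit doubles the
// number of guesses an attacker needs on average.
function password_entropy_bits(int $length, int $alphabet_size): float {
    return $length * log($alphabet_size, 2);
}

$full = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.?';

printf("%-30s %s\n",        'random 20-char password:', generate_password(20, $full));
printf("%-30s %.1f bits\n", '8 digits (PIN style):',     password_entropy_bits(8, 10));
printf("%-30s %.1f bits\n", '8 lowercase letters:',       password_entropy_bits(8, 26));
printf("%-30s %.1f bits\n", '20 chars, 85-symbol set:',   password_entropy_bits(20, strlen($full)));
```

The entropy figures only hold when every character really is chosen uniformly at random; a word with a digit and an exclamation mark appended is drawn from a far smaller space than the arithmetic suggests, which is why a generator (or a password manager's generator) beats anything a person makes up.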
Now that you know the roles, and you know that your passwords should be random, let's talk about the specifics for WordPress security.
Now that you have an idea of the Roles & Capabilities, let’s take a look at your users. Have a look at this screenshot of my user’s list.
#1 – you can see the number of users in each role here – I have 5 administrators and no users in any other role.
Don’t give every user the keys to the farm.
#2 – email addresses, so you can change their passwords (I'll explain below).
Every user must have a verified email.
#3 – Usernames.
No one should use the username, “admin”.
#4 – How to change a user’s Role: check the box and use the dropdown to assign a different role.
To be sure everyone is changing passwords, you can force the issue. Here’s how.
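The post does the user review and the forced password change through the dashboard. As an added example that is not the post's own method, the same checks and the same forced reset can be scripted with WordPress core functions. This is a hypothetical must-use plugin for wp-content/mu-plugins/; the `rpa_` function names are made up, and it assumes a site that can send mail, since the reset link is delivered by email (which is why every user needs a verified address).

```php
<?php
/**
 * Plugin Name: Role and Password Audit (added example)
 * Description: Hypothetical mu-plugin, not part of the post. Reports role counts,
 *              the "admin" login and missing emails, and can force a password reset.
 */

// Users per role, using core's count_users(): ['total_users' => N, 'avail_roles' => ['administrator' => n, ...]]
function rpa_role_counts(): array {
    $counts = count_users();
    return $counts['avail_roles'];
}

// The findings a site owner would want to see on the dashboard.
function rpa_findings(): array {
    $findings = array();

    $roles  = rpa_role_counts();
    $admins = isset($roles['administrator']) ? (int) $roles['administrator'] : 0;
    if ($admins > 1) {
        $findings[] = sprintf('%d users hold the Administrator role; most should be Editor or Author.', $admins);
    }

    // The default "admin" login is the first name anyone guesses; it should not exist.
    if (username_exists('admin')) {
        $findings[] = 'A user with the login "admin" exists; create a new administrator and delete it.';
    }

    // Without a valid email a user can never receive a password reset.
    foreach (get_users(array('fields' => array('ID', 'user_login', 'user_email'))) as $u) {
        if (!is_email($u->user_email)) {
            $findings[] = sprintf('User "%s" (ID %d) has no valid email address.', $u->user_login, $u->ID);
        }
    }
    return $findings;
}

// Force one user to choose a new password: overwrite the old one with a random
// throwaway, destroy every active session, and email a reset link.
function rpa_force_password_reset(int $user_id): bool {
    $user = get_userdata($user_id);
    if (!$user) {
        return false;
    }
    wp_set_password(wp_generate_password(32, true, true), $user_id);
    WP_Session_Tokens::get_instance($user_id)->destroy_all();

    $key = get_password_reset_key($user);          // WP_Error if resets are blocked for this user
    if (is_wp_error($key)) {
        return false;
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode($user->user_login),
        'login'
    );
    return (bool) wp_mail($user->user_email, 'Please choose a new password', "Set a new password here: $link");
}

// Show the findings to administrators on every dashboard page.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    foreach (rpa_findings() as $f) {
        echo '<div class="notice notice-warning"><p>' . esc_html($f) . '</p></div>';
    }
});
```

`rpa_force_password_reset()` is deliberately not wired to anything automatic; call it per user (for example from a one-off admin page or WP-CLI `eval-file`) after the email check above comes back clean, otherwise you lock people out with no way back in.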
Login attempt limits are a really good idea. If you restrict the number of times a user can guess their password, you'll prevent a few different kinds of brute-force login attacks. Use the Login Lockdown plugin for WordPress sites (search for it from your Plugins tab).
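To show the mechanism such a plugin relies on, here is an added example of a minimal login throttle written against WordPress's own hooks. It is not the Login Lockdown plugin's code; it is a hypothetical mu-plugin with made-up `slt_` names that keeps a failure counter in a transient per client address and login name, refuses logins once the counter hits the limit, and clears it on success.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 * Description: Hypothetical mu-plugin for wp-content/mu-plugins/; not the Login Lockdown plugin.
 */

define('SLT_MAX_ATTEMPTS', 5);                          // failures allowed before lockout
define('SLT_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);  // counter (and lockout) lifetime

// One counter per client address and attempted login name. REMOTE_ADDR is only
// the real client when PHP is reached directly; behind a proxy or CDN, read the
// address from the header that proxy sets, and trust that header from the proxy only.
function slt_key(string $username): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'slt_' . md5($ip . '|' . strtolower($username));
}

function slt_failures(string $username): int {
    return (int) get_transient(slt_key($username));
}

// Fired by WordPress on every failed login with the attempted username.
function slt_record_failure(string $username): void {
    $key = slt_key($username);
    $n   = (int) get_transient($key) + 1;
    set_transient($key, $n, SLT_LOCKOUT_SECONDS);      // expiry doubles as the lockout window
    if ($n >= SLT_MAX_ATTEMPTS) {
        // Leave a trace in the web server's error log for later review.
        error_log(sprintf('login throttle: "%s" from %s locked after %d failures',
            $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $n));
    }
}
add_action('wp_login_failed', 'slt_record_failure', 10, 1);

// Priority 30 runs after core's username/password filters (priority 20), so even a
// correct password cannot log in while the lockout is active.
function slt_check_lockout($user, $username, $password) {
    if (!empty($username) && slt_failures($username) >= SLT_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts', 'Too many failed login attempts. Please try again later.');
    }
    return $user;
}
add_filter('authenticate', 'slt_check_lockout', 30, 3);

// A successful login clears the counter for that address/name pair.
function slt_clear(string $user_login): void {
    delete_transient(slt_key($user_login));
}
add_action('wp_login', 'slt_clear', 10, 1);
```

Two caveats a practitioner should keep in mind: because the counter is keyed by address, guesses spread across many addresses are not slowed by it (that is what a plugin with shared or username-only counters, plus strong random passwords, is for), and because a locked name also locks the legitimate owner at that address, the window should be short enough that a typo-prone user is inconvenienced rather than shut out.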
OK, this is all well and good. BUT – how do you remember all those random passwords? Use a password keeper. I use one attached to my browser, Chrome. On each computer, when I log into Chrome, this extension goes to work and will auto-fill any login that I need. We use and recommend LastPass.
LastPass saves each password, it can create them for me, and it saves profiles – including usernames, and even identification profiles for my multiple personalities.
I have used it for years. I have thousands of passwords on that account. The security of the site is on par with online banking software. So I trust it.