4 – Secure Users & Passwords

We’ve had a busy week in the security world! It’s been a weird sort of Murphy’s Law day. As we focus on security this week, the interwebs lit up with malware!

New York Times, CNN and many many more sites were attacked. It’s actually not so much that they were attacked, but their viewers were. I also had several clients call me today to deal with a big red screen of death like so:

Screen Shot 2016-03-16 at 5.56.04 PM

Ugg. You work your cute patootie off to get visitors, thats the last thing we want them to see!


1. User Role & Capability Primer:

Here’s a list of Roles that are created by default in WordPress. Each links to more details on the WordPress.org site.

Administrator – somebody who has access to all the administration features within a single site.

Editor – somebody who can publish and manage posts including the posts of other users.

Author – somebody who can publish and manage their own posts.

Contributor – somebody who can write and manage their own posts but cannot publish them.

Subscriber – somebody who can only manage their profile

If the person is an author, they should not be given the same permissions as the site owner, right?

2. The Guessing of Passwords

Sadly, this next bit is actually necessary. Want to know the secret to guessing passwords?

  • use kids names or birthdays
  • use spouse’s name
  • use some combination of words found in the domain name of their site
  • use a combination of their industry: travel, foodie, author, book, etc
  • replace “o” with zero
  • replace “E” with “3”
  • replace “I” with “1”
  • any of the above with ! at the end
  • try “[email protected]
  • try “admin” (for the amount of times I see this, its totally worth a try)
  • and if you’re a computer, just whiz through the dictionary and you’ll be golden for 99% of passwords.

I know they’re impossible to remember, but random passwords are essential. See below for a total sanity saver.

Now that you know the roles, and you know that your passwords should be random, lets talk about the specifics for WordPress security.

Secure Role Management

Now that you have an idea of the Roles & Capabilities, let’s take a look at your users. Have a look at this screenshot of my user’s list.

Users ‹ WordPress Barista — WordPress

#1 – you can see the number of each role here – I have 5 administrators and nothing of anything else.
Don’t give every user the keys to the farm.

#2 – email so you can change their passwords (I’ll explain below)
Every user must have a verified email.

#3 – Usernames.
No one should use the username, “admin”.

#4 – How to change a user’s Role:  check the box and use the dropdown to assign a different role.

Regularly Force a Password Change

force password change

To be sure everyone is changing passwords, you can force the issue. Here’s how.

  1. Go to users >> username
  2. Go to the Account Management section, Password.
  3. Click “Generate Password” to generate a random strong password.
  4. Click update on the profile.
  5. If you want to be nice, you can email your user and let them know that the password is changed.
  6. DO NOT COPY the password. They can click the ‘forgot password’ link on next login and generate their own unique password.
  7. Voila! That user has a new password that no one knows except them.

3. Restrict The Number of Login Attempts

These are a really good idea. If you restrict the number of times a user can guess their password, you’ll prevent a few different kinds of forced login attacks. Use Login Lockdown plugin for WordPress sites. (search for it from your Plugins tab)

TIP: How to Save Your Sanity with Random Passwords

K, this is all good and dandy. BUT – how to remember all those random passwords? Use a password keeper. I use one attached to my browser: Chrome. On each computer, when I log into Chrome, this extension goes to work. And will auto-fill any login that I need. We use and recommend LastPass.

LastPass saves each password, it can create them for me, it saves profiles – including usernames, and even identification profiles for my multiple personalities.

I have used it for years. I have thousands of passwords on that account. The security of the site is on par with online banking software. So I trust it.


  • use the lowest necessary role
  • enforce random passwords
  • regularly force password changes
  • grab a password keeper