In 2017 a cyberattack lasting 12 hours hit the British Parliament. At the time, an attack of this magnitude was unprecedented. In the end, nearly 100 email addresses of MPs & their staffers had been compromised. Eventually, it was determined that hackers had gained access due to weak account passwords.
Fast forward to 2020, and we know that these types of cyberattacks, known as brute force attacks, are happening more & more every day. In their most recent Threat Report, McAfee showed a significant increase in such attacks in 2019.
So, how can you help prevent a brute force attack from compromising your website? The answer is as simple as good user management practices. Read the five mistakes you’re likely making, and learn how to tighten up your website security with just a few simple steps:
1. Not checking for out-of-date users
As your business grows and changes, you’ll likely add new users to your website’s WordPress dashboard. Over time, the increasing number of people with access can become a liability. When I start working with an existing website, one of the first things I do is to send the owner a list of all the current website users. I ask them to go over this list carefully, asking themselves, “does this person need access to the website dashboard?”
Any employee who does not need to access the backend of your website should not have a user account. I’ve heard site owners say, “well, I want to leave them, just in case…” But the reality is that the risk of having extra users generally outweighs the benefit of leaving someone on for a rainy day, especially when it only takes 30 seconds to re-add them if necessary.
This audit is useful for weeding out other users who should no longer have access. You’d be surprised at how often I hear “this person doesn’t work for the company anymore,” and “I don’t even know who this person is!” It’s easy to forget that you added a username for a support tech, and leave that user access active for years. It’s also common to forget to delete access for an employee who has left your business. It’s especially risky if that person parted from your company on bad terms; don’t leave yourself vulnerable to someone who thinks they have a score to settle!
2. Letting employees share a user account
While you don’t want unnecessary users to be able to access the backend of your website, you do want to make sure everyone who does need access has their own account. Letting your employees share a user account is never a good idea for the following reasons:
- Shared passwords are notoriously bad; they tend to be short and simple, and people distribute them via email or leave them on post-its around the office, all of which are lousy security practices.
- If your team shares access, when a member leaves, they will still be able to log in (re-read Mistake #1 above).
- If something does go wrong on your website, it is a lot harder to track down where the issue initiated and who made the changes that caused the problem.
If you have staff sharing access, have them stop this practice ASAP; your site will be safer for it!
3. Not utilizing available user permission levels
I also frequently see websites where all users are WordPress Administrators. Administrator permissions give people nearly unlimited access to your site. And while you might trust all of your employees, that leaves a lot of potential gateways for brute force attacks. While there are some scenarios where it’s not possible, my recommendation is to have no more than 2-3 Administrators on a single site.
Out of the box, WordPress has five different user roles. The lowest level of permission is “Subscriber,” and it applies to users who log in to your website to leave a comment. Subscribers do not have access to the backend of your website, so they don’t pose a threat. Below is an outline of the four other user roles, and their capabilities:
(Image: What's the Difference Between WordPress Account Types? The graphic compares the Contributor, Author, Editor and Administrator roles.)
Please note: there are plugins you can use to override the default user permissions, and certain plugins (e.g., WooCommerce & BuddyPress) may create new permission levels.
Do you have someone who oversees your blog posts? Consider making them an Editor. Do you have an employee who contributes a post once in a while? Make them an Author. Reduce the level of access wherever it makes sense for your users.
As a bonus, the WordPress dashboard is less overwhelming as an Editor, and even less so as an Author or Contributor! It’s an excellent option for your website users who aren’t very familiar with WP.
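As an added example (not code from this post, from WordPress core, or from any plugin), here is a small script that produces the user list for the Mistake #1 audit and counts Administrators for Mistake #3 in one pass. It assumes WP-CLI is installed on the host and is run from the site root with `wp eval-file audit-users.php`; the limit of three Administrators is an assumption matching the recommendation above.

```php
<?php
// audit-users.php: run with `wp eval-file audit-users.php` from the WordPress root.
// Hypothetical audit script written for this article; it relies only on the
// standard get_users() API. Tune $max_admins to your own policy (2-3 per the text).
$max_admins = 3;

// Oldest accounts first: the ones most likely to be forgotten support techs or ex-staff.
$users  = get_users( array( 'orderby' => 'registered', 'order' => 'ASC' ) );
$admins = array();

printf( "%-5s %-20s %-30s %-15s %s\n", 'ID', 'Login', 'Email', 'Role(s)', 'Registered' );
foreach ( $users as $user ) {
    if ( in_array( 'administrator', $user->roles, true ) ) {
        $admins[] = $user->user_login;
    }
    printf(
        "%-5d %-20s %-30s %-15s %s\n",
        $user->ID,
        $user->user_login,
        $user->user_email,
        implode( ',', $user->roles ),
        $user->user_registered
    );
}

printf( "\n%d users, %d administrator(s).\n", count( $users ), count( $admins ) );
if ( count( $admins ) > $max_admins ) {
    printf( "WARNING: more than %d administrators: %s\n", $max_admins, implode( ', ', $admins ) );
    echo "Demote with: wp user set-role <login> editor\n";
}
echo "Remove a stale account (reassigning its content) with: wp user delete <ID> --reassign=<other ID>\n";
```

Send the printed table to the site owner and ask the question from Mistake #1 about every row; the two WP-CLI commands echoed at the end are the standard `wp user set-role` and `wp user delete` commands for acting on the answers.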
4. Not adding extra security to user accounts
- Require everyone to use a “strong” password. There are many plugins available that will force users to set strong passwords; check out Password Policy Manager for WordPress, or see if your hosting company can make a recommendation.
- Enable two-factor authentication. I love two-factor authentication and use it whenever I can. For more info, check out this great article straight from WordPress.
- Limit login attempts. Brute force attacks rely on computers to try many username/password combinations in rapid succession. Stop them in their tracks by limiting the number of login attempts from a single IP address. Try the very popular (and free!) Limit Login Attempts Reloaded, or check to see if your hosting company includes it in your package.
- Consider hiding your login page. Instead of the standard “/wp-admin” URL for your login page, you might want to consider protecting it by using a different URL.
- Don’t use obvious usernames. Avoid creating usernames like “admin” or “webmaster,” which are easier targets for brute force attacks.
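The following must-use plugin is an added example for this article, not code from WordPress core or from the plugins named above. It covers three of the five items (a minimum password length, per-IP login attempt limiting, and refusing predictable usernames) using standard WordPress hooks. Drop the file into `wp-content/mu-plugins/`; the thresholds are assumptions, and two-factor authentication and login-page hiding still need a dedicated plugin.

```php
<?php
/**
 * Plugin Name: Login Hardening (example for this article)
 * Description: Minimum password length, per-IP login attempt limiting and a
 *   blocklist of predictable usernames. Hypothetical code, not WordPress core
 *   or any of the plugins mentioned in the article.
 */

// Policy knobs (assumed values; tune to your site).
const LH_MIN_PASSWORD_LENGTH = 12;
const LH_MAX_ATTEMPTS        = 5;       // failures allowed per window
const LH_WINDOW_SECONDS      = 15 * 60; // counting window, also the lockout length

// --- 1. Strong passwords: checked on profile save and on password reset. ---
function lh_check_password_strength( $errors, $update, $user ) {
    // $errors is a WP_Error object; $user is the profile data (stdClass or WP_User).
    $pass = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $pass ) {
        return; // no password change was submitted
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    if ( strlen( $pass ) < LH_MIN_PASSWORD_LENGTH ) {
        $errors->add( 'lh_short', sprintf( 'Passwords must be at least %d characters.', LH_MIN_PASSWORD_LENGTH ) );
    } elseif ( '' !== $login && false !== stripos( $pass, $login ) ) {
        $errors->add( 'lh_contains_login', 'The password must not contain the username.' );
    }
}
add_action( 'user_profile_update_errors', 'lh_check_password_strength', 10, 3 );
// validate_password_reset passes ( $errors, $user ) only.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    lh_check_password_strength( $errors, false, $user );
}, 10, 2 );

// --- 2. Limit login attempts per source IP; the counter lives in a transient. ---
function lh_client_ip() {
    // REMOTE_ADDR is set by the web server itself. Behind a CDN or reverse proxy
    // it is the proxy's address; only use X-Forwarded-For if your proxy overwrites it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}
function lh_transient_key() {
    return 'lh_fail_' . md5( lh_client_ip() );
}
// Runs after the username is looked up but before the password is checked.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    if ( (int) get_transient( lh_transient_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked', 'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}, 10, 2 );
// Count every failure (including rejected attempts during a lockout, which
// extends the lockout); the transient expires after LH_WINDOW_SECONDS.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    $key   = lh_transient_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, LH_WINDOW_SECONDS );
    error_log( sprintf( 'login failed for "%s" from %s (%d/%d)', $username, lh_client_ip(), $fails, LH_MAX_ATTEMPTS ) );
}, 10, 2 );
// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lh_transient_key() );
}, 10, 2 );

// --- 3. Refuse predictable usernames when accounts are created. ---
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'webmaster', 'root' ) );
} );
```

Two caveats worth knowing before relying on this: the per-IP counter does nothing against an attacker spreading attempts across many addresses, which is exactly why two-factor authentication belongs on the list as well; and without a persistent object cache the transients are written to the options table, so on a busy site a dedicated plugin with its own storage is the better choice.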
5. Not installing/checking an activity log
If your website has multiple users, an activity log is a must! An activity log shows you all of your users’ interactions on the WordPress dashboard. It can keep track of when users are logging in (or trying to log in); multiple failed attempts can mean an attempted brute force attack! It can also tell you when users are publishing posts or pages, updating/adding/deleting plugins, and much more.
If you don’t have an activity log installed on your site, get one! I typically use this one, aptly named Activity Log.
This post is not sponsored by Activity Log.
And if you already have an activity log installed, be sure you’re checking it regularly! It’s easy to set one up, and then forget that it exists until you have an obvious problem. But regularly checking the logs will help you spot an increase in attempted logins or other suspicious activity. I recommend reviewing the log at least once a week.
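As an added example of what a weekly log review can be reduced to, here is a short PHP script (written for this article, not code from the Activity Log plugin) that flags bursts of failed logins by source IP and by targeted username. It assumes an activity log that records the time, outcome, username and source IP of each login attempt; the line layout, the thresholds and the sample entries below are constructed for the demo, so it runs stand-alone with `php review-logins.php`.

```php
<?php
// review-logins.php: flag brute-force-like bursts of failed logins in an activity log.
// Hypothetical review script for this article. Adapt parse_line() to your log's
// real export format; the sample below is constructed.

const WINDOW_SECONDS = 600; // 10-minute window
const THRESHOLD      = 5;   // failures per IP (or per username) inside the window

$sample_log = <<<'LOG'
2020-03-02T09:00:05Z FAILED  user=admin      ip=203.0.113.7
2020-03-02T09:00:06Z FAILED  user=admin      ip=203.0.113.7
2020-03-02T09:00:08Z FAILED  user=webmaster  ip=203.0.113.7
2020-03-02T09:00:09Z FAILED  user=admin      ip=203.0.113.7
2020-03-02T09:00:11Z FAILED  user=editor     ip=203.0.113.7
2020-03-02T09:00:12Z FAILED  user=admin      ip=203.0.113.7
2020-03-02T09:00:14Z FAILED  user=admin      ip=203.0.113.7
2020-03-02T09:14:30Z FAILED  user=jane       ip=198.51.100.20
2020-03-02T09:14:45Z SUCCESS user=jane       ip=198.51.100.20
2020-03-02T12:20:00Z FAILED  user=admin      ip=192.0.2.44
LOG;

// One log line -> array( ts, ok, user, ip ), or null for lines that do not match.
function parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+)\s+(FAILED|SUCCESS)\s+user=(\S+)\s+ip=(\S+)$/', $line, $m ) ) {
        return null;
    }
    return array( 'ts' => strtotime( $m[1] ), 'ok' => 'SUCCESS' === $m[2], 'user' => $m[3], 'ip' => $m[4] );
}

// Keys ($field = 'ip' or 'user') with THRESHOLD or more failures inside any WINDOW_SECONDS span.
function bursts( array $events, string $field ): array {
    $by_key = array();
    foreach ( $events as $e ) {
        if ( ! $e['ok'] ) {
            $by_key[ $e[ $field ] ][] = $e['ts'];
        }
    }
    $flagged = array();
    foreach ( $by_key as $key => $times ) {
        sort( $times );
        $n = count( $times );
        // Sliding window: $j advances past every failure within WINDOW_SECONDS of failure $i.
        for ( $i = 0, $j = 0; $i < $n; $i++ ) {
            while ( $j < $n && $times[ $j ] - $times[ $i ] <= WINDOW_SECONDS ) {
                $j++;
            }
            if ( $j - $i >= THRESHOLD ) {
                $flagged[ $key ] = $j - $i;
                break;
            }
        }
    }
    return $flagged;
}

$events   = array_values( array_filter( array_map( 'parse_line', explode( "\n", $sample_log ) ) ) );
$failures = array_filter( $events, function ( $e ) { return ! $e['ok']; } );
printf( "%d login events, %d failures\n", count( $events ), count( $failures ) );
foreach ( bursts( $events, 'ip' ) as $ip => $count ) {
    printf( "ALERT: %d failed logins from %s within %d s (possible brute force)\n", $count, $ip, WINDOW_SECONDS );
}
foreach ( bursts( $events, 'user' ) as $user => $count ) {
    printf( "ALERT: %d failed logins against username '%s' within %d s\n", $count, $user, WINDOW_SECONDS );
}
```

On the sample data the script raises one alert for the source address and one for the “admin” username, while Jane’s single typo before a successful login and the lone afternoon attempt stay below the threshold; counting by username as well as by IP matters because an attacker who rotates addresses still has to keep hammering the same few account names.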
Are you interested in comprehensive website security? Check out our monthly Care & Maintenance plans, all of which include advanced security features, including daily malware scans & user activity log monitoring!