Written by Michael Moore on August 28, 2020
7 Tips to Secure WordPress Users in 2020
The best way to secure your WordPress users in 2020 is by using a strong password and two-factor authentication. That seems pretty straightforward, right? The reality is that WordPress user security is a bit more nuanced.
Whenever we talk about user security, we often hear questions like, should every WordPress user have the same security requirements, and how much security is too much security?
Don’t worry. We answer all of these questions. But first, let’s talk about the different types of WordPress users.
What are the different types of WordPress users?
There are 5 different default WordPress user roles:
Administrator
Editor
Author
Contributor
Subscriber
Note: WordPress multi-sites have a sixth user. The Super Administrator has access to all of the site network administration features and all other features. They can create and remove sites on the network as well as manage the network’s users, plugins, and themes.
Each user role has different capabilities. The capabilities dictate what a user can do once they access the dashboard. Read more about WordPress user roles and permissions.
The Potential Damage of Different Hacked WP Users
Before we can understand how to secure our WordPress users, we must first understand the threat level of each type of compromised user. The type and level of damage an attacker can inflict varies greatly depending on the roles and capabilities of the user they hack.
Administrator – Threat Level High
Administrator users have the capability to do whatever they want, including:
Create, remove, and modify users.
Install, remove, and edit plugins and themes.
Create, remove, and edit all posts and pages.
Publish and unpublish posts and pages.
Add and remove media.
If a hacker can get their hands on one of your site’s Administrators, they could hold your website for ransom. Ransomware refers to when a hacker takes over your website and won’t release it back to you unless you pay them a hefty fee.
The average downtime of a ransomware attack is 9.5 days. How much revenue would 10 days of NO sales cost you?
Editor – Threat Level High
The Editor manages all of the website’s content. These users still have quite a bit of power.
Create, delete, and edit all posts and pages.
Publish and unpublish all posts and pages.
Upload media files.
Manage comments.
Manage categories.
If an attacker took control of an Editor’s account, they could modify one of your pages to use in a phishing attack. Phishing is a type of attack used to steal user data, including login credentials and credit card numbers.
Phishing is one of the surest ways to get your website blacklisted by Google. Each day, 10,000 sites get on Google’s blocklist for various reasons.
Note: The iThemes Security Site Scan performs daily checks on your website’s Google blocklist status.
Author – Threat Level Medium
The Author role is designed for users who create and manage their own content.
Create, delete, and edit their own posts and pages.
Publish and unpublish their own posts.
Upload media files.
If an attacker were to gain control of an Author’s account, they could create pages and posts that send your site visitors to malicious websites.
Contributor & Subscriber – Threat Level Low
The Contributor is the lite version of the Author user role. They have no publishing power.
Create and edit their own posts.
Delete their own unpublished posts.
The Subscriber can only read what the other users publish.
While hackers with a Contributor or Subscriber role can’t make any malicious changes, they can steal any sensitive information stored in the user’s account or profile page.
7 Tips to Secure Your WordPress Users
Okay, so that is some pretty nasty stuff that hackers can do to our websites. The good news is that most attacks on your WordPress user accounts can be prevented with just a little effort on your part.
Let’s take a look at the things you can do to secure your WordPress users. The truth is that these security methods will help secure every type of WordPress user. But, as we go through each of the methods, we will let you know which users you should require to use the method.
1. Only Give People the Capabilities They Need
The easiest way you can protect your website is by only giving your users the capabilities they need and not anything more. If the only thing someone is going to do on your website is to create and edit their own blog posts, they don’t need the capability to edit other people’s posts.
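As an added example (not code from the article or from iThemes), here is how the least-privilege idea maps onto WordPress's own role API: a small plugin that registers a "Writer" role which can draft, edit and delete its own posts and upload media, but cannot publish or touch anyone else's content. The role slug `limited_writer`, the role name and the exact capability set are choices made for this example; the helper at the end is also an assumption, useful for auditing which roles hold a capability you would rather keep scarce.

```php
<?php
/**
 * Plugin Name: Limited Writer Role (example)
 *
 * Registers a "Writer" role with only the capabilities a blog writer needs.
 * Assumed: the slug "limited_writer" and the capability list below are
 * choices for this example, not part of WordPress core or iThemes Security.
 */

// Capabilities granted to the example role. Anything not listed is denied:
// no publish_posts, no edit_others_posts, no edit_pages, no unfiltered_html,
// and no edit_published_posts, so a post is frozen once an editor publishes it.
function limited_writer_capabilities() {
    return array(
        'read'         => true, // view the dashboard and their own profile
        'edit_posts'   => true, // create and edit their own draft posts
        'delete_posts' => true, // delete their own unpublished posts
        'upload_files' => true, // attach media to those posts
    );
}

// add_role() persists the role in the database, so register it once on
// activation rather than on every request.
function limited_writer_activate() {
    add_role( 'limited_writer', 'Writer', limited_writer_capabilities() );
}
register_activation_hook( __FILE__, 'limited_writer_activate' );

// Remove the role again on deactivation so it does not linger with no owner.
function limited_writer_deactivate() {
    remove_role( 'limited_writer' );
}
register_deactivation_hook( __FILE__, 'limited_writer_deactivate' );

// Audit helper (example): list the role slugs that hold a given capability.
// Run it from WP-CLI with `wp eval` to review who can publish_posts or
// edit_others_posts before handing out accounts.
function limited_writer_roles_with_cap( $capability ) {
    $holders = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( $role->has_cap( $capability ) ) {
            $holders[] = $slug;
        }
    }
    return $holders;
}
```

Because `add_role()` writes the role to the options table, editing the capability array later has no effect until the role is removed and re-added; version the plugin's activation logic accordingly, or adjust an existing role with `get_role( 'limited_writer' )->add_cap()` / `remove_cap()`.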
2. Limit Login Attempts
Brute force attacks refer to a trial and error method used to discover username and password combinations to hack into a website. By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make.
Without a limit on the number of failed login attempts an attacker can make, they can keep trying an endless number of usernames and passwords until they succeed.
The iThemes Security Pro Local Brute Force Protection feature keeps track of invalid login attempts made by IP addresses and usernames. Once an IP or username has made too many consecutive invalid login attempts, it is locked out and prevented from making any more login attempts.
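The tracking-and-lockout idea described above, written out as an added example plugin (this is not iThemes Security Pro's code, which is more complete): failed logins are counted per client IP and per username in transients, and once either counter reaches a threshold the `authenticate` filter refuses the login for a cooling-off period. The prefix `slal_`, the threshold of 5 attempts and the 15-minute window are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (example)
 *
 * Counts failed logins per client IP and per username and refuses further
 * attempts once a threshold is reached. Assumed: thresholds, window and the
 * slal_ prefix are example values, not the iThemes implementation.
 */

define( 'SLAL_MAX_ATTEMPTS', 5 );                        // consecutive failures allowed
define( 'SLAL_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS ); // lockout length

// Client address. REMOTE_ADDR is only trustworthy when PHP talks to the
// client directly; behind a reverse proxy, take the forwarded header instead,
// and only after confirming the request really came from that proxy.
function slal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names have a length limit, so hash the identifier.
function slal_key( $kind, $identifier ) {
    return 'slal_' . $kind . '_' . md5( strtolower( $identifier ) );
}

function slal_failures( $kind, $identifier ) {
    $count = get_transient( slal_key( $kind, $identifier ) );
    return $count ? (int) $count : 0;
}

function slal_record_failure( $kind, $identifier ) {
    // Re-setting the transient restarts the window on every failure, so a
    // slow, steady guessing stream cannot simply outlast the counter.
    set_transient( slal_key( $kind, $identifier ), slal_failures( $kind, $identifier ) + 1, SLAL_WINDOW_SECONDS );
}

function slal_is_locked( $kind, $identifier ) {
    return slal_failures( $kind, $identifier ) >= SLAL_MAX_ATTEMPTS;
}

// Fires on every failed login, including attempts refused below, so each
// blocked attempt extends the lockout. Counting the username as well as the
// IP protects a single account against guesses spread over many addresses.
function slal_on_login_failed( $username ) {
    slal_record_failure( 'ip', slal_client_ip() );
    if ( '' !== $username ) {
        slal_record_failure( 'user', $username );
    }
}
add_action( 'wp_login_failed', 'slal_on_login_failed' );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out client is refused even when it finally guesses correctly.
function slal_authenticate( $user, $username, $password ) {
    if ( slal_is_locked( 'ip', slal_client_ip() ) || ( '' !== $username && slal_is_locked( 'user', $username ) ) ) {
        // A generic message: it must not reveal whether the username exists.
        return new WP_Error( 'too_many_attempts', __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'slal_authenticate', 30, 3 );

// A successful login clears the counters for that client and account.
function slal_on_login( $user_login ) {
    delete_transient( slal_key( 'ip', slal_client_ip() ) );
    delete_transient( slal_key( 'user', $user_login ) );
}
add_action( 'wp_login', 'slal_on_login' );
```

Two caveats worth knowing before relying on something like this: transients live in the options table (or the object cache), so on a site without a persistent object cache every failed attempt costs a database write, and an attacker who rotates IPs is only slowed by the per-username counter, which is why the username lockout matters as much as the IP one.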
3. Secure WordPress Users with Strong Passwords
The stronger your WordPress user account password is, the harder it is to guess. It takes 0.29 milliseconds to crack a seven-character password. But, a hacker needs two centuries to crack a twelve-character password!
Ideally, a strong password is a twelve-character-long alphanumeric string. The password should contain upper and lower case letters as well as other ASCII characters.
While everyone can benefit from using a strong password, you may only want to force people with Author level capabilities and above to have strong passwords.
The iThemes Security Pro Passwords Requirement feature allows you to force specific users to use a strong password.
4. Refuse Compromised Passwords
Even though 91% of people know reusing passwords is poor practice, 59% of people still reuse their passwords everywhere! Many of these people are still using passwords that they know have appeared in a database dump.
Hackers use a form of brute force attack called a dictionary attack. A dictionary attack is a method of breaking into a WordPress website with commonly used passwords that have appeared in database dumps. The “Collection #1” data breach that was hosted on MEGA included 1,160,253,228 unique combinations of email addresses and passwords. That is billion with a b. That kind of score will really help a dictionary attack narrow down the most commonly used WordPress passwords.
You must prevent users with Author level capabilities and above from using compromised passwords. You may also consider not letting your lower-level users use compromised passwords.
It is completely understandable and encouraged to make creating a new customer account as easy as possible. However, your customer may not know that the password they are using has been found in a data dump. You would be doing your customer a great service by alerting them to the fact that the password they are using has been compromised. If they are using that password everywhere, you could save them from some major headaches down the road.
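Tips 3 and 4 together, as an added example plugin (not iThemes Security Pro's Passwords Requirement feature, whose internals are not described here): for any user who can publish (Authors and above hold `publish_posts`; Contributors and Subscribers do not) the password is checked against the article's rule of twelve characters with upper case, lower case and another ASCII character, and then against a breach corpus. The breach lookup uses the public Pwned Passwords range API, which is a technique chosen for this example rather than something the article names; it sends only the first five hex digits of the password's SHA-1 hash, so the password itself never leaves the site. The `ppp_` prefix, the error messages and the decision to fail open when the API is unreachable are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Password Policy for Publishers (example)
 *
 * Rejects weak and breached passwords for users who can publish.
 * Assumed: the strength rule follows the article; the breach lookup via the
 * Pwned Passwords range API is a choice made for this example, not iThemes'.
 */

// Return a list of what $password is missing; empty when it passes the policy.
function ppp_strength_problems( $password ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'at least 12 characters';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'an upper-case letter';
    }
    if ( ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'a lower-case letter';
    }
    if ( ! preg_match( '/[^A-Za-z]/', $password ) ) {
        $problems[] = 'a digit or symbol';
    }
    return $problems;
}

// Parse a range response ("SUFFIX:COUNT" per line) and return how often the
// password was seen. Kept separate from the HTTP call so it can be exercised
// offline with a constructed body, e.g. "0018A45C4D1DEF81644B54AB7F969B88D65:3".
function ppp_breach_count_from_range( $password, $range_body ) {
    $suffix = substr( strtoupper( sha1( $password ) ), 5 );
    foreach ( preg_split( '/\r?\n/', $range_body ) as $line ) {
        $parts = explode( ':', trim( $line ) );
        if ( count( $parts ) === 2 && $parts[0] === $suffix ) {
            return (int) $parts[1];
        }
    }
    return 0;
}

// k-anonymity lookup: only the 5-character hash prefix is sent.
function ppp_breach_count( $password ) {
    $prefix   = substr( strtoupper( sha1( $password ) ), 0, 5 );
    $response = wp_remote_get( 'https://api.pwnedpasswords.com/range/' . $prefix, array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return -1; // lookup unavailable; the caller decides whether to fail open
    }
    return ppp_breach_count_from_range( $password, wp_remote_retrieve_body( $response ) );
}

// Does the policy apply? Existing users are checked by capability; a user
// being created has no ID yet, so fall back to the role chosen on the form.
function ppp_policy_applies( $user ) {
    if ( ! empty( $user->ID ) ) {
        return user_can( $user->ID, 'publish_posts' );
    }
    $role = ! empty( $user->role ) ? get_role( $user->role ) : null;
    return $role ? $role->has_cap( 'publish_posts' ) : false;
}

// Shared validator: both hooks below pass a WP_Error collector and a user.
function ppp_validate( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! ppp_policy_applies( $user ) ) {
        return; // no password change submitted, or a low-privilege user
    }
    $password = wp_unslash( $_POST['pass1'] );
    $problems = ppp_strength_problems( $password );
    if ( $problems ) {
        $errors->add( 'weak_password', 'Password must contain ' . implode( ', ', $problems ) . '.' );
        return;
    }
    if ( ppp_breach_count( $password ) > 0 ) { // -1 (API down) fails open here
        $errors->add( 'pwned_password', 'This password has appeared in a known data breach. Please choose a different one.' );
    }
}

// Profile edits and new users created in wp-admin.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    ppp_validate( $errors, $user );
}, 10, 3 );

// Password resets through the "lost password" flow.
add_action( 'validate_password_reset', 'ppp_validate', 10, 2 );
```

Whether to fail open or closed when the breach API is unreachable is a policy choice: failing closed blocks every password change during an outage, failing open (as above) lets a breached password through until the next change. For the customer-account case discussed in the last paragraph, the same `ppp_breach_count()` check can be run without the strength rule and surfaced as a warning rather than an error, which keeps sign-up frictionless while still telling the customer their password has been seen in a dump.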