Secure WordPress

14 Tips to Protect Your Users


Protecting your users is a step that is often forgotten when securing a website, and that is a real weakness.

Plugins, themes and users are the three doors into your website from the outside, which is why the login page and your users' or customers' accounts need to be protected together.

Securing a WordPress website means following a few steps; here are some of them that the SecuPress plugin handles for you.

Add a Recovery E-Mail Address

Adding a second e-mail address as a recovery address is a well-known mechanism, used by Google among others. If your account is compromised, security instructions are sent to this recovery address.

SecuPress Recovery Email Field

Adding this address is a non-negligible security gain, and SecuPress does it for you.

Add a Limit of Login Attempts

By default WordPress allows an unlimited number of login attempts, which lets bots brute-force your password at their leisure.

My tip is to limit these attempts to about 10: 3 is a little too low, since anyone can mistype a password, but nobody does so 10 times in a row!

Ban These Bad Attempts

Once the 10 attempts are used up, what should you do? Ban the IP address of this bot or person for about 5 minutes. If it carries on, ban it for a few hours or days to discourage it.

Ban Attempts with Unknown Login Names

If someone is trying to log in with a login name that does not exist on the site, admin for example, why let them try even once? There is no point: if a bot is cycling through names to find a valid one, ban its IP address as in the previous tip.

Avoid Logins when you’re Sleeping

You know you go to bed at 11pm and wake up at 7am? Then why allow logins during that time at all? Close the door so that nobody can connect to your WordPress dashboard while you are not supposed to be up.

SecuPress Attempt Blocker module: the 4 previous rules in a single option
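The four rules above, written as an added example in the form of a WordPress must-use plugin (this is not SecuPress code; the sp_example_* names, transient keys and thresholds are this example's own assumptions):

```php
<?php
// Added example, not SecuPress code: a must-use plugin that applies the four rules above
// with WordPress transients. All names (sp_example_*) and thresholds are this example's own.
const SP_MAX_ATTEMPTS = 10;                      // 3 is too low; 10 failures in a row is no typo
const SP_FIRST_BAN    = 5 * MINUTE_IN_SECONDS;   // first ban: 5 minutes
const SP_BAN_GROWTH   = 12;                      // then 1 hour, then 12 hours, ... for repeat offenders
const SP_SLEEP_FROM   = 23;                      // 11 pm in the site's timezone
const SP_SLEEP_UNTIL  = 7;                       // 7 am
function sp_example_ip() {
    // Trust REMOTE_ADDR only: forwarded headers are attacker-chosen unless a trusted proxy sets them.
    return sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function sp_example_ban( $ip ) {
    $strikes = (int) get_transient( 'sp_strikes_' . $ip ) + 1;
    set_transient( 'sp_strikes_' . $ip, $strikes, WEEK_IN_SECONDS );
    $ttl = SP_FIRST_BAN * pow( SP_BAN_GROWTH, $strikes - 1 );   // 5 min, 1 h, 12 h, 6 days ...
    set_transient( 'sp_banned_' . $ip, time() + $ttl, $ttl );
    delete_transient( 'sp_fails_' . $ip );
}

// Rules 1 and 2: count failures per IP and ban once the limit is reached.
add_action( 'wp_login_failed', function () {
    $ip    = sp_example_ip();
    $fails = (int) get_transient( 'sp_fails_' . $ip ) + 1;
    set_transient( 'sp_fails_' . $ip, $fails, HOUR_IN_SECONDS );
    if ( $fails >= SP_MAX_ATTEMPTS ) {
        sp_example_ban( $ip );
    }
} );
// Priority 30 runs after core's username/e-mail checks (priority 20), so a WP_Error here is final.
add_filter( 'authenticate', function ( $user, $username ) {
    $ip     = sp_example_ip();
    $denied = new WP_Error( 'sp_denied', 'Login is not possible right now. Please try again later.' );
    if ( get_transient( 'sp_banned_' . $ip ) ) {
        return $denied;
    }
    // Rule 3: a login name that exists nowhere on the site is a guess; ban on the first try.
    if ( '' !== $username && ! username_exists( $username ) && ! email_exists( $username ) ) {
        sp_example_ban( $ip );
        return $denied;
    }
    // Rule 4: no logins between 11 pm and 7 am (the window crosses midnight, hence the OR).
    $hour = (int) current_time( 'G' );
    if ( $hour >= SP_SLEEP_FROM || $hour < SP_SLEEP_UNTIL ) {
        return $denied;
    }
    return $user;
}, 30, 2 );
```

Attempts made while an address is banned still count as failures, so an address that keeps hammering the form is re-banned with a longer duration each time, which is the escalation described above.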

Avoid Double Connections

When you are already logged in to your admin account, why let someone else log in with the same account at the same time? There is no reason to: refuse any new login to your account while you are already using it, even if that person has your password.

Anti-Double Connection module in SecuPress

Delete Multiple Sessions of Your Users

Do you have doubts about a member who is logged in 5 or 10 times with the same account? Or about someone being logged in to your own account? Cut those users' sessions, or your own, to force a fresh login with the password.

Users Sessions Control module in SecuPress
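Both the anti-double-connection rule and the session cut described in the last two tips, as an added example built on WordPress's own session token API (this is not SecuPress code; the sp_example_* names and the “Cut sessions” row action are this example's own assumptions):

```php
<?php
// Added example, not SecuPress code: refuse a second login while a session is active, and give
// administrators a "Cut sessions" row action. All sp_example_* names are this example's own.

// Runs after core has verified the password (priority 20), so $user is a WP_User on success.
add_filter( 'authenticate', function ( $user ) {
    if ( ! $user instanceof WP_User ) {
        return $user;   // null or WP_Error: nothing to protect yet
    }
    // get_all() returns only unexpired sessions; any entry means the account is in use right now,
    // so a correct password (stolen or not) does not open a second seat.
    if ( ! empty( WP_Session_Tokens::get_instance( $user->ID )->get_all() ) ) {
        return new WP_Error( 'sp_in_use', 'This account already has an active session.' );
    }
    return $user;
}, 30 );

// Cut every session of a user: their next request lands on the login page.
function sp_example_cut_sessions( $user_id ) {
    WP_Session_Tokens::get_instance( (int) $user_id )->destroy_all();
}

// Keep only the browser you are using and drop the rest (doubt about your own account).
function sp_example_keep_this_session_only() {
    $token = wp_get_session_token();
    if ( $token ) {
        WP_Session_Tokens::get_instance( get_current_user_id() )->destroy_others( $token );
    }
}

// Row action on the Users screen, nonce-protected and limited to people who may edit that user.
add_filter( 'user_row_actions', function ( $actions, $user ) {
    if ( current_user_can( 'edit_user', $user->ID ) ) {
        $url = admin_url( 'admin-post.php?action=sp_example_cut&user_id=' . $user->ID );
        $url = wp_nonce_url( $url, 'sp_example_cut_' . $user->ID );
        $actions['sp_cut'] = '<a href="' . esc_url( $url ) . '">Cut sessions</a>';
    }
    return $actions;
}, 10, 2 );

add_action( 'admin_post_sp_example_cut', function () {
    $user_id = (int) ( $_GET['user_id'] ?? 0 );
    check_admin_referer( 'sp_example_cut_' . $user_id );   // dies on a bad or missing nonce
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to cut this user\'s sessions.' );
    }
    sp_example_cut_sessions( $user_id );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
} );
```

A session that was closed without logging out keeps blocking new logins until its cookie expires (2 days by default, 14 with “Remember Me”), which is exactly when the session cut is needed.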

Don’t Type Any Password Again

Imagine not having to remember and type your password to log in. This is possible with the double-authentication method called PasswordLess.

SecuPress includes this module: you enter only your login or e-mail (or recovery e-mail), then you receive by e-mail a special link, valid only once, that logs you in.

Even if someone has your password, they will not be able to log in.

Double Authentication module in SecuPress

Leave Bots at the Door

With a CAPTCHA on the login page, bots can no longer use the form: your website is now bot-proof.

CAPTCHA module in SecuPress

Don’t Let Passwords Get Old

A password should always stay young (how lucky!). I strongly recommend resetting it from time to time, and limiting the lifetime of a password is a good way to enforce this.

Passwords Lifetime module in SecuPress

Use a Strong Password

We have already talked about this: a password should withstand attacks when bots come knocking at your door (or is it closed?). Read our post again, then force your members to use a strong password.

Force Strong Passwords module in SecuPress

Ask for Old Password

When you change your password, WordPress does not ask for the current one. For us, that is a security gap.

This is why SecuPress adds an “Old Password” field; you can only continue once it is filled in correctly. This stops anyone near your computer from changing your password while you step away for a moment, and anyone who has stolen your session from doing the same.

Password Change module in SecuPress
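The old-password check described above, as an added example hooked into the WordPress profile page (this is not SecuPress code; the current_pass field name and the sp_example_* names are this example's own assumptions):

```php
<?php
// Added example, not SecuPress code: the profile page only accepts a new password when the
// current one is supplied and verifies. The field name current_pass is this example's own.

// Add an "Old Password" field to the user's own profile (show_user_profile fires only there).
add_action( 'show_user_profile', function () {
    echo '<table class="form-table"><tr>';
    echo '<th><label for="current_pass">Old Password</label></th>';
    echo '<td><input type="password" name="current_pass" id="current_pass" class="regular-text" autocomplete="current-password" /></td>';
    echo '</tr></table>';
} );

// Validate before WordPress saves. Adding to $errors aborts the whole update.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! $update || empty( $_POST['pass1'] ) ) {
        return;   // no password change requested
    }
    if ( (int) $user->ID !== get_current_user_id() ) {
        return;   // an administrator editing another account is out of scope here
    }
    // $user is built from the form and carries the *new* password; the stored hash comes from the database.
    $stored = get_userdata( (int) $user->ID );
    $given  = (string) wp_unslash( $_POST['current_pass'] ?? '' );
    if ( '' === $given || ! wp_check_password( $given, $stored->user_pass, $stored->ID ) ) {
        // A passer-by or a stolen session cannot set a new password without knowing the old one.
        $errors->add( 'sp_old_password',
            '<strong>Error:</strong> Enter your current password to set a new one.' );
    }
}, 10, 3 );
```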

Forbid the Usage of Strange Login Names

By default WordPress allows any name as a login. It is wise, however, to forbid names like “www”, “admin”, “administrator”, etc. These names could be used to impersonate a staff member of your website, or to trick the system when the login name is used as a subdomain (imagine www…).

Forbid Usernames module in SecuPress

Blocking the use and creation of users with such names is a good security measure for your WordPress site.

Move the Login Page

Bots already know where to look for the login page of a WordPress website. This is why you should move it, using the SecuPress module “Move Login”.

You can hide it not only from bots but also from humans (so you had better have a good memory!).

The Move Login module in SecuPress

14 tips to apply, 14 security rules to protect your users and your website. SecuPress can do all of this for you in a few clicks.