If you’re a WordPress site administrator, you know there’s a lot involved when it comes to security and maintenance. And in these days of disgruntled employees and cybercrime, keeping track of anyone and anything that has access to your site is imperative—and something of a challenge. Yes, this is where we need to talk about user management in WordPress.
This is especially true if your site allows user registrations from people who will be an Editor, Author, Contributor, or something else. This isn’t to imply that these users aren’t or won’t be trustworthy, but from a security standpoint, you want to be prepared for anything.
WordPress does come with built-in functionality for user management, but it’s limited, especially when it comes to the amount of control you’ll have over your users. In fact, other than making it possible for your site to accept user registrations, it doesn’t offer much else.
That means a user could register to comment and then leave a dormant account sitting there indefinitely. If you have a busy site, imagine the extra time you’d need to spend administering dormant accounts.
So what options are available to you if you would like to better secure your site? Are you stuck with the minimal security that WordPress’ built-in User Management offers?
No.
Securing WordPress User Management
Fortunately, you’re not limited to what WordPress offers out of the box. The following sections detail several options that add security to user roles and accounts.
Adding Two-Factor Authentication
One of the easiest ways for a hacker to access your site is a brute force attack. This is simply an automated script let loose on your login page that attempts to guess usernames and passwords. If any of your users registered with a weak password, guessing it is fairly simple.
The best way to protect against this is to require your users to set up 2FA (Two-Factor Authentication) when signing up.
Hopefully, you’re already using 2FA for your own sign-in. Let’s discuss how you can set that up for your users as well.
WP 2FA
As already mentioned, some sites have specific roles for positions like Authors and Editors. And there’s a good chance those users have been vetted before they can register. So let’s assume the Admin has some degree of trust in them.
However, there are many sites that require anyone who wants to comment on a blog post to register, and in this case, it’s pretty much an open-door policy. Open doors typically mean decreased security, and that’s the last thing you want.
This is where WP 2FA comes in. A second authentication step is added to all login pages, giving the administrator the means to better secure their website and data. To access your site, users will need to provide two forms of authentication, which protects their credentials and your data even if a password is guessed or leaked. You can even set this up so users don’t have access to your dashboard.
This is a great first step to moving beyond built-in WordPress functionality, but there’s more.
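The second form of authentication a plugin like WP 2FA checks is most often a time-based one-time code from an authenticator app. The following is an added example, not WP 2FA’s own code, showing what that server-side check involves in plain PHP: decoding the shared secret, computing the RFC 6238 code for the current time step, and comparing it in constant time while allowing one step of clock drift either way. The secret, the time value and the window size used in the usage call at the bottom are assumptions for illustration.

```php
<?php
// Added example: TOTP (RFC 6238) verification as an authenticator app's second factor.
// Not code from WP 2FA; the constants and sample values are assumptions.

// Decode an RFC 4648 base32 string (the format authenticator apps are provisioned with).
function base32_decode_rfc4648( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    foreach ( str_split( $b32 ) as $ch ) {
        $idx = strpos( $alphabet, $ch );
        if ( $idx === false ) {
            throw new InvalidArgumentException( 'invalid base32 character' );
        }
        $bits .= str_pad( decbin( $idx ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) { // drop the trailing partial byte
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation.
function hotp( string $key, int $counter, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $key, true );
    $offset = ord( $hash[19] ) & 0x0F;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7F ) << 24 )
            | ( ( ord( $hash[ $offset + 1 ] ) & 0xFF ) << 16 )
            | ( ( ord( $hash[ $offset + 2 ] ) & 0xFF ) << 8 )
            |   ( ord( $hash[ $offset + 3 ] ) & 0xFF );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: the counter is the number of $period-second steps since the Unix epoch.
// $window steps on either side are accepted to tolerate clock drift between app and server.
function totp_verify( string $b32_secret, string $submitted, int $now, int $period = 30, int $window = 1 ): bool {
    $key  = base32_decode_rfc4648( $b32_secret );
    $step = intdiv( $now, $period );
    for ( $i = -$window; $i <= $window; $i++ ) {
        // hash_equals() avoids leaking how many leading digits matched through timing.
        if ( hash_equals( hotp( $key, $step + $i ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Usage with assumed values: the secret is the base32 form of the RFC 6238 test key
// "12345678901234567890"; the time and code are inputs a login form would supply.
var_dump( totp_verify( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59 ) );
```

In a real deployment the secret is stored per user (encrypted at rest), a code that has already been accepted is recorded so it cannot be replayed within the window, and the verification is hooked into the login flow after the password check rather than called directly.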
WP Admin Audit
Let’s say you’ve covered all your bases—or at least you think you have. You’re enforcing strong passwords and 2FA. But what about dormant user accounts? Someone who registered to leave a comment years ago, and they’ve never been back? And then there are current, long-term users. Sure they have a strong password, but is it getting changed regularly?
In this case, WP Admin Audit comes to your rescue. The Business and Enterprise levels of the plugin provide the functionality to deal with both user management issues.
Auto-Adjust / Auto-Disable Inactive Accounts
Based on a predefined period, the plugin can first change the role of an inactive user. For example, you’ve assigned someone the Administrator role, but after a dormant period the plugin adjusts that to a lesser role. Second, and again after a predetermined timeframe, it can simply disable that user account.
Once you’ve set this feature up, it means you’re not wasting precious time combing through and manually deactivating or adjusting old user accounts. This is a major element for enterprise-level user management in your WordPress installation.
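To make the two-stage idea concrete, here is an added example of the same behaviour written as a small must-use plugin using standard WordPress hooks. It is not WP Admin Audit’s code: it records each user’s last login, runs a daily WP-Cron sweep that demotes idle administrators and then disables accounts idle even longer, and refuses logins for disabled accounts. The thresholds, the meta key, the `disabled` role name and the choice of Editor as the demotion target are assumptions.

```php
<?php
/**
 * Plugin Name: Inactive Account Demotion (added example, not WP Admin Audit)
 *
 * Assumptions: 90 days idle demotes an administrator to editor, 180 days idle
 * disables the account. "Disabling" means assigning a custom role with no
 * capabilities and rejecting the login outright.
 */

const IAD_DEMOTE_AFTER  = 90 * DAY_IN_SECONDS;   // assumed threshold
const IAD_DISABLE_AFTER = 180 * DAY_IN_SECONDS;  // assumed threshold
const IAD_META_KEY      = 'iad_last_login';      // assumed user-meta key

// 1. Record the time of every successful login.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, IAD_META_KEY, time() );
}, 10, 2 );

// 2. A role with no capabilities at all; assigning it is the "disable" step.
add_action( 'init', function () {
    if ( ! get_role( 'disabled' ) ) {
        add_role( 'disabled', 'Disabled', array() );
    }
} );

// 3. Schedule the daily sweep once.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'iad_daily_sweep' ) ) {
        wp_schedule_event( time(), 'daily', 'iad_daily_sweep' );
    }
} );

// 4. The sweep: demote first, disable later.
add_action( 'iad_daily_sweep', 'iad_sweep_inactive_users' );

function iad_sweep_inactive_users() {
    $now    = time();
    $admins = count( get_users( array( 'role' => 'administrator', 'fields' => 'ID' ) ) );

    // get_users() with no paging is fine for modest sites; paginate on large ones.
    foreach ( get_users() as $user ) {
        $last = (int) get_user_meta( $user->ID, IAD_META_KEY, true );
        if ( $last === 0 ) {
            // No login seen since tracking began: measure from registration instead.
            $last = (int) strtotime( $user->user_registered );
        }
        $idle = $now - $last;

        if ( $idle >= IAD_DISABLE_AFTER && ! in_array( 'disabled', $user->roles, true ) ) {
            $user->set_role( 'disabled' );
        } elseif ( $idle >= IAD_DEMOTE_AFTER && in_array( 'administrator', $user->roles, true ) ) {
            // Never demote the last remaining administrator, or nobody can manage the site.
            if ( $admins > 1 ) {
                $user->set_role( 'editor' );
                $admins--;
            }
        }
    }
}

// 5. A role without capabilities can still sign in, so reject disabled accounts explicitly.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( $user instanceof WP_User && in_array( 'disabled', $user->roles, true ) ) {
        return new WP_Error( 'account_disabled', 'This account has been disabled due to inactivity.' );
    }
    return $user;
} );
```

Dropping this file into `wp-content/mu-plugins/` activates it without a dashboard step. Because WP-Cron only runs when the site receives traffic, a quiet site should trigger `wp-cron.php` from a real system cron job so the sweep actually runs daily.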
Enforce Periodic Password Changes
Even if all your users have password managers where they store this crucial information, even they can be hacked. In fact, one of the biggest password manager platforms was just hacked recently.
The message there is that even the strongest password may be vulnerable, which is why it’s recommended to change passwords regularly. And it’s probably true that most people don’t do that as often as they should.
WP Admin Audit has a password change enforcement feature that deals with that: a policy that requires users, depending on their role, to change their password after a specified number of days. In addition to enforcing the change, the plugin also sends users an advance notification to let them know they’re due for a mandatory change.
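The following added example, again not WP Admin Audit’s own code, shows how a role-based maximum password age can be enforced with standard WordPress hooks: the time of each password change is stored in user meta, a login is refused once the password is older than the limit for the user’s role (sending the user through the normal lost-password flow), and a daily job emails a warning a fixed number of days ahead. The per-role limits, the meta key, the warning lead time and the message wording are assumptions.

```php
<?php
/**
 * Plugin Name: Password Age Policy (added example, not WP Admin Audit)
 *
 * Assumptions: administrators must change every 60 days, editors and authors
 * every 90, everyone else every 180; a warning email goes out 7 days before.
 */

const PPE_META_KEY  = 'ppe_password_changed'; // assumed user-meta key
const PPE_WARN_DAYS = 7;                       // assumed lead time for the warning

// Maximum age in days for this user, taking the strictest of their roles.
function ppe_max_age_days( WP_User $user ): int {
    $limits = array( 'administrator' => 60, 'editor' => 90, 'author' => 90 ); // assumed
    $max    = 180;
    foreach ( $user->roles as $role ) {
        if ( isset( $limits[ $role ] ) ) {
            $max = min( $max, $limits[ $role ] );
        }
    }
    return $max;
}

// Record the change time after a lost-password reset...
add_action( 'after_password_reset', function ( $user ) {
    update_user_meta( $user->ID, PPE_META_KEY, time() );
} );

// ...and after a password edit on the profile page (the stored hash changes).
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $user = get_userdata( $user_id );
    if ( $user && $user->user_pass !== $old_user_data->user_pass ) {
        update_user_meta( $user_id, PPE_META_KEY, time() );
    }
}, 10, 2 );

// Block the login (before the password is checked) once the password is too old.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( ! $user instanceof WP_User ) {
        return $user;
    }
    $changed = (int) get_user_meta( $user->ID, PPE_META_KEY, true );
    if ( $changed === 0 ) {
        // First login since the policy was installed: start the clock instead of locking everyone out.
        update_user_meta( $user->ID, PPE_META_KEY, time() );
        return $user;
    }
    $max = ppe_max_age_days( $user );
    if ( ( time() - $changed ) >= $max * DAY_IN_SECONDS ) {
        return new WP_Error(
            'password_expired',
            sprintf( 'Your password is older than %d days. Use "Lost your password?" to set a new one.', $max )
        );
    }
    return $user;
} );

// Daily job: warn users who are exactly PPE_WARN_DAYS from expiry.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'ppe_daily_warning' ) ) {
        wp_schedule_event( time(), 'daily', 'ppe_daily_warning' );
    }
} );
add_action( 'ppe_daily_warning', function () {
    foreach ( get_users() as $user ) {
        $changed = (int) get_user_meta( $user->ID, PPE_META_KEY, true );
        if ( $changed === 0 ) {
            continue;
        }
        $age_days  = (int) floor( ( time() - $changed ) / DAY_IN_SECONDS );
        $days_left = ppe_max_age_days( $user ) - $age_days;
        if ( $days_left === PPE_WARN_DAYS ) {
            wp_mail(
                $user->user_email,
                'Password change due',
                sprintf( 'Your password expires in %d days. Please change it before then.', $days_left )
            );
        }
    }
} );
```

Hooking `wp_authenticate_user` rather than a later filter means the expired password is never verified at all, so the login form cannot be used to confirm whether a stale credential is still correct.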
Make Use of Other Out-of-the-Box WordPress Security Features
Of course, there are other means to secure your site that aren’t part of the user management feature.
Consider implementing the following security measures.
Edit and hide the WordPress login URL. Out of the box, every new WordPress site uses the same login URL. It’s your domain address followed by /wp-admin. This makes it remarkably easy for hackers to find the door to your admin area. But you can change and hide it.
Password protect your wp-admin directory. No authentication is required to reach your login page, so changing, hiding, and password-protecting it is a good idea. This can be done via cPanel or whatever panel your host uses.
Limit login attempts. Hackers use bots to repeatedly try to crack your login username or password. Many security plugins have a feature to limit this, blocking an IP after a predetermined number of attempts.
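As an added example of the login-attempt limiting described above, and not code from any plugin named on this page, here is a minimal must-use plugin that counts failed logins per source address in a WordPress transient and refuses further attempts once a limit is reached. The limit of five attempts, the fifteen-minute lockout, the transient prefix and the assumption that `REMOTE_ADDR` is the real client address (no reverse proxy in front) are all assumptions.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example, not a published plugin)
 *
 * Assumptions: 5 failures from one address lock that address out for 15
 * minutes; the transient expiring is the reset, so nothing needs cleaning up.
 */

const LLA_MAX_ATTEMPTS = 5;                        // assumed limit
const LLA_LOCKOUT      = 15 * MINUTE_IN_SECONDS;   // assumed lockout length

function lla_client_ip(): string {
    // Only REMOTE_ADDR is used: X-Forwarded-For is client-supplied and can be
    // forged unless your own proxy sets it, in which case map it here instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lla_transient_key( string $ip ): string {
    return 'lla_fail_' . md5( $ip ); // assumed prefix; md5 keeps the key short and option-safe
}

// Count each failure. Re-setting the transient restarts its expiry, so the
// lockout window extends while the attempts keep coming.
add_action( 'wp_login_failed', function () {
    $key   = lla_transient_key( lla_client_ip() );
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, LLA_LOCKOUT );
} );

// Final verdict on the login. Priority 30 runs after WordPress's own
// username/password handlers (priority 20), so this error is what wp_signon() sees.
add_filter( 'authenticate', function ( $user ) {
    $fails = (int) get_transient( lla_transient_key( lla_client_ip() ) );
    if ( $fails >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from this address. Please try again later.'
        );
    }
    return $user;
}, 30 );

// A successful login clears the counter so a user who mistyped twice is not penalised later.
add_action( 'wp_login', function () {
    delete_transient( lla_transient_key( lla_client_ip() ) );
} );
```

Transients live in the options table (or the object cache if one is configured), which is enough for a single site; a site behind several web servers without a shared cache would need the counter in a shared store so that all servers see the same lockout state.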
Conclusion
While WordPress does offer User Management, it is lacking when it comes to securing it. Building an online presence or business can be difficult to begin with. Don’t make things harder on yourself by neglecting some simple security.
Why not check out the plugins mentioned above? Using WP Admin Audit means you can set and forget some very basic, and very necessary, security functions. That is a huge step forward in achieving enterprise-level user management in WordPress.