This is the second part in a series of articles about security and how it affects your business. There is no doubt that fully handling website security requires technical skills. However, there are basic habits and practices you can follow to prevent the worst from happening.
Poor management of user accounts is one of the main sources of security issues.
So many users have been hacked simply because they were not taking the security of their account seriously. Many, despite all the buzz around it, are using the infamous admin account for everything.
And hold on tight… they also use passwords such as Password123. Oh, you’re one of them?
Ok, let me give you some easy tips on how to handle your accounts well. As a matter of fact, it’s not only applicable to WordPress but to any application or website that you use.
Admin is not a proper administrator username
Usernames are like passwords: the more complicated they are, the better.
How simple is “admin”? Well, it’s the first thing a hacker will try. Using the default admin account is like publishing in the newspaper where you hide your safe. So, be sure you replace the default admin account with your own as soon as you log in to a brand new WordPress website. In a perfect world, you want to set a strong username and a strong password.
Don’t use your administrator account for everything
Now that you have a fully set up administrator account, you need to stop yourself from overusing it. I know it’s hard, having one account for everything is convenient, but this should be avoided.
Keep your admin account for administrative tasks like the management of the themes, plugins and users only. If you also blog, create a user with an author role.
The reason is that WordPress doesn’t make much effort to hide usernames. So, even if you have a strong password, you don’t want the administrator username to be visible or easily found.
password123 has never been a legitimate password
Ideally, all passwords should be strong. The more complicated they are, the safer they will be. But here is the problem: the more complicated your password is, the harder it is to remember.
Here is the trick!
I personally like to use a pass-phrase when possible. It consists of picking a phrase I can easily remember and then replacing a few characters with special ones. The result is a password that’s easy to remember but very secure.
Start with a four-word sentence:
Complex Passwords are Safer
Turn words into shorthand, intentionally misspell a word or replace some characters with special ones. I just replace every
- “a” with “@”
- “l” with “|”
- “e” with “[”
- and finally “i” with “1”
C0mp|[x P@ssw0rds @r[ S@f[r
You can also add a meaningful number at the beginning or the end.
C0mp|[x P@ssw0rds @r[ S@f[r2014
You can remove the spaces if they’re not allowed by your application, but on WordPress you should be fine.
Simple, right? Just to be sure, you can always test your password with an online password checker such as this one: http://blog.kaspersky.com/password-check/ .
Remember your website will always be as strong as your weakest link, so don’t hesitate to ask all your users to set strong passwords.
If you’re already worried about remembering it, you may want to look into using a password manager, an application which stores all your passwords in encrypted storage.
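As an added example that is not part of the original post, the following Python script applies the substitutions above to a sentence and checks the result against a simple password policy; the policy’s numbers and the small common-password list are assumptions, and the script also treats “o” as “0” because the post’s own result does.

```python
"""Added example (not from the original post): builds a passphrase the way
the post describes and checks candidates against an assumed policy."""
import string

# Substitutions listed in the post, plus "o" -> "0", which the post's
# own result ("C0mp|[x") shows it also applied.
SUBSTITUTIONS = {"a": "@", "l": "|", "e": "[", "i": "1", "o": "0"}
REVERSED = {v: k for k, v in SUBSTITUTIONS.items()}
# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "password123", "admin", "123456", "qwerty"}


def passphrase_from_sentence(sentence: str, keep_spaces: bool = True) -> str:
    """Apply the post's substitutions to a memorable sentence."""
    result = sentence.translate(str.maketrans(SUBSTITUTIONS))
    if not keep_spaces:  # some applications reject spaces in passwords
        result = result.replace(" ", "")
    return result


def looks_like_common_word(password: str) -> bool:
    """True if the password is a common one, even when disguised with the
    usual substitutions or a trailing number (password checkers undo both)."""
    lowered = password.lower()
    for base in (lowered, lowered.rstrip(string.digits)):
        if base in COMMON_PASSWORDS:
            return True
        if base.translate(str.maketrans(REVERSED)) in COMMON_PASSWORDS:
            return True
    return False


def meets_policy(password: str, min_length: int = 16) -> list[str]:
    """Return the rules the password fails (empty list means it passes).
    Length matters most; the character-class rules are a common minimum."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if looks_like_common_word(password):
        problems.append("a common password in disguise")
    return problems
```

Running `meets_policy(passphrase_from_sentence("Complex Passwords are Safer"))` returns an empty list, while `meets_policy("P@ssw0rd123")` still flags the length and the disguised dictionary word.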
The proper role for the proper usage
You will quickly see that WordPress has some built-in roles with predefined permissions:
- Super admin (multisite only) – Can do everything on the entire network of sites
- Administrator – Can do everything on a single website
- Editor – Can publish and manage posts and pages including the ones coming from other users
- Author – Can publish and manage their own posts
- Contributor – Can write and manage their own posts but cannot publish them
- Subscriber – Can only manage their profile (usually visitors)
As you can see, you have quite a lot of options already. In most scenarios, you will end up with one administrator, one editor, several authors and, I hope, many subscribers. For more details you can visit the official WordPress page on Roles and Capabilities: http://codex.wordpress.org/Roles_and_Capabilities.