It’s about time we had a talk about renewing your security vows to your website. When was the last time you looked your website in the login prompt and asked it if you were doing everything you could to keep it safe? Everybody knows and has heard what needs to be done to keep a site safe, but how often do you put those principles to use? How often do you actually audit your site and look for places where you could improve security?

November is Security Month (I’m pretty sure I just made that up) and we’ve decided to put up a series of security related blog posts to help provide some easy things you can do to help improve the security of your site and keep it safe. Some of them you know, some of them you forgot, and some of them you never thought about, but all of them are worth revisiting for the sake of safety.

The first part of this series, Login Credential Safety and Integrity, is also an important part of the security mindset and we advise taking a read over that as well.

Avoid Credential Sharing and Use Roles Effectively

Just make sure you deactivate the correct user!

Especially as it pertains to WordPress, there are very few good reasons to share your login credentials with another person. WordPress makes it terribly simple to add new users and provide them with their own login information. We see this breach of good security practice overlooked a lot when clients hire new developers or designers, or add new team members. It is always far simpler to send the existing login information than to provide the new person with a set of their own.

As with all things security, though, the easiest thing is rarely the most secure. With this in mind, consider the following things next time you need to bring somebody in on a project/website:

  • Always create new user accounts for new users. Sharing login information with a person is unnecessary with WordPress because of how easy it is to manage users. Providing new credentials for each new user is especially useful because of how easy it is to deactivate or remove a user who no longer needs access to the project/site. It is also useful because you know that changes made under an account were made by one specific person, which is important when you review the activity and usage on your site.
  • Make effective use of WordPress’s built-in roles and capabilities. There is a tendency to make every new user an administrator, and rarely do they actually need to be. If you have somebody who only ever needs to write and publish content, then they should have a role and capabilities that allow for that and nothing more. Not only does this help ensure security, but it also helps make sure that none of the site’s settings get changed by accident. Assigning roles properly also guarantees that users, passwords, and information on the site are available only to those who absolutely need them. Effective use of roles and capabilities is one of the most frequently overlooked forms of security. If the built-in roles and capabilities are not robust enough for your needs, consider using a role management plugin, such as User Role Editor.
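To show what both of those points look like in practice, here is an added example (not code from the original post or from WordPress itself) in the form of a small must-use plugin. It registers a narrow role that can only write and publish posts, creates one account per person with a random password that is never shared (the person receives a set-password link by email instead), and removes an account on offboarding while reassigning their content. The role name `content_publisher`, the `example_` function names, and the capability list are assumptions chosen for this illustration; the WordPress functions called (`add_role`, `wp_insert_user`, `wp_new_user_notification`, `wp_delete_user`, `get_users`) are real core APIs.

```php
<?php
/**
 * Least-privilege onboarding and offboarding for WordPress.
 * Added example, not part of the original post. Place in
 * wp-content/mu-plugins/ or load the functions with `wp eval-file`.
 * The role "content_publisher" and its capability list are assumptions.
 */

// 1. A narrow role: only what is needed to write and publish posts.
//    Nothing here grants plugin installs, theme edits, or user management.
function example_register_content_publisher_role() {
    if ( get_role( 'content_publisher' ) ) {
        return; // already registered; roles persist in the options table
    }
    add_role(
        'content_publisher',
        'Content Publisher',
        array(
            'read'                 => true,
            'edit_posts'           => true,
            'edit_published_posts' => true,
            'publish_posts'        => true,
            'delete_posts'         => true,
            'upload_files'         => true,
        )
    );
}
add_action( 'init', 'example_register_content_publisher_role' );

// 2. One account per person. The password is random and never sent anywhere;
//    WordPress emails the new user a link to choose their own.
function example_onboard_user( $login, $email, $role = 'content_publisher' ) {
    if ( username_exists( $login ) || email_exists( $email ) ) {
        return new WP_Error( 'exists', 'Account already exists; do not reuse it.' );
    }
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 32, true, true ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    wp_new_user_notification( $user_id, null, 'user' ); // 'user' = email only the new user
    return $user_id;
}

// 3. Offboarding: delete the account, keep its posts by reassigning them.
//    Both logins are looked up first so the wrong user is not removed.
function example_offboard_user( $login, $reassign_to_login ) {
    $user     = get_user_by( 'login', $login );
    $reassign = get_user_by( 'login', $reassign_to_login );
    if ( ! $user || ! $reassign || $user->ID === $reassign->ID ) {
        return new WP_Error( 'missing', 'Check both login names before deactivating.' );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    return wp_delete_user( $user->ID, $reassign->ID );
}

// 4. Quick audit: who currently holds administrator rights?
function example_list_administrators() {
    $admins = get_users( array( 'role' => 'administrator' ) );
    return wp_list_pluck( $admins, 'user_login' );
}
```

A practical way to use this is to run `example_list_administrators()` during a periodic review and move anyone who only writes content onto the `content_publisher` role; if the list is longer than the number of people who actually change settings, roles are not being used effectively.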
