Many of the ways people break into WordPress sites go through usernames. Keeping control of the different usernames and user roles is vital for protecting your website from both exterior and interior threats. While the people you have given access to might not intentionally do something horrible to your site, they might accidentally change settings or delete things if they have more access than they need. Here are some tips for keeping WordPress secure through usernames and roles.
Make Sure All Users Use Strong Passwords
This should be ingrained in everyone who uses a computer for anything: everyone needs to use a strong password. Passwords need to be at least eight characters long and should include an upper-case letter, a lower-case letter, and a number. You may also require users to include a special character, though some people feel that goes a bit too far. It all depends on what your WordPress blog contains and how secure you need it to be.
Change Your WordPress Administrator Username
When you install WordPress, the default administrator username is admin. Since this is the default, everyone knows it; in fact, certain malware and automated attacks specifically target the admin username, so it is a very good idea to change that username as soon as you can. Even adding a number to the end of it will help keep your site relatively secure.
Control Access to Your Site
Create user roles and limit their scope. Not everyone needs access to the entire WordPress site. For example, people who only contribute blog posts should only be able to add or modify their own entries; they should not be able to change other users’ posts, change the site’s theme, or add or delete widgets. No one other than the site administrator should have full administrative privileges. Also remember that not everyone needs access to the site at all: if someone does not need a login, there is no reason to give him or her one.
Delete Old Logins
When someone leaves your company or otherwise no longer needs access to your WordPress site, delete their login as soon as you can. This keeps your user list under control and prevents anyone who is no longer associated with the site from logging in and changing anything.
Protect Your Site with .htaccess
Using an .htaccess file helps protect your site from unauthorized login attempts. It is actually possible for your site to become unavailable because of the sheer number of unauthorized logins being attempted one after another. An .htaccess file can block some of these attempts before they ever reach WordPress. For example, you can specify that only users from a specific IP address may log in to the server, or you can allow only login requests that come from a trusted referrer (your own domain). Which method works best for your site depends on several factors, including whether you have a static IP address or a dynamic one.
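As an added example (not part of the original article), here are both .htaccess variants just described, written for Apache 2.4 with mod_authz_core and mod_rewrite enabled; the domain example.com and the address 203.0.113.10 are placeholders you would replace with your own values.

```apache
# Added example, not from the original article. Assumes this .htaccess sits
# in the WordPress document root on Apache 2.4. Keep only ONE of the two
# sections below: section 1 if you have a static IP address, section 2 if
# your address changes (dynamic IP).

# 1. Static IP: only the trusted address may reach the login page at all.
#    Everyone else receives a 403 before any WordPress code runs.
<Files "wp-login.php">
    Require ip 203.0.113.10
    # Several addresses or a whole range can be listed instead, e.g.:
    # Require ip 203.0.113.10 198.51.100.0/24
</Files>

# 2. Dynamic IP: reject login form submissions (POST to wp-login.php) whose
#    Referer header does not point back to this site. A Referer header can
#    be forged, so this only filters crude automated attempts and is no
#    substitute for strong passwords and a non-default admin username.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule ^wp-login\.php$ - [F,L]
```

After saving the file, confirm that you can still log in from your own address or browser before leaving it in place, since a typo here locks everyone out of the login page, including you.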