User management is a difficult task and a nightmare for webmasters and systems administrators. If not done properly, it can lead to a number of security issues. For example, there have been cases where employees still had access to confidential business data months, and sometimes even years, after leaving their job.
These types of user management issues also apply to websites, especially those running multi-user platforms such as WordPress. This article highlights five WordPress user management guidelines that will help you manage your WordPress users better, and so improve the security of your WordPress website.
Delete Unused WordPress Users
As a WordPress website owner, you have most probably created an account for your developer, one for your designer, one for your accountant, a few for your contributors, and the list goes on. Keep a record of all the users you create, so that when they are no longer needed you can delete them straight away. If there is content associated with the user you want to delete, assign it to another user that does not have administrative rights. The fewer users you have, the easier it is to manage them and to keep track of the changes they make on your WordPress website.
Use the WordPress Contributor Role for Guest Authors
If you have contributing authors, create WordPress users with the Contributor role for them. Contributors cannot publish any content without your approval. By using the Contributor role for guest bloggers, you leave an attacker very few options for damaging the website should a guest blogger's account be compromised, for example through a weak password.
Create a Common Contributor Account for All Guest Authors
An even better and more restrictive solution than the above is to create a single common Contributor account for all your guest authors. With one common user there is much less to manage, and it is even easier to monitor that WordPress user's activity. If you want to give recognition to the author who wrote a blog post, mention the guest author in a footer text on every post.
Use WordPress Users Roles
Apply the principle of least privilege when creating new WordPress users. In other words, do not assign users any privileges they do not need. For example, a guest blogger's WordPress user does not need the Administrator role. Read Using WordPress roles to improve the security of your WordPress website for more detailed information on how to use them.
Also related to WordPress roles: if you have WordPress users that are not being used but that you cannot delete, perhaps because they will be needed in the near future, change their role to No Role For This Site. Then, even when they log in, they cannot do anything, so if such a WordPress user is hijacked the damage it can do is very limited.
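Both the advice to delete unused accounts and the advice to set idle accounts to No Role For This Site depend on knowing which accounts are actually idle, and WordPress records no last-login time by default. The must-use plugin below is an added example written for this article, not code from the original post or from WP White Security: it stores each user's last successful login in user meta and adds a WP-CLI command (the hypothetical `wp user-audit stale`) that lists accounts with no login in a given number of days and, with `--demote`, removes their roles. The file location `wp-content/mu-plugins/user-audit.php`, the meta key `ua_last_login` and the command name are all assumptions of the example.

```php
<?php
/**
 * Plugin Name: User Audit (added example; not part of the original article)
 * Description: Records each user's last login and adds a WP-CLI command that
 *              lists, and optionally demotes, accounts that have gone unused.
 * Install as wp-content/mu-plugins/user-audit.php (assumed location).
 */

// WordPress keeps no "last login" record of its own, so store one in user meta
// every time a login succeeds. The meta key name is an assumption of this example.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'ua_last_login', time() );
}, 10, 2 );

if ( defined( 'WP_CLI' ) && WP_CLI ) {

    /**
     * Lists accounts with no login in the last N days; --demote removes their roles.
     *
     * ## OPTIONS
     *
     * [--days=<days>]
     * : Report accounts with no login in this many days. Default: 90.
     *
     * [--demote]
     * : Remove every role from the reported non-administrator accounts
     *   (the same effect as "No Role For This Site" in the admin UI).
     *
     * ## EXAMPLES
     *
     *     wp user-audit stale --days=60
     *     wp user-audit stale --days=60 --demote
     */
    class UA_Stale_Users_Command {
        public function __invoke( $args, $assoc_args ) {
            $days   = max( 1, (int) ( $assoc_args['days'] ?? 90 ) );
            $demote = isset( $assoc_args['demote'] );
            $cutoff = time() - $days * DAY_IN_SECONDS;
            $found  = 0;

            foreach ( get_users() as $user ) {
                if ( empty( $user->roles ) ) {
                    continue; // already has no role on this site
                }
                $last = (int) get_user_meta( $user->ID, 'ua_last_login', true );
                if ( 0 === $last ) {
                    // No login recorded since this plugin was installed: fall back
                    // to the registration date so brand-new accounts are not flagged.
                    $last = (int) strtotime( $user->user_registered );
                }
                if ( $last > $cutoff ) {
                    continue; // used recently
                }
                $found++;
                WP_CLI::log( sprintf( '%-20s roles=%-15s last=%s',
                    $user->user_login,
                    implode( ',', $user->roles ),
                    gmdate( 'Y-m-d', $last )
                ) );

                if ( ! $demote ) {
                    continue;
                }
                if ( in_array( 'administrator', $user->roles, true ) ) {
                    // Never strip administrators automatically: review those by hand,
                    // so the last administrator can never be locked out by this command.
                    WP_CLI::warning( "skipped administrator {$user->user_login}" );
                    continue;
                }
                $user->set_role( '' ); // WP_User::set_role('') removes all roles
                WP_CLI::log( '  -> demoted to no role' );
            }
            WP_CLI::success( "$found stale account(s) found" );
        }
    }

    WP_CLI::add_command( 'user-audit stale', 'UA_Stale_Users_Command' );
}
```

Run `wp user-audit stale --days=90` first to review the list, then add `--demote` once you are satisfied with it. Accounts that are genuinely no longer needed can then be removed with WP-CLI's standard `wp user delete <login> --reassign=<user-id>`, which hands their content to the named account as the first guideline recommends.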
Keep an Audit Log of All the Changes that Happen on Your WordPress
You should also keep a WordPress audit trail in which all the changes that happen on your WordPress website are recorded. You can do so with a plugin such as WP Security Audit Log. When you keep an audit trail, it will contain information such as:
- Which users log in to your WordPress, when, and from where,
- All content and WordPress setup changes (including plugin and theme changes),
- WordPress user profile changes, such as password or email address changes,
- And much more!
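To make concrete what such a trail actually records, here is an added example: a small must-use plugin that hooks the WordPress actions behind the bullet points above and writes one JSON line per event to the PHP error log. It was written for this article and is not the WP Security Audit Log plugin or any of its code; the file location `wp-content/mu-plugins/audit-trail.php`, the `mat_` function prefix and the event names are assumptions of the example.

```php
<?php
/**
 * Plugin Name: Minimal Audit Trail (added example; not the WP Security Audit Log plugin)
 * Description: Writes one JSON line per security-relevant event to the PHP error log.
 * Install as wp-content/mu-plugins/audit-trail.php (assumed location).
 */

// Address the web server itself saw. X-Forwarded-For and similar headers are
// client-controlled, so they are deliberately not consulted here; behind a known
// reverse proxy, have the proxy rewrite REMOTE_ADDR instead.
function mat_client_ip() {
    if ( empty( $_SERVER['REMOTE_ADDR'] ) ) {
        return 'cli'; // WP-CLI and cron runs have no remote address
    }
    return sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) );
}

// Every entry carries a UTC timestamp, the event name, the source address and
// the acting user (0 when nobody is logged in, e.g. during a login attempt).
function mat_log( $event, array $data = [] ) {
    $record = array_merge( [
        'ts'    => gmdate( 'c' ),
        'event' => $event,
        'ip'    => mat_client_ip(),
        'actor' => get_current_user_id(),
    ], $data );
    error_log( 'AUDIT ' . wp_json_encode( $record ) );
}

// Who logged in, when and from where.
add_action( 'wp_login', function ( $login, $user ) {
    mat_log( 'login', [ 'user' => $login, 'user_id' => $user->ID ] );
}, 10, 2 );

// Failed logins: the username is attacker-supplied, so sanitise it before logging.
add_action( 'wp_login_failed', function ( $login ) {
    mat_log( 'login_failed', [ 'user' => sanitize_user( (string) $login ) ] );
} );

// Profile changes: record *that* the password or e-mail changed, never the values.
add_action( 'profile_update', function ( $user_id, $old ) {
    $new = get_userdata( $user_id );
    mat_log( 'profile_update', [
        'user_id'          => $user_id,
        'password_changed' => $new->user_pass !== $old->user_pass,
        'email_changed'    => $new->user_email !== $old->user_email,
    ] );
}, 10, 2 );

// Role changes are where privilege escalation shows up.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    mat_log( 'role_change', [ 'user_id' => $user_id, 'from' => $old_roles, 'to' => $role ] );
}, 10, 3 );

// Setup changes: plugins and themes.
add_action( 'activated_plugin', function ( $plugin ) {
    mat_log( 'plugin_activated', [ 'plugin' => $plugin ] );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    mat_log( 'plugin_deactivated', [ 'plugin' => $plugin ] );
} );
add_action( 'switch_theme', function ( $new_name ) {
    mat_log( 'theme_switched', [ 'theme' => $new_name ] );
} );

// Content changes: edited or published posts, skipping revisions and autosaves.
add_action( 'post_updated', function ( $post_id, $after, $before ) {
    if ( wp_is_post_revision( $post_id ) || wp_is_post_autosave( $post_id ) ) {
        return;
    }
    mat_log( 'post_updated', [
        'post_id'     => $post_id,
        'type'        => $after->post_type,
        'status_from' => $before->post_status,
        'status_to'   => $after->post_status,
    ] );
}, 10, 3 );
```

Each line is the literal prefix `AUDIT ` followed by one JSON object, so a log collector can match on the prefix and parse the rest. Events go to the PHP error log, which on most hosts lives outside the web root; ship that file to a collector rather than writing into `wp-content`, where a misconfigured server could serve it to anyone. With a shared guest-author account, as suggested earlier in the article, the recorded source address is what tells one guest's activity apart from another's.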
Visit the plugin's page in the official WordPress plugin repository for more information on the plugin's capabilities. Also visit the WP Security Audit Log plugin website for details of the premium add-ons and the additional functionality they provide.
This is a Security Bloggers Network syndicated blog post authored by Robert Abela. Read the original post at: WP White Security