Setting Up Basic WordPress Account Security


Setting up Basic WordPress User Account Security
Last Reviewed

5th April 2023

📄 Summary
When working with multiple admins and users on a website, such as Editors, Writers, and
Developers, the foundations of the WordPress account must be secure.

While the people working on the site may be fully trusted, if someone holding an Administrator
account has their details compromised, it can have devastating effects on the website.

This document will cover the best practices before granting other people account access. It
does not, however, go through more general WordPress protection.

Execution Time
10-30 Minutes

⏰ When To Run This Process
Before adding additional user accounts to WordPress

Outcome
A higher level of protection against compromised accounts

Tools & Services
N/A

SOP Series
This SOP is part of SOPs on setting up WordPress accounts.
1. Current SOP
2. How to Add a New User in WordPress and Select Their Role
3. Setting up a Gravatar Profile Picture
4. How to Set up a Bio In WordPress

Process
Before granting other people access to the WordPress dashboard, several precautions should be
taken. These are broken into the steps below. Not all are required, but the more of them are in
place, the higher the level of protection.

1. Super Admin Setup
2. Password Policy
3. Mandatory 2FA
4. Limit Login Attempts
5. Account Role Policy

Super Admin Setup
In the majority of cases, Super Admin is simply a theoretical term. The only instance where this
role is visible is when a multisite network is used in WordPress.

Otherwise, the Super Admin role is assumed to be the person who initially set up the website
via their hosting provider.

Suppose the current owner did not set up the site, for example, because an agency, site
building service, or another third party did this for them. In that case, ensuring full ownership is
transferred correctly is essential.

Ensure that the actual owner has access to the Hosting Admin Dashboard by discussing with
the person who set the site up initially.

Password Policy
As users at any level can set their passwords manually, it is a good idea to ensure that they can
only use secure passwords.

To do this, it is necessary to install a plugin. There are many plugins available with varying
levels of options. Search for “Password Policy” in the Plugin directory and select the best-suited
one.

Remember that even with best practices in place, no one can predict a password breach or
lapse in security across the many services you and your employees use.
As a rule of thumb, ensure passwords:

➔ Are not obvious, e.g. 123456, password, password123
➔ Are not based on personal information, for example, your first pet or your mother's maiden
name
➔ Contain a selection of symbols, letters and numbers

For extra security, consider adopting Passphrases instead of Passwords. A passphrase could
be something like:

➔ “My favorite food is pizza!”
➔ “I have 14 dogs”
➔ “I like to stare @ the moon”

These are easier to remember, yet their length makes them far harder for anyone attempting a
brute force attack.
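The page leaves the choice of password-policy plugin to the reader. As an added illustration of what such a policy does, here is a small PHP snippet (not from the page or any named plugin) that rejects obvious passwords and short passwords while accepting the passphrases listed above. The plugin header, the `bpp_` function names, the 12-character minimum and the denylist are this example's own choices; the hooks `user_profile_update_errors` and `validate_password_reset` and the `pass1` form field are real WordPress APIs. It would be dropped into `wp-content/mu-plugins/` as a single file.

```php
<?php
/**
 * Plugin Name: Basic Password Policy (added example)
 * Description: Refuses weak passwords on profile updates, new-user creation and password resets.
 */

// Minimum length chosen for this example; the passphrases quoted in the SOP all exceed it.
const BPP_MIN_LENGTH = 12;

// Constructed denylist of obvious passwords; a real deployment would use a much larger list.
const BPP_DENYLIST = array( '123456', 'password', 'password123', 'qwerty', 'letmein' );

/**
 * Return the list of policy violations for a candidate password (empty array = acceptable).
 * A passphrase of four or more words passes on length alone; anything shorter must mix
 * lower-case letters, upper-case letters or digits, and at least one symbol.
 */
function bpp_password_problems( $password, $username = '' ) {
	$problems = array();
	$lower    = strtolower( $password );

	if ( in_array( $lower, BPP_DENYLIST, true ) ) {
		$problems[] = 'Password is on the list of commonly used passwords.';
	}
	if ( '' !== $username && false !== strpos( $lower, strtolower( $username ) ) ) {
		$problems[] = 'Password must not contain the username.';
	}
	if ( strlen( $password ) < BPP_MIN_LENGTH ) {
		$problems[] = sprintf( 'Password must be at least %d characters long.', BPP_MIN_LENGTH );
	}

	$word_count    = count( preg_split( '/\s+/', trim( $password ) ) );
	$is_passphrase = $word_count >= 4;
	$has_mix       = preg_match( '/[a-z]/', $password )
		&& preg_match( '/[A-Z0-9]/', $password )
		&& preg_match( '/[^a-zA-Z0-9]/', $password );
	if ( ! $is_passphrase && ! $has_mix ) {
		$problems[] = 'Use a passphrase of four or more words, or mix letters, numbers and symbols.';
	}
	return $problems;
}

/**
 * Hook callback shared by the profile screen (user_profile_update_errors: $errors, $update, $user)
 * and the reset form (validate_password_reset: $errors, $user). Adding to the WP_Error makes
 * WordPress refuse the change and show the messages to the user.
 */
function bpp_enforce_policy( $errors, $update_or_user = null, $user = null ) {
	if ( empty( $_POST['pass1'] ) ) {
		return; // No password change was submitted.
	}
	$login = '';
	foreach ( array( $user, $update_or_user ) as $candidate ) {
		if ( is_object( $candidate ) && ! empty( $candidate->user_login ) ) {
			$login = $candidate->user_login;
			break;
		}
	}
	foreach ( bpp_password_problems( wp_unslash( $_POST['pass1'] ), $login ) as $msg ) {
		$errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
	}
}
add_action( 'user_profile_update_errors', 'bpp_enforce_policy', 10, 3 );
add_action( 'validate_password_reset', 'bpp_enforce_policy', 10, 2 );
```

With these rules, “password123” is rejected three times over (denylisted, too short, no symbol), while “I have 14 dogs” passes as a four-word passphrase. Any policy like this only governs passwords set through WordPress itself; accounts created by a hosting panel or imported from elsewhere are not checked.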

Mandatory 2FA
Two-factor authentication (2FA) requires the user to generate a unique code every time they log
in. This means that if a malicious entity can somehow acquire the user's login credentials, they
still cannot log in without the code.

Again, many plugins exist to add this functionality, each with its own options. Simply search
“2FA” in the Plugin Directory to see available options.

Limit Login Attempts
This tool limits the number of consecutive failed login attempts allowed against an account and
then freezes the account. There are multiple options for unfreezing the account, which can be
set in the plugin.

Add the “Limit Login Attempts Reloaded” plugin from the WordPress plugin directory to add this
functionality.
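To show what a lockout mechanism does underneath a plugin like the one named above, here is an added PHP example (not the plugin's code and not from the page) that counts failed logins per username in a WordPress transient and refuses further attempts once the limit is hit. The `bll_` names, the limit of 5 attempts and the 15-minute window are this example's own choices; `authenticate`, `wp_login_failed`, `wp_login` and the transient functions are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Basic Login Lockout (added example)
 * Description: Freezes an account after repeated failed logins, using WordPress transients.
 */

const BLL_MAX_ATTEMPTS    = 5;                       // failed attempts allowed inside the window
const BLL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;  // how long the counter (and the lockout) lives

// Transient names are length-limited, so key the counter on a hash of the normalised login.
function bll_key( $username ) {
	return 'bll_fail_' . md5( strtolower( trim( $username ) ) );
}

// Record one failed attempt and return the new total. Each failure restarts the window.
function bll_record_failure( $username ) {
	$key   = bll_key( $username );
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, BLL_LOCKOUT_SECONDS );
	if ( $count >= BLL_MAX_ATTEMPTS ) {
		// One log line per lockout gives log monitoring something concrete to alert on.
		$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
		error_log( sprintf( 'bll: account "%s" frozen after %d failed logins (last from %s)', $username, $count, $ip ) );
	}
	return $count;
}

function bll_is_locked( $username ) {
	return (int) get_transient( bll_key( $username ) ) >= BLL_MAX_ATTEMPTS;
}

// A successful login clears the counter.
function bll_clear( $username ) {
	delete_transient( bll_key( $username ) );
}

/**
 * Runs after core's own username/password check (priority 20), so a frozen account is refused
 * even when the submitted password is correct. Returning WP_Error from 'authenticate' also
 * fires 'wp_login_failed', which keeps extending the freeze while attempts continue.
 */
function bll_authenticate( $user, $username, $password ) {
	if ( '' !== $username && bll_is_locked( $username ) ) {
		return new WP_Error(
			'too_many_attempts',
			'<strong>Error:</strong> Too many failed login attempts. Try again in 15 minutes.'
		);
	}
	return $user;
}
add_filter( 'authenticate', 'bll_authenticate', 30, 3 );
add_action( 'wp_login_failed', 'bll_record_failure' );
add_action( 'wp_login', 'bll_clear' );
```

Keying on the username rather than the source address means distributed guessing against one account is still stopped, at the cost that an attacker can deliberately freeze a known account; the published plugins offer unlock-by-email and allowlists to address exactly that, which is why the SOP points to them rather than to hand-written code.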

Account Role Policy
Consider who needs which role in the WordPress dashboard, and limit higher-tier accounts to
only those who absolutely need them.

For example, a Writer does not need Editor access if they are not uploading and publishing the
content themselves.

When enabling Admin access for specific users, such as a developer, remove their admin
access once the work has taken place.
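Removing a developer's admin access "once the work has taken place" is easy to forget. As an added example, not from the page, the PHP below records an expiry date when temporary Administrator access is granted and a daily WP-Cron job demotes anyone whose date has passed. The `tae_` names, the meta key, the fallback role of Editor and the cron hook name are this example's own assumptions; `WP_User::set_role`, `get_users`, the user-meta functions and `wp_schedule_event` are real WordPress APIs. Permanent administrators carry no expiry meta and are never touched.

```php
<?php
/**
 * Plugin Name: Temporary Admin Expiry (added example)
 * Description: Demotes users whose time-limited Administrator access has expired.
 */

const TAE_META_KEY = 'tae_admin_until'; // user meta: Unix timestamp when admin access ends
const TAE_FALLBACK = 'editor';          // role the user drops back to

// Grant Administrator for a fixed number of days and record when it should end.
function tae_grant_temporary_admin( $user_id, $days ) {
	$user = get_user_by( 'id', $user_id );
	if ( ! $user ) {
		return false;
	}
	$user->set_role( 'administrator' );
	update_user_meta( $user_id, TAE_META_KEY, time() + $days * DAY_IN_SECONDS );
	return true;
}

// Demote every administrator whose expiry has passed; returns the affected logins.
function tae_expire_admins( $now = null ) {
	$now     = null === $now ? time() : $now;
	$demoted = array();
	foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
		$until = (int) get_user_meta( $user->ID, TAE_META_KEY, true );
		if ( $until > 0 && $until <= $now ) {
			$user->set_role( TAE_FALLBACK );
			delete_user_meta( $user->ID, TAE_META_KEY );
			$demoted[] = $user->user_login;
			error_log( sprintf(
				'tae: removed administrator role from "%s" (expired %s)',
				$user->user_login,
				gmdate( 'c', $until )
			) );
		}
	}
	return $demoted;
}

// Report who currently holds Administrator and whether their access is time-limited.
function tae_admin_report() {
	$rows = array();
	foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
		$until  = (int) get_user_meta( $user->ID, TAE_META_KEY, true );
		$rows[] = $user->user_login . ': ' . ( $until ? 'until ' . gmdate( 'Y-m-d', $until ) : 'permanent' );
	}
	return $rows;
}

// Schedule the daily check once; WP-Cron runs it on the next page load after it is due.
add_action( 'tae_daily_check', 'tae_expire_admins' );
add_action( 'init', function () {
	if ( ! wp_next_scheduled( 'tae_daily_check' ) ) {
		wp_schedule_event( time(), 'daily', 'tae_daily_check' );
	}
} );
```

Granting access with `tae_grant_temporary_admin( $developer_id, 14 )` gives two weeks, after which the user is silently returned to Editor and a line is written to the PHP error log. Because WP-Cron only fires on page visits, a quiet site may run the check later than scheduled; `tae_admin_report()` lets the owner verify the current list during a periodic review.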
