
Security page changes (5): Redoing Users

Open javiercasares opened this issue 4 years ago • 2 comments

Users (in general) are usually the weak link in the chain, so we should merge some sections about users into one big section.

OLD TEXT:

Throttling Multiple Login Attempts

One of the most common kinds of attacks targeting internet services is brute force login attacks. With this form of attack, a malicious party tries to guess WordPress usernames and passwords. The attacker needs only the URL of a user site to perform an attack. Software is readily available to perform these attacks using botnets, making increasingly complex passwords easier to find.

The best protection against this kind of attack is to set, recommend and/or enforce strong passwords for WordPress users.

It is also recommended for hosts to throttle login attempts at the network and server level when possible. It's helpful to throttle both the maximum logins per site over time and the maximum attempts per IP over time across the server or infrastructure to mitigate bot password brute-force attacks. This can be done at the plugin level as well, but not without incurring the additional resource utilization caused during these attacks.

A Note About Usernames

Some WordPress security guides recommend using unique usernames for WordPress administrator accounts. While well-intentioned, WordPress's REST API allows anyone to view many of the users for your WordPress website. You can see this for yourself by sending a request to the endpoint at /wp-json/wp/v2/users.

The WordPress project doesn’t consider usernames or user IDs to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.

Two-Factor Authentication

Two-factor authentication, also known as 2FA or two-step authentication, is a login scheme that uses a separate, second form of authentication when a user attempts to log in to a service with two-factor authentication enabled. The exact two-factor authentication setup varies from service to service, but it usually involves entering a code or interacting with an application on a smartphone when attempting to log in to a service. WordPress does not have two-factor authentication by default; however, there are several plugins that provide two-factor authentication for self-hosted WordPress websites.

WordPress Users and Roles

WordPress itself defines 5 default types of users (6 if WordPress Multisite is enabled). They are:

  • Super Administrator (If WordPress Multisite is enabled) - a superuser with access to the special WordPress Multisite administration features and all other normal administration features.
  • Administrator (slug: 'administrator') - a superuser for the individual WordPress website with access to all of the administration features in the website.
  • Editor (slug: 'editor') - a user who can publish posts and manage the posts of other users.
  • Author (slug: 'author') - a user who can publish posts and manage the user's own posts.
  • Contributor (slug: 'contributor') - a user who can write and manage the user's own posts but cannot publish them.
  • Subscriber (slug: 'subscriber') - a user who can manage the user's own profile only.

Super Administrators, Administrators, and Editors are all considered "trusted" users, meaning they have capabilities that could be abused to damage or compromise a WordPress site.

When WordPress is first installed, an Administrator account is automatically set up.

Plugins and themes can modify existing, as well as add additional types of, users and capabilities to WordPress beyond the defaults. These additional options are commonly used by plugins and themes to manage the functionality they add to WordPress.

NEW PROPOSAL:

Users

In general, when we talk about security, one of the most important factors is the users. This is something that is often difficult to control, since you cannot (usually) force them to do what you would like (such as setting a password with uppercase, lowercase, symbols, numbers and 36 characters). Still, there are always some recommendations to avoid being the weakest link in security.

User Roles

In WordPress, by default, there are 5 user roles:

  • Administrator / Super Administrator: as the name suggests, has permissions for everything.
  • Editor: can fully manage the editorial part of the site.
  • Author: can create, publish, and manage their own content.
  • Contributor: can create and manage their own content, but not publish it.
  • Subscriber: can manage their own data and profile.

Administrators and Editors must be people you trust on the platform, bearing in mind that an Administrator must have at least a minimum knowledge of all of WordPress, since they can alter settings that compromise the system.

The best thing is to have only the administrator users who really need it and, as a rule, to work only with users at the Editor level and below.

We must also take into account that WordPress can allow open user registration, so we should never allow these new users to have a higher level than Author.

Username

Usernames are public data that identify you, but the fact that they are public does not make them less secure. For example, it is very easy for you to find out my email address, my Twitter account or my name, but that does not make access to my email or Twitter less secure.

By default, WordPress can expose user IDs and usernames through its APIs.

Secure passwords

WordPress by default generates secure passwords for users both when it generates them automatically and when it suggests them to users.

If a password is not very secure, WordPress will automatically warn you and ask you to tick a checkbox confirming that you accept it, at your own risk.

Second Authentication Factor (2FA)

In any case, to avoid possible data leaks or the use of basic passwords, using, and requiring, a second authentication factor is highly recommended.

In this case, after entering the username and password on the login screen, you will be asked for a second code generated in a specific way.

You may be interested in the Two Factor plugin for managing authentication by mail, OTP and other systems.

javiercasares, Jun 06 '20 07:06
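Added example, not code from the hosting handbook or from WordPress itself, illustrating the host-level throttling described under "Throttling Multiple Login Attempts" above. It replays constructed log lines through a sliding-window model that enforces both limits the text recommends: a cap on failed attempts per source IP counted across every site on the host, and a cap on failed attempts per site counted across every source IP. The second cap is what catches a botnet that spreads its guesses over many IPs so that no single IP ever trips the first. The thresholds (300 s window, 10 failures per IP, 50 per site), the log line format and the sample traffic are all assumptions made for this example; the only WordPress-specific fact it relies on is that wp-login.php re-renders the form with HTTP 200 on a failed login and redirects (302) on success. In production the same two counters would live in the web server, a WAF or fail2ban rather than in Python, which is the point the handbook makes about avoiding plugin-level resource cost.

```python
"""Host-level login throttling model for WordPress: two sliding-window limits.

Added example (not code from the hosting handbook or from WordPress itself).
It replays constructed log lines and applies two independent limits:
  * max failed attempts per IP, counted across every site on the host
  * max failed attempts per site, counted across every source IP
"""
import re
from collections import defaultdict, deque

# Constructed line format for this example (not a real web-server log format):
# "<client_ip> <site_host> <unix_ts> POST /wp-login.php <status>"
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<site>\S+) (?P<ts>\d+) POST /wp-login\.php (?P<status>\d{3})$"
)


class LoginThrottle:
    """Sliding-window failure counters keyed by IP and by site (assumed thresholds)."""

    def __init__(self, window=300, max_per_ip=10, max_per_site=50):
        self.window = window              # seconds
        self.max_per_ip = max_per_ip      # failures from one IP, any site
        self.max_per_site = max_per_site  # failures against one site, any IP
        self._by_ip = defaultdict(deque)
        self._by_site = defaultdict(deque)

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the window.
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()

    def check(self, ip, site, now):
        """Return 'allow', 'block:ip' or 'block:site' for an attempt at time `now`."""
        ip_q, site_q = self._by_ip[ip], self._by_site[site]
        self._prune(ip_q, now)
        self._prune(site_q, now)
        if len(ip_q) >= self.max_per_ip:
            return "block:ip"
        if len(site_q) >= self.max_per_site:
            return "block:site"
        return "allow"

    def record_failure(self, ip, site, now):
        # Only attempts that reached WordPress and failed are counted, so a
        # blocked attacker cannot keep a site's counter pinned and lock out
        # legitimate users: blocked requests never reach wp-login.php at all.
        self._by_ip[ip].append(now)
        self._by_site[site].append(now)


def replay(lines, throttle=None):
    """Feed log lines through the throttle; returns (ip, site, ts, verdict) per line."""
    throttle = throttle or LoginThrottle()
    verdicts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, site, ts, status = m["ip"], m["site"], int(m["ts"]), m["status"]
        verdict = throttle.check(ip, site, ts)
        # WordPress re-renders the login form with HTTP 200 on a failed login
        # and redirects (302) on success, so 200 here means "wrong credentials".
        if verdict == "allow" and status == "200":
            throttle.record_failure(ip, site, ts)
        verdicts.append((ip, site, ts, verdict))
    return verdicts


def sample_log():
    """Constructed traffic: one noisy attacker, one distributed attack, one real login."""
    lines = []
    # 1) a single IP guessing passwords on site-a, one attempt every 5 s
    for i in range(12):
        lines.append(f"203.0.113.7 site-a.example {1000 + 5 * i} POST /wp-login.php 200")
    # 2) a botnet against site-b: 55 different IPs, one failed guess each
    for i in range(1, 56):
        lines.append(f"198.51.100.{i} site-b.example {1100 + i} POST /wp-login.php 200")
    # 3) a legitimate administrator on site-a, well after the attacker's window
    lines.append("192.0.2.10 site-a.example 2000 POST /wp-login.php 302")
    return lines


def summarize(verdicts):
    """Count verdicts per (site, verdict); useful for dry-running a policy before deploying it."""
    counts = defaultdict(int)
    for _ip, site, _ts, verdict in verdicts:
        counts[(site, verdict)] += 1
    return dict(counts)


if __name__ == "__main__":
    results = replay(sample_log())
    for ip, site, ts, verdict in results:
        if verdict != "allow":
            print(f"{ts} {ip:>15} {site:<16} {verdict}")
    print(summarize(results))
```

Running the module shows the single attacker being cut off at its 11th attempt by the per-IP limit, the botnet's last five guesses against site-b being cut off by the per-site limit even though each bot only tried once, and the real login on site-a at t=2000 going through because the attacker's failures have aged out of the window.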

About the user capabilities and roles, we should link to the Roles and Capabilities page so we don't over-explain or duplicate information.

javiercasares, Jun 06 '20 07:06

#15

javiercasares, Jun 06 '20 07:06

Moved to: https://github.com/WordPress/Advanced-administration-handbook/issues/154

javiercasares, Feb 17 '23 07:02