Websites can allow visitors to register as users in order to serve them better, giving them limited access to content or some incentives. This type of user access, and the data that comes with it, is important to most websites and businesses and should be protected.
Who has access to your website?
When it comes to giving people access to your site, the staff and vendors who help you maintain your website are often overlooked. They are generally granted levels of access to complete the tasks and maintenance required to run a website and business. As the site changes, staff and vendors come and go, so it is important to have a process for handling their user accounts. Like handing out keys to a brick-and-mortar business, you need to keep track of who has them and make sure they are safe.
In this post, we will be going over best practices for auditing and managing user accounts for your website using WordPress as an example.
Who can create user accounts?
Review all the different ways a user can create an account on your website.
User accounts are often created by registering through the front end. This method is usually offered to help store users’ information so they can do things like contribute content, participate in commenting, use forums or social communities, or purchase and manage order history in the case of eCommerce.
WordPress has a general setting to allow anyone to register for your site. This is disabled by default, but it is recommended if you want users to contribute content or comment on posts. The same settings also determine the default user role, which sets the permissions for new accounts.
Accounts can also be manually created and managed from the back end. This is generally the method used for adding administrative accounts with additional permissions.
Manually adding a user in WordPress is done through the Add New Users screen accessed through the dashboard.
Who has a user account?
Review the current accounts on the site, especially the administrative accounts. Are there any that shouldn’t be there, such as accounts belonging to a former employee or vendor? Periodically reviewing and cleaning up user accounts should be part of your off-boarding process. Leaving these inactive accounts in place is a vulnerability for your site.
In WordPress, account updates are made through the Users screen. From there you can set up all the user accounts you need, change user information, or delete users. You can also edit your own and other users’ personal information, such as name and email, from these user administration screens.
Review User Roles and Capabilities
For your current users, you should always limit their account access to just what they need. If users don’t need to alter the settings, they should not have access to do so. Limiting this access reduces your site’s exposure if the account is compromised. It also helps the user by giving them clearer pathways to the items they have access to and reducing UI clutter.
WordPress comes with a preset set of roles, each with fixed capabilities, ranging from fully administering the site, to editing and contributing content, to simply subscribing. There are additional resources and plugins for adding other roles if more options are needed.
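To make the role review concrete, here is an added example (not code from the original post) that lists every user holding a high-impact capability and flags any who get it through a role other than Administrator, the case where a custom role deserves a closer look. The `hall_` names, the `wp hall audit-caps` command name and the capability list are choices made for this example, not WordPress defaults.

```php
<?php
// Added example (not from the original post): list users who hold high-impact
// capabilities and flag any that receive them through a role other than
// Administrator. The "hall_" names and the capability list are choices made
// for this example, not WordPress defaults.

// Capabilities that let an account change the site or other accounts.
const HALL_SENSITIVE_CAPS = array(
    'manage_options',   // site settings, including "Anyone can register"
    'edit_users',       // edit other accounts' details and e-mail
    'promote_users',    // change other accounts' roles
    'install_plugins',  // add code to the site
    'edit_plugins',     // edit code already on the site
);

// One row per user holding at least one sensitive capability.
function hall_audit_sensitive_caps() {
    $rows = array();
    foreach ( get_users() as $user ) {
        $held = array();
        foreach ( HALL_SENSITIVE_CAPS as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $held[] = $cap;
            }
        }
        if ( empty( $held ) ) {
            continue; // nothing privileged on this account
        }
        $rows[] = array(
            'login'  => $user->user_login,
            'roles'  => implode( ',', $user->roles ),
            'caps'   => implode( ',', $held ),
            // A non-administrator role granting these caps is worth reviewing.
            'review' => in_array( 'administrator', $user->roles, true ) ? 'no' : 'yes',
        );
    }
    return $rows;
}

// Expose the report as `wp hall audit-caps` when the site is run under WP-CLI.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'hall audit-caps', function () {
        WP_CLI\Utils\format_items( 'table', hall_audit_sensitive_caps(),
            array( 'login', 'roles', 'caps', 'review' ) );
    } );
}
```

Drop the file into a plugin or `mu-plugins` directory; any row with `review = yes` is a user whose privileges come from somewhere other than the built-in Administrator role.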
Spotting Suspicious Accounts and Activities
If you think an account on your site has been compromised or if you would like to conduct a general review of all your site’s accounts, there are some basic steps you can follow to detect suspicious accounts and activities.
Check the Name
Usually you can find accounts created by bots, users entering fake information, and old testing accounts by looking at the username, first and last name, or email associated with the account. Depending on the account’s role, it may be harmless, but it should still be dealt with.
In WordPress, you can search for fake accounts using the search feature on the User screen. Use terms such as “test” or “fake” in your searches to find excess accounts.
Review User Activity
Often, just looking at user account logs and actions reveals whether an account is potentially dangerous. If an account can log in and leave a comment within a few seconds of being created, you know something is up. Reviewing an account’s Registered Date, Last Login Date, and Last Modified Date for inconsistencies can tell you a lot about whether the account is compromised. Activity on a long-dormant account, or a recent registration followed by a lot of rapid modifications, are just two examples.
WordPress provides most of this information, but additional plugins can be used to add more useful information and logging.
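Because WordPress core records the registration date but not the last login, the following added example (not code from the original post) stores the two most recent login times in user meta and then checks each account for the two patterns described above: a long-dormant account that logs in again, and a new account that comments within seconds of registering. The `hall_` meta keys, function names and thresholds are assumptions chosen for this example.

```php
<?php
// Added example (not from the original post). Records last-login times, which
// WordPress core does not store, and flags the two patterns described above.
// The "hall_" names and the thresholds are placeholders chosen for this example.

const HALL_META_LAST_LOGIN = 'hall_last_login';  // user meta key (assumption)
const HALL_META_PREV_LOGIN = 'hall_prev_login';
const HALL_DORMANT_DAYS    = 180;   // gap between logins that counts as dormant
const HALL_FAST_COMMENT_S  = 60;    // a comment this soon after registering is suspect

// Keep the current and previous successful login timestamps in user meta.
add_action( 'wp_login', function ( $login, $user ) {
    $last = (int) get_user_meta( $user->ID, HALL_META_LAST_LOGIN, true );
    if ( $last ) {
        update_user_meta( $user->ID, HALL_META_PREV_LOGIN, $last );
    }
    update_user_meta( $user->ID, HALL_META_LAST_LOGIN, time() );
}, 10, 2 );

// Return findings for one user; an empty array means nothing unusual.
function hall_activity_findings( WP_User $user ) {
    $registered = strtotime( $user->user_registered . ' UTC' ); // core stores GMT
    $last       = (int) get_user_meta( $user->ID, HALL_META_LAST_LOGIN, true );
    $prev       = (int) get_user_meta( $user->ID, HALL_META_PREV_LOGIN, true );
    $findings   = array();
    // Long-dormant account that suddenly logged in again.
    if ( $prev && $last && ( $last - $prev ) > HALL_DORMANT_DAYS * DAY_IN_SECONDS ) {
        $findings[] = sprintf( 'logged in after %d dormant days', ( $last - $prev ) / DAY_IN_SECONDS );
    }
    // First comment posted within seconds of registration (typical of scripted signups).
    $first = get_comments( array( 'user_id' => $user->ID, 'number' => 1,
                                  'orderby' => 'comment_date_gmt', 'order' => 'ASC' ) );
    if ( $first ) {
        $delay = strtotime( $first[0]->comment_date_gmt . ' UTC' ) - $registered;
        if ( $delay >= 0 && $delay < HALL_FAST_COMMENT_S ) {
            $findings[] = sprintf( 'first comment %d seconds after registration', $delay );
        }
    }
    return $findings;
}

// Run across all users; returns login => findings for flagged accounts only.
function hall_audit_user_activity() {
    $report = array();
    foreach ( get_users() as $user ) {
        if ( $f = hall_activity_findings( $user ) ) { $report[ $user->user_login ] = $f; }
    }
    return $report;
}
```

The dormancy check only has data once the `wp_login` hook has seen two logins for an account, so the report becomes useful after the snippet has been active for a while.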
Review Email Logs
Typically, once someone’s email account has been compromised, the perpetrator does not need to break into their other online accounts; they can simply request a password reset. If you find an account with a high frequency of password resets, it can be an indicator that the account has been hacked.
WordPress has a Lost Password process that emails a unique, one-time-use URL. An additional plugin, or the logs of your SMTP mail server, can help you monitor this activity.
Check Server Access Logs and IP Addresses
Looking up an IP address’s general location and checking whether the user is logging in from multiple locations can indicate suspicious activity. This is especially useful for monitoring administrative accounts.
WordPress offers most of this information, but additional plugins can be used, or you can look at your hosting server access logs to review these IP addresses and locations.
Using these tips to limit who can access your site, and how, will go a long way toward securing your site’s content and data. Many of these processes can be automated, but performing these tasks periodically will reduce your site’s liability and improve compliance with privacy laws. For more assistance improving your website’s security, contact the experts at Hall.