13 WordPress Security Features that Protect Your Users

Nov 18, 2020 | Website Security, WordPress

Kevin Fouche


Posted by Kevin Fouche, Pixel Fish Director

Kevin handles the planning, design, launch and training of every website that Pixel Fish creates. He ensures that every website is highly engaging and aligned with our client’s goals. With over 20 years of design and web industry experience to draw upon, Kevin aims to pass on his knowledge to our clients and like-minded businesses wanting to grow their online presence.

Security for a business website is essential. Not only do you need a high-performing website that can’t be hacked or interrupted – you also need strong defences for your user accounts. Today, we’re here to highlight the top 13 WordPress security features available through today’s plugins that will protect your user accounts.

Customers need to know that they can trust you with everything from their home addresses to their favourite product type. A breach involving even a single user account betrays that trust. So it is essential that every modern website does everything it can to defend user accounts.

The good news is that if you’re running WordPress, new safety features are a breeze to implement. There are already dozens of plugins, and feature sets inside the top plugins, that will help you secure your user accounts and protect your users’ data. The trouble is that a fresh WordPress installation doesn’t consider the accounts – just the server. You probably already have all the server-side security your WordPress website needs, like a custom-configured firewall, virus scanning, and server data encryption. But do you know what is needed to defend your user accounts?

1. Two-Factor Authentication

Every user account security conversation starts with two-factor authentication. A user’s first authentication factor is always their password. After that, the second factor is usually a one-time passcode sent directly via email or text message to the account holder. This ensures that if someone is trying to hack their account, an alert is automatically sent, letting the account holder know of the mischief.

The interesting thing about two-factor authentication is that it opens the door to multi-factor authentication. After all, the second factor can be whatever you want, and there are many options: picture passwords, biometric identification by iris or fingerprint, security questions, and even drawn-picture passwords. Each layer creates one more task that an account holder can perform and a hacker cannot.
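The one-time passcodes described above are usually generated on the server and emailed or texted; the same idea also works with an authenticator app, where the code is derived from a shared secret and the current time (RFC 6238 TOTP). The following is an added example in plain PHP, not code from this article or from any WordPress plugin, showing how such a code is generated and verified. It assumes the shared secret is a random byte string enrolled into the user’s authenticator app and stored server-side for that user; the drift window of one 30-second step either side is this example’s own choice.

```php
<?php
// Added example (not the article's code): RFC 6238 time-based one-time passcodes in plain PHP.
// $secret is assumed to be the raw bytes of the per-user shared secret stored at enrolment.

function totp_code(string $secret, int $step, int $digits = 6): string
{
    // HOTP (RFC 4226) over the 8-byte big-endian time-step counter.
    $counter = pack('J', $step);                        // unsigned 64-bit, big-endian
    $hmac    = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($hmac[19]) & 0x0f;                   // dynamic truncation offset
    $binary  = ((ord($hmac[$offset])     & 0x7f) << 24)
             |  (ord($hmac[$offset + 1]) << 16)
             |  (ord($hmac[$offset + 2]) << 8)
             |   ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp_verify(string $secret, string $submitted, int $now, int $period = 30, int $window = 1): bool
{
    // Accept the current step plus a small clock-drift window; compare in constant time
    // so the comparison itself leaks nothing about how many digits matched.
    $step = intdiv($now, $period);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($secret, $step + $i), $submitted)) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 Appendix B test vector (ASCII secret, SHA-1, T = 59 s).
$secret = '12345678901234567890';
var_dump(totp_code($secret, intdiv(59, 30)) === '287082'); // bool(true): first six digits of 94287082
var_dump(totp_verify($secret, '287082', 59));              // bool(true)
```

Two things a production implementation adds on top of this: it records the last time step accepted for each user so the same code cannot be replayed within the window, and it rate-limits verification attempts, because a six-digit code is only safe when an attacker cannot guess at it hundreds of times per minute.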

2. Captcha Bot Detection

To steal an account, a hacker’s number-one tactic is to use a bot to make many different login attempts. This can be a brute-force push against one password or a quick door-rattling on every account on your server. The bot method can be devastating for an unprotected WordPress website, both because it’s faster and smarter than a human hacker and because bots can quickly cause DDoS conditions even when this isn’t the original goal.

A captcha is a simple device that forces the user to do tasks that a bot can’t do. From an organic mouse click to identifying every square with a bus, account-hacking bots just can’t do these human tasks. Even a simple captcha can detect and prevent many types of hacker attacks.

3. Unique WordPress User Roles

WordPress sites assign every account a role. These roles fall into general categories and – most importantly – are sorted by their privileges to make changes to the site. The basic setup will help you understand the system, but a well-built website often features unique and customised user roles. For example, you may want to separate powers between your upper admins so that no one account is all-powerful if hacked. At the same time, you can tier user accounts to control who can post, who can comment, and even who is trusted to be a community admin.
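Splitting admin powers along the lines described above is done in WordPress with custom roles and capabilities. The following is an added example, not this article’s code or any plugin’s, of a plugin file that registers a content-only role and trims a risky capability from the built-in Editor role. The role name `content_manager`, the `pf_` function prefix and the capability selection are this example’s own choices; the capability names themselves are WordPress core’s.

```php
<?php
// Added example (not the article's or any plugin's code): least-privilege roles in WordPress.
// Assumes this file is a plugin's main file, so __FILE__ is valid for the activation hooks.

function pf_register_content_manager_role(): void
{
    // add_role() returns null if the role already exists, so re-running this is harmless.
    add_role('content_manager', 'Content Manager', [
        'read'              => true,
        'upload_files'      => true,
        'edit_posts'        => true,
        'edit_others_posts' => true,
        'publish_posts'     => true,
        'delete_posts'      => true,
        'moderate_comments' => true,
        // Deliberately absent: install_plugins, edit_theme_options, edit_users, manage_options.
        // A compromised content_manager account cannot install a backdoor plugin or create admins.
    ]);
}
register_activation_hook(__FILE__, 'pf_register_content_manager_role');

function pf_remove_content_manager_role(): void
{
    remove_role('content_manager');
}
register_deactivation_hook(__FILE__, 'pf_remove_content_manager_role');

// Trim an existing role instead of creating a new one: editors keep their content powers
// but lose unfiltered_html, which lets a hijacked account plant <script> tags in posts.
add_action('init', function (): void {
    $editor = get_role('editor');
    if ($editor && $editor->has_cap('unfiltered_html')) {
        $editor->remove_cap('unfiltered_html');   // persisted; the has_cap() check avoids repeat writes
    }
});

// Gate sensitive actions on a capability, never on a role name, so custom roles work too.
function pf_can_change_site_settings(): bool
{
    return current_user_can('manage_options');
}
```

Assign day-to-day publishing accounts to the new role and keep the Administrator role for the one or two people who actually need to install plugins and manage users; that way a phished editor password does not become a full site compromise.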

4. Spam and Phishing Message Filters

If you have on-site messaging or a domain email service, there’s a good chance that your users may receive the occasional spam or phishing message. Spam filters are old news and you may already have one in place. On the other hand, phishing filters take the latest in predictive and pattern-matching technology to protect your users’ inboxes from malicious, deceitful messages.

Spam and phishing filters are extremely useful in reducing the number of users exposed to malware or a data breach through your website. Even if your WordPress messaging system is only on-site, with no messages from external sources, hackers can still create on-site accounts to send their spam, and often do. Filters ensure even these resourceful hackers are almost universally ‘muted’ for the community.

5. Hardened Admin Accounts

Admin accounts are the most vulnerable point in the WordPress account system. Not because they are less secure – they are exactly as secure by default as other accounts – but because they are more powerful. Each admin account has been granted role-based powers to change the website in ways that should be beneficial but, if used incorrectly, could be catastrophic to the brand.

Look for security plugins that harden your admin accounts with extra layers of protection, encryption, and password requirements.

6. Password Creation Guide Widgets

Everyone knows that users with strong passwords are more secure than users with weak or reused passwords. One type of password feature on WordPress prevents users from making their passwords too simple. A new password won’t work unless it has a number, a symbol, a capital letter, and a minimum length. But this method also challenges and frustrates your new members, which is not a good start to customer relations.

The upgraded method is to provide a friendly password guide and live widgets to help new users create (and remember) a strong password. The acronym method and the phrase method are two approachable places to start. Then show users how to creatively replace symbols and letters, and confirm their final password. The widgets offer interactive bumpers and guides as users make their first password.

7. Hashed and Encrypted Password Storage

Never store plain-text passwords. Passwords are traditionally protected in layers. Your WordPress server and password table can each be encrypted by security software. But if a hacker gets through that, a hash is the final layer of defence. Hashing passwords uses a private key, separate from your security software, that changes the way passwords are stored. Even if a hacker can see the stored passwords, the hash ensures they appear as gibberish.
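The practical point behind this section is that a password hash is one-way: a salted hash can be checked against a submitted password but cannot be turned back into it, which is why a stolen password table is far less useful than a stolen plain-text one. The following is an added example in plain PHP, not this article’s code, showing that property with PHP’s built-in `password_hash()`/`password_verify()`. WordPress core exposes the same idea through `wp_hash_password()` and `wp_check_password()`, which a plugin should call rather than rolling its own; the bcrypt cost of 12 here is this example’s own choice.

```php
<?php
// Added example (not the article's code): one-way, salted password storage with PHP's
// password_* functions. WordPress plugins should use wp_hash_password()/wp_check_password().

function store_password(string $plaintext): string
{
    // bcrypt with a fresh random salt per password; this string is what goes in the database.
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 12]);
}

function login_ok(string $submitted, string $stored_hash): bool
{
    // Re-derives the hash with the stored salt and compares in constant time.
    return password_verify($submitted, $stored_hash);
}

function maybe_upgrade_hash(string $submitted, string $stored_hash): ?string
{
    // Called only after a successful login (the plaintext is available just then):
    // re-hash if the stored hash uses an older algorithm or a lower cost than today's policy.
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => 12])) {
        return store_password($submitted);
    }
    return null;
}

$hash1 = store_password('correct horse battery staple');
$hash2 = store_password('correct horse battery staple');

var_dump($hash1 === $hash2);                                 // bool(false): different salts, same password
var_dump(login_ok('correct horse battery staple', $hash1));  // bool(true)
var_dump(login_ok('Correct horse battery staple', $hash1));  // bool(false): one wrong character
var_dump(strlen($hash1));                                    // int(60): the only thing a thief gets
```

Because there is no key to recover, the defender’s remaining job is to keep the hash slow to guess (the cost factor) and the passwords themselves strong, which is exactly what section 6 and section 13 are about.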

8. Customer Service Portals

Human users may be the leading source of breaches, but they are also your best defence. A community of alert and responsive users can spot suspicious behaviour that has escaped the website filters. This is why a customer service portal is essential. Modify your WordPress website’s help centre to take quick security reports from the user community.

9. Responsive User Banning and Appeals

When a user account is identified as malicious, don’t hesitate to mute, ban, suspend, and investigate it. However, always include an appeal process. Sometimes a legitimate user’s account was stolen or borrowed for malicious use. Sometimes the malicious activity was inexperience or a one-time outburst in the forums. If a user is willing to contact you and ask for an appeal, be sure to consider retracting a ban after investigation.

10. Log Out Idle Users

One of the most common ways for an account to be misused is always-active logins. Security breaches happen when users are left logged in for too long, from shared workstations to at-home devices used by family members.

Fortunately, idle log-out is a common and easy-to-implement WordPress feature. You can find it in many security plugins, both general and built specifically for enhancing user security.
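WordPress itself only offers an absolute cookie lifetime (the “Remember Me” cookie lasts 14 days by default), so an idle timeout has to be layered on top. The following is an added example of how a plugin can do that, not this article’s code or any particular plugin’s: it shortens the login cookie and ends any session that has been idle for more than 30 minutes. The 30-minute threshold, the `pf_last_seen` user-meta key and the `pf_` prefix are this example’s own choices; the hooks, constants and functions are WordPress core’s.

```php
<?php
// Added example (not the article's or any plugin's code): idle-session logout for WordPress.
// Assumes it runs inside a plugin, after WordPress has defined its time constants.

const PF_IDLE_LIMIT_SECONDS = 30 * MINUTE_IN_SECONDS;
const PF_LAST_SEEN_META     = 'pf_last_seen';

// Cap the absolute cookie lifetime so "Remember Me" cannot keep an account open for two weeks.
add_filter('auth_cookie_expiration', function ($length, $user_id, $remember) {
    return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}, 10, 3);

// On every request, compare the stored last-activity time with now.
add_action('init', function (): void {
    if (!is_user_logged_in()) {
        return;
    }
    $user_id   = get_current_user_id();
    $last_seen = (int) get_user_meta($user_id, PF_LAST_SEEN_META, true);
    $now       = time();

    if ($last_seen && ($now - $last_seen) > PF_IDLE_LIMIT_SECONDS) {
        // Idle too long: invalidate the auth cookies, then send a browser to the login page.
        wp_logout();
        if (!wp_doing_ajax()) {
            wp_safe_redirect(add_query_arg('reason', 'idle', wp_login_url()));
        }
        exit;
    }
    update_user_meta($user_id, PF_LAST_SEEN_META, $now);   // refresh the activity stamp
});
```

Two design notes: the activity stamp is stored per user, not per browser session, so a user active on their phone keeps a forgotten office session alive as well; a stricter plugin keys the stamp on the session token. And writing user meta on every request is fine for a small site but worth throttling (update only when the stamp is more than a minute old) on a busy one.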

11. IP Address Location Tracking

Each of your users is a person with a routine, habits, and common locations. Your users may log in from home, work, and their favourite park, but a sudden login from a location halfway across the world should be flagged as suspicious. You can track the generalised location of a user with their IP address – something learned when they connect to the website.

IP tracking makes it possible to send security alerts when users log in somewhere new – especially if that login is outside their usual area code. That said, hackers are getting savvy and have started geolocating their victims, so you may want to flag every new location login on principle.
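The alert described in this section needs two things: a record of where an account usually logs in from, and a hook that runs on each successful login. The following is an added example of both, not this article’s code or any plugin’s. Because a GeoIP database is not available in plain WordPress, it uses the client’s /24 (IPv4) or /64 (IPv6) network prefix as a stand-in for “location”; a plugin with a GeoIP lookup (an assumption, not shown here) would key on country or city instead. The `pf_known_networks` meta key, the list size of 20 and the `pf_` prefix are this example’s own choices.

```php
<?php
// Added example (not the article's or any plugin's code): email the account holder when a
// login arrives from a network prefix the account has not been seen on before.

const PF_KNOWN_NETS_META = 'pf_known_networks';

function pf_client_ip(): string
{
    // REMOTE_ADDR is set by the web server and cannot be forged by the client. Only
    // substitute a proxy header (X-Forwarded-For etc.) if a proxy you control sets it,
    // otherwise an attacker chooses whatever "location" they like.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function pf_network_key(string $ip): string
{
    $packed = inet_pton($ip);
    if ($packed === false) {
        return 'invalid';
    }
    // Keep the first 3 bytes of IPv4 (/24) or the first 8 bytes of IPv6 (/64), hex-encoded.
    $prefix = strlen($packed) === 4 ? substr($packed, 0, 3) : substr($packed, 0, 8);
    return bin2hex($prefix);
}

add_action('wp_login', function (string $user_login, WP_User $user): void {
    $key   = pf_network_key(pf_client_ip());
    $known = get_user_meta($user->ID, PF_KNOWN_NETS_META, true);
    $known = is_array($known) ? $known : [];

    if (!in_array($key, $known, true)) {
        wp_mail(
            $user->user_email,
            sprintf('[%s] New sign-in location for %s', get_bloginfo('name'), $user_login),
            sprintf(
                "Your account was just used to sign in from IP %s at %s.\n" .
                "If this was not you, change your password immediately.",
                pf_client_ip(),
                current_time('mysql')
            )
        );
        $known[] = $key;
        // Remember the most recent 20 networks so the list cannot grow without bound.
        update_user_meta($user->ID, PF_KNOWN_NETS_META, array_slice($known, -20));
    }
}, 10, 2);
```

The first login after installing this will always alert, which is the expected seeding behaviour. As the section notes, an attacker who already knows the victim’s town can sometimes sit inside the usual region, so the alert is a signal to combine with two-factor authentication rather than a replacement for it.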

12. Suspicious Activity Monitoring

Suspicious activity is any pattern that indicates hacker behaviour. For example, posting one reply to every single forum topic or trying to log in 500 times in a single minute. These behaviours indicate either a bot or a malicious user. In truth, there are thousands of possible indicators because there are thousands of possible forms of malicious behaviour – from programs or people.

Monitoring can track everything from your server’s temperature to the bits travelling in and out of the network. Once suspicious activity is detected, you can apply a prepared defence response or devise one.

13. Login Attempt Limitations

Speaking of trying to log in a few hundred times, login attempt limitation is one of the most basic WordPress user defences. Hackers will pick an account or email address that they know and try an endless series of passwords. It’s a methodical process of testing all possible letters, numbers, and characters, one that has since been honed to try the most likely combinations first.

This can crack passwords, but only if your website allows rapid repeated attempts. A simple WordPress plugin upgrade means you can limit both the total number of attempts and how fast attempts can be tried.
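Sections 12 and 13 describe the same mechanism from two sides: count failed logins, lock out a source that fails too often, and log each lockout so the monitoring layer can see the pattern. The following is an added example of a small WordPress login limiter, not this article’s code and not any of the existing plugins’ code. It stores counters in transients keyed on the client IP and the submitted username; the thresholds (5 failures in 10 minutes, 30-minute lockout), the `pf_login_` key prefix and the error message are this example’s own choices, while the hooks are WordPress core’s.

```php
<?php
// Added example (not the article's or any plugin's code): rate-limit failed logins per
// client IP + username with WordPress transients, and log every lockout.

const PF_MAX_FAILURES   = 5;                      // failures allowed inside the window
const PF_FAILURE_WINDOW = 10 * MINUTE_IN_SECONDS; // counting window
const PF_LOCKOUT        = 30 * MINUTE_IN_SECONDS; // how long a locked pair stays locked

function pf_attempt_key(string $username): string
{
    // REMOTE_ADDR only; see the proxy caveat under section 11 before trusting any header.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'pf_login_' . md5($ip . '|' . strtolower($username));
}

// Count each failure; lock the IP+username pair once the threshold is crossed.
add_action('wp_login_failed', function ($username): void {
    $username = (string) $username;
    $key  = pf_attempt_key($username);
    $data = get_transient($key) ?: ['count' => 0, 'locked_until' => 0];
    $data['count']++;

    if ($data['count'] >= PF_MAX_FAILURES) {
        $data['locked_until'] = time() + PF_LOCKOUT;
        // One log line per lockout is the raw material for the monitoring in section 12.
        error_log(sprintf('pf-login: lockout ip=%s user=%s failures=%d',
            $_SERVER['REMOTE_ADDR'] ?? '?', $username, $data['count']));
    }
    set_transient($key, $data, max(PF_FAILURE_WINDOW, PF_LOCKOUT));
});

// Runs after core's password check (priority 20): refuse a locked pair even if the
// password was right, and clear the counter when a login genuinely succeeds.
add_filter('authenticate', function ($user, $username, $password) {
    $username = (string) $username;
    if ($username === '') {
        return $user;
    }
    $key  = pf_attempt_key($username);
    $data = get_transient($key);
    if ($data && $data['locked_until'] > time()) {
        return new WP_Error(
            'pf_too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    if ($user instanceof WP_User) {
        delete_transient($key);   // success: one earlier typo should not count against the user
    }
    return $user;
}, 30, 3);
```

Because the lockout error itself is reported through `wp_login_failed`, every attempt during a lockout extends it, which is the intended behaviour against a bot that keeps hammering. Two limits of this simple version are worth knowing: a distributed attack that spreads one account’s guesses across many IPs needs an additional per-account counter, and on a site behind a shared NAT one noisy office can lock out its colleagues, which is why the thresholds should be tuned to your own traffic rather than copied.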

WordPress websites come out-of-the-box as simple and not secure. They are easy to work with but they are not yet ready for business levels of cybersecurity. The good news is that your WordPress website and users can be made industry secure with a plan and the right collection of well-configured plugins. Contact us today to consult on your WordPress user account security.
