Skip to content

10 WordPress Techniques to Increase Account Security for Your Users

Staying safe on the internet is a joint effort between users and providers. Even tech professionals rely on software and providers to ensure their own account security. Your general populace of website users are not all tech and security pros, which means they need all the technical help you can give to ensure their account security.

Securing an account is about more than protecting passwords and two-factor authentication. Account security is about protecting access, information, and even those who are allowed to message your users. Of course, an out-of-the-box WordPress website isn’t equipped with all the features and plugins you need to create account security. While every WordPress installation includes user accounts and some basic account security, advanced protections necessary to protect clients, employees, and your customer population requires a few more features than the WordPress starter package.

If your team is preparing to improve account security or provide great security right out of the gate, we’re here to help. Today, we’re diving into ten different WordPress website techniques to create better account security for your website’s users.

 

1) Account Privacy Settings

Let’s start with privacy. Normally, discussions of account security begin with passwords, but data security is just as important – if not more – than control of the account. Control can be restored with a password change, but stolen personal information cannot be retrieved. So it is vital that you install information protections for your user accounts.

One important tool is privacy settings. If your website has user profile pages, public posts, and/or social interaction then the content of each user’s account can become a mountain of personal data. Users may be comfortable sharing some, all, or almost none of the personal data they add to their accounts on your website. Give them the option to set their own privacy settings.

 

2) Guided Contact-List Clearing

On-site contacts can be important, depending on your type of website. Users meet each other to make friends, professional contacts, and sometimes even connect as professionals and clients. This can create a revolving door of active and trusted or semi-trusted accounts. These accounts are added to a user’s contacts list, creating “trusted” outreach points. Because users trust their contact-list to tell them if someone is real or possibly a scam, hackers can manipulate old contacts to scam everyone connected to one compromised account.

The ideal strategy for securing the revolving-door of trusted contacts is a list-clearing strategy. Once (or twice) a year, prompt your users to de-select every account they no longer remember or regularly talk to, or to give a nickname or title to those accounts they keep on the list. This will help define contact lists so they can be better trusted to combat scammer outreach methods.

 

3) Private Message Permissions and Requests

Many sites today include live chat, public message forums, and private messaging. Private messages have become a hot topic of discussion for both cybersecurity and social safety. You may (or may not) have heard the term “sliding into your DMs” which means romantically approaching someone through direct (private) messaging on-site through a shared website and platform. Hackers also like to slide into DMs either pretending to be known to their targets or cold-calling their scams through private messaging.

To protect your users while still providing a messaging system, introduce permissions. Let your users decide whether unknown contacts can private-message them, and send a request to receive messages from new contacts that can be denied without seeing the initial message. This simple one-layer shield provides an incredible layer of protection against from phishing, advertisers, poaching, and casual user-to-user harassment.

 

4) Create Public and Private Device Modes

Not all devices provide the same level of implicit account security. A user’s personal phone might be completely secure – or it might become a family device at home. A user’s work computer might be secure, or they might hot-desk with coworkers. Or a user might log into their account on a borrowed device and need to leave no trace of saved login information. It should be up to your users whether their login should trust each specific device.

A great way to do this is public and private device modes. When your app detects login from a new device, go through the two-factor security process – then ask the user if the device should be trusted, how much it should be trusted, and for how long. Let them indicate if they are using a public and shared device or if they are on a safe solo-use personal device that can be trusted with greater access and a longer app memory.

 

5) Annual Guided Password Recreation

We mentioned earlier that password security is the well-known cornerstone of account security and now it’s time to talk passwords. WordPress has a wide variety of password security features. But even the best-made and best-encrypted password can still be stolen if it’s the same year-on-year. So don’t let passwords get stale.

Choose a fun and interactive UI that guides users through making a new password at least once a year. Don’t just ask for something new; help them build an acronym or phrase, then cleverly replace letters with numbers and symbols to craft unique & memorable user passwords every time. Just don’t go overboard and require a new password for every third login, as that kind of tedium can test the patience and loyalty of regular users.

 

6) Form an On-Site “Neighborhood Watch”

The reason all this account security is necessary is because account theft and online scams are rampant today. Beyond password and account access protection, there are also “bad actors” to worry about. These are people who make their own accounts on your site in order to target the other users. They may be bot-accounts made to spam the forum and messages with advertising statements. They may be phishing hackers looking to reel in a few victims under the guise of your website community. Then there’s the usual type of cretin who tries to slide into user DMs without invitation.

You can audit, add permission layers, and install language filters, but the best way to police a community for bad actors is to involve the community. Build a phalanx of both hired admins and your good-faith users to keep an eye out for suspicious messages or account activity. Form a “neighborhood watch” by encouraging everyone to report anything they see, then publicly thank each one who finds a legitimate hacker or harasser.

Not only does this increase your site’s overall account security, it also makes your users feel involved and invested as a community. You are all a team keeping your branded corner of the internet safe together.

 

7) Creative and DIY Security Questions

Now let’s talk about security questions – a common feature of WordPress account security plugins. Security questions allow users to quickly recover their passwords and accounts by using personal information. However, standard security questions tend to cover information that hackers can easily research through social media. Mother’s maiden name, childhood street; these are now facts about a person that can be looked up with surprising quickness.

So let your users build their own security questions if they don’t care for the automatic drop down. Encourage them to get creative. If you’re worried about too-easy DIY security questions, use a mad-libs type system to help them build strong and unique security questions that hackers won’t be able to research so easily.

 

8) Replacing Auto-Fill Passwords with Art Passwords

Password auto-fill is the bane of accounts. Security browser-based password managers have made it simple for friends, family, and anyone else to log into a user’s accounts across the internet – just by letting the browser log itself in with saved values.

One option to protect from this kind of snoop hacking is to block auto-fill. There are methods to implement a text box that users can type into, but cannot auto-fill or even copy-paste. This method is sometimes used for access codes so it is necessary for human fingers to type the values. Of course, users hate typing their passwords every time and favor sites with quick-and-easy logins.

The answer? Artistic passwords. While your WordPress upgrade may block auto-fill passwords, you can make logging in just as quick with intuitive art passcodes instead. Some draw lines onto a grid – a unique picture or pattern that only they would remember. Some use a game of photo-memory, some include music. The important factor is that you provide a secure, unusual password type that is faster than typing a password and more secure than auto-filled logins.

 

9) Filter for Suspicious Messages

Though the neighborhood watch and admin moderation work well to protect online accounts, you should also add message filtering. There are several programs designed to detect spam-like messages when they come through by identifying the words, phrases, and format used compared to common scams. Just as you filter for spammy advertisements, you can also hone the detection to watch for common words and phrases used in phishing and harassment as well – often not terribly different.

Some messages that get too high a rating as probably-spam are prevented from sending. Others earn a warning flag that is visible to the recipient, should they choose to open the letter.

 

10) Lock Personal Documents by Default

Finally, never leave user documents or files open for public view, even if the link is private. Make all personal documents locked and closed without permissions by default. This ensures that every permission is added manually and no one unapproved has a chance to see the documents. Account security is an essential part of providing a high-quality business website. Locking personal documents is the first and last step to ensure that every scrap of data entrusted with your company remains safe by default.

 

Looking to improve the account security of your users across your site and features? We can help. Contact us today to explore the plugins, features, and site settings that will provide your users the greater account security assurance.

[optin-monster-shortcode id=”xzzfqbtytdw78gbx8gbq”]

About Jeff Collins

Experience and Expertise make the difference when searching for top cloud providers. Appliedi has provided managed cloud services since 1999.

Scroll To Top