How to Restrict WordPress Access

Here is some tactical advice you can implement on your WordPress site to restrict access and put tighter controls on your system.

  1. Create a separate user account for yourself with the Author or Editor role and use that account for all your posting.
  2. Don’t use the Administrator account for posting content. Only use it for specific administrative functions such as upgrades and plugin installs.
  3. Only allow your WordPress web server to connect to the WordPress database. Don’t let everyone on the internet reach the database’s front door (its listening port) and attempt a login.
  4. Restrict login attempts and protect your site against brute-force attacks with a plugin. Limit Login Attempts works well for this.
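The third item is the one most often left at its install-time default (an application account that may connect from any host and holds every privilege). The following is an added example, not code from the original article: it audits rows of the kind you get from `SELECT User, Host FROM mysql.user` combined with the privileges `SHOW GRANTS` reports, flags database users reachable from anywhere or holding server-admin privileges, and emits corrective SQL as a dry run. The sample rows, the web server address 10.0.1.20 and the database name wp_prod are constructed values.

```python
"""Audit the MySQL/MariaDB grants behind a WordPress site (added example).

Input rows mimic `SELECT User, Host FROM mysql.user` plus the privilege names
`SHOW GRANTS` prints. The web server IP, database name and rows are assumed.
"""
from dataclasses import dataclass

# What a running WordPress needs day to day. CREATE/ALTER/DROP/INDEX are only
# needed during install and upgrades; grant them for that window only.
RUNTIME_PRIVS = ("DELETE", "INSERT", "SELECT", "UPDATE")
# Server-wide privileges an application account should never hold.
ADMIN_PRIVS = {"ALL PRIVILEGES", "SUPER", "FILE", "PROCESS",
               "GRANT OPTION", "SHUTDOWN", "CREATE USER"}


@dataclass(frozen=True)
class GrantRow:
    user: str
    host: str            # MySQL host pattern: '%' is any host, '10.0.1.%' a /24
    privs: frozenset     # privilege names as printed by SHOW GRANTS
    database: str


def host_is_too_broad(host, allowed_hosts):
    """True unless the host is exactly one of the web server addresses.
    MySQL treats '%' and '_' as wildcards and an empty host as any host."""
    if host in ("", "%") or "%" in host or "_" in host:
        return True
    return host not in allowed_hosts


def audit(rows, allowed_hosts):
    """Return (user, host, problem) tuples for every risky grant."""
    findings = []
    for r in rows:
        if host_is_too_broad(r.host, allowed_hosts):
            findings.append((r.user, r.host,
                             f"connectable from {r.host!r}; only "
                             f"{sorted(allowed_hosts)} should reach the database"))
        excess = r.privs & ADMIN_PRIVS
        if excess:
            findings.append((r.user, r.host,
                             f"holds server-admin privileges {sorted(excess)}"))
    return findings


def remediation_sql(rows, user, database, allowed_hosts,
                    password="<strong-random-password>"):
    """Drop the over-broad accounts for `user` and recreate it pinned to the
    web server hosts with runtime privileges only. Dry run: returns strings."""
    stmts = []
    for r in rows:
        if r.user == user and host_is_too_broad(r.host, allowed_hosts):
            stmts.append(f"DROP USER IF EXISTS '{r.user}'@'{r.host}';")
    for h in sorted(allowed_hosts):
        stmts.append(f"CREATE USER IF NOT EXISTS '{user}'@'{h}' "
                     f"IDENTIFIED BY '{password}';")
        # Start from nothing, then grant exactly the runtime set.
        stmts.append(f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{user}'@'{h}';")
        stmts.append(f"GRANT {', '.join(RUNTIME_PRIVS)} ON `{database}`.* "
                     f"TO '{user}'@'{h}';")
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


# Constructed sample: what a default install often looks like.
SAMPLE_ROWS = [
    GrantRow("wp_app", "%", frozenset({"ALL PRIVILEGES"}), "wp_prod"),
    GrantRow("wp_app", "10.0.1.20", frozenset(RUNTIME_PRIVS), "wp_prod"),
    GrantRow("backup", "10.0.1.%", frozenset({"SELECT", "LOCK TABLES"}), "wp_prod"),
]
WEB_SERVERS = {"10.0.1.20"}   # assumed address of the WordPress web server

if __name__ == "__main__":
    for user, host, problem in audit(SAMPLE_ROWS, WEB_SERVERS):
        print(f"{user}@{host}: {problem}")
    print("\n".join(remediation_sql(SAMPLE_ROWS, "wp_app", "wp_prod", WEB_SERVERS)))
```

Grants only decide who may authenticate; the port is still reachable by anyone who can route to it. Pair this with `bind-address` in the MySQL config or a host firewall rule so that only the web server can open a connection to port 3306 at all, which is what "not reaching the front door" means in practice.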

Three Additional Access Control Strategies

Below are some additional access control strategies that are commonly in use.

  1. Limit access to networked systems by IP address. For example, if you have a database server online, does the whole internet need to reach it, or really only your web server(s)?
  2. If you don’t limit access by IP, you should at least have a system that blocks brute-force attacks. If a system is online and does not lock a client out after x failed attempts, an attacker can spend an unlimited amount of time guessing an account’s password.
  3. Log out of the system when you are done; don’t just close the browser window. If an attacker gets access to your machine for whatever reason, they can reuse your still-valid session to reach those same systems without ever knowing your password, simply because you were still logged in.
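The lockout described in item 2 (and by the Limit Login Attempts plugin in the first list) is simple enough to show end to end. What follows is an added example, not the article's code and not the plugin's: it replays web-server access-log lines, counts failed logins per client IP in a sliding window, and locks the IP out once the threshold is hit. It assumes the common Apache/nginx combined log format and the WordPress behaviour that a failed login re-renders `wp-login.php` with HTTP 200 while a successful one redirects with 302. The log lines are constructed sample data using RFC 5737 documentation addresses.

```python
"""Brute-force lockout for wp-login.php, replayed from access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_ts(text):
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "when": parse_ts(m["ts"]), "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


class LoginLimiter:
    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(hours=1)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> datetime the lock expires

    def is_locked(self, ip, now):
        return now < self._locked_until.get(ip, now)

    def record_failure(self, ip, now):
        """Register one failed login; return True if this one trips the lock."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # slide the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)


def process_log(lines, limiter=None):
    """Return (limiter, rejected) where rejected lists (ip, time) of POSTs
    that arrived while the IP was locked and would be refused."""
    limiter = limiter or LoginLimiter()
    rejected = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["path"] != "/wp-login.php" or ev["method"] != "POST":
            continue
        if limiter.is_locked(ev["ip"], ev["when"]):
            rejected.append((ev["ip"], ev["when"]))
            continue
        if ev["status"] == 302:           # WordPress redirects on success
            limiter.record_success(ev["ip"])
        else:                             # 200 means the form came back with an error
            limiter.record_failure(ev["ip"], ev["when"])
    return limiter, rejected


# Constructed sample log: one user who mistypes twice then succeeds,
# and one client hammering the login form.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:56:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    limiter, rejected = process_log(SAMPLE_LOG.splitlines())
    for ip, when in rejected:
        print(f"{when:%H:%M:%S} refused login POST from locked-out {ip}")
```

Two caveats matter when you put this in front of a real site. Attackers spread attempts over many addresses and over `xmlrpc.php` as well as `wp-login.php`, so a per-IP counter on one endpoint is a floor, not a ceiling. And if a reverse proxy or CDN sits in front of the server, `ip` will be the proxy unless you log the forwarded client address, in which case every visitor shares one counter and you lock out everyone.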

What is Least Privilege?

Best practice when using a system that has multiple permission levels or roles is to use the account with the fewest privileges needed to perform the action required.

You see this by default now on Windows and Apple OS X machines: you work from a regular user account, and when you want to perform an administrative function you are prompted for a password to temporarily gain higher privileges for that one action.

For systems you are building that don’t have this model built in, you will want to replicate it. Most of the time I see an application installed with a single admin account, and that is all. You should create a lower-privilege account that gives you most of the functions you need outside of administration, and use that account the majority of the time.
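One way to replicate that model in an application of your own, as an added example rather than the article's code or WordPress's own capability system: everyday work runs under a low-privilege role, and the admin-only permissions are only added to a session after the user re-enters their password, for a short time, after which they fall away again (the sudo timestamp pattern). The roles, permission names, user records and passwords are assumed values for illustration.

```python
"""Least-privilege sessions with temporary, re-authenticated elevation (added example)."""
import hashlib
import hmac
import os
import time

# Assumed role model: the editor role can do everything a daily poster needs.
ROLES = {
    "editor": {"post:create", "post:edit", "post:publish"},
    "admin":  {"post:create", "post:edit", "post:publish",
               "plugin:install", "core:update", "user:manage"},
}
ADMIN_ONLY = ROLES["admin"] - ROLES["editor"]


class PermissionDenied(Exception):
    pass


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: alice is allowed to elevate, bob is not.
USERS = {
    "alice": {"hash": hash_password("correct horse battery staple"), "may_elevate": True},
    "bob":   {"hash": hash_password("hunter2"), "may_elevate": False},
}


def verify_password(user, password):
    salt, expected = USERS[user]["hash"]
    _, got = hash_password(password, salt)
    return hmac.compare_digest(expected, got)   # constant-time comparison


class Session:
    def __init__(self, user, role, elevation_ttl=300):
        self.user = user
        self.role = role                    # everyday role, e.g. "editor"
        self.elevation_ttl = elevation_ttl  # seconds the elevation stays valid
        self._elevated_until = 0.0

    def permissions(self, now=None):
        """Deny by default: the role's set, plus ADMIN_ONLY while elevated."""
        now = time.time() if now is None else now
        perms = set(ROLES[self.role])
        if now < self._elevated_until:
            perms |= ADMIN_ONLY
        return perms

    def allowed(self, perm, now=None):
        return perm in self.permissions(now)

    def require(self, perm, now=None):
        if not self.allowed(perm, now):
            raise PermissionDenied(f"{self.user} as {self.role} lacks {perm}")

    def elevate(self, password, now=None):
        """Re-authenticate to hold ADMIN_ONLY permissions until the TTL expires."""
        now = time.time() if now is None else now
        if not USERS[self.user]["may_elevate"] or not verify_password(self.user, password):
            raise PermissionDenied(f"elevation refused for {self.user}")
        self._elevated_until = now + self.elevation_ttl

    def drop(self):
        """Hand the elevated rights back as soon as the admin task is done."""
        self._elevated_until = 0.0


def try_elevate(session, password, now=None):
    """Boolean wrapper around Session.elevate for callers that prefer no exception."""
    try:
        session.elevate(password, now)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    s = Session("alice", "editor")
    s.require("post:publish")                       # everyday work: fine
    print("publish ok; plugin install allowed:", s.allowed("plugin:install"))
    s.elevate("correct horse battery staple")       # explicit, re-authenticated step
    s.require("plugin:install")                     # now permitted, briefly
    s.drop()
    print("after drop, plugin install allowed:", s.allowed("plugin:install"))
```

The two properties worth keeping when you adapt this are that the admin-only set is never part of the everyday role (so a hijacked editor session cannot install plugins) and that elevation is both password-gated and time-boxed, so forgetting to call `drop()` still costs at most the TTL.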

Why Should I Care About Access Control?

Access control is about who can access your data or resources, where accessing may mean consuming, entering, or using. Two common examples of access control are a physical lock, such as a house lock, and a login prompt on a website. If anyone could gain access to your private data or systems, that would not be good, would it? This is why access control across all your systems (desktop, website, car, house, etc.) is as important as any other cyber security fundamental.