Category Archives: WordPress

What WordPress Editors can’t do (that Admins can)

I thought it would be helpful to outline what WordPress Editors can’t do that Admins can. I see a tendency among our clients to assign the highest user role possible when creating new user accounts, to make sure a new staff member can do anything they might need to do.

In the case of WordPress the highest user role is “Admin” (or “Super Admin” on a Network site). Not only is it unnecessary to use the ‘admin’ role as the go-to user role, but it can put your website at risk. Even users with the best intentions, if not properly trained in WordPress, can make mistakes and cause problems for your website.

I strongly recommend Editor as the highest role you assign to any staff you add as users to your website. I explain a bit more about WordPress user roles in my article, 7 Tips for Setting WordPress User Roles.

WordPress functions that Editors can NOT do (but Admin users can)

Network tasks (on a WordPress Multisite install):

  • configure the network,
  • add/remove network sites, users, plugins, themes and options.

Network sub-site or single site tasks:

  • Plugins: install, activate, update, edit, delete
  • Themes: install, switch between themes, delete, edit theme options, edit theme files
  • Users: List users, change user roles, create new users, edit users, delete users
  • Manage site options
  • Update core system
  • Edit the dashboard
  • Import/export posts, pages, etc.

I think you’ll agree with me that these tasks are best in the hands of those more experienced. User Roles within WordPress are fantastic tools when used properly. I encourage you to review the user roles on your WordPress site and reconsider the admin roles, especially.
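The admin-only tasks listed above correspond to WordPress core capabilities, and a plugin can quietly grant one of them to another role. The following is an added example (not code from the original post): a small must-use plugin that audits every non-Administrator role for those capabilities and shows a dashboard notice if any have leaked. The capability names are WordPress core names; the grouping follows the list above.

```php
<?php
// Added example, not from the original post. Drop into wp-content/mu-plugins/.
// It checks that the admin-only tasks listed in the post are still held only
// by the Administrator role, and warns an administrator if another role has them.
add_action('admin_init', function () {
    if (!current_user_can('manage_options')) {
        return; // only an administrator should see this audit
    }
    // The admin-only tasks from the post, expressed as core capability names.
    $admin_only_caps = [
        // Plugins: install, activate, update, edit, delete
        'install_plugins', 'activate_plugins', 'update_plugins', 'edit_plugins', 'delete_plugins',
        // Themes: install, switch, delete, edit theme options, edit theme files
        'install_themes', 'switch_themes', 'delete_themes', 'edit_theme_options', 'edit_themes',
        // Users: list, change roles, create, edit, delete
        'list_users', 'promote_users', 'create_users', 'edit_users', 'delete_users',
        // Site options, core updates, dashboard, import/export
        'manage_options', 'update_core', 'edit_dashboard', 'import', 'export',
    ];
    $leaks = [];
    foreach (wp_roles()->role_objects as $name => $role) {
        if ($name === 'administrator') {
            continue;
        }
        foreach ($admin_only_caps as $cap) {
            // A plugin may have granted an admin-only capability to this role.
            if ($role->has_cap($cap)) {
                $leaks[$name][] = $cap;
            }
        }
    }
    if ($leaks) {
        add_action('admin_notices', function () use ($leaks) {
            echo '<div class="notice notice-warning"><p>Admin-only capabilities found on other roles: '
                . esc_html(json_encode($leaks)) . '</p></div>';
        });
    }
});
```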

Questions? We can help. Drop me a note using our contact form.

7 Tips for Setting WordPress User Roles

First, a brief introduction to WordPress user roles. There are 5 basic user roles on WordPress. Here’s a very basic breakdown of what each role has access to:

Administrator – Has access to all administrative options and features.
Editor – Can add/edit/delete posts.
Author – Can add/edit/delete their own posts, but not the posts of others. Can upload media.
Contributor – Can write and edit posts and submit them for review. Cannot publish posts and cannot upload media.
Subscriber – Can change their own profile and leave comments, but generally has no other capabilities.

7 Tips for Setting WordPress User Roles

Here are my top 7 tips for setting WordPress user roles for your website.

  1. There must always be at least one admin user. When WordPress is installed, an admin account will be automatically created through the installation process.
    Do not use a user name like ‘admin’ or ‘user’ or ‘wordpress’ for the sake of keeping your website secure. You should use a strong user name, and an even stronger password. I like to use random.org/passwords to generate a password, and I add in a few random special characters to make it even stronger. Don’t use your birthday or your dog’s name. Read my article about choosing a secure password you can actually remember.
  2. Use your admin account for admin tasks only! Set up a separate editor account for writing posts and pages if you’ll be doing some of your own writing.
  3. Beware of too many chefs. Keep the number of admins as low as possible. If you are the site owner, you may want to limit your site to 2 admin roles – one for you, and one for your webmaster.
  4. When adding a new writer to your staff, start them out as a Contributor and have a more seasoned editor reviewing their content before posting.
  5. Be aware that editors can publish pages and posts, so only hand out this role when you trust the content a user is writing is going to represent your business well. Graduate your writers from Contributor to Author. Only your top writers should be Editors.
  6. Grant non-technical support staff the level of Editor as the highest level of access.
  7. Remember that admins have equal power over your website, and even the best-intentioned people, when inexperienced, can cause harm to your site. Think of your admin account like the keys to your office.
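Tips 1 and 3 can be enforced rather than just remembered. Here is an added example (not part of the original post) of a small must-use plugin that refuses the usernames named in tip 1 at account creation and shows administrators a notice when the site has more than the two Administrator accounts suggested in tip 3. It assumes a single site (not Multisite); the `tv_example_` function name is hypothetical, and the limit of 2 is the post's suggestion.

```php
<?php
// Added example, not part of the original post. Drop into wp-content/mu-plugins/.

// Tip 1: WordPress consults this filter in wp_insert_user() and
// validate_username(), so these logins cannot be created at all.
add_filter('illegal_user_logins', function (array $illegal) {
    return array_merge($illegal, ['admin', 'user', 'wordpress']);
});

// Tip 3: how many accounts currently hold the Administrator role.
function tv_example_admin_count(): int {
    return count(get_users(['role' => 'administrator', 'fields' => 'ID']));
}

add_action('admin_notices', function () {
    if (!current_user_can('list_users')) {
        return; // only someone who can manage users should act on this
    }
    $limit = 2; // one for the owner, one for the webmaster (the post's suggestion)
    $count = tv_example_admin_count();
    if ($count > $limit) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html("This site has $count Administrator accounts; review them and demote any that only need Editor.")
        );
    }
});
```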

I hope these tips have helped you to better understand WordPress user roles, and have given you some helpful tips on how to most effectively set user roles on your WordPress website.

Questions? Leave a comment or drop me a note to let me know how I can help.

WordPress 4.3 admin menu broken in Chrome – Fix

I recently updated our sites to WordPress 4.3 and started noticing the left nav in the admin was broken on hover. I thought at first it was an issue on my localhost, checked live sites and found it there too. This is what it looks like:

As you hover along the links in the left nav bar, they seem to jump around, disappear and reappear kind of on top of each other.

This is not a WordPress bug at all, but is a known bug in the current version of Google Chrome. (If you follow that link and would like to say ‘me too!’, just click on the star just left of the title ‘Issue 509179’) This should be fixed by the next major release.

In the meantime, you can fix this issue by disabling “Slimming Paint” in your Google Chrome options. To do that copy/paste this into your browser address bar (where you usually type the web address for a website):
chrome://flags/#disable-slimming-paint

Your browser will jump to the section with a highlighted title that says “Disable slimming paint”. The wording is a little confusing because you’re enabling disabling this feature. Just click the link that says ‘enable’ and then restart your browser.

Your WordPress admin menu will render normally again.

Security Plugins Every WordPress Website Should Have Installed

If you run a website, then website security is probably on your mind regularly. As technology becomes more integrated with our lives, news about security breaches, DoS attacks and hacks has become more frequent. The need to be proactive about protecting your website has never been stronger. Here are some of my favorite security plugins. Most of them are free, and even where the free version is limited, each one is definitely something every WordPress website should have installed. Check back, as I’ll keep this list updated as things change, plugins are added or, sadly, any are removed!

A Simple Captcha Can Help Deter Attacks.

Brute Force Attacks occur no matter what host you’re with, and no matter how strong your password is. The first step to protecting your website from a successful brute force attack is setting up a strong user name and password.
(Helpful articles: Is my password strong enough? and How to Create a Strong Password You Can Remember)

Step two in protecting your website from brute force attacks is adding an extra layer of difficulty for bots trying to crack your login: a Captcha, which can be as simple as a basic math question (or not so simple if it’s before coffee). I recommend the Captcha by BWS plugin, which will add a simple captcha form to your login page. You can learn more about it here: BWS Captcha plugin and download from WordPress repository, here.

Secure your Login.

Adding a captcha to your login page is good, but what’s even better is limiting the number of login attempts anyone can make to get into your WordPress admin area. For this I highly recommend Login Security Solution. This plugin logs the IP addresses of attempted logins, and will systematically slow down the login process for those IPs. The delay is a ‘survival of the fittest’ method, meant to deter attackers, steering them away from your site to move on to the next one that may be an easier target. The beauty of this plugin is, if they DO manage to break in, the plugin recognizes the user as a miscreant and kicks them out, anyway!
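To show the slow-down idea in concrete terms, here is an added example (my own code, not code from the Login Security Solution plugin) of a minimal per-IP login throttle built on WordPress transients and the `wp_login_failed`, `authenticate` and `wp_login` hooks. It assumes `REMOTE_ADDR` is the real client address (no reverse proxy in front), and the `tv_example_` names are hypothetical.

```php
<?php
// Added example, not code from the Login Security Solution plugin.
// Failed logins are counted per client IP; later attempts from that IP are
// delayed by a growing number of seconds and refused once a cap is reached.
// Assumes REMOTE_ADDR is the real client address (no reverse proxy in front).

define('TV_EXAMPLE_WINDOW', 15 * MINUTE_IN_SECONDS); // how long failures are remembered
define('TV_EXAMPLE_MAX_FAIL', 10);                   // refuse outright at this count

// Transient key for the current client IP (hypothetical helper name).
function tv_example_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'tv_fail_' . md5($ip);
}

// Seconds to wait before the next attempt: none for the first two failures,
// then 2, 4, 8 ... capped at 30 so a PHP worker is never held for long.
function tv_example_delay_for(int $failures): int {
    if ($failures < 2) {
        return 0;
    }
    return (int) min(30, 2 ** ($failures - 1));
}

// WordPress fires this after rejecting a username/password pair.
add_action('wp_login_failed', function () {
    $key = tv_example_client_key();
    $n   = (int) get_transient($key);
    set_transient($key, $n + 1, TV_EXAMPLE_WINDOW);
});

// Runs after core's own password check (priority 20), so the WP_Error here
// wins even when the attacker finally guesses right.
add_filter('authenticate', function ($user) {
    $n = (int) get_transient(tv_example_client_key());
    if ($n >= TV_EXAMPLE_MAX_FAIL) {
        return new WP_Error('tv_too_many_failures', 'Too many failed logins from your address; try again later.');
    }
    sleep(tv_example_delay_for($n));
    return $user;
}, 99);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(tv_example_client_key());
});
```

Because the counter is keyed on the source address, a legitimate user behind the same NAT as an attacker is slowed down too; this is the trade-off the plugin described above makes as well.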

Stay in Control of Your Site Security.

As an added measure of security, I also recommend using the WordFence plugin. It works well especially if you set it up to work in conjunction with Login Security Solution. This plugin offers lots of options, and while it has some great pro-active features, some features come in very handy during an attack.

The proactive feature I’ve found most useful is the ability to block aggressive search engine spiders like Baidu and Sogou, which can be resource hogs.

There is a live traffic tab that will allow you to see current activity on the site, and if you’re undergoing a brute force attack, you’ll be able to see the IP addresses of the attackers. Combined with the tab to manually block an IP or IP range, you can do something about it.

Scan your site for Potential Problems.

If you’re running a free theme and want to check for possible exploits in the code, you should definitely install and run the “Exploit Scanner” plugin, written and maintained by Donncha Ó Caoimh, a highly respected WordPress developer. This plugin runs a deep scan of your database and will give you a lot of detail about anything suspicious. The output can be overwhelming, not every warning indicates malicious code, and it may take a more trained eye to interpret, but it is a great and powerful tool.

Compromised Website? Get Help Sooner Rather Than Later.

Sometimes you don’t need to run a scan – you notice things like advertisements for the latest variety of Viagra or similar being prominently displayed on your site, or maybe only on the mobile version of your site. If you want to run a test to be sure, here’s a site that will let you run a scan of your site to check for malicious activity or malware. Be patient, it takes a while to complete. (It took about 5 minutes for my test to run.)

Viruses, especially database injection viruses, can get evil and messy very quickly. If you suspect your site has been compromised and you don’t have the technical know-how to fix it, it’s better to get help from someone who does sooner rather than later. Every moment your site exists with a virus allows that virus to propagate through your site and make it harder to clean later on, so treat this as an urgent matter.

To get help from TrekVisual for an infected website, visit our webmaster services page or contact us.

Is my Password Strong Enough?

Username: admin
Password: admin

You know that’s really not bright, but why? First, I’ll answer the question –

Why do I need a strong password? 

It may not be obvious, but a strong password will help prevent a successful brute force attack on your account (whether this is your FTP account or your WordPress website).

“(A brute force attack) consists of systematically checking all possible keys or passwords until the correct one is found.” (wiki) You’ve seen it in movies, a computer screen cycling through characters one by one until each one is a hit and ‘locks’. This is the basic concept behind

Give it a go at this Brute Force Space Analysis calculator. Enter admin as a password. This is an accelerated test, with the smallest scenario showing how fast a password could be cracked at 1,000 attempts per second (3.43 hours). Now try a password like adm1n:) and it estimates a successful crack would take centuries.

You should be aware that this calculator doesn’t tell the complete story. Many brute force attacks are ‘password dictionary’ attacks, meaning a dictionary of common passwords is tried. Admin, 123456, Password are some of the more common (obvious) dictionary passwords.
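The calculator’s arithmetic is easy to reproduce. The following added example (not part of the original post) assumes the calculator counts every password from length 1 up to the length of yours, over the character classes you used (26 lowercase, 26 uppercase, 10 digits, 33 symbols), and divides by the guess rate; under that assumption “admin” at 1,000 guesses per second comes out at 3.43 hours, the figure quoted above, and “adm1n:)” at a couple of centuries. It also applies the dictionary caveat with a constructed three-word dictionary; the `tv_example_` names are hypothetical.

```php
<?php
// Added example, not from the original post: the search-space estimate
// described above, plus the dictionary caveat. Run with: php this_file.php

function tv_example_search_space(string $password): float {
    // Alphabet sizes assumed for the calculator's character classes.
    $classes = [
        '/[a-z]/'        => 26,
        '/[A-Z]/'        => 26,
        '/[0-9]/'        => 10,
        '/[^a-zA-Z0-9]/' => 33, // printable ASCII punctuation and space
    ];
    $alphabet = 0;
    foreach ($classes as $pattern => $size) {
        if (preg_match($pattern, $password)) {
            $alphabet += $size;
        }
    }
    // Sum of alphabet^i for i = 1..len: every shorter password is tried first.
    $space = 0.0;
    for ($i = 1, $n = strlen($password); $i <= $n; $i++) {
        $space += $alphabet ** $i;
    }
    return $space;
}

// Hours needed to exhaust the whole search space at a given guess rate.
function tv_example_hours(string $password, float $guesses_per_second): float {
    return tv_example_search_space($password) / $guesses_per_second / 3600;
}

// The caveat above: a dictionary entry falls in seconds no matter how big
// its search space looks. Constructed three-word dictionary for the demo.
function tv_example_in_dictionary(string $password): bool {
    $dictionary = ['admin', '123456', 'password'];
    return in_array(strtolower($password), $dictionary, true);
}

printf("admin:   %.2f hours at 1,000/s, in dictionary: %s\n",
    tv_example_hours('admin', 1000), tv_example_in_dictionary('admin') ? 'yes' : 'no');
printf("adm1n:)  %.0f years at 1,000/s, in dictionary: %s\n",
    tv_example_hours('adm1n:)', 1000) / 24 / 365, tv_example_in_dictionary('adm1n:)') ? 'yes' : 'no');
```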

How do I create a strong password?

The strongest password should be as long as possible (if you’re allowed to use 24 characters, use them), with a minimum of 8 characters. Your password should include numbers and be MiXeDCase (using upper and lower case letters). Most importantly, special characters should be interspersed among numbers and letters.

1Password! is an example of a password that includes all of those recommendations, but is definitely not a strong password, because it’s obviously a commonly recognizable word that begins with a number and ends in a (meaningful) special character. You should avoid common words, and I’d even suggest avoiding the use of the number 1 and the exclamation point.

To create a completely random password, you can use a site like random.org. If you’re super careful bordering on paranoid, you can use two or more password generator sites and combine parts of the generated password from each. I can’t guarantee this method will create an easy to remember password, though. For ideas to create a strong password you can remember, check out How to Create a Strong Password You Can Remember.

*Funny note: While writing this blog entry we got an automated notice from our TrekVisual security program to notify us that one of our sites was undergoing a brute force attack. Username they tried? admin