Password Management

A user’s password must conform to the SiteWorks standards, i.e. be greater than 12 characters in length and include punctuation, lower and upper case letters and numbers. It should be noted that WordPress or a third-party password manager may generate what appears to be an acceptable password while the character string does not in fact conform to the SiteWorks standards, e.g. it contains no punctuation characters.

If the error message appears at the top of the page after selecting either Add New User or Update User, the entered password has not been accepted by SiteWorks, and a NEW password is required.

Initial Login

All users (Administrators, Editors and Authors) are provided with an initial username and password when their roles are configured.

It should be noted that WordPress is capable of sending a message to the user with the initial login information. However, experience has shown that some mail systems may reject this email, as discussed here; therefore the administrator should email the information directly to the user, so that SiteWorks does not suffer reputational damage. The recommended process is:

  • The user name and password must be sent to the new users, in separate emails, typically via Beacon or a similar system.
  • It is recommended that the username is not less than ten characters in length and should not include a reference to either the person’s name, the name of the u3a or their position in the u3a.
  • The supplied password must conform to the SiteWorks standard.
  • New users should be advised about the process and to expect emails containing the required information.

The initial password must be changed after the first login.

Password Generation and Specification

To maintain a secure site, all users MUST note the following:

  • Use a password between 12 and 64 characters long, and include at least one of each of the following: a capital letter, a lowercase letter, a number and a punctuation mark. The SiteWorks configurations plugin does not permit a user to receive a password that does not meet the minimum requirement. It should be noted that the longer the password the more secure it is, hence twelve characters should be considered the minimum length. As noted above, some password generators may not provide an acceptable password – typically they omit the number or punctuation character.
  • While the “Three Word Approach” is recommended, it is not 100% compatible with the above requirements, hence a degree of obfuscation is required.
  • Guidance from the National Cyber Security Centre on password generation and management required to maintain a high level of security should be noted and followed as good practice.
  • The Remember Me function available from the login screen should not be used. Instead, use a separate password manager or one provided by the browser or operating system. In either case, ensure that the software is updated regularly.
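The following is an added example, not part of the SiteWorks plugin, that checks a candidate password against the requirements listed above (12 to 64 characters, at least one upper-case letter, lower-case letter, number and punctuation mark). It assumes that "punctuation" means the ASCII punctuation set, and it shows why an unmodified three-word passphrase and a generator output lacking punctuation are both rejected.

```python
import string

# Policy limits as stated on this page. Assumption: "punctuation" means the
# ASCII punctuation characters (string.punctuation); letters are ASCII only.
MIN_LENGTH = 12
MAX_LENGTH = 64


def check_password(password: str) -> list[str]:
    """Return the list of SiteWorks policy rules the password breaks.

    An empty list means the password is acceptable.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no upper-case letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lower-case letter")
    if not any(c in string.digits for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation mark")
    return problems


def is_acceptable(password: str) -> bool:
    """True when the password meets every SiteWorks requirement."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs: a plain three-word passphrase, the same
    # passphrase obfuscated as the page suggests, and a typical generator
    # output that omits punctuation.
    for candidate in ("correcthorsebattery",
                      "Correct-Horse-Battery7",
                      "aB3dEf7gH9jK"):
        verdict = check_password(candidate) or ["acceptable"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```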

Changing a Password

A user’s password can be changed by:

  • Using the lost password feature on the Login Page. If this is selected, WordPress will send the user a link via email to allow the password change. However, this comes with a cost of possible reputational damage to SiteWorks if used excessively, hence users should be advised not to use this feature.
  • The Administrator can select the Users from the Dashboard, and on selecting an individual user, reset the password, and follow the process identical to setting the original password to inform the user.
  • A user can reset their password by editing their profile, using the new password option, located under Account Management as follows:
    • Scroll to the bottom of the webpage.
    • Select Set New Password
    • Enter a password that conforms to the SiteWorks specification.
    • Take note of the new password. It is strongly recommended that you copy and paste this into an electronic notepad or password manager. Remember, even the best of us can make a minor transcription error if taking a handwritten note (e.g. was it 0 or O, 1 or l).
    • Select Update Profile.
    • If the change was successful you will receive an email from the system.

Protection from Brute Force Attacks

To prevent brute force cyber attacks, the SiteWorks distribution includes the Loginizer plugin, which provides the following protection for each unique IP address:

  • Allows only four login attempts, after which a 15 minute lockout is activated.
  • If more than five lockouts are detected, logins are blocked for 24 hours.

It is important to understand that the public IP address is blocked, so the temporary access block will apply to anyone attempting to access any account on the same website from a single computer. So even if a user has two different logins to the same site, for example, one as an Author and the second as an Administrator, then a lockout triggered by either account will prevent a login on the other account.
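The model below is an added example, not Loginizer's own code, that reproduces the behaviour described on this page: failures are counted per public IP address (four failures trigger a 15 minute lockout, more than five lockouts trigger a 24 hour block), and the username is deliberately not part of the key, which is why a lockout triggered by one account blocks every other account from the same address. It assumes, as a simplification, that the failure counter resets when a lockout starts and after a successful login.

```python
from dataclasses import dataclass

# Limits as stated on this page for the Loginizer configuration in SiteWorks.
MAX_ATTEMPTS = 4
LOCKOUT_SECONDS = 15 * 60
MAX_LOCKOUTS = 5
EXTENDED_BLOCK_SECONDS = 24 * 60 * 60


@dataclass
class IpState:
    failures: int = 0          # failed attempts since the last lockout/success
    lockouts: int = 0          # lockouts issued to this address so far
    blocked_until: float = 0.0 # epoch seconds until which logins are refused


class LoginGuard:
    """Per-IP brute force protection; the account name is intentionally ignored."""

    def __init__(self) -> None:
        self.ips: dict[str, IpState] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        return self.ips.get(ip, IpState()).blocked_until > now

    def attempt(self, ip: str, username: str, correct: bool, now: float) -> str:
        """Record one login attempt and return its outcome as a short label."""
        state = self.ips.setdefault(ip, IpState())
        if state.blocked_until > now:
            return "blocked"               # refused regardless of username
        if correct:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures < MAX_ATTEMPTS:
            return "failed"
        state.failures = 0                 # assumption: counter resets at lockout
        state.lockouts += 1
        if state.lockouts > MAX_LOCKOUTS:
            state.blocked_until = now + EXTENDED_BLOCK_SECONDS
            return "blocked-24h"
        state.blocked_until = now + LOCKOUT_SECONDS
        return "lockout-15m"


if __name__ == "__main__":
    guard = LoginGuard()
    ip = "203.0.113.5"                      # constructed documentation address
    for t in range(4):                      # four bad passwords as the Author
        print(guard.attempt(ip, "author", False, t))
    print(guard.attempt(ip, "admin", True, 10))   # correct Administrator password, still blocked
```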

Issues can be reviewed via the Loginizer dashboard, by selecting the Brute Force tab.

Applications Password

Users are not currently required to set an Applications Password.

Updated on 15/10/2024