Password Management

Initial Login #

Users (Administrators, Editors and Authors) are provided with an initial username and password when their roles are configured.

It should be noted that, although WordPress can send a message containing the initial login information, experience has shown that some mail systems may reject this email, as discussed here. Therefore the administrator should directly email the information to the user so that SiteWorks does not suffer reputational damage. The recommended process is:

  • The username and password are sent to the new users, in two emails, typically via Beacon or a similar system.
  • It is recommended that the username is greater than ten characters in length; it must not include a reference to the person’s name, the name of the u3a or their position in the u3a.
  • The supplied password must conform to the SiteWorks standards, see below.
  • New users should be advised about the process and expect emails containing the required information as part of their induction process.

The initial password must be changed after the first login as discussed here.

Rejection of a Password #

A user’s password must conform to the SiteWorks standards, i.e. greater than 8 characters in length, and include punctuation, lower and upper case letters and numbers. It should be noted that, while WordPress or a third-party password manager may generate what appears to be an acceptable password, the character string may not conform to the SiteWorks standards, e.g. it may contain no punctuation characters.

If the following message appears at the top of the screen after clicking Add New User or Update User, the entered password has not been accepted.

If the message appears, a new password needs to be supplied and confirmed by clicking Add New User or Update User.

Password Generation and Specification #

To maintain a secure site, all SiteWorks users MUST note the following:

  • Guidance from the National Cyber Security Centre on password generation and management required to maintain a high level of security should be noted and followed as good practice.
  • The password must be between 12 and 64 characters long, and include at least one of each of the following: a capital letter, a lowercase letter, a number and a punctuation mark. The SiteWorks configurations plugin does not permit a user to receive a password that does not meet the minimum requirement. It should be noted that the longer the password the more secure it is, hence twelve characters should be considered the minimum length. Some password generators may not provide an acceptable password – typically they omit the number or punctuation character.
  • While the “Three Word Approach” is recommended, it is not 100% compatible with the above requirements, hence a degree of obfuscation is required.
  • The Remember Me function available from the login screen should not be used; instead, a separate password manager, or one provided by the browser or operating system, should be used. In either case, ensure that the software is updated regularly.
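The following is an added example, not part of the SiteWorks plugin or this page: a small checker for the password rules listed above (12 to 64 characters, with at least one capital letter, lowercase letter, number and punctuation mark), used here to show why an unmodified “Three Word” password and a typical generator output are rejected. The sample passwords are constructed for illustration.

```python
import string

# Rules as stated in the SiteWorks specification above.
MIN_LEN, MAX_LEN = 12, 64
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
PUNCT = set(string.punctuation)   # assumption: ASCII punctuation counts as a "punctuation mark"


def password_problems(password: str) -> list[str]:
    """Return the SiteWorks rules the password fails; an empty list means acceptable."""
    chars = set(password)
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not chars & UPPER:
        problems.append("no capital letter")
    if not chars & LOWER:
        problems.append("no lowercase letter")
    if not chars & DIGITS:
        problems.append("no number")
    if not chars & PUNCT:
        problems.append("no punctuation mark")
    return problems


def is_acceptable(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed samples: a plain three-word password, the same password
    # "obfuscated" with a separator and a digit, and a generator-style string
    # that omits punctuation.
    for sample in ("CorrectHorseBattery", "Correct-Horse-Battery7", "xK9vT2mQ8pLw"):
        problems = password_problems(sample)
        print(f"{sample!r}: {'accepted' if not problems else ', '.join(problems)}")
```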

Changing a Password #

A user’s password can be changed by:

  • Using the lost password feature on the Login Page; if this is selected, WordPress will send the user a link via email to allow the password change. However, this comes with a cost of possible reputational damage to SiteWorks if used excessively, hence users should be advised not to use this feature.
  • The Administrator can select the Users from the Dashboard, and on selecting an individual user, reset the password, and follow the process identical to setting the original password to inform the user.
  • A user can reset their password by editing their profile, using the new password option, located under Account Management as follows:
    • Scroll to the bottom of the webpage.
    • Select Set New Password.
    • Enter a password that conforms to the SiteWorks specification.
    • Take note of the new password. It is strongly recommended that you copy and paste this into an electronic notepad or password manager. Remember, even the best of us can make a minor transcription error if taking a handwritten note (e.g. was it 0 or O, 1 or l).
    • Select Update Profile.
    • If the change was successful you will receive an email from the system.

Protection from Brute Force Attacks #

To prevent brute force cyber attacks, the SiteWorks distribution includes the Loginizer plugin, which provides the following protection for each unique IP address:

  • Allows only four login attempts, after which a 15 minute lockout is activated.
  • If more than five lockouts are detected, logins are blocked for 24 hours.

It is important to understand that the public IP address is blocked, so the temporary access block will apply to anyone attempting to access any account on the same website from a single computer. So even if a user has two different logins to the same site, for example, one as an Author and the second as an Administrator, then a lockout triggered by either account will prevent a login on the other account.
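As an added illustration (this is not Loginizer’s code, and the exact counting rules are an assumption read from the two bullet points above), the model below keeps the lockout state per IP address rather than per account. The constructed scenario shows an Author account being locked out and the same person’s Administrator login from the same address failing until the 15 minutes have passed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Limits as described on this page; interpretation of "four attempts" and
# "more than five lockouts" is an assumption.
MAX_ATTEMPTS = 4
LOCKOUT = timedelta(minutes=15)
MAX_LOCKOUTS = 5
BLOCK = timedelta(hours=24)


@dataclass
class IpState:
    failures: int = 0                      # failed attempts since the last lockout
    lockouts: int = 0                      # lockouts seen from this address
    locked_until: Optional[datetime] = None
    blocked_until: Optional[datetime] = None


class LoginThrottle:
    def __init__(self) -> None:
        self.ips: dict[str, IpState] = {}   # state is keyed by IP only, never by username

    def status(self, ip: str, now: datetime) -> str:
        s = self.ips.setdefault(ip, IpState())
        if s.blocked_until and now < s.blocked_until:
            return "blocked"
        if s.locked_until and now < s.locked_until:
            return "locked"
        return "open"

    def attempt(self, ip: str, username: str, password_ok: bool, now: datetime) -> str:
        # `username` is accepted only to show that it plays no part in the decision.
        current = self.status(ip, now)
        if current != "open":
            return current
        s = self.ips[ip]
        if password_ok:
            s.failures = 0
            return "success"
        s.failures += 1
        if s.failures < MAX_ATTEMPTS:
            return "failed"
        s.failures = 0
        s.lockouts += 1
        if s.lockouts > MAX_LOCKOUTS:
            s.blocked_until = now + BLOCK
            return "blocked"
        s.locked_until = now + LOCKOUT
        return "locked"
```

Constructed scenario: three wrong Author passwords from 203.0.113.5 return "failed", the fourth returns "locked", and a correct Administrator password from the same address returns "locked" until 15 minutes later, when it returns "success".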

Issues can be reviewed via the Loginizer dashboard by selecting the Brute Force tab.

Applications Password #

Users are not currently required to set an Applications Password.

Updated on 21/10/2024