Password Management

Overview #

A major responsibility of each Local Website Administrator is to provide each user with secure login credentials. This ensures that the security of both the local site and the wider SiteWorks environment is maintained.

Users (Administrators, Editors and Authors) are provided with an initial username and password when their roles are configured.

It should be noted that although WordPress can send a message containing the initial login information, experience has shown that some mail systems reject this email, as discussed here. The administrator should therefore email the information to the user directly, so that SiteWorks does not suffer reputational damage. The recommended process is summarised as follows:

  • New users should be advised about the process and expect emails containing the required information as part of their induction process.
  • It is recommended that the username be greater than ten characters in length and that it does not include a reference to either the person’s name, the name of the u3a, or their position in the u3a.
  • The supplied password must conform to the SiteWorks standards, see below.
  • The username and password are sent to the new users, in two emails, typically via Beacon or a similar system.

The initial password must be changed after the first login as discussed here.

Password Generation and Specification #

To maintain a secure site, all SiteWorks users MUST note the following:

  • The password must be between 8 and 64 characters long and include at least one of each of the following: a capital letter, a lowercase letter, a number and a punctuation mark. A minimum of twelve characters is recommended. The SiteWorks configurations plugin does not permit a user to choose a password that fails to meet the minimum requirement. It should be noted that the longer the password, the more secure it is, hence twelve characters should be regarded as the practical minimum length. Some password generators, including the inbuilt WordPress generator, may not produce an acceptable password; typically they omit the number or the punctuation character.
  • While the “Three Word Approach” is recommended, it is not 100% compatible with the above requirements, hence a degree of obfuscation is required.
  • The Remember Me function available from the login screen should not be used. A separate password manager, or one provided by the browser or operating system, can be used instead; in either case, ensure that the software is updated regularly.
  • The National Cyber Security Centre guidance on password generation and management should be noted and followed as good practice; it is required to maintain a high level of security.

Generating a Three Word Password #

To generate a three-word password suitable for SiteWorks, the following process can be followed:

  • Select three random words, each between three and five letters long.
  • Combine them into a single lowercase string.
  • Change a limited number of characters to uppercase letters, digits and punctuation marks, selecting punctuation from ! £ $ ^ & * ( ) _ - ~

Hence:

learn, juice, tea ⇒ learnjuicetea ⇒ 7earNjuic£tea

To hack this password, approximately 2 × 10²³ options would need to be tested. Please don’t use this password on a live site!!
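As an added example (not code from the SiteWorks plugin or from this page), the following Python checks a password against the rules in the specification above and implements the three-word process just described. The punctuation set is the page's recommended list; treating any other non-alphanumeric character as punctuation is an assumption about the plugin's rule, not something the page states.

```python
import random
import secrets
import string

# Punctuation marks the page recommends for SiteWorks passwords.
# Assumption: any other non-alphanumeric, non-space character also counts
# as punctuation for the check; the page does not say what the plugin does.
RECOMMENDED_PUNCTUATION = "!£$^&*()_-~"

def check_password(password: str) -> list:
    """Return the SiteWorks rules the password breaks; an empty list means accepted."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be between 8 and 64 characters")
    if not any(c.isupper() for c in password):
        problems.append("missing a capital letter")
    if not any(c.islower() for c in password):
        problems.append("missing a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing a number")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("missing a punctuation mark")
    return problems

def meets_recommended_length(password: str) -> bool:
    """The page recommends at least twelve characters even though eight is the minimum."""
    return len(password) >= 12

def three_word_password(words, seed=None) -> str:
    """Follow the page's three-word process: pick three random 3-5 letter words, join
    them in lowercase, then change one character each to uppercase, a digit and a
    punctuation mark. A seed gives a repeatable result for testing; leave it None
    (secrets.SystemRandom) when generating a real password."""
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    pool = [w.lower() for w in words if w.isalpha() and 3 <= len(w) <= 5]
    chars = list("".join(rng.sample(pool, 3)))
    upper_at, digit_at, punct_at = rng.sample(range(len(chars)), 3)
    chars[upper_at] = chars[upper_at].upper()
    chars[digit_at] = rng.choice(string.digits)
    chars[punct_at] = rng.choice(RECOMMENDED_PUNCTUATION)
    return "".join(chars)
```

The "Generated1Pass" case in the checks illustrates the generator problem noted above: a password that looks strong but is rejected because it contains no punctuation mark.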

Acceptance and Rejection of a Password #

A user’s password must conform to the SiteWorks standards, i.e. greater than eight characters in length, and include punctuation, lower and upper case letters and digits. It should be noted that although WordPress or a third-party password manager may generate what appears to be an acceptable password, the character string may not conform to the SiteWorks standards, e.g. it may contain no punctuation characters.

If the following message appears at the top of the screen after clicking Add New User or Update User, the entered password has been accepted.

If the following message appears at the top of the screen after clicking Add New User or Update User, the entered password has not been accepted, and a new password needs to be supplied:

Changing a Password #

A user’s password can be changed by:

  • Using the lost password feature on the Login Page. If this is selected, WordPress will send the user a link via email to allow the password change. However, this carries a risk of reputational damage to SiteWorks if used excessively, hence users should be advised not to use this feature.
  • The Administrator can select Users from the Dashboard, select an individual user, reset the password, and then inform the user by following the same process used for the original password.
  • A user can reset their password by editing their profile, using the new password option, located under Account Management as follows:
    • Scroll to the bottom of the webpage.
    • Select Set New Password
    • Enter a password that conforms to the SiteWorks specification.
    • For punctuation characters, the following are recommended: ! £ $ ^ & * ( ) _ - ~
    • Take note of the new password. It is strongly recommended that you copy and paste it into an electronic notepad or password manager. Remember, even the best of us can make a minor transcription error when taking a handwritten note, so it is recommended to avoid I, 1, O, 0, B, 8, G, 6, Q, D, S, 5, Z and 2. Additionally, quotation marks can confuse Apple users especially.
    • When entering the new password ensure the strength is Strong and it conforms to the SiteWorks specification, see figure below.
    • Select Update Profile.

After selecting Update Profile, scroll to the top of the page. If the following message appears, the entered password has been accepted and the profile has been updated:

If the following message appears at the top of the screen after selecting Update Profile, the entered password has not been accepted, and a new password needs to be supplied:

Protection from Brute Force Attacks #

To protect against brute force attacks, the SiteWorks distribution includes the Loginizer plugin, which provides the following protection for each unique IP address:

  • Allows only four login attempts, after which a 15-minute lockout is activated.
  • If more than five lockouts are detected, logins are blocked for 24 hours.

It is important to understand that it is the public IP address that is blocked, so the temporary access block applies to anyone attempting to access any account on the same website from a single computer. Even if a user has two different logins to the same site, for example one as an Author and a second as an Administrator, a lockout triggered by either account will prevent a login on the other account.

Issues can be reviewed via the Loginizer dashboard by selecting the Brute Force tab.
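An added illustration, not Loginizer's own code: a small Python model of the per-IP lockout rules described above, with a constructed sample showing that a lockout triggered by one account also blocks a second account from the same address. The IP addresses and timestamps are made up, and how attempts made during an active lockout are counted is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as described on this page; counting rules during a lockout are assumed.
MAX_FAILURES = 4                   # failed attempts that trigger a lockout
LOCKOUT = timedelta(minutes=15)
MAX_LOCKOUTS = 5                   # more than this escalates to a 24 hour block
EXTENDED_BLOCK = timedelta(hours=24)
T0 = datetime(2024, 12, 7, 9, 0)   # constructed start time for the samples

@dataclass
class IpState:
    failures: int = 0
    lockouts: int = 0
    blocked_until: datetime = datetime.min

class LockoutTracker:          # state is keyed by public IP, not by account
    def __init__(self) -> None:
        self.ips: dict = {}

    def attempt(self, ip: str, success: bool, when: datetime) -> str:
        st = self.ips.setdefault(ip, IpState())
        if when < st.blocked_until:
            return "rejected: IP locked out"        # applies to every account
        if success:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures < MAX_FAILURES:
            return "failed"
        st.failures, st.lockouts = 0, st.lockouts + 1
        if st.lockouts > MAX_LOCKOUTS:
            st.blocked_until = when + EXTENDED_BLOCK
            return "blocked for 24 hours"
        st.blocked_until = when + LOCKOUT
        return "locked out for 15 minutes"

def shared_ip_demo() -> list:
    """Constructed sample: Administrator password wrong four times, then the same
    person's Author login with the correct password, all from one computer."""
    t = LockoutTracker()
    out = [t.attempt("203.0.113.10", False, T0 + timedelta(seconds=20 * i)) for i in range(4)]
    out.append(t.attempt("203.0.113.10", True, T0 + timedelta(minutes=2)))   # still locked
    out.append(t.attempt("203.0.113.10", True, T0 + timedelta(minutes=17)))  # lockout over
    return out

def repeated_failures(rounds: int) -> list:
    """Four failures per round, an hour apart: the sixth lockout becomes a 24 hour block."""
    t = LockoutTracker()
    return [t.attempt("198.51.100.7", False, T0 + timedelta(hours=k, seconds=i))
            for k in range(rounds) for i in range(4)]
```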

Applications Password #

Users are not currently required to set an Applications Password.

Updated on 07/12/2024