Password Management

Initial Login #

All users (Administrators, Editors and Authors) are provided with an initial username and password when their roles are configured.

It should be noted that WordPress is capable of sending the user a message containing the initial login information. However, experience has shown that some mail systems reject this email, as discussed here. To avoid damage to the sending reputation of the server, administrators should instead email users directly. Hence:

  • The password and username must be sent to the new user in separate emails, typically via Beacon or a similar system.
  • It is recommended that the username is at least ten characters long and does not include a reference to the person's name, the name of the u3a or their position in the u3a.
  • New users should be advised about the process and to expect emails containing the required information.

The initial password must be changed after the first login.

To maintain a secure site, it is strongly recommended that all users note the following:

  • Use a password between 8 and 64 characters long that includes at least one of each of the following: a capital letter, a lowercase letter, a number and a punctuation mark, as generated by WordPress or a password manager. The SiteWorks configuration plugin does not permit a user to set a password that fails to meet the minimum requirement. Note that the longer the password, the more secure it is; twelve characters should be considered the practical minimum length.
  • While the "Three Word Approach" (three random words) is recommended, three plain words do not on their own satisfy the requirements above, since they contain no capital letter, number or punctuation mark, so a degree of obfuscation is required (for example, capitalising the words, joining them with a punctuation mark and appending digits).
  • Users should follow the guidance published by the National Cyber Security Centre on password generation and management to maintain a high level of security.
  • Avoid using the Remember Me function on the login screen; instead use a separate password manager or the one provided by the browser or operating system. In either case, ensure that the software is updated regularly.
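The rules above (length, four character classes, and the adjustment needed to make a three-word passphrase comply) are small enough to express as a checker. The following is an added example written for this page; it is not code from the SiteWorks plugin or from WordPress, and the function names, the use of Python's `string.punctuation` as the definition of "punctuation mark", and the sample words are all assumptions of the example.

```python
import secrets
import string

# Policy as described on this page: 8 to 64 characters are accepted, twelve is
# the recommended working minimum, and each of four character classes must appear.
# (Assumption of this example: "punctuation mark" means any character in
# string.punctuation.)
MIN_LEN = 12
MAX_LEN = 64
PUNCTUATION = set(string.punctuation)


def check_password(pw, min_len=MIN_LEN):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if len(pw) > MAX_LEN:
        failures.append(f"longer than {MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in PUNCTUATION for c in pw):
        failures.append("no punctuation mark")
    return failures


def generate_password(length=16):
    """Random password from a CSPRNG that is guaranteed to satisfy check_password()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


def three_words_to_password(words, separator="-", digits=2):
    """Apply the 'obfuscation' the page asks for to a three-word passphrase:
    capitalise each word, join with a punctuation separator, append random digits.
    The result then passes check_password() whenever the words are long enough."""
    if len(words) != 3:
        raise ValueError("exactly three words expected")
    if separator not in PUNCTUATION:
        raise ValueError("separator must be a punctuation mark")
    body = separator.join(w.capitalize() for w in words)
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    return body + separator + suffix


if __name__ == "__main__":
    # Constructed sample words, not from any real word list.
    plain = "correcthorsebattery"
    print(plain, "->", check_password(plain))
    pw = three_words_to_password(["correct", "horse", "battery"])
    print(pw, "->", check_password(pw) or "passes")
    print(generate_password(), "-> passes")
```

The checker is deliberately strict about reporting every failure rather than stopping at the first, so a user (or a test) can see exactly which class is missing. The plain three-word string fails on three counts; the same words with capitals, a separator and a digit suffix pass without losing their memorability.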

Changing a Password #

A user's password can be changed in one of three ways:

  • Using the lost password feature on the Login Page. If this is selected, WordPress sends the user an email containing a link that allows the password to be changed. However, excessive use of this feature risks damaging the mail reputation of the server, so users should be advised not to rely on it.
  • The Administrator can select Users from the Dashboard, open an individual user and reset the password, following the same process as setting the original password.
  • A user can reset their own password by editing their profile and using the Set New Password option under Account Management, as follows:
    • Scroll to the bottom of the webpage.
    • Select Set New Password.
    • A WordPress-generated password is offered, or you can enter your own password as long as it conforms to the SiteWorks specification (i.e. at least twelve characters, including punctuation, lower and upper case letters and numbers).
    • Take note of the new password. It is strongly recommended that you copy and paste this into an electronic notepad or password manager. Remember, even the best of us can make a minor transcription error if taking a handwritten note (e.g. was it 0 or O, 1 or l).
    • Select Update Profile.
    • If the change was successful you will receive an email from the system.

Protection from Brute Force Attacks #

To defend against brute force attacks, the SiteWorks distribution includes the Loginizer plugin, which applies the following limits per source IP address:

  • Four login attempts are allowed, after which a 15 minute lockout is activated.
  • If more than five lockouts are detected, no further login attempts from that address will be considered for 24 hours.

Lockouts can be reviewed via the Loginizer dashboard by selecting the Brute Force tab.
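To make the two-tier behaviour above concrete, here is a model of the per-IP lockout logic as this page describes it. It is an added example, not Loginizer's code or configuration: the thresholds are taken from the bullets above, while the class and method names, the choice to reset the failure counter (but not the lockout counter) on a successful login, and the sample addresses are assumptions of the example.

```python
from dataclasses import dataclass

# Thresholds as described on this page for the Loginizer configuration shipped
# with SiteWorks. This models the described behaviour; it is not Loginizer's code.
MAX_ATTEMPTS = 4             # failed attempts that trigger a lockout
LOCKOUT_SECONDS = 15 * 60    # 15 minute lockout
MAX_LOCKOUTS = 5             # more than this many lockouts -> extended lockout
EXTENDED_SECONDS = 24 * 3600 # 24 hours


@dataclass
class IpState:
    failures: int = 0        # failed attempts since the last lockout or success
    lockouts: int = 0        # lockouts issued so far for this address
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self):
        self.ips = {}

    def _state(self, ip):
        return self.ips.setdefault(ip, IpState())

    def is_locked(self, ip, now):
        return now < self._state(ip).locked_until

    def record_failure(self, ip, now):
        """Register a failed login at time `now` (seconds).
        Returns the lockout duration applied by this failure, or 0 if none."""
        st = self._state(ip)
        if now < st.locked_until:
            return 0  # attempt during a lockout is not considered at all
        st.failures += 1
        if st.failures < MAX_ATTEMPTS:
            return 0
        st.failures = 0
        st.lockouts += 1
        # Assumption: the sixth and later lockouts are the extended ones.
        duration = EXTENDED_SECONDS if st.lockouts > MAX_LOCKOUTS else LOCKOUT_SECONDS
        st.locked_until = now + duration
        return duration

    def record_success(self, ip):
        # Assumption of this model: success clears the attempt counter only.
        self._state(ip).failures = 0


def simulate(events):
    """Replay constructed (time, ip, succeeded) events and return one outcome per
    event: 'locked' (ignored), 'ok', 'fail', or 'lockout:<seconds>'."""
    throttle = LoginThrottle()
    outcomes = []
    for now, ip, ok in events:
        if throttle.is_locked(ip, now):
            outcomes.append("locked")
        elif ok:
            throttle.record_success(ip)
            outcomes.append("ok")
        else:
            d = throttle.record_failure(ip, now)
            outcomes.append(f"lockout:{d}" if d else "fail")
    return outcomes


if __name__ == "__main__":
    # Constructed sample: four failures from one address, then a retry while locked.
    sample = [(0, "203.0.113.5", False), (1, "203.0.113.5", False),
              (2, "203.0.113.5", False), (3, "203.0.113.5", False),
              (4, "203.0.113.5", True), (905, "203.0.113.5", True)]
    for ev, out in zip(sample, simulate(sample)):
        print(ev, "->", out)
```

Two edge cases worth noticing: an attempt made while an address is locked is not counted as a further failure (so a locked attacker cannot extend their own lockout by retrying), and the lockout counter is never reset in this model, so five short lockouts followed by a sixth burst of failures yields the 24 hour block even if the bursts are hours apart.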

Application Passwords #

Users are not currently required to set an Application Password.

Updated on 24/02/2024