CM Admin Toolset (CMADM) + WordPress Two Factor Authentication (CMAUTH) + CM Restrict User Account Access - Use Case - How to Improve Your WordPress Site Security


Use Case – How to Improve Your WordPress Site Security


Note: This guide covers features from: 


Introduction

The CM Admin Tools plugin is a selection of handy administration tools to empower your WordPress admin dashboard, improve site performance, customize the admin panel look and feel, monitor error logs, track cron jobs, and more.

WordPress Two Factor Authentication strengthens account security for your WordPress users by integrating several widely used two-factor authentication (2FA) methods.

CM Restrict User Account Access allows you to automatically block or delete user accounts on your site after a set period of time, or to restrict user accounts by the number of logins.

Use Case Front-End

Successfully accessing the account with 2FA using an email code:

Accessing the account with 2FA using email code

Attempt to access the back-end dashboard when it's forbidden:

Attempt to access the back-end dashboard when it's forbidden

Attempt to log in when the account is not activated yet:

Attempt to login when the account is not activated yet

Attempt to log in when the account has expired or has reached the limit of logins:

Attempt to login when the account expired or has reached the limit of logins

Use Case Assumptions

In this example use case guide we will consider how to improve the security of your WordPress site using the bundle of plugins.

We assume that you have already purchased the plugins but have not installed them yet.

The steps are as follows:

Installing the Plugin

The process is the same for all CM plugins and add-ons.

CreativeMinds Customer Account Dashboard - Downloads tab
  • Download the plugin from your customer dashboard.
  • Log in to WordPress and navigate to the WordPress Admin → Plugins settings.
  • Click on Add New.
  • Activate it and add the license.

User Account Restrictions

Let's start with user account restrictions. With the CM Restrict User Account Access plugin you can automatically block or delete user accounts on your site after a set period of time. You can also limit the number of logins to your site.

Before enabling these features, we need to configure base plugin settings. Navigate to Admin Dashboard → CM Restrict User Account Access Pro → Settings → General tab.

Navigation to the plugin settings

There you can find the default settings:

Default plugin settings
  • Pick the First Day of The Week - Choose the day the week starts on: Sunday or Monday. This option matters for the weekly login limits, because it defines when the weekly access counter is reset. It does not matter on which day the user registered (Friday or Saturday, for example): the weekly counter is reset on Sunday or Monday, depending on which day you choose as the start of the week.
  • Default value for "Delete user after date" checkbox - If enabled, the checkbox Delete when expire in a new user's profile will be checked by default. You can check or uncheck this option individually for each user. This prevents accidental expirations and deletions. Let's keep this option disabled for now.
  • Login error message (not activated) - Set the message that appears if the user tries to log in before the account is activated.
  • Login error message - Set the message that appears if the user tries to log in when the account has expired or has reached the limit of accesses.
  • Choose what to do with the content of a deleted user - If you want the user account to be deleted when it expires, you can either delete all of the user's content or reassign it to another user. This option can be overridden individually for each user on the user profile editing page.
  • Pick the user to attribute content to - If you want to attribute all content of the deleted user to another user, pick that user here. This choice can be overridden individually for each user on the user profile editing page.

Now it's time to configure the main features.

Limit of Logins To the Site

Below you can find a few options that allow you to set daily, weekly and total login limits for every user. When a user reaches one of these limits, he will no longer be able to log in to the site.

The following 3 fields define the default number of logins for a user:

Fields for defining default numbers of logins
  • Pick the total accesses for user - This value must be greater than the weekly and daily accesses.
  • Pick the weekly accesses for user - This value must be less than the total accesses and greater than the daily accesses.
  • Pick the daily accesses for user - This value must be less than the total and weekly accesses.

To make any of these parameters unlimited, you can check the option Unlimited Access On/Off next to the needed parameter, or set the value "-1".

Setting up default numbers of logins

Don't forget to click the button Save at the bottom of the page to save the changes.

Saving the changes

Individual User Limits

These limits can be overridden separately for each user. The values you define in these fields are the defaults, which are used in 2 cases:

  1. When a user is created and you enable limits for him - the starting limit values are equal to the defaults.
  2. When you have changed the limit values for a user and later want to reset them to the defaults.

Now we can enable the restrictions for users. Navigate to Admin Dashboard → Users → All Users.

Navigation to the list of all users

Hover over the user you want to set the limits for and click Edit.

Editing the user

Then scroll down to the section CM Restrict User Account Access. There you can find two options. We need the option Restrict user by number of accesses - choose Yes to enable this restriction.

Restrict access settings for a specific user

When the option is enabled, a few new options will appear:

Specifying number of logins for a specific user
  • Restrict date (from) - Set the date and time from which the following limits take effect. Before that date and time the limits do not apply.

The following 3 parameters duplicate the options from the plugin settings. Here you can override the defaults:

  • Total number of accesses - Set how many times the user can log in to your site in total. This value must be greater than the weekly and daily accesses.
  • Weekly number of accesses - Set how many times the user can log in to your site during a week. This value must be less than the total accesses and greater than the daily accesses.
  • Daily number of accesses - Set how many times the user can log in to your site during a day. This value must be less than the total and weekly accesses.

To make any of these parameters unlimited, you can check the option Unlimited Access On/Off next to the needed parameter, or set the value "-1".

Making unlimited weekly access

When you first enable this restriction, the values in these 3 fields are equal to the defaults from the plugin settings. If you have changed these values for this user and want to reset them to the defaults, click the button Reset login limits.

Resetting login limits

Each of these 3 parameters has a counter called Used Accesses. It displays how many times the user has logged in.

Login counters

The counter Daily number of accesses is reset every 24 hours, and Weekly number of accesses is reset at the beginning of every week (in our case on Monday, as defined in the plugin settings). Once the user has reached the limit in Total number of accesses, he will not be able to access the site anymore.

You can reset these counters by clicking on the button Reset login counters.

Resetting login counters

When you have finished setting the restrictions for the user, scroll down and click the button Update User.

Saving the changes

Now go back to the list of all users. You can see the restriction info for each user (if defined) in the column Total / Weekly / Daily.

Login info of a user

There you can also see a value Grand Total - it counts how many times the user has logged in overall. Even if you use the Reset login counters button, it will not affect the Grand Total value, as it counts ALL of the user's logins while the access limits are enabled for him. This value is only erased when the user's account is deleted.

Now, when the user reaches the limit, he will see the message that he is not able to log in.
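To make the counter semantics described above concrete, here is an added Python model (example code written for this guide, not the plugin's own) of the total/weekly/daily limits, the "-1" unlimited convention, the Restrict date (from) start, the weekly reset on the configured first day of the week, the 24-hour daily reset, and the Grand Total that survives Reset login counters. The daily window being measured from the first counted login is an assumption, as is treating an unlimited value as infinite when validating total > weekly > daily.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

UNLIMITED = -1          # the plugin's "-1" / "Unlimited Access On/Off" convention
MONDAY, SUNDAY = 0, 6   # Python weekday() numbers for "Pick the First Day of The Week"

def cap(value: int) -> float:
    """Map -1 to an infinite cap so limits and counters compare uniformly."""
    return float("inf") if value == UNLIMITED else float(value)

@dataclass
class LoginLimits:
    total: int
    weekly: int
    daily: int

    def validate(self) -> None:
        # The guide requires total > weekly > daily; an unlimited value counts as infinite (assumption).
        if cap(self.total) < cap(self.weekly) or cap(self.weekly) < cap(self.daily):
            raise ValueError("limits must satisfy total >= weekly >= daily")

@dataclass
class UserAccess:
    limits: LoginLimits
    first_day_of_week: int = MONDAY
    restrict_from: Optional[datetime] = None  # "Restrict date (from)"
    used_total: int = 0                       # the three "Used Accesses" counters
    used_weekly: int = 0
    used_daily: int = 0
    grand_total: int = 0                      # "Grand Total": survives reset_login_counters()
    daily_window_start: Optional[datetime] = None
    last_login: Optional[datetime] = None

    def week_start(self, when: datetime) -> datetime:
        """Midnight of the configured first day of the week containing `when`."""
        back = (when.weekday() - self.first_day_of_week) % 7
        return (when - timedelta(days=back)).replace(hour=0, minute=0, second=0, microsecond=0)

    def roll_counters(self, now: datetime) -> None:
        # Daily: reset 24 h after the window opened (assumption: the window opens at the first counted login).
        if self.daily_window_start is None or now >= self.daily_window_start + timedelta(hours=24):
            self.used_daily, self.daily_window_start = 0, now
        # Weekly: reset once a new week (by first_day_of_week) has begun since the last login.
        if self.last_login is not None and self.week_start(now) != self.week_start(self.last_login):
            self.used_weekly = 0

    def try_login(self, now: datetime) -> bool:
        """True if the login is permitted; it is counted only while the limits are in force."""
        if self.restrict_from is not None and now < self.restrict_from:
            return True  # limits not active yet: allowed and not counted
        self.roll_counters(now)
        if (self.used_total >= cap(self.limits.total) or self.used_weekly >= cap(self.limits.weekly)
                or self.used_daily >= cap(self.limits.daily)):
            return False  # the configured "Login error message" would be shown
        self.used_total += 1
        self.used_weekly += 1
        self.used_daily += 1
        self.grand_total += 1
        self.last_login = now
        return True

    def reset_login_counters(self) -> None:
        """The "Reset login counters" button: clears Used Accesses but not Grand Total."""
        self.used_total = self.used_weekly = self.used_daily = 0

def demo() -> List[bool]:
    """Constructed scenario: total 5 / weekly 3 / daily 2, week starts Monday (2024-01-01 is a Monday)."""
    user = UserAccess(LoginLimits(total=5, weekly=3, daily=2))
    user.limits.validate()
    days = [(5, 10), (5, 11), (5, 12), (6, 10), (6, 11), (8, 10), (8, 11), (9, 10)]  # Fri x3, Sat x2, Mon x2, Tue
    return [user.try_login(datetime(2024, 1, d, h)) for d, h in days]
```

In the constructed scenario the third Friday login hits the daily limit, the second Saturday login hits the weekly limit, the counters roll over on Monday, and the Tuesday login is refused because the total of 5 has been used.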

TIP

Learn more about this type of restriction in this guide: CM Restrict User Account Access - Use Case - How To Limit Account Access by Logins

Account Expiration Settings

Now get back to the plugin settings.

Navigation to the plugin settings

Find the section User registration settings. This section defines the expiration period for all newly registered users. The options are:

User registration settings
  • Enable expire date time after registration - Enable this option to automatically expire accounts after registration.
  • Time period - Input the amount of time (for instance, 30).
  • Time unit - Choose whether the time period is measured in Hour(s) or Day(s) (for instance, 30 days).

Don't forget to save the changes after configuring. Now all newly registered users will be blocked automatically once 30 days have passed.

Individual User Date Restrictions

You can also set the restriction period manually for each user. Let's go back to the user's editing page. On that page, scroll down to the section CM Restrict User Account Access. There you can find two options. We need the option Restrict user by date - choose Yes to enable date restriction.

Enabling individual user date restrictions

When the option is enabled, a few new options will appear:

Individual user date restrictions
  • Account activation date - Set the time when the account will be activated. If the user tries to log in before that time, he will see the message that his account is not activated yet.
  • Restrict date - Set the time when the account will be blocked. If the user tries to log in after that time, he will see the message that he no longer has access. Let's set the period to 3 months - during this time the user can use his account.
  • Delete when expire - Enable this option if you want the account to be deleted when the access time expires. We will not enable deletion of expired accounts now; let's just block the expired account.

When you have finished setting the restrictions for the user, scroll down and click the button Update User.

Saving the changes

Now get back to the list of all users. You can see restriction dates for each user (if defined) in the column Restrict Date.

Restriction dates of a user

TIP

Learn more about this type of restriction in this guide: CM Restrict User Account Access - Use Case - How To Limit Account Access by Logins

Result

Now, when the user tries to log in before the account is activated, he will see the message that his account is not activated yet:

Result when the account is not activated yet

And if the user tries to log in when the account has expired or he has reached the limit of logins, he will see the message that he no longer has access:

Result when the account is expired or reached the limit

Two-Factor Authentication (2FA)

The plugin WordPress Two Factor Authentication provides several widely used two-factor authentication (2FA) methods: Google Authenticator, Mobile Phone SMS, Email verification and Email code. Because authentication no longer relies on the password alone, users' credentials and data are better protected. From the list of provided methods, in this use case guide we will consider enabling 2FA using an email code.

2FA Login With Email Code

Enabling email code protection on your site is quite simple. First, you need to configure all base options. To do this, navigate to Admin Dashboard → CM Secure Login Pro → Settings → General tab.

Navigation to the plugin settings

Here you can find a few sections with options.

Login

Login settings
  • Protection method - This option is the core of the plugin. Here you choose which protection method to use. In this use case we choose the method Send verification code to user's email address.
  • Require chosen protection method for all users - Enable this option if you want to apply the selected method to all users.
  • Require chosen protection method for chosen roles - If the previous option is disabled, you can apply the chosen protection method only to the user roles you select from the list.

Disable passwords

You can disable the password for every user or only for those with certain roles. Note that disabling the password does not mean the users will only need their username to sign in. Instead, they will log in with their username and the chosen authentication method.

  • Disable passwords for all users - Choose Yes if you want to disable passwords for all users. Let's keep it set to No for now.
  • Disable passwords for chosen roles - Choose the roles that won't need a password to log in. Works if the previous option is disabled (set to No).
Disabling passwords

Common

Here you can configure additional security options.

Common settings
  • Expiration time for the email/SMS code or link [minutes] - Define the time in minutes after which the sent one-time code expires.
  • Sleep time when the entered code is incorrect [seconds] - Set a delay to send to the browser when a user enters an invalid code from Google Authenticator or e-mail. This slows down malicious bots that try to log in by brute force.
  • Logout after activity/inactivity time [minutes] - Users will be logged out after this period of activity/inactivity (in minutes). Set to 0 to disable.
  • Logout mode - Choose when to log users out: after a period of inactivity only, or in both cases - activity and inactivity. Works if the previous option is enabled.
  • Characters set to generate the code from - Set the characters that will be used to create the random code.
  • Code length - Set the authentication code length.
  • Enable statistics - Enabling this option collects statistics with detailed information about all logins made using 2FA protection. Learn more about this feature in this guide: WordPress Two Factor Authentication (CMAUTH) - How To - Collect Login Statistics

Email Code

The next important tab is Email Code.

Email code settings tab

In this tab, you can edit the email template that contains a verification code:

Email template

You can use the following shortcodes to add dynamic content to the subject and body of these emails:

  • Subject shortcodes:
    • [blogname]
    • [siteurl]
    • [userdisplayname]
    • [userlogin]
    • [useremail]
  • Body shortcodes:
    • [code] - the code that the user has to enter on the login form. Note: this shortcode must be present in the email.
    • [blogname]
    • [siteurl]
    • [userdisplayname]
    • [userlogin]
    • [useremail]

In this tab you can also define a URL where the user will be redirected when logged in after using the code. If it's left empty, the default WordPress admin link will be used.
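The Common settings and the Email Code template above fit together into one verification flow. The following added Python example (written for this guide, not the plugin's code) generates a one-time code from the configured character set and length, applies the expiration time, enforces the sleep delay on a wrong guess, consumes the code on success, and fills the [code] and other shortcodes into the email template. The class and function names are the example's own; the sleep callback is injectable only so that the flow can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict

@dataclass
class EmailCodeSettings:
    charset: str = "0123456789"     # "Characters set to generate the code from"
    code_length: int = 6            # "Code length"
    expiration_minutes: int = 10    # "Expiration time for the email/SMS code or link [minutes]"
    sleep_seconds: int = 3          # "Sleep time when the entered code is incorrect [seconds]"

@dataclass
class PendingCode:
    code: str
    expires_at: datetime

def render_template(template: str, fields: Dict[str, str], require_code: bool = False) -> str:
    """Substitute [blogname], [siteurl], [code], ... shortcodes; an email body must carry [code]."""
    if require_code and "[code]" not in template:
        raise ValueError("the email body must contain the [code] shortcode")
    out = template
    for name, value in fields.items():
        out = out.replace(f"[{name}]", value)
    return out

class EmailCodeVerifier:
    def __init__(self, settings: EmailCodeSettings, sleeper: Callable[[float], None] = time.sleep):
        self.settings = settings
        self.pending: Dict[str, PendingCode] = {}   # one outstanding code per user login
        self.sleeper = sleeper                      # injectable so a test does not really wait

    def issue(self, user_login: str, now: datetime) -> PendingCode:
        """Generate a one-time code with the configured alphabet and length and record its expiry."""
        s = self.settings
        code = "".join(secrets.choice(s.charset) for _ in range(s.code_length))
        pending = PendingCode(code, now + timedelta(minutes=s.expiration_minutes))
        self.pending[user_login] = pending
        return pending

    def verify(self, user_login: str, entered: str, now: datetime) -> str:
        """Return 'ok', 'expired' (missing, used or timed out) or 'invalid' (wrong code)."""
        pending = self.pending.get(user_login)
        if pending is None or now >= pending.expires_at:
            self.pending.pop(user_login, None)
            return "expired"
        # Constant-time comparison; a wrong guess costs the configured sleep, which slows brute force.
        if not hmac.compare_digest(pending.code.encode(), entered.encode()):
            self.sleeper(self.settings.sleep_seconds)
            return "invalid"
        del self.pending[user_login]  # one-time use: the same code cannot be replayed
        return "ok"
```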

After login redirection URL

Result

Base configuration is done, so don't forget to click the button Save at the bottom of the page, and let's check how it works on the front-end.

When the user tries to log in after 2FA is enabled, he needs to enter his username/email and password, and then click Get verification code. He will be notified that the verification code was sent to his email, and he can also see when the code expires. The user copies the code from the email, enters it in the Verification Code field and clicks Log In.

Result

IPs Restriction

WordPress Two Factor Authentication provides a couple more features for additional account security.

Head to the IP tab.

IP restrictions tab

You can choose how many IP addresses are allowed for each user role.

The options are:

Enabling IP limits
  • Restrict user IPs - Enables the feature.
    • User roles affected by IPs restriction - Mark which roles will be affected.
  • Maximum of IPs allowed to each user - Choose a number (1 or higher).
  • Accept only IPs chosen by the admin - Only allows logins from specific IPs defined by the admin for each user. Login attempts from other IPs will be blocked even if more IP slots are available.

As a result, if someone tries to log in to the account from a new IP when the IP limit is reached, or from an IP that is not allowed by the admin, the following message is shown:

Result

Devices Restriction

Another restriction type is located under the Device tab.

Device restrictions tab

You can restrict certain user roles from logging in from too many different devices.

The options are:

Enabling device limits
  • Restrict user devices - Enables the feature.
    • Select user roles with devices restricting - Mark which roles will be affected.
  • Maximum number of devices allowed to user - Choose a number (1 or higher).

As a result, if someone tries to log in to the account from a new device when the device limit is reached, the following message is shown:

Result

Access Restrictions

The CM Admin Tools plugin provides a set of features to increase the security of your WordPress site. To configure them, navigate to Admin Dashboard → CM Admin Tools Pro → CM Admin Tools Pro.

Navigation to the plugin settings

Displaying Admin Bar

First, head to the Customization tab.

Customization settings tab

Under the Admin Bar section, you can disable the admin bar on the front-end. Just choose Yes in the option Hide admin bar on the front-end:

Hiding admin bar on the front-end

Maintenance Mode

Now head to the Access tab.

Access settings tab

The first feature here that we will consider is Maintenance Mode. It is useful if your site is under construction and you want a page with an announcement to be displayed instead. Options for this feature can be found under the corresponding section:

Maintenance mode settings
  • Enable maintenance (coming soon mode) - If enabled, none of your website's pages will be available to the specified users; instead, the page you define in this setting will be displayed.
  • Page to display - Choose which page will be displayed when the maintenance mode is enabled.
  • Allowed roles - Specify which roles will still be able to see the website while the maintenance mode is enabled (e.g. administrator).
  • Use minimal template - If enabled, only the "coming soon" page title and content will be displayed. If disabled, the normal WP template will be loaded.

How it works on the front-end, when the user accesses the site:

Result

XML-RPC

Another important option is located under the Security section.

Enabling XML-RPC
  • Enable XML-RPC - If enabled, WordPress features will be available through XML-RPC (a remote procedure call protocol based on XML). For example, this allows managing your website with the WordPress mobile app. However, it also creates some security risks, since it exposes an additional remote interface to the site. Disable this option if you want to provide the highest security level.

Dashboard Access

The last section we need is Dashboard Access. Here you can define which users are allowed to access the back-end dashboard and specify additional requirements for this. The options are:

Dashboard access settings
  • Roles who can access the dashboard - Enable or disable dashboard access for specific roles. Users without access won't be able to open the dashboard pages, and the admin bar will be hidden on the front-end. The Admin will always be allowed to access the Dashboard.
  • Allow capabilities who can access the dashboard - Allow access to the dashboard for users who have specific capabilities (separated by commas). Example: edit_posts,publish_posts,other_custom_cap.
  • Disallowed Capabilities who cannot access the dashboard - Disallow access to the dashboard for users who have specific capabilities (separated by commas). Example: edit_posts,publish_posts,other_custom_cap.
  • Redirect user trying access the dashboard to URL address - Enter the URL to which users will be redirected after an attempt to access the dashboard.
  • Always allow access to User Profile page - If enabled, access to the User Profile dashboard page will always be possible, even if the user cannot access the Dashboard.
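The added Python example below (written for this guide, not the plugin's code) evaluates the five Dashboard Access options above for a given user and request: it parses the comma-separated capability lists, always admits the administrator as the guide states, honours the profile-page exception (assumed to be WordPress's profile.php), and returns the redirect URL otherwise. Treating a disallowed capability as overriding any role or capability allow is an assumption of this example; the guide does not state the precedence.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

def parse_caps(csv: str) -> FrozenSet[str]:
    """Parse the comma-separated capability lists, e.g. "edit_posts,publish_posts,other_custom_cap"."""
    return frozenset(part.strip() for part in csv.split(",") if part.strip())

@dataclass
class DashboardAccessSettings:
    roles_allowed: FrozenSet[str]        # "Roles who can access the dashboard"
    allowed_caps: FrozenSet[str]         # "Allow capabilities who can access the dashboard"
    disallowed_caps: FrozenSet[str]      # "Disallowed Capabilities who cannot access the dashboard"
    redirect_url: str = "/"              # "Redirect user trying access the dashboard to URL address"
    always_allow_profile: bool = True    # "Always allow access to User Profile page"

@dataclass
class User:
    roles: FrozenSet[str]
    caps: FrozenSet[str]

def dashboard_decision(settings: DashboardAccessSettings, user: User, admin_page: str) -> Optional[str]:
    """None means the dashboard page may be served; otherwise the URL the user is redirected to."""
    if "administrator" in user.roles:
        return None  # the guide: the Admin is always allowed to access the Dashboard
    if settings.always_allow_profile and admin_page == "profile.php":
        return None  # assumption: the User Profile page is WordPress's profile.php
    if user.caps & settings.disallowed_caps:
        return settings.redirect_url  # assumption: a disallowed capability overrides every allow rule
    if user.roles & settings.roles_allowed or user.caps & settings.allowed_caps:
        return None
    return settings.redirect_url
```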

When you finish editing the settings, click the button Save at the bottom of the page.

Saving the changes

TIP

Learn more about the other features the CM Admin Tools plugin provides in this guide: CM Admin Tools (CMADM) - Use Case - Security and Optimization

End Result

By following the instructions in the plugins and these guides, you should be able to improve the security of your WordPress site using this bundle of plugins.

Use Case Front-End

Attempt to log in when the account is not activated yet:

Attempt to login when the account is not activated yet

Successfully accessing the account with 2FA using an email code:

Successful accessing the account with 2FA using email code

Attempt to access the back-end dashboard when it's forbidden:

Attempt to access the back-end dashboard when it's forbidden

Attempt to log in when the account has expired or has reached the limit of logins:

Attempt to login when the account expired or has reached the limit of logins

Attempt to access the account using another IP:

Attempt to access account using another IP

Attempt to access the account from another device:

Attempt to access account from another device
