CM Admin Toolset (CMADM) + CM Secure Login (CMAUTH) + CM Restrict User Account Access - Use Case - How to Improve Your WordPress Site Security


Use Case – How to Improve Your WordPress Site Security


Note: This guide covers features from: 


Introduction

The CM Admin Tools plugin is a selection of handy administration tools to empower your WordPress admin dashboard, improve site performance, customize the admin panel look and feel, monitor error logs, track cron jobs, and more.

CM Secure Login rebuilds the account security for your WordPress users by offering integration with a few widely accredited two-factor authentication (2FA) methods.

CM Restrict User Account Access allows you to automatically block or delete user accounts on your site after some period of time, or restrict user accounts by the amount of logins.

Use Case Front-End

Successful accessing the account with 2FA using email code:

Attempt to access the back-end dashboard when it's forbidden:

Attempt to login when the account is not activated yet:

Attempt to login when the account expired or has reached the limit of logins:

Use Case Assumptions

In this example use case guide we will look at how to improve the security of your WordPress site using this bundle of plugins.

We assume that you have already purchased the plugins but have not installed them yet.

It follows:


Installing the Plugin

The process is the same for all CM plugins and add-ons.

  • Download the plugin from your customer dashboard
  • Log in to WordPress and navigate to the WordPress Admin → Plugins settings
  • Click on Add New
  • Activate it and add the license

User Account Restrictions

Let's start with user account restrictions. Using the CM Restrict User Account Access plugin you can automatically block or delete user accounts on your site after a period of time. You can also limit the number of times a user can log in to your site.

Before enabling these features, we need to configure base plugin settings. Navigate to Admin Dashboard → CM Restrict User Account Access Pro → Settings → General tab.

There you can find the default settings:

  • Pick the First Day of The Week - Choose the day the week starts on: Sunday or Monday. This setting matters for weekly access limits because it defines when the weekly counter is reset. It does not matter on which day the user registered (it can be Friday or Saturday, for example); the weekly counter is reset on Sunday or Monday, whichever day you chose as the start of the week.
  • Default value for "Delete user after date" checkbox - If enabled, the Delete when expire checkbox in a new user's profile will be checked by default. You can still check or uncheck this option individually for each user, which prevents accidental expirations and deletions. Let's keep this option disabled for now.
  • Login error message (not activated) - Set the message that appears when a user tries to log in before their account is activated.
  • Login error message - Set the message that appears when a user tries to log in after their account has expired or has reached its limit of accesses.
  • Choose what to do with the content of a deleted user - If you want a user account to be deleted when it expires, you can either delete all of the user's content or reassign it to another user. This option can be overridden individually for each user on the user profile editing page.
  • Pick the user to attribute content to - If you want to attribute all content of a deleted user to another user, pick that user here. This choice can be overridden individually for each user on the user profile editing page.

Now it's time to configure main features.

Limit of Logins To the Site

Below you can find options that set daily, weekly, and total limits on how often each user can access your site. When a user reaches any of these limits, they will no longer be able to log in.

The following 3 fields define the default number of logins for a user:

  • Pick the total accesses for user - This value must be greater than the weekly and daily accesses.
  • Pick the weekly accesses for user - This value must be less than the total accesses and greater than the daily accesses.
  • Pick the daily accesses for user - This value must be less than the total and weekly accesses.

To make any of these parameters unlimited, check the option Unlimited Access On/Off next to that parameter, or set the value "-1".

Don't forget to click the button Save at the bottom of the page to save the changes.

Individual User Limits

These limits can be overridden separately for each user. The values you define in these fields are the defaults, and the defaults are used in 2 cases:

  1. When a user is created and you enable limits for them, the starting limit values are equal to the defaults.
  2. When you have changed the limit values for a user and later want to reset them to the defaults.

Now we can enable the restrictions for users. Navigate to Admin Dashboard → Users → All Users.

Hover over the user you want to set limits for and click Edit.

Then scroll down to the section CM Restrict User Account Access. There you can find two options. We need the option Restrict user by number of accesses - choose Yes to enable this restriction.

When the option is enabled, a few new options will appear:

  • Restrict date (from) - Set the date and time, when the following limits will start working. Before the defined date and time the limits will not work. 

The following 3 parameters duplicate the options from the plugin settings. Here you can override the default values:

  • Total number of accesses - Set the number how many times the user can login to your site in total. This value must be more than for weekly and daily accesses.
  • Weekly number of accesses - Set the number how many times the user can login to your site during the week. This value must be less than for total accesses and more than for daily accesses.
  • Daily number of accesses - Set the number how many times the user can login to your site during the day. This value must be less than for total and weekly accesses.

To make any of these parameters unlimited, check the option Unlimited Access On/Off next to that parameter, or set the value "-1".

When you first enable this restriction, the values in these 3 fields are equal to the defaults from the plugin settings. If you have changed these values for this user and want to reset them to the defaults, click the button Reset login limits.

Each of these 3 parameters has a counter called Used Accesses. It shows how many times the user has logged in.

The Daily number of accesses counter is reset every 24 hours, and the Weekly number of accesses counter is reset at the beginning of every week (in our case on Monday, as we defined in the plugin settings). Once the user reaches the Total number of accesses limit, they can no longer access the site.

You can reset these counters by clicking the button Reset login counters.

When you have finished setting the restriction for the user, scroll down and click the button Update User.

Now go back to the list of all users. You can see the restriction info for each user (if defined) in the column Total / Weekly / Daily.

You can also see there a value Grand Total, which counts how many times the user has logged in overall. Even if you use the Reset login counters button, the Grand Total value is not affected, as it counts ALL of the user's logins while the access limits are enabled for them. This value is only erased when the user's account is deleted.

Now, when the user reaches the limit, he will see the message that he is not able to login.
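To make the counter behaviour concrete, here is a small self-contained PHP model of the limits described in the two sections above: the total/weekly/daily validation (with -1 as "unlimited"), the 24-hour daily reset, the weekly reset on the configured first day of the week, the "Restrict date (from)" start, and a Grand Total that survives counter resets. This is an added illustration written for this guide, not code from CM Restrict User Account Access; the function names, array keys and sample dates are assumptions, and it runs with `php` from the command line.

```php
<?php
// Added illustration, not code from CM Restrict User Account Access: a model of the
// total / weekly / daily access limits described above. Function names, array keys
// and the sample dates are assumptions made for this example.

const UNLIMITED = -1; // the "-1" / Unlimited Access value from the settings

/** Check total >= weekly >= daily; a value of -1 is unlimited. Returns null when consistent. */
function validate_limits(int $total, int $weekly, int $daily): ?string
{
    $bounded = fn(int $v): bool => $v !== UNLIMITED;
    if ($bounded($weekly) && $bounded($total) && $weekly > $total) {
        return 'weekly limit must not exceed the total limit';
    }
    if ($bounded($daily) && $bounded($weekly) && $daily > $weekly) {
        return 'daily limit must not exceed the weekly limit';
    }
    if ($bounded($daily) && $bounded($total) && $daily > $total) {
        return 'daily limit must not exceed the total limit';
    }
    return null;
}

/** Midnight that starts the current week for a Monday- or Sunday-based week. */
function week_start(DateTimeImmutable $now, string $firstDay): DateTimeImmutable
{
    $dow  = (int) $now->format('N');                       // 1 = Monday ... 7 = Sunday
    $back = $firstDay === 'Sunday' ? $dow % 7 : $dow - 1;  // days since the week began
    return $now->setTime(0, 0)->modify("-{$back} days");
}

/** Reset the daily counter after 24 h and the weekly counter at the start of the week. */
function roll_counters(array $c, DateTimeImmutable $now, string $firstDay): array
{
    if ($now >= (new DateTimeImmutable($c['daily_since']))->modify('+24 hours')) {
        $c['daily_used']  = 0;
        $c['daily_since'] = $now->format(DATE_ATOM);
    }
    if ((new DateTimeImmutable($c['weekly_since'])) < week_start($now, $firstDay)) {
        $c['weekly_used']  = 0;
        $c['weekly_since'] = $now->format(DATE_ATOM);
    }
    return $c; // total_used and grand_total are never reset here
}

/**
 * Decide one login attempt. Returns [allowed, updated counters, reason].
 * Limits are inactive before $restrictFrom, as the "Restrict date (from)" option describes.
 */
function attempt_login(array $c, array $limits, DateTimeImmutable $now,
                       string $firstDay, DateTimeImmutable $restrictFrom): array
{
    if ($now < $restrictFrom) {
        return [true, $c, 'limits not active yet'];
    }
    $c = roll_counters($c, $now, $firstDay);
    foreach (['total', 'weekly', 'daily'] as $k) {
        if ($limits[$k] !== UNLIMITED && $c["{$k}_used"] >= $limits[$k]) {
            return [false, $c, "{$k} limit of {$limits[$k]} accesses reached"];
        }
    }
    foreach (['total_used', 'weekly_used', 'daily_used', 'grand_total'] as $k) {
        $c[$k]++; // grand_total only ever grows; "Reset login counters" would zero the other three
    }
    return [true, $c, 'login counted'];
}

// Constructed scenario: total 10, weekly 5, daily 2; the week starts on Monday.
$limits = ['total' => 10, 'weekly' => 5, 'daily' => 2];
if (($err = validate_limits($limits['total'], $limits['weekly'], $limits['daily'])) !== null) {
    exit("invalid limits: {$err}\n");
}
$counters = [
    'total_used' => 0, 'weekly_used' => 0, 'weekly_since' => '2024-03-04T00:00:00+00:00',
    'daily_used' => 0, 'daily_since' => '2024-03-04T00:00:00+00:00', 'grand_total' => 0,
];
$from = new DateTimeImmutable('2024-03-01T00:00:00+00:00');
foreach (['2024-03-04T09:00:00+00:00', '2024-03-04T10:00:00+00:00',
          '2024-03-04T11:00:00+00:00', '2024-03-05T09:30:00+00:00'] as $t) {
    [$ok, $counters, $why] = attempt_login($counters, $limits, new DateTimeImmutable($t), 'Monday', $from);
    printf("%s  %-7s %s\n", $t, $ok ? 'allowed' : 'denied', $why);
}
// The third attempt on 4 March is denied (daily limit of 2); on 5 March more than 24 h
// have passed since daily_since, so the daily counter resets and the login is allowed.
```

The week start is computed from the ISO weekday number rather than PHP's relative "this week" formats, so the reset day is the same regardless of the PHP version; switching `'Monday'` to `'Sunday'` in the call moves the weekly reset by one day exactly as the First Day of The Week setting does.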

TIP

Learn more about this type of restriction in this guide: CM Restrict User Account Access - Use Case - How To Limit Account Access by Logins

Account Expiration Settings

Now get back to the plugin settings.

Find the section User registration settings. This section defines the expiration period for all newly registered users. The options are:

  • Enable expire date time after registration - Enable this option to automatically expire accounts after registration.
  • Time period - Input the amount of time (for instance, 30).
  • Time unit - Choose the type of time period if it should be Hour(s) or Day(s) (for instance, 30 days).

Don't forget to save the changes after configuring. Now all new registered users will be automatically blocked when 30 days pass.

Individual User Date Restrictions

You can also manually set the restriction period for each user. Let's go back to the user's editing page. On that page, scroll down to the section CM Restrict User Account Access. There you can find two options. We need the option Restrict user by date - choose Yes to enable the date restriction.

When the option is enabled, a few new options will appear:

  • Account activation date - Set the time when the account will be activated. If the user tries to log in before that time, they will see the message that their account is not activated yet.
  • Restrict date - Set the time when the account will be blocked. If the user tries to log in after that time, they will see the message that they no longer have access. Let's set the period to 3 months; during this time the user can use their account.
  • Delete when expire - Enable this option if you want to delete the account when the access time expires. We will not enable deletion of expired accounts now; let's just block the expired account.

When you have finished setting the restriction for the user, scroll down and click the button Update User.

Now go back to the list of all users. You can see the restriction dates for each user (if defined) in the column Restrict Date.
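The date-based rules from the two sections above (registration default of N hours or days, activation date, restrict date, and what happens to an expired account with "Delete when expire" on or off, including content reassignment) can be expressed as a short state model. The PHP below is an added example for this guide, not the plugin's code; the function names, array keys, messages and sample dates are assumptions, and it runs stand-alone with `php`.

```php
<?php
// Added illustration, not code from CM Restrict User Account Access: a model of the
// date-based restrictions above (activation date, restrict date, "Delete when expire",
// and the registration default of N hours/days). Names and sample data are assumptions.

/** Classify an account at $now: 'not_activated', 'active' or 'expired'. Null dates mean no restriction. */
function account_state(?DateTimeImmutable $activation, ?DateTimeImmutable $restrict, DateTimeImmutable $now): string
{
    if ($activation !== null && $now < $activation) {
        return 'not_activated';
    }
    if ($restrict !== null && $now >= $restrict) {
        return 'expired';
    }
    return 'active';
}

/** Restrict date for a new registration from the "Time period" and "Time unit" settings. */
function default_restrict_date(DateTimeImmutable $registered, int $period, string $unit): DateTimeImmutable
{
    $suffix = $unit === 'Hour(s)' ? 'hours' : 'days';
    return $registered->modify("+{$period} {$suffix}");
}

/** Outcome of a login attempt, using the two error messages from the General tab. Returns [allowed, message]. */
function login_outcome(array $user, DateTimeImmutable $now, array $messages): array
{
    switch (account_state($user['activation'], $user['restrict'], $now)) {
        case 'not_activated': return [false, $messages['not_activated']];
        case 'expired':       return [false, $messages['expired']];
        default:              return [true, 'ok'];
    }
}

/**
 * Housekeeping for an expired account: block it, or delete it and either remove
 * its content or reassign it to $reassignTo. Returns the action taken and the posts.
 */
function handle_expiry(array $user, array $posts, DateTimeImmutable $now, ?int $reassignTo): array
{
    if (account_state($user['activation'], $user['restrict'], $now) !== 'expired') {
        return ['action' => 'none', 'posts' => $posts];
    }
    if (!$user['delete_when_expire']) {
        return ['action' => 'blocked', 'posts' => $posts];
    }
    if ($reassignTo === null) {
        $kept = array_values(array_filter($posts, fn(array $p): bool => $p['author'] !== $user['id']));
        return ['action' => 'deleted, content removed', 'posts' => $kept];
    }
    foreach ($posts as &$p) {
        if ($p['author'] === $user['id']) {
            $p['author'] = $reassignTo;
        }
    }
    unset($p);
    return ['action' => "deleted, content reassigned to user {$reassignTo}", 'posts' => $posts];
}

// Constructed scenario: registered 10 January, 30-day default expiry, activation on 12 January.
$messages   = ['not_activated' => 'Your account is not activated yet.', 'expired' => 'Your account has expired.'];
$registered = new DateTimeImmutable('2024-01-10T12:00:00+00:00');
$user = [
    'id'                 => 7,
    'activation'         => new DateTimeImmutable('2024-01-12T00:00:00+00:00'),
    'restrict'           => default_restrict_date($registered, 30, 'Day(s)'), // 2024-02-09T12:00:00+00:00
    'delete_when_expire' => false,
];
$posts = [['id' => 1, 'author' => 7], ['id' => 2, 'author' => 3]];

foreach (['2024-01-11T08:00:00+00:00', '2024-02-01T08:00:00+00:00', '2024-02-10T08:00:00+00:00'] as $t) {
    [$ok, $msg] = login_outcome($user, new DateTimeImmutable($t), $messages);
    printf("%s  %s\n", $t, $ok ? 'login allowed' : "denied: {$msg}");
}
// 11 Jan: not activated yet; 1 Feb: allowed; 10 Feb: expired.

$expired = new DateTimeImmutable('2024-02-10T08:00:00+00:00');
echo handle_expiry($user, $posts, $expired, 3)['action'], "\n";     // blocked
$user['delete_when_expire'] = true;
echo handle_expiry($user, $posts, $expired, 3)['action'], "\n";     // deleted, content reassigned to user 3
echo handle_expiry($user, $posts, $expired, null)['action'], "\n";  // deleted, content removed
```

The activation check runs before the expiry check, so an account whose activation date lies after its restrict date is reported as "not activated" rather than "expired"; that ordering is an assumption of this model, as the guide does not say which message the plugin prefers in that misconfiguration.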

TIP

Learn more about this type of restriction in this guide: CM Restrict User Account Access - Use Case - How To Limit Account Access by Logins

Result

Now, when the user tries to login when the account is not activated yet, he will see the message that his account is not activated yet:

And if the user tries to login when the account is expired or he reached the limit of logins, he will see the message that he doesn't have access anymore:

Two-Factor Authentication (2FA)

The plugin  CM Secure Login provides a few widely accredited two-factor authentication (2FA) methods: Google Authenticator, Mobile Phone SMS, Email verification and Email code. By not relying on the password alone, users feel confident that their credentials and data are stored safely. From the list of provided methods, we will consider enabling 2FA using email code within our use case guide. 

2FA Login With Email Code

Enabling email code protection on your site is quite simple. First, you need to configure all base options. To do this, navigate to  Admin Dashboard → CM Secure Login Pro → Settings → General tab.

Here you can find a few sections with the options. 

Login

  • Protection method - This option is the core of the plugin. Here you choose which protection method you want to use. In this use case we choose the Send verification code to user's email address method.
  • Require chosen protection method for all users - Enable this option if you want to apply the selected method to all users.
  • Require chosen protection method for chosen roles - If the previous option is disabled, you can apply the chosen protection method only to specific user roles, which you can select in the list.

Disable passwords

You can disable the password for every user or only for those with certain roles. Note that disabling the password does not mean the users will only need their username to sign in. Instead, they will login with their usernames and the chosen authentication method.

  • Disable passwords for all users - Choose Yes if you want to disable passwords for all users. Let's keep it now in the position No.
  • Disable passwords for chosen roles - Choose here roles that won't need to use password for login. Works if previous option is disabled (chosen No).

Common

Here you can configure additional security options.

  • Expiration time for the email/SMS code or link [minutes] - Define the time in minutes when the sent one-time code expires.
  • Sleep time when the entered code is incorrect [seconds] - Set a delay time to send to the browser if a user enters an invalid code from Google Authenticator or e-mail. This can slow down malicious bots which try to login using the brute-force method.
  • Logout after activity/inactivity time [minutes] - Users will be logged out after this period of activity/inactivity (in minutes). Set to 0 to disable.
  • Logout mode - Here you can choose in which cases to logout the users: after some period of inactivity, or in both cases - activity and inactivity. Works if previous option is enabled.
  • Characters set to generate the code from - Set the characters that will be used to create the random code.
  • Code length - Set the authentication code length.
  • Enable statistics - Enabling this option allows you to collect the statistics with detailed information about all logins that were done using 2FA protection. Learn more about this feature in this guide: CM Secure Login (CMAUTH) - How To - Collect Login Statistics

Email Code

The next important tab is Email Code.

In this tab, you can edit the email template that contains a verification code: 

You can use the following shortcodes to add dynamic content to subject and body of these emails:

  • Subject shortcodes:
    • [blogname] 
    • [siteurl] 
    • [userdisplayname] 
    • [userlogin] 
    • [useremail]
  • Body shortcodes:
    • [code] - the code that the user has to enter on the login form. Note: this shortcode must be present in the email.
    • [blogname] 
    • [siteurl] 
    • [userdisplayname] 
    • [userlogin] 
    • [useremail]

In this tab you can also define a URL where the user will be redirected when logged in after using the code. If it's left empty, the default WordPress admin link will be used.
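The Common options (character set, code length, expiry in minutes, sleep time on a wrong code) and the Email Code template with its [shortcodes] fit together as one small flow: issue a code, render it into the email, then verify what the user types. The PHP below is an added example written for this guide, not CM Secure Login's own code; the function names, the stored record layout, the 32-character set and the sample user are assumptions. The server side keeps only a hash of the code and marks it used after one success, which is a design choice of this example rather than something the guide states about the plugin.

```php
<?php
// Added illustration, not code from CM Secure Login: a model of the email-code settings
// above (character set, code length, expiry in minutes, sleep time on a wrong code) and
// of the [shortcode] substitution in the email template. All names are assumptions.

/** Build a one-time code of $length characters drawn from $charset with a CSPRNG. */
function generate_code(string $charset, int $length): string
{
    $code = '';
    $last = strlen($charset) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= $charset[random_int(0, $last)];
    }
    return $code;
}

/** Issue a code: the clear text goes into the email, the server keeps only a hash and the expiry. */
function issue_code(string $charset, int $length, int $expiryMinutes, DateTimeImmutable $now): array
{
    $code = generate_code($charset, $length);
    return [
        'code'   => $code,
        'record' => [
            'hash'    => hash('sha256', $code),
            'expires' => $now->modify("+{$expiryMinutes} minutes"),
            'used'    => false,
        ],
    ];
}

/**
 * Check a submitted code against the stored record. A wrong, expired or already used
 * code delays the response by $sleepSeconds, which is what the "Sleep time" option does.
 */
function verify_code(array &$record, string $submitted, DateTimeImmutable $now, int $sleepSeconds): bool
{
    $fresh = !$record['used'] && $now < $record['expires'];
    $match = hash_equals($record['hash'], hash('sha256', $submitted)); // constant-time comparison
    if ($fresh && $match) {
        $record['used'] = true; // one-time: the same code cannot be replayed
        return true;
    }
    sleep($sleepSeconds);
    return false;
}

/** Replace the [shortcodes] listed above; $requireCode enforces the rule that the body must carry [code]. */
function render_template(string $template, array $values, bool $requireCode = false): string
{
    if ($requireCode && strpos($template, '[code]') === false) {
        throw new InvalidArgumentException('the body template must contain the [code] shortcode');
    }
    $search = array_map(fn(string $k): string => "[{$k}]", array_keys($values));
    return str_replace($search, array_values($values), $template);
}

// Constructed settings: 32-character set without 0/O/1/I, 6-character code, 10-minute expiry.
$now    = new DateTimeImmutable('2024-03-04T09:00:00+00:00');
$issued = issue_code('ABCDEFGHJKLMNPQRSTUVWXYZ23456789', 6, 10, $now);
$values = ['blogname' => 'Example Site', 'userdisplayname' => 'Alice', 'code' => $issued['code']];

echo render_template('[blogname]: your verification code', $values), "\n";
echo render_template('Hello [userdisplayname], your code for [blogname] is [code].', $values, true), "\n";

$record = $issued['record'];
var_dump(verify_code($record, 'WRONG1', $now->modify('+1 minute'), 0));           // false: wrong code
var_dump(verify_code($record, $issued['code'], $now->modify('+11 minutes'), 0));  // false: expired
var_dump(verify_code($record, $issued['code'], $now->modify('+2 minutes'), 0));   // true
var_dump(verify_code($record, $issued['code'], $now->modify('+3 minutes'), 0));   // false: already used
```

The sleep parameter is 0 in the demo calls so the script finishes immediately; with a real setting such as 3 seconds, each wrong guess costs the client that delay, which is the throttling effect the Sleep time option describes. A 6-character code over a 32-character set gives about 2^30 possibilities, so the expiry and the delay together are what keep guessing within the window impractical.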

Result

Base configuration is done, so don't forget to click the button Save at the bottom of the page, and let's check how it works on the front-end.

When the user tries to log in after 2FA is enabled, they need to enter their username/email and password, and then click Get verification code. They will be notified that the verification code was sent to their email, and they can also see the time when the code expires. The user copies the code provided in the email, puts it into the Verification Code field and clicks Log In.

IPs Restriction

CM Secure Login provides a couple more features for additional account security.

Head to the IP tab.

You can choose how many IP addresses are allowed for each user role.

The options are: 

  • Restrict user IPs - Enables the feature.
    • User roles affected by IPs restriction - Mark which roles will be affected.
  • Maximum of IPs allowed to each user - Choose a number (1 or higher).
  • Accept only IPs chosen by the admin - Only allows logins from specific IPs defined by the admin per each user. This means that login attempts from other IPs will be blocked even if more IPs slots are available.

As a result, if someone tries to log in to the account from a new IP when the IP limit is reached, or from an IP that the admin has not allowed, the following message is shown:

TIP

Learn more about IPs restrictions in this guide: CM Secure Login (CMAUTH) - How To - Restrict User Login By Number of IPs

Devices Restriction

Another restriction type is located under the Device tab.

You can restrict certain user roles from logging in from too many different devices. 

The options are:

  • Restrict user devices - Enables the feature.
    • Select user roles with devices restricting - Mark which roles will be affected.
  • Maximum number of devices allowed to user - Choose a number (1 or higher).

As a result, if someone tries to log in to the account from a new device when the device limit is reached, the following message is shown:
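The IP tab and the Device tab above apply the same rule to two kinds of identifier: a user has a set of known slots, a per-role maximum, and (for IPs only) an optional admin-defined list that overrides free slots. The PHP below is an added example written for this guide, not CM Secure Login's code; the function names, the per-role limit arrays, the IP normalisation step and the opaque device identifiers are assumptions, and the guide does not say how the plugin identifies a device.

```php
<?php
// Added illustration, not code from CM Secure Login: one rule that models both the
// IP tab and the Device tab above. A user has a list of known "slots" (IP addresses or
// device identifiers), a per-role maximum, and, for IPs, an optional admin allow-list.
// Function names, array keys and the sample data are assumptions for this example.

/**
 * Decide whether a login from $candidate (an IP or an opaque device id) is accepted.
 * Returns [allowed, updated list of known slots, reason].
 * - $max null         : none of the user's roles is restricted, always accept.
 * - $adminAllowed set : "Accept only IPs chosen by the admin" mode; free slots do not matter.
 */
function check_slot(array $known, string $candidate, ?int $max, ?array $adminAllowed = null): array
{
    if ($adminAllowed !== null) {
        $ok = in_array($candidate, $adminAllowed, true);
        return [$ok, $known, $ok ? 'approved by the admin' : 'not in the admin list'];
    }
    if ($max === null || in_array($candidate, $known, true)) {
        return [true, $known, 'unrestricted or already known'];
    }
    if (count($known) >= $max) {
        return [false, $known, "limit of {$max} reached"];
    }
    $known[] = $candidate;
    return [true, $known, 'new slot recorded'];
}

/** Lowest maximum among the user's restricted roles; null when none of the roles is restricted. */
function max_for_roles(array $userRoles, array $limitsByRole): ?int
{
    $applicable = array_intersect_key($limitsByRole, array_flip($userRoles));
    return $applicable === [] ? null : min($applicable);
}

/** Canonicalise an IP before it is stored or compared; reject anything that is not a valid address. */
function normalise_ip(string $ip): ?string
{
    $clean = filter_var(trim($ip), FILTER_VALIDATE_IP);
    return $clean === false ? null : inet_ntop(inet_pton($clean)); // e.g. "0:0:0:0:0:0:0:1" becomes "::1"
}

// Constructed scenario: editors may use 2 IPs, subscribers 1 device; administrators are not restricted.
$ipLimits     = ['editor' => 2, 'subscriber' => 1];
$deviceLimits = ['subscriber' => 1];
$editorRoles  = ['editor'];

$knownIps = [];
foreach (['203.0.113.10', '203.0.113.11', '203.0.113.12', 'not-an-ip'] as $raw) {
    $ip = normalise_ip($raw);
    if ($ip === null) {
        echo "{$raw}  rejected: invalid address\n";
        continue;
    }
    [$ok, $knownIps, $why] = check_slot($knownIps, $ip, max_for_roles($editorRoles, $ipLimits));
    printf("%-14s %-7s %s\n", $ip, $ok ? 'allowed' : 'denied', $why);
}
// The third address is denied: the editor's limit of 2 IPs is reached.

// Admin-chosen IPs only: a free slot does not help an unlisted address.
[$ok, , $why] = check_slot(['203.0.113.10'], '198.51.100.7', 2, ['203.0.113.10']);
printf("admin-only mode: %s (%s)\n", $ok ? 'allowed' : 'denied', $why);

// Devices use the same rule with opaque device identifiers.
[$ok, , $why] = check_slot(['dev-a1b2'], 'dev-c3d4', max_for_roles(['subscriber'], $deviceLimits));
printf("second device: %s (%s)\n", $ok ? 'allowed' : 'denied', $why);
```

Canonicalising the address before comparison matters because the same IPv6 host can be written several ways; without it, a user could occupy one slot per spelling. Administrators pass through `max_for_roles` as unrestricted because they are not listed in the limits, which matches the role selection the feature offers.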

Access Restrictions

The CM Admin Tools plugin provides a set of features that increase the security of your WordPress site. To configure them, navigate to Admin Dashboard → CM Admin Tools Pro → CM Admin Tools Pro.

Displaying Admin Bar

First, head to the Customization tab.

Under the Admin Bar section, you can disable the admin bar on the front-end. Just choose Yes in the option Hide admin bar on the front-end:

Maintenance Mode

Now head to the Access tab. 

The first feature here that we will consider is Maintenance Mode. It is useful if your site is under construction and you want visitors to see a page with an announcement instead. The options for this feature can be found under the corresponding section:

  • Enable maintenance (coming soon mode) - If enabled, all your website's pages won't be available for specified users and instead a page you define in this setting will be displayed.
  • Page to display - Choose which page will be displayed when the maintenance mode is enabled.
  • Allowed roles - You can specify which roles will be able to see the website, even if the maintenance mode is enabled (eg. administrator).
  • Use minimal template - If enabled, only the "coming soon" page title and content will be displayed. If disabled, then normal WP template will be loaded.

How it works on the front-end, when the user accesses the site:

XML-RPC

Another important option is located under the Security section.

  • Enable XML-RPC - If enabled, WordPress features will be available through XML-RPC (a remote procedure call protocol based on XML). For example, this allows managing your website from the WordPress mobile app. However, it also creates some security risks. Disable this option if you want the highest security level.

Dashboard Access

The last section we need is Dashboard Access. Here you can define which users are allowed to access the back-end dashboard and specify additional requirements for this. The options are:

  • Roles who can access the dashboard - Enable or disable dashboard access for specific roles. Users without access won't be able to open the dashboard pages, and the admin bar will be hidden on the front-end. The Admin will always be allowed to access the Dashboard.
  • Allow capabilities who can access the dashboard - Allow access to the dashboard for users who have specific capabilities (separated by comma). Example: edit_posts,publish_posts,other_custom_cap.
  • Disallowed Capabilities who cannot access the dashboard - Disallow access to the dashboard for users who have specific capabilities (separated by comma). Example: edit_posts,publish_posts,other_custom_cap.
  • Redirect user trying access the dashboard to URL address - Enter the URL where users will be redirected after attempt to access the dashboard.
  • Always allow access to User Profile page - If enabled, the access to the User Profile dashboard page will be always possible, even if the user cannot access the Dashboard.

When you finish editing the settings, click the button Save at the bottom of the page.
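To show what the four CM Admin Tools settings covered above actually change (hiding the admin bar, maintenance mode with allowed roles, disabling XML-RPC, and dashboard access by role and capability with a redirect and a profile-page exception), here is the same behaviour expressed with standard WordPress hooks. This is an added example written for this guide and is not CM Admin Tools' code; the `$settings` values, the page id, the custom capability name and the rule that a disallowed capability wins over a role are assumptions, as the guide does not state the plugin's precedence. Save it as a file under wp-content/mu-plugins/ to try it on a test site.

```php
<?php
/**
 * Plugin Name: Example access hardening (added illustration for the guide)
 *
 * Added example, not code from CM Admin Tools. The $settings array below stands in for
 * the options described in the Customization, Access and Security sections; its values,
 * the page id 123 and the capability "read_only_custom_cap" are constructed.
 */

$settings = [
    'hide_admin_bar' => true,                                   // Customization: Hide admin bar on the front-end
    'xmlrpc_enabled' => false,                                  // Security: Enable XML-RPC
    'maintenance'    => [                                       // Access: Maintenance Mode
        'enabled'       => true,
        'page_id'       => 123,
        'allowed_roles' => ['administrator'],
    ],
    'dashboard'      => [                                       // Access: Dashboard Access
        'roles'           => ['administrator', 'editor'],
        'allowed_caps'    => ['publish_posts'],
        'disallowed_caps' => ['read_only_custom_cap'],
        'redirect_url'    => '/',
        'allow_profile'   => true,
    ],
];

if ($settings['hide_admin_bar']) {
    add_filter('show_admin_bar', '__return_false');  // front-end only; wp-admin keeps its bar
}

if (!$settings['xmlrpc_enabled']) {
    add_filter('xmlrpc_enabled', '__return_false');  // xmlrpc.php answers every method with an error
}

/** Assumed precedence: administrator always passes; a disallowed cap blocks; then role or allowed cap grants. */
function example_can_access_dashboard(WP_User $user, array $d): bool
{
    if (in_array('administrator', $user->roles, true)) {
        return true;
    }
    foreach ($d['disallowed_caps'] as $cap) {
        if ($user->has_cap($cap)) {
            return false;
        }
    }
    if (array_intersect($d['roles'], $user->roles) !== []) {
        return true;
    }
    foreach ($d['allowed_caps'] as $cap) {
        if ($user->has_cap($cap)) {
            return true;
        }
    }
    return false;
}

add_action('admin_init', function () use ($settings) {
    global $pagenow;
    $d = $settings['dashboard'];
    // AJAX calls from the front-end also pass through admin_init; leave them alone.
    if (wp_doing_ajax() || ($d['allow_profile'] && $pagenow === 'profile.php')) {
        return;
    }
    $user = wp_get_current_user();
    if ($user->exists() && !example_can_access_dashboard($user, $d)) {
        wp_safe_redirect(home_url($d['redirect_url']));
        exit;
    }
});

// Maintenance ("coming soon") mode: everyone outside the allowed roles gets the chosen page, minimal template.
add_action('template_redirect', function () use ($settings) {
    $m = $settings['maintenance'];
    if (!$m['enabled'] || is_admin()) {
        return;
    }
    $user = wp_get_current_user();
    if ($user->exists() && array_intersect($m['allowed_roles'], $user->roles) !== []) {
        return;
    }
    $page = get_post($m['page_id']);
    nocache_headers();
    wp_die(
        $page ? wpautop($page->post_content) : 'We will be back soon.',
        $page ? $page->post_title : 'Maintenance',
        ['response' => 503]
    );
});
```

The 503 status on the maintenance response tells crawlers the outage is temporary, and `nocache_headers()` keeps intermediate caches from serving the announcement page after the mode is switched off. Redirecting in `admin_init` rather than checking each menu item is what makes the dashboard block cover every wp-admin screen at once; the `profile.php` exception is the "Always allow access to User Profile page" option.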

TIP

Learn more about the other features that the CM Admin Tools plugin provides in this guide: CM Admin Tools (CMADM) - Use Case - Security and Optimization

End Result

By following the instructions in the plugins and in these guides, you should be able to improve the security of your WordPress site using this bundle of plugins.

Use Case Front-End

Attempt to login when the account is not activated yet:

Successful accessing the account with 2FA using email code:

Attempt to access the back-end dashboard when it's forbidden:

Attempt to login when the account expired or has reached the limit of logins:

Attempt to access account using another IP:

Attempt to access account from another device:


