Let’s say you want better security for your WordPress site. Maybe you want your employees to always access their WordPress account by authenticating through Google (which you see as easier to manage than requiring all users to maintain separate usernames and passwords for WordPress as well as Gmail). You’ve also read about brute force attacks on WordPress, so you hope that Google login will guard against those. You might also have installed a plugin such as Limit Login Attempts to block repeated login attempts from the same IP address – likely a sign of a brute force attack (although increasingly such attacks are performed from distributed IPs).
This post explains how to configure Google Apps Login Premium/Enterprise versions to secure your site in this way – and also explains why brute force attacks will never succeed against WordPress when protected by Google Apps Login, so in fact your Limit Login Attempts plugin is now completely redundant!
Google Apps can now be used as a Single Sign-On (SSO) solution for a wider range of cloud applications – specifically, those that support the SAML 2.0 standard.
Our Google Apps Login plugin has always allowed users to sign in to WordPress sites – via their Google Apps accounts – using a different authorization mechanism called OAuth 2.0. This is a modern protocol designed for ‘web scale’, to be used across web browsers and mobile devices.
However, many ‘enterprise’ services prefer to use the older SAML 2.0 even though it is restricted to web browsers and is more complicated to implement. This is largely because SAML can also provide extended ‘authentication’ information, controlling users’ permissions once connected.
The fact that Google Apps accounts can now be used as a Single Sign-On for a wider range of services is great news for customers of Google Apps Login. Using Google to sign on to far more services will reinforce your employees’ use of ‘Login with Google’ when they connect to your WordPress site using our plugin.
You can read Google’s official announcement, and there is a good explanation of the difference between SAML 2.0 and OAuth 2.0 here.
Many customers use our Google Apps Login Enterprise version to restrict access to their WordPress intranet so that it is inaccessible to non-employees, certain groups of employees are given different WordPress roles, and some employees have no access at all.
Following the Heartbleed vulnerability, which affected all of us on the web, security has been a big topic lately. Some of us even changed our years-old passwords, and maybe enabled 2-factor authentication on our email accounts… (2-factor is the system where you need a code generated by, say, your mobile phone as well as your regular password to log in.)
So it seems that most of us survived, but given the wake-up call, we thought it would be a good time to remind you of some simple things you can do to ensure your WordPress installation is secure.
How important is it to set up a comprehensive user hierarchy on your WordPress sites?
This article will explain the benefits of creating multiple users for your WordPress site and how understanding the different roles users can have will give you the control needed to allow others to create content, without risking control of the site itself. The article will also teach you to check your site configuration to understand if there are any backdoors that unwanted visitors could use to register, view private content, or make undesired changes to your site.