If the login credentials of accounts on your WordPress sites are compromised, this could result in your site getting hacked. The Password Security features in Really Simple SSL aim to strengthen the protection of WordPress accounts on your website. We will explain each of these features below, and how they can help you improve the security of user accounts.
Enforce strong passwords & frequent password change
- Activating the “Enforce strong passwords” setting enhances WordPress’ default password strength check (for all new user registrations); and removes the possibility for users to configure weak, and medium passwords for their account.
- Enabling the “Enforce frequent password change” setting forces frequent password changes for all users, or just for selected user roles (e.g. Administrators), to make sure that all of the accounts on your WordPress site are using sufficiently strong passwords.
Users with the selected user roles will receive an email to inform them that their password will expire in 7 days. After 7 days they will be notified their account is locked, and will need to reset their password before logging in again. During this reset, they will need to choose a password according to the new enhanced password strength check.
Reduce login cookie expiration / Limit logged in session duration
After a successful login to your WordPress site, you will receive valid session/auth cookies which allow you to access the site without the need for re-authentication (until they expire). In other words, these cookies can be seen as ‘digital keys’ which allow you to access the site.
However, if the session cookies of a user are stolen by an attacker (for example; due to the user’s local device being infected with malware): the attacker might be able to perform a session hijacking or “pass the cookie” attack, whereby they use browser tools or modified web requests to insert the stolen auth cookie into a new session; and the attacker would then be authenticated as that user until the token expires.
To limit the window of opportunity for an attacker to exploit this, we recommend setting the “Limit logged in session duration” option to 8 hours.
Please take note of the following details with regards to the login cookie expiration setting:
- Any changes to the auth cookie expiration will only start to take effect after logging out & logging back in to your WordPress Account
- The expiration of the cookie would still be set to the default value (14 days) if the “Remember Me” checkbox was ticked during the log-in. To prevent this you can enable the “Hide the Remember Me checkbox” option as well, which removes the Remember Me option from the login page.
