By default, two-factor authentication is required for all administrators and custom roles with the
manage_options capability on a WordPress VIP site. All users, no matter what role is assigned to them, are strongly encouraged to enable two-factor authentication for their WordPress accounts. Under no circumstances should a password-less authentication solution be implemented on a site (e.g., an IP address check, or a one-click login by email).
In addition, VIP recommends that all customers follow best practices when it comes to securing their devices, accounts and access to VIP tools. Individual users should also follow as many of these security recommendations as possible:
- Set a login password for all user accounts on a computer.
- Set a complex (more than 4 character) passcode to unlock mobile devices. Do not use fingerprints or patterns.
- Enable a screen saver that activates after a short period of time and requires a password to turn off.
- Use only strong passwords. Never use the same password in more than one place.
- Use a password manager such as 1Password or BitWarden. If possible, use a password manager that does not sync to the cloud.
- Never put passwords in text documents, Google Docs, intranet pages, post-it notes or other unencrypted forms of storage.
- Use two-factor authentication (2FA) for any services that support it, including WordPress.com accounts, Google apps such as Gmail, Dropbox, Twitter, Facebook, GitHub, iCloud, LinkedIn, PayPal and others. Do not store 2FA backup codes anywhere online. VIP strongly recommends using an authenticator app, such as Authy or Google Authenticator, over SMS-based two-factor authentication.
- Avoid storing account passwords, OTP keys, and 2FA backup codes in the same password manager. Use multiple password managers for different types of security authentication information whenever possible.
- Turn on device locating services such as “Find My Mac” for Apple laptops or “Find My iPhone” for iPhones.
- Encrypt a computer’s hard drive, and make sure any backups are encrypted too.
- Install and run anti-virus software with the latest virus definitions.
- Enable a computer’s firewall.
- Ensure that home and office network routers are running the latest firmware and are not using default passwords.
- Be suspicious of any unusual requests to share sensitive information, such as usernames, passwords or other personal data. Report any such requests and “phishing” attempts.
- If working in public, use a privacy screen to prevent activity from being visible by others.
Last updated: December 23, 2023