Tell us what you are trying to do?
I'm in the process of rolling out my site by the end of the month with Toolset. Someone is trying to hack my current site right now. I know this because I'm getting emails almost every day saying that some IP was blocked for 48 hours and bla bla bla.
My concern is this: my current site only has a login (for which, by the way, I changed the login address and added reCAPTCHA v2), with only my assistant and me as admins. On the new site, I wanted to allow clients to log in as users so that they can edit their posts.
If I allow the users to do that, aren't I increasing the chance of the site being hacked, since some users might use a weak password? Will the whole site be affected if a user's account gets hacked?
What are the things I can do to prevent hacking my site?
Usually a user role with non-admin privileges wouldn't be able to access certain areas of the site. If the users are able to hack your site through the user account, then this would be an exploit in WordPress that we wouldn't be able to solve here.
It all depends on how the website is being hacked for me to advise, but I know that sometimes hacking can be done by inserting malicious code onto the website through some hosts.
I would suggest advising your host about the issue as well. The Google CAPTCHA is usually a good hack prevention when it comes to users logging in, as it prevents automated hacking tools from accessing the site.
I have not implemented the new site that has Toolset yet, thus my question was about Toolset's security protocols and access. I know Access is pretty good at keeping people out, but it does not have a session timeout feature, which is kind of critical when creating a Listing site. Users can use a public computer and forget to log out, etc.
Or does Access have a session timeout that I don't know?
No, Access does not have timeout functionality. These would normally be functionalities of WordPress.
The only thing our Access plugin does is set up use case permissions. It doesn't have any control over the security of the login and session information.
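
Since the thread leaves session timeouts to WordPress itself, here is one way to add them with core hooks, as an added example that is not part of the thread and not Toolset code. The plugin name, the `csl_` constants, the meta key and the two time limits are assumptions chosen for illustration; admins are exempted by the `manage_options` capability.

```php
<?php
/**
 * Plugin Name: Client Session Limits (added example, hypothetical name)
 */

define( 'CSL_MAX_SESSION', 2 * HOUR_IN_SECONDS );   // assumed absolute cookie lifetime
define( 'CSL_IDLE_LIMIT', 15 * MINUTE_IN_SECONDS ); // assumed idle limit
define( 'CSL_META_KEY', 'csl_last_seen' );          // hypothetical user-meta key

// Shorten the auth cookie for non-admin accounts, even with "Remember Me" ticked.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return user_can( $user_id, 'manage_options' ) ? $length : CSL_MAX_SESSION;
}, 10, 3 );

// Start the idle clock at login so a stale timestamp cannot end a fresh session.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, CSL_META_KEY, time() );
}, 10, 2 );

// On each request, end non-admin sessions that have been idle too long.
add_action( 'init', function () {
    if ( ! is_user_logged_in() || current_user_can( 'manage_options' ) ) {
        return;
    }
    $user_id   = get_current_user_id();
    $last_seen = (int) get_user_meta( $user_id, CSL_META_KEY, true );

    if ( $last_seen && ( time() - $last_seen ) > CSL_IDLE_LIMIT ) {
        delete_user_meta( $user_id, CSL_META_KEY );
        wp_logout();                          // destroys the session token and clears cookies
        wp_safe_redirect( wp_login_url() );
        exit;
    }
    update_user_meta( $user_id, CSL_META_KEY, time() ); // record activity for this request
} );
```

The idle clock here is stored per user rather than per device, so activity in one browser keeps that user's other sessions alive, and background requests from the logged-in page also count as activity.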