Editor's note: This post is part of our collection on managing multiple WordPress sites.
***
Running a WordPress management service comes with a serious responsibility: handling clients' login credentials.
Protecting this sensitive information is critical to your business' success. Without proper security, your clients' sites are vulnerable to hackers—a situation that can lead to losing site data, fraudulent purchases, and more.
These consequences are too catastrophic for WordPress site managers to brush aside. With a security breach, you lower your clients' trust and, most likely, lose their business.
Ensure their security with technical measures and clear communication. Here are eight security measures for protecting WordPress logins across multiple clients' sites.
8 ways to make your clients' WordPress logins secure
Protecting account access is crucial to the security of your clients' sites. These eight security measures are powerful, yet simple and easy to implement across all of your clients' WordPress sites.
1. Get an SSL certificate and enable HTTPS
Hackers may collect login information by intercepting the connection between a user's browser and the website. One way to block their interception is by encrypting the connection to the site and enabling HTTPS.
In addition to securing the connection for site visitors, HTTPS websites rank higher in Google search results, and sites without an SSL certificate are marked as "Not Secure" by Google Chrome.
Enabling HTTPS requires acquiring and installing an SSL certificate on your website. The most common way to get SSL certificates is through your client's web host. You can also purchase an SSL certificate directly from a Certificate Authority (CA) like GoDaddy.
How to coordinate with clients: Securing your clients' websites should be a top priority. Show them that HTTPS is crucial for protecting their site from hackers, improving their search rankings, and avoiding the "Not Secure" warning in Chrome. If your client has a GoDaddy account, you can use Shared Shopping in GoDaddy Pro to purchase and install an SSL certificate on their behalf.
Related: How to add SSL and HTTPS to WordPress (in 3 steps)
2. Create separate user accounts
WordPress creates an Administrator account when it's first installed. Instead of sharing credentials to this one all-powerful account, you should create a unique user account for each person working on the site.
A WordPress user's role should match the level of access they need to do their job. In most cases it's unlikely that everyone needs Administrator-level access. That's why WordPress includes a number of other roles (Editor, Author, Contributor, and Subscriber) with restricted capabilities.
If someone leaves the team, or if their account is compromised for whatever reason, their user account can be adjusted accordingly.
Related: Navigating WordPress user roles to maximize site security
How to coordinate with clients: Create a list of people who need access to the site, and what their responsibilities include. For each person, create a user account with an assigned role that's appropriate for their needs. In some cases you may want to use a plugin like Members to add new roles with custom capabilities.
3. Use long, strong passwords
Relentless hacker bots will rapidly attempt an enormous number of password combinations until they crack a user's password.
It's easier for bots to guess passwords that are short and simple. There are a relatively low number of possible combinations, so they reach the correct password quickly.
Make it difficult for bots to guess your clients' login info by using long combinations of unique characters for their passwords. You can build these passwords yourself by following these dos and don'ts. Or, you can have a strong password created for you with a password generator, such as the one built into WordPress or this one from LastPass.
How to coordinate with clients: Send clients a note about the importance of strong passwords for protecting their site. Include links to secure password best practices and other resources, e.g. a password generator. For a stricter policy, you can use the Force Strong Passwords plugin that requires users to have strong passwords. Just make sure you let your clients know in advance so that they aren't surprised by login issues.
4. Limit the number of login attempts
For password-guessing brute force attacks, hacker bots need to test enough combinations to eventually guess the right login information.
One way to protect clients' sites from these attacks is limiting the number of login attempts. If a user can only enter login information once or twice, hacker bots won't be able to make a large number of attempts to guess your username and password.
A popular plugin for limiting WordPress login attempts is Limit Login Attempts. It lets you limit the number of retry attempts when logging in to whatever amount you prefer. Once users hit that cap on attempts, their account is locked down for a set time period.
How to coordinate with clients: After you set the login attempt limit, promptly communicate to clients that you have set the restriction. Sending a message about the change avoids the scenario of their account being locked without an explanation.
5. Install security plugins
Security plugins add an additional layer of protection to WordPress. Wordfence and Sucuri are two of the most popular WordPress security plugins. Together they're a comprehensive solution to block malicious traffic, monitor suspicious activity, and detect malware.
WordPress management platforms also often have additional security features to help keep clients' sites secure. For example, GoDaddy Pro Sites offers automated security checks to regularly see whether clients' sites are clean and safe.
How to coordinate with clients: Consider using a security plugin in all of your future WordPress projects. For existing sites, consult with your client on whether installing additional security plugins or addons would be appropriate. Be sure to discuss any costs (e.g. fees for the tool, service, and your time) and potential disruptions (e.g. downtime during deployment) that are required.
6. Change the WordPress login URL
Most WordPress sites use the platform's default URL for login pages, which is the domain name followed by “/wp-admin/wp-login.php”.
Keeping this default URL for clients' sites makes it easy for hackers to find their login pages and attempt brute force attacks. You can protect clients' sites by changing the WordPress login URL to something custom.
While manually changing the URL is possible, the process comes with a number of headaches. You may have to change your URL every time you update WordPress, and the process can create errors with your logout screen. Instead, use a plugin to change the URL, such as WPS Hide Login.
How to coordinate with clients: To prevent any login issues, let clients know the new URL before you make the change. Wait until they confirm that they've received your notice before your change the URL.
7. Enable two-factor authentication
Even if a hacker knows an Administrator's username and the login URL, there are still ways to block them from gaining access.
One method is setting up two-factor authentication (2FA). This requires more than a username and password for logging in, usually by confirming the login attempt through another device. For example, it might require a code sent via SMS to a mobile number, or a code generated by a mobile app.
You can set up two-factor authentication on each client's WordPress site with certain security plugins, such as Google Authenticator. If you're using a WordPress management platform to handle clients' sites, you'll also want to set up two-factor authentication for that account. You can set this up using the Google Authenticator app.
How to coordinate with clients: Many two-factor authentication plugins allow you to select the users that you want to enable it for. Notify the users that you enabled two-factor authentication for once you've set it up. Explain how two-factor authentication can block hackers and give a brief overview of what they can expect for setting up. Many two-factor authentication plugins prompt users to set up another form of confirmation during their first login after the plugin has been installed.
8. Use a management tool
It can be a real challenge to remember user credentials for all the WordPress sites you manage.
And while it's tempting to save those credentials in a spreadsheet or shared doc and call it a day, it's far more secure to use a password management tool like LastPass or 1Password.
WordPress management tools like GoDaddy Pro Sites go even further. Since a majority of your tasks are handled within the tool, you won't need to log in and out of each individual website.
How to coordinate with clients: Add a WordPress management tool to your software stack. It should exist alongside the tools you use for CRM, project management, time tracking, billing & invoicing, and client management. Use it for all new clients and projects. For existing sites, let your client know in advance that you're adding them to your management tool, and that they may see an additional plugin installed on their site because of it.
Keep logins secure to keep your business strong
Securing clients' logins is a necessity of WordPress management services. Using the security measures from this guide protects your clients from losing their site data, payment details, and other sensitive information via WordPress.
This damage control may not be visible to clients, but it keeps them happy in the long run. By ensuring clients' sites run smoothly, your secure login management builds great customer relationships and with that support, enables your business to grow.
