Have you ever run into the problem of your WordPress users sharing passwords with others? This is not only a security issue: if your website is pay-per-view, they are getting in for free. However, WordPress user password sharing can be difficult to prevent.
Luckily, there are some things you can do to mitigate this.
In this article, I will show you a simple way to mitigate WordPress users sharing passwords on a WordPress website.
How Does Password Sharing Hurt?
While WordPress does have a lot of good security measures in place and also has a lot of great security plugins, there are still several reasons why you will want to prevent WordPress password sharing.
By default, a WordPress user is able to log in to a user account from multiple locations at the same time. The problem is that this can really compromise the security of a multi-author WordPress website.
To take it a step further, if you run a WordPress membership website this issue can, and eventually will, hurt your profit margin. So you really want to do everything you can to strengthen the security of your WordPress install.
Think about it, if someone is sharing their password for a membership they are a part of, then that means someone else is using the same credentials to log in and get those paid membership benefits.
Aside from a possible hack, those are the two main reasons you will want to do everything you can to prevent WordPress password sharing.
How Does WordPress Handle User Sessions?
Before I show you an easy way to prevent WordPress user password sharing, let me touch a bit on how WordPress handles user sessions.
Like most web applications, WordPress uses “cookies” to identify when a user is logged into a website. These “cookies” don’t contain your WordPress user password, but they do contain a special key and a username as proof that you did indeed know the password.
Here is the problem. If you have accessed your site from a public location and out of habit clicked on the “Remember Me” button, then anyone using that computer can now log in to your WordPress user account, because WordPress allows the same user to be logged in from two different locations.
In concept, it is an okay idea, but for security reasons it is troubling. It can also be pretty bad for your membership site business as well. Users can simply share their password with friends or family and use that same login info to access all that paid content.
So the idea is that we want to get to a place where you can prevent users from being logged in to a website from two different places.
How is this most easily done? There is a plugin I found that prevents concurrent logins from users.
Installing Inactive Logout
The Inactive Logout plugin has a plethora of useful features when it comes to account management. It has the ability to automatically log off users who are not active (AFK) and can even stop accounts from being logged in at multiple locations.
It is a great tool to utilize if you run a website with a membership or subscription. For example, let’s say you are paying for a membership and you shared it with a friend. If you are enjoying your content and then are logged out because your friend is viewing it, you cannot enjoy the content you paid for.
As a result, you may reconsider sharing your password.
Let’s start by clicking on Plugins and selecting the Add New option on the left-hand admin panel.
Search for Inactive Logout in the available search box. This will pull up additional plugins that you may find helpful.
Scroll down until you find the Inactive Logout plugin and click on the «Install Now» button and activate the plugin for use.
Disabling Concurrent Logins
While the plugin has a lot of features and settings, you are here to put an end to concurrent logins. This will mitigate the effect of password sharing because it will prevent two users from logging into the same account at once.
On the left-hand admin panel click on Settings and select the Inactive Logout option.
Scroll down the settings page and check the Disable Concurrent Logins box.
Note: The rest of the settings are not on by default, which means this is the only thing enabled, with one exception: the idle timeout. By default, it is set to 15 minutes. I strongly recommend changing the time to at least an hour or more to prevent unnecessary logouts that could anger visitors.
Click on the «Save Changes» button to finish.
That’s it. Congratulations on setting up the Inactive Logout plugin to prevent concurrent users in WordPress. I recommend exploring the rest of the plugin’s settings. You will definitely find other useful features that you can take advantage of.
How To Test the Plugin
In order to test the plugin, you can log into your WordPress website from two different browsers on the computer you are using. Go ahead and give it a try in Chrome, then Firefox.
Now, when you try to log into your website from the second browser you will still be able to log in successfully. However, the plugin automatically terminates the old session.
So now, when you click on any link in the first browser you logged in from, you will automatically be taken to the login page. No links will work, and you are bumped out.
Again, using this plugin will help prevent lost income on membership sites and help keep your website secure.
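The behavior you just tested (the newest login succeeds and the older session is ended) can also be reproduced with WordPress core's own session token API. The following is an added example, not the Inactive Logout plugin's code; the file location, function name, and log format are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example - newest login wins (added example, not Inactive Logout's code)
 *
 * Assumption: saved as wp-content/mu-plugins/example-single-session.php.
 * The function name and log format below are made up for this example.
 */

// WordPress core fires 'set_logged_in_cookie' every time it issues a login
// cookie; since WordPress 4.9 the sixth argument is the new session token.
add_action( 'set_logged_in_cookie', 'example_keep_newest_session', 10, 6 );

function example_keep_newest_session( $cookie, $expire, $expiration, $user_id, $scheme, $token ) {
	if ( empty( $token ) ) {
		return; // No token to compare against, so leave the sessions alone.
	}

	$manager  = WP_Session_Tokens::get_instance( (int) $user_id );
	$sessions = $manager->get_all(); // Unexpired sessions, the new one included.

	if ( count( $sessions ) < 2 ) {
		return; // Only the session that was just created exists.
	}

	// Core records the client IP with each session; collect them for the log
	// before the older sessions are removed.
	$ips = array_unique( array_column( $sessions, 'ip' ) );

	// Invalidate every session of this user except the one just issued.
	$manager->destroy_others( $token );

	error_log( sprintf(
		'single-session: user_id=%d ended %d older session(s); ips seen: %s',
		$user_id,
		count( $sessions ) - 1,
		implode( ', ', $ips )
	) );
}
```

An account that produces these log lines often, with many different IP addresses, is a likely candidate for a shared password.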
It Is Not Possible to Prevent Password Sharing
If you were looking for a more direct way to actually stop one person from giving their password to another person, you are out of luck. That is simply not possible.
Passwords can be shared in a variety of ways including speaking, texting, writing, email, smoke signal, and many more. Okay, you probably won’t see anyone using a smoke signal, but I think you get the point. There are a lot of ways to share a password.
Your website does not have the capacity or legal power to actually monitor anything that doesn’t take place on it.
Thus, you cannot actually prevent password sharing, but you can mitigate its effects.
Practice Safe Login Practices
Before I wrap this up, I want to make sure you know it is also important to have a strong WordPress user password. Never access your website on an open network or on a public computer (like a library or at a school).
You should also make sure your website is running some form of CAPTCHA. This will ensure that bots cannot log in to user accounts. In case you have not heard of the name before, CAPTCHA is that little test that asks if you are a human or tasks you with finding all of the street lights in an image.
I am positive you have seen it in action because most websites utilize it in some form or another. After all, it’s free to set up.
Have these changes lowered the number of users sharing WordPress passwords? Have you found that a solution like this helps cut down on the problem of WordPress users sharing passwords?