We manage WordPress, which, as we all know, requires a login to use. We also provide a standalone interface to manage your Pagely Hosting Account, which has its own account management system. Add to that that a typical Pagely customer may have multiple WordPress sites, each with its own Administrator login and user. So here you are, left juggling a handful of usernames and passwords in your daily routine.
Is this an inconvenience? It can be. However, we feel that in the name of added security it is worth it to ensure the integrity of your experience.
Scenario 1: The Single-Sign-On or Master login approach.
Say you use a hosting service that provides a login to their main system. Once logged into that system you can click a button that automatically logs you into another system, like WordPress. You click another button and it logs you into yet another site, each time bypassing the account management controls put there for a reason.
In this case access to all sites can be gained from 1 compromised login at the main hosting system. If your account at the source is compromised, the intruder now has access to everything else. Whoa nelly, this is a really bad day for you, and for your hosting company.
There may also be cases where, from within WordPress, you are allowed back into the central system without entering the proper credentials again. This is another open-door method to compromise everything, as 1 hacked WP site gains the bad guys access to everything else through the proverbial back door.
While this approach is commonly used in the name of convenience, the example above illustrates why we stay away from it. It’s easy, but also easy to get owned.
Scenario 2: Separate logins for each system.
At Pagely, you have a username/password for our hosting account system and a separate, unique username/password for each of your sites, with no direct connection between them. You must log in to each site separately in order to access it. We sacrifice a little convenience in the name of added security. Each system has a unique login/password combination for a very simple reason: isolation between systems limits the probability of a security meltdown.
Furthermore, we also require an additional “Secret Question” verification for any destructive action. Example: even when logged into our system, if you wish to remove a product/site or change usernames/emails, you are required to answer the secret question you provided at signup. Another layer to prevent the bad days.
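To show how the step-up check described above can be enforced on the server side, here is an added example (not Pagely's own code): the secret answer is stored only as a salted hash, the comparison is constant-time, a successful answer covers one destructive action, and it expires after a short window. The question text, the 5-minute window and the single-use rule are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed sample value standing in for the answer a customer gave at signup.
SIGNUP_ANSWER = "Rover"

def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the secret answer only as a salted PBKDF2 hash, never in the clear."""
    salt = salt if salt is not None else os.urandom(16)
    normalized = " ".join(answer.lower().split())  # tolerate case and spacing
    digest = hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 200_000)
    return salt, digest

class StepUpGuard:
    """Requires a fresh secret-question answer before a destructive action,
    even though the caller already holds a valid hosting-account session."""

    def __init__(self, salt: bytes, digest: bytes, max_age_s: int = 300):
        self.salt, self.digest, self.max_age_s = salt, digest, max_age_s
        self.verified_at: Optional[float] = None  # time of last good answer

    def verify_answer(self, answer: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        _, candidate = hash_answer(answer, self.salt)
        # Constant-time compare so response timing leaks nothing about the answer.
        if hmac.compare_digest(candidate, self.digest):
            self.verified_at = now
            return True
        return False

    def is_fresh(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.verified_at is not None and now - self.verified_at <= self.max_age_s

    def destructive_action(self, action: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Returns (allowed, message); a logged-in session alone is not enough."""
        if not self.is_fresh(now):
            return False, f"{action}: answer the secret question first"
        self.verified_at = None  # assumption: one answer covers one destructive action
        return True, f"{action}: done"
```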
How do you then juggle these multiple logins? You already do this every day with Facebook, Gmail, WordPress, and your corporate VPN. A password manager like 1Password can make it a little easier. Also: USE A PASS-PHRASE
As always, nothing is 100% foolproof. We have made choices which we feel decrease the likelihood of a bad day for you and are in the best interest of all our clients. Like this post and want to read more around WordPress security? We got more for you.