To share or not to share?

Password sharing is commonplace. The other day I received an email thread forwarded by a colleague that had done the rounds.

Someone was desperately trying to recover a shared account password, not by using the tried and tested forgot password routine but by emailing all and sundry with a long list that did not work.

Numerous passwords were contained in the email and the list of copyees was worryingly long.

Thankfully the reason they didn’t work was that the site in question had been mothballed. But what if those passwords were also used elsewhere, which is highly likely? What if they were also used on a Netflix account?

Password sharing and reuse and far are too common. At Our Locality, we will issue first a warning and then consider sanctions for repeat offenders and eventually suspend accounts if we find evidence of password sharing or reuse in breach of our policies.

Our friends at ChatGTP advise:-

It is not recommended to share subsite admin passwords on WordPress in multisite mode or any other mode for that matter. Sharing passwords, especially admin-level passwords, can pose significant security risks and potentially compromise the security of your website.

Here are a few reasons why sharing passwords is not a good idea:

  1. Security Risks: Sharing passwords increases the likelihood of unauthorized access to your website. If the password falls into the wrong hands, malicious actors could gain control of your site, steal sensitive information, or cause other types of damage.
  2. Lack of Accountability: When passwords are shared, it becomes difficult to track who has access to the site and who performed specific actions. This can complicate troubleshooting and auditing processes.
  3. Password Management: Sharing passwords can lead to poor password management practices, such as using weak passwords or reusing passwords across multiple accounts. Strong, unique passwords are crucial for maintaining the security of your site.
  4. Compliance and Legal Issues: Depending on your jurisdiction and the type of data your website handles, there might be legal requirements or industry regulations that mandate proper password management and user access controls.

Instead of sharing passwords, consider implementing these best practices to enhance the security of your WordPress multisite:

  1. User Accounts: Create separate user accounts for each individual who needs access to the subsites. Assign roles with appropriate permissions based on their responsibilities.
  2. Two-Factor Authentication (2FA): Enable two-factor authentication for all user accounts, especially those with admin privileges. This adds an extra layer of security by requiring a second form of verification beyond just a password.
  3. Strong Passwords: Ensure that all user accounts have strong, unique passwords that are not easily guessable. Encourage the use of password managers to generate and store complex passwords securely.
  4. Regular Auditing: Periodically review and audit user accounts and their permissions. Remove any accounts that are no longer needed or have excessive privileges.
  5. Educate Users: Educate all users about the importance of good security practices, such as not sharing passwords and being cautious about phishing attempts.
  6. Limit Access: Only grant admin access to those who genuinely need it. For other users who require certain capabilities, consider assigning them lower-level roles that match their responsibilities.

Remember, security is a critical aspect of website management. By following these best practices and maintaining proper access controls, you can help protect your WordPress multisite and the data it contains from potential security breaches.

By @ourlocality

Publishing Locally in East Lothian since 2010