Shared Website Accounts: Security Risks & Fixes

TL;DR

Sharing website accounts is a bad idea for cyber security. It makes it hard to track who did what, increases the risk of accidental errors or malicious activity, and weakens your overall protection. This guide explains why and how to fix it.

Why Shared Accounts Are Risky

1. Accountability Issues: If something goes wrong (a mistake is made, content is deleted, the site gets hacked), you won’t know who was logged in at the time. This makes fixing problems and preventing them happening again much harder.
2. Password Security: Shared passwords are often simple to remember – meaning they’re easier to guess or crack. They also get written down, emailed, or shared verbally, increasing exposure.
3. Increased Attack Surface: More people knowing the password means more chances for it to fall into the wrong hands. Each user becomes a potential entry point for attackers.
4. Audit Trail Problems: Most website systems log actions by username. With a shared account, you lose valuable information about which individual made changes. This is vital for cyber security investigations.
5. Compliance Issues: Many regulations (like GDPR) require knowing who has access to sensitive data. Shared accounts make meeting these requirements difficult.

How to Fix Shared Account Problems

The best solution is to eliminate shared accounts and give each person their own login.

1. Identify All Shared Accounts: Make a list of every website account currently being used by multiple people. This includes content management systems (CMS) like WordPress, e-commerce platforms like Shopify, hosting control panels, social media accounts, and any other critical web services.
2. Create Individual User Accounts: For each shared account, create separate logins for each user who needs access. Use strong, unique passwords for each account. A password manager is highly recommended.
   • Password Manager Example: Consider using a tool like Bitwarden or LastPass to generate and store complex passwords securely.
3. Assign Appropriate Permissions (Role-Based Access Control): Don’t give everyone full administrator access. Assign each user the minimum level of permission they need to do their job. Most CMS platforms have built-in roles like Editor, Author, Contributor, and Subscriber.
   • WordPress Role Example: In WordPress, go to Users > Roles Editor (you may need a plugin for this) and carefully define what each role can access and modify.
4. Enable Two-Factor Authentication (2FA): This adds an extra layer of security by requiring a code from a phone app or email in addition to the password.
   • Google Authenticator Example: Most platforms support 2FA apps like Google Authenticator. Enable it for all accounts, especially administrator accounts.
5. Regularly Review User Access: Periodically check who has access to your website and revoke permissions for anyone who no longer needs them.
   • Hosting Control Panel Example: In cPanel or Plesk, regularly review the list of users with access to your hosting account.
6. Implement Audit Logging & Monitoring: Ensure your website platform logs user activity and that you regularly monitor these logs for suspicious behaviour.
   • Log Review Example (Linux server): Use commands like

     tail -f /var/log/auth.log

     to view recent login attempts on a Linux server.

7. Train Users: Educate your team about the importance of cyber security best practices, including password management and recognizing phishing attempts.

What if I absolutely *must* have shared access?

While strongly discouraged, if you must share access (e.g., a temporary contractor), use these precautions:

• Temporary Accounts: Create a dedicated account for the shared user and delete it immediately after they no longer need access.
• Limited Permissions: Grant only the necessary permissions, nothing more.
• Monitor Activity Closely: Keep a very close eye on what the shared user is doing while logged in.