Restricting users from sharing login credentials



How to restrict the sharing of user credentials on your WordPress website using the miniOrange 2-factor authentication plugin


WordPress is a free and open-source content management system written in PHP. WordPress is the largest CMS in use right now around the world; almost 40% of all websites are built on WordPress. As it is the most used CMS, it attracts a large number of attackers. Because both credentials, i.e. the username and password, are static and do not change on every login attempt, users can share them with someone outside the organization. In this way one account can be used by multiple people, which is not acceptable in some cases.
For example, if you are running an eLearning / online learning platform or a learning management system (LMS), you would not want your students to share their premium course credentials with family and friends. Restricting credentials is useful on many other websites too, including employment websites where you want to stop your employees from sharing their credentials. Credential sharing also increases the security threats to your website: if any user's password gets leaked, an attacker can make several critical changes to your website.


Why should you restrict users from sharing their WordPress account credentials?


Sharing user credentials can lead to several types of loss, including loss of money, security issues for the website, content theft, etc. These are some of the reasons why you should restrict users from sharing their credentials with anyone.

  • Profit loss: If you have paid content on your site which should be used only by the user who paid for it, then users sharing their username and password with family and friends can lead to a loss of business for your site.

    For example, if you have an e-Learning website, a paid user sharing premium content with friends and family results in a loss of profit.


  • Security threats: If a user or admin account's password has been shared with an attacker, it is dangerous for the site too, as the attacker can do whatever the privileges of that account allow.

    For example, if an attacker gets access to an administrator account of your site, the attacker can delete the database, delete users, and make any other change an administrator can make.


  • Content stealing: Content stealing is quite common nowadays. As a site owner, you want to restrict some specific content of your site to some specific users, but if any user on that list has shared their credentials with an outsider, this can cause a loss of business.

    For example, if you have some web pages which should not be accessible from outside the organization and an account has been shared with or hacked by an attacker, the attacker can steal important data. The attacker can steal users' information too, so protecting your site from such attacks is very important.



How does miniOrange restrict your users' credentials to one person and increase the security of your website?


miniOrange provides a two-factor authentication plugin which adds an extra layer of security to your WordPress website. In the plugin, you get several authentication methods that can stop a user's credentials from being shared with anyone, on purpose or by accident. When the user enters his/her correct username and password, he/she is prompted with a second-factor authentication page, which needs to be validated before login succeeds. This is how our solution restricts the credentials to only one user. We have 15+ authentication methods, which include OTP over Email, OTP over SMS, hardware token, QR code authentication, etc. These are some of the methods which can work in restricting credentials.


  • QR code authentication:

    miniOrange provides a QR code authentication method with the help of the miniOrange Authenticator app. In this method, a QR code is generated each time a user requests configuration. The user needs to scan the QR code with his/her mobile phone. The generated QR code can be scanned on only one device for configuration. After the QR code is scanned and validated, an account is registered in the mobile app and the user is prompted for the second factor on every login attempt. On every login request a new QR code is shown to verify the identity, which can only be scanned with the same device. As the configuration can be done on only one phone, nobody except the legitimate user can access your site.

    You would only need the miniOrange authenticator app to configure this method, the app is available on both Android and iOS marketplaces.


    You can test this method by following these steps:

    1. Install the miniOrange 2-factor plugin from the WordPress directory.
    2. Once the plugin is installed, go to the two-factor tab in the plugin.
    3. As you can see, several authentication methods are available. Click on the configure button of miniOrange QR code authentication.

    4. After that, download the miniOrange app on your phone. Once the app is installed, click on the configure your phone button.

    5. It will prompt you with a QR code; scan that QR code by clicking on the + button in the app.

    6. If you have successfully configured the QR code, it will show you a 6-digit OTP on your phone and a green tick on the QR code on the site. This QR code registers only one device, so the device owner is the only person authorized.

    7. Now you have successfully configured QR code authentication. For testing, go to an incognito/private window or use a different browser and try to log in to your site. After entering the correct username and password you will be prompted with a QR code. Scan that QR code on your phone by clicking on the SCAN QR CODE button.

    8. It will redirect you to the WordPress dashboard, and the configuration is successful.
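    The description above does not say how the plugin binds the QR code to a single phone, so the following is an added model of one way such a flow can work, written for this page and not taken from the miniOrange plugin or app. It assumes a one-time enrollment token inside the configuration QR code (consumed on the first scan, so a second phone cannot register) and a per-login random challenge that only the enrolled phone can answer with an HMAC over a secret it stored at enrollment. The `Site`, `Phone` and `demo` names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


class Site:
    """Server side: issues enrollment and login QR payloads and verifies responses."""

    def __init__(self):
        self.enrolled = {}         # username -> device secret (bytes)
        self.pending_enroll = {}   # enrollment token -> username
        self.pending_login = {}    # login challenge -> username

    def enrollment_qr(self, username):
        # One-time token encoded into the configuration QR code.
        token = secrets.token_urlsafe(16)
        self.pending_enroll[token] = username
        return json.dumps({"type": "enroll", "user": username, "token": token})

    def complete_enrollment(self, token, device_secret_b64):
        # The token is consumed on first use, so a second phone scanning the
        # same QR code cannot register for the account.
        username = self.pending_enroll.pop(token, None)
        if username is None or username in self.enrolled:
            return False
        self.enrolled[username] = base64.b64decode(device_secret_b64)
        return True

    def login_qr(self, username):
        # A fresh random challenge for every login attempt.
        challenge = secrets.token_hex(16)
        self.pending_login[challenge] = username
        return json.dumps({"type": "login", "user": username, "challenge": challenge})

    def verify_login(self, username, challenge, response_hex):
        # Each challenge may be answered once; a replayed answer is rejected.
        if self.pending_login.pop(challenge, None) != username:
            return False
        secret = self.enrolled.get(username)
        if secret is None or response_hex is None:
            return False
        expected = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response_hex)


class Phone:
    """Authenticator app side: one instance per physical device."""

    def __init__(self):
        self.accounts = {}  # username -> device secret

    def scan_enrollment(self, qr_payload, site):
        data = json.loads(qr_payload)
        secret = secrets.token_bytes(32)  # generated on the phone, sent back over the (assumed TLS) channel
        ok = site.complete_enrollment(data["token"], base64.b64encode(secret).decode())
        if ok:
            self.accounts[data["user"]] = secret
        return ok

    def scan_login(self, qr_payload):
        data = json.loads(qr_payload)
        secret = self.accounts.get(data["user"])
        if secret is None:
            return None  # this phone was never enrolled for the account
        return hmac.new(secret, data["challenge"].encode(), hashlib.sha256).hexdigest()


def demo():
    site = Site()
    owner_phone, friend_phone = Phone(), Phone()
    user = "student42"  # constructed sample account

    enroll_qr = site.enrollment_qr(user)
    owner_enrolled = owner_phone.scan_enrollment(enroll_qr, site)    # True
    friend_enrolled = friend_phone.scan_enrollment(enroll_qr, site)  # False: token already used

    login_qr = site.login_qr(user)
    challenge = json.loads(login_qr)["challenge"]
    owner_ok = site.verify_login(user, challenge, owner_phone.scan_login(login_qr))   # True
    replay_ok = site.verify_login(user, challenge, owner_phone.scan_login(login_qr))  # False: challenge spent

    login_qr2 = site.login_qr(user)
    challenge2 = json.loads(login_qr2)["challenge"]
    friend_ok = site.verify_login(user, challenge2, friend_phone.scan_login(login_qr2))  # False: no secret

    return owner_enrolled, friend_enrolled, owner_ok, replay_ok, friend_ok


if __name__ == "__main__":
    print(demo())
```

    The point the model makes is that sharing the username and password is not enough: the login QR code can only be answered by the phone that holds the enrollment secret, and the enrollment QR code stops working after its first scan.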


  • Device Fingerprinting / Remember device:

    Device fingerprinting is another method to restrict your users. With device fingerprinting, or remember device, users can use their credentials only on the first few devices they log in from. There is a limit on the number of devices a user can log in from, and it is configurable. Users can log in to the website from any device at first. After every successful login from a new device the device count increases, and once the count has reached the limit the user can no longer log in from new devices; the user can still log in from the saved devices. A device is treated as a different device if the browser, operating system, timezone, or several other settings differ. This is a configurable option: you can choose how you want to differentiate two devices. For example, if you have configured the device limit to two, then the user can use only the two unique devices which they have used for login. This stops users from sharing the credentials with any other person, as the user cannot delete the saved devices or change the limit. Administrators also have an option to delete a user's previous devices, so that a user who no longer has access to a previous device can reconfigure on a new one.
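    To make the device-limit logic above concrete, here is an added example written for this page (it is not the plugin's own code). It assumes a fingerprint built from whichever request attributes the administrator selects (browser, OS and timezone in the default policy), a per-user list of saved fingerprints that only an administrator can clear, and constructed sample requests named `LAPTOP`, `PHONE` and `FRIEND`.

```python
import hashlib


class DeviceLimitPolicy:
    """Which request attributes distinguish two devices, and how many devices a user may save."""

    def __init__(self, max_devices=2, attributes=("browser", "os", "timezone")):
        self.max_devices = max_devices
        self.attributes = attributes

    def fingerprint(self, request):
        # Hash only the attributes the administrator chose; everything else is ignored.
        raw = "|".join(str(request.get(a, "")) for a in self.attributes)
        return hashlib.sha256(raw.encode()).hexdigest()


class DeviceRegistry:
    """Per-user list of saved device fingerprints; users cannot edit it themselves."""

    def __init__(self, policy):
        self.policy = policy
        self.saved = {}  # username -> {fingerprint: description}

    def login(self, username, request):
        fp = self.policy.fingerprint(request)
        devices = self.saved.setdefault(username, {})
        if fp in devices:
            return "allowed"       # a previously saved device
        if len(devices) >= self.policy.max_devices:
            return "denied"        # limit reached; new devices are refused
        devices[fp] = f"{request.get('browser')}/{request.get('os')}"
        return "allowed"           # new device saved, count goes up by one

    def admin_clear_devices(self, username):
        # Administrator-only reset, e.g. when the user lost a saved device.
        self.saved.pop(username, None)


# Constructed sample requests (not real traffic).
LAPTOP = {"browser": "Chrome", "os": "Windows", "timezone": "Asia/Kolkata"}
PHONE = {"browser": "Safari", "os": "iOS", "timezone": "Asia/Kolkata"}
FRIEND = {"browser": "Firefox", "os": "Linux", "timezone": "America/New_York"}


def demo(max_devices=2):
    registry = DeviceRegistry(DeviceLimitPolicy(max_devices))
    user = "student42"
    results = [
        registry.login(user, LAPTOP),   # allowed: device 1 saved
        registry.login(user, PHONE),    # allowed: device 2 saved
        registry.login(user, FRIEND),   # denied: limit of 2 reached
        registry.login(user, LAPTOP),   # allowed: saved device
    ]
    registry.admin_clear_devices(user)
    results.append(registry.login(user, FRIEND))  # allowed: user re-registers on a new device
    return results


def demo_coarser_fingerprint():
    # Same browser and OS, different timezone: with timezone excluded from the
    # policy they count as one device, so a limit of 1 still lets both log in.
    policy = DeviceLimitPolicy(max_devices=1, attributes=("browser", "os"))
    registry = DeviceRegistry(policy)
    home = {"browser": "Chrome", "os": "Windows", "timezone": "Asia/Kolkata"}
    travelling = {"browser": "Chrome", "os": "Windows", "timezone": "Europe/London"}
    return [registry.login("student42", home), registry.login("student42", travelling)]


if __name__ == "__main__":
    print(demo(), demo_coarser_fingerprint())
```

    The second function shows the trade-off behind the "how to differentiate two devices" setting: the fewer attributes go into the fingerprint, the fewer legitimate lockouts, but the easier it is for two different machines to look like one.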


  • Biometric Methods:

    We have several biometric methods. The most popular ones are human fingerprints, voice recognition, face recognition, etc. As these methods are not easy to hack and are unique to each user, they allow your users to use their identity as the second factor, which is far more convenient than the usual 2-factor methods. In the case of biometric authentication, your users are asked to configure the second factor with their voice, fingerprint, or image. Once the configuration is complete, it is asked for every time they log in. As hacking these methods is not an easy job, this gives you the required protection against credentials being shared. For example, in the voice authentication method the user is prompted with some random words. The user needs to pronounce those words to feed his/her voice into the miniOrange voice detection model. Once the voice is configured in the voice detection model, the user is prompted with the voice-based authentication page after every login attempt and needs to pronounce the word written on that page. As every human has a different voice, it becomes really hard for attackers to bypass.
