Restricting Users from Sharing Login Credentials

Restrict users from sharing their login credentials


All of us know that the most lucrative target for malicious actors and scammers have been businesses and companies that are lackadaisical in their internal security implementations.

These lax security implementations allow the malicious actors to infiltrate and compromise the systems, networks and databases of entire companies.

And why do these companies fail to protect themselves ?

It’s due to the unfound belief that implementing a security infrastructure is an arduous and time consuming task for the company. This is directly counter to the actual situation.

These companies end up putting both their internal employees and customers at risk.

With the increase in cyber attacks against SMBs and large scale enterprises alike. Individuals and companies both have reasons to be wary, and to find solutions for these problems.

With most of these attacks taking place due to stolen or breached usernames and passwords. the most foolproof way to protect your customers and admins, is by implementing 2 Factor or MultiFactor Authetication accross your platform.

Why should you restrict users from sharing their WordPress account credentials?


Not only security complications, unchecked sharing of user credentials can lead to several types of losses; the loss of revenue, security issues, content stealing, etc.



  • Loss in Revenue: If you have paid content on your site which should be used only by one user who has paid for it, then if the user shares the username and password with their family and friends, it can lead to diminishing business to your site.

    For example, if you have an e-Learning website then a paid user sharing premium content to his friends and family can result in a loss of revenue.


  • Security threats: If a user or admin account’s password has been shared with an attacker then it can be dangerous for the site too, as the attacker can do whatever the privileges provided to that account are capable of doing.

    For example, if an attacker gets access to an administrator account of your site then the attacker can delete the database, delete the users, and all other changes that an administrator can do.


  • Content stealing: Content stealing is extremely popular nowadays. As a site owner, you may want to restrict some specific content of your site to some specific users but if any users from that list have shared their credentials to an outsider then this can cause lead to content being leaked or stolen to outside entities.

    For example, if you have some webpages which should not be accessible from outside the organization and if any account has been shared or hacked by the attacker, this can lead to the attacker stealing important data. The attacker can steal user's information too; so protecting your site from such attacks is very important.




stop users from sharing login credentials








How miniOrange restricts your user’s credentials and implements 2 Factor Authentication ?


miniOrage provides a two-factor authentication plugin which adds an extra layer of security to your WordPress website. In the plugin, you will get several authentication methods that can restrict the user’s credentials from being shared with anyone, on purpose or by accident.

When the user enters his/her correct username and password it is prompted with a second-factor authentication page, which needs to be validated to login. So our solution works here to restrict the credentials to only one user. We have 15+ authentication methods which include OTP over EMail, OTP over SMS, hardware token, QR code authentication, etc. These are some of the methods which can work in restricting credentials.




QR code authentication


miniOrange provides QR code authentication method with the help of a miniOrange authenticator app. In this method, a QR code is generated each time when a user requests for configuration. The user needs to scan the QR code on his/her mobile phone.

The generated QR code can be scanned only on one device for configuration. After the QR code is scanned and validated an account will be registered in the mobile app and users will be prompted with the second factor on every login attempt. On every login request, a new QR code will be prompted to verify the identity which is possible using the same device. As the configuration can be done only on one phone so nobody except the legitimate user can access your site.

You would only need the miniOrange authenticator app to configure this method, the app is available on both Android and iOS marketplaces.


You can test this method by following these steps:

  • Install miniOrange 2-factor plugin from the WordPress directory.

  • Once the plugin is installed go to the two-factor tab in the plugin.

  • As you can see there will be several authentication methods available. Click on the configure button of miniOrange QR code authentication.

    Restrict user from sharing login credentials

  • After that download the miniOrange app on your phone. Once the app is installed click on the configure your phone button.

    stop user from sharing login credentials

  • It will prompt you with a QR code, scan that QR code by clicking on the + button in the app.

    Restrict user from sharing login credentials

  • If you have successfully configured the QR code it will show you a 6 digit OTP on your phone and a green tick on the QR code on the site.This QR code will register only one device so the device owner is the only person authorized.

    Learing management system

  • Now you have successfully configured the QR code authentication. For testing Goto and incognito/private window or use a different browser and try to login to your site. After entering the correct username password you will be prompted with a QR code. Scan that QR code in your phone by clicking on the SCAN QR CODE button.

    login credentials

  • It will redirect you to WordPress Dashboard and the Configuration is successful.



Device Fingerprinting / Remember device



Device fingerprinting is another method to restrict your users. In Device Fingerprinting or remember device users can use the credentials only on the first few devices. There will be a limit on the number of devices a user can log in and it is configurable.

Users can log in to the website from any device. After every successful login, the device count will increase and once the device count has reached the limit then the user won’t be able to log in from the new devices. The user can log in from saving devices. applications device will be different if the browser, operating system, timezone, and several other settings.

This is a configurable option you can choose how you want to differentiate two devices. For example, if you have configured the device limit to two then the users can use only the two unique devices which they have used for login. So this will restrict users to share the credential with any other person as he won’t be able to delete the devices or change the limit. Also, there is an option available to administrators for deleting the previous devices of users so that if any user does not have access to the previous device then the user can reconfigure it to the new device.



Biometric Methods



We have several biometrics methods. The most popular ones are human fingerprints, voice recognition, face recognition, etc. As these methods are not easy to hack and are unique to each user So this would allow your users to use their identity as the second factor and it is way more convenient than the usual 2-factor methods. In the case of biometric authentication, your users will be asked to configure the second factor with their voice, fingerprint, or image. Once the configuration is complete it will be asked on every time they log in.

As hacking these methods is not an easy job so it will provide you the required security from credentials getting shared. Ex. In the voice authentication method, the user will be prompted with some random words.

The user needs to pronounce those words for feeding his/her voice in the miniOrange voice detection model. Once the voice is configured in the voice detection model the user will be prompted with the voice-based authentication page after every login attempt. Then the user needs to pronounce the word written on the voice-based authentication page. As every human has a different voice so it becomes really hard for attackers to bypass.