1. Create separate user accounts: Create separate user accounts for each user who needs access to your hosting account. This will allow you to control who has access to what files and folders.
2. Set permissions: Set permissions for each user account to control what they can access and what they can do. This will help you ensure that only authorized users have access to sensitive information.
3. Monitor activity: Monitor user activity to ensure that users are not accessing or modifying files or folders that they should not be.
4. Use secure passwords: Make sure that all user accounts have secure passwords that are difficult to guess.
5. Use two-factor authentication: Use two-factor authentication to add an extra layer of security to user accounts. This will help ensure that only authorized users can access your hosting account.
6. Use encryption: Use encryption to protect sensitive data from being accessed by unauthorized users.
7. Update regularly: Make sure to update your hosting account regularly to ensure that all users have the latest security patches and updates.
If you operate a business or manage large projects you know how important a multi-user environment can be. In this post, I’d like to give some tips and tricks on how you can operate a website safely using WordPress’ built-in tools and some advanced features MyKinsta offers you.
The Benefits Of Multi-User Environments
There are two main benefits that arise from the ability to access software with different user levels – security and convenience.
If only one user has ownership-level access to your hosting account while all the other users have reduced permissions, you are mitigating a large portion of risk. Every user has access to what they need and nothing more.
Trust in your users is only part of the issue. Each user has third-party logins that could affect any service – chiefly their email. If someone hacks a trusted employee’s email they could disrupt your application.
As for convenience, giving everyone the access they require can ease their job. If you give a user Billing access in MyKinsta they will not have access to sites, analytics and other data at all. They just see billing-related items like company settings and invoices. Reducing the noise allows billing users to do their jobs more easily. This is also handy in an agency situation where your accountant shouldn’t necessarily have access to site details.
Hosting And WordPress Accounts
Managed WordPress hosting can be a little different from other applications because you are operating under two distinct and different software systems.
Access to your hosting dashboard (MyKinsta for Kinsta) should usually be restricted to a much smaller set of users than access to your WordPress admin. You may have scores of writers, proofreaders, editors and developers but in most cases, they won’t all need access to your hosting environment.
Setting Up A Good Multi-User System In MyKinsta
In this section, we’ll give you some recommendations through MyKinsta but the general principles can be applied to any hosting environment. In MyKinsta we offer Company and Site users. Company-level users can access company-level information while site-level users have access to individual sites only.
We offer four user roles at the company level.
- Company Administrators have access to everything, including all sites.
- Company Developers can manage all websites but don’t see company billing or settings.
- Company Billing users only have access to company settings and billing information, and do not have access to sites.
- A Company Owner has the same permissions as Company Administrators with the added capability to request account closure.
For site level users, we offer two user roles.
- Site administrators have access to all environments (live and staging) for assigned sites.
- Site developers only have access to staging environments for assigned sites.
For more information about our user levels take a look at our Knowledge Base article about how MyKinsta roles work.
With that in mind you can set up your users with the correct access levels. Here’s what we recommend:
- If you own the company you are designated the Company Owner. This is a special designation which allows you to delete your company.
- If you have a trusted manager such as your main business partner or COO you can make them Company Administrators so they can manage your business for you.
- Your accountant or CFO can be set as Company Billing users to access invoices and other finance-related data.
- If you have a main developer or a CTO you can make them Company Developers. They will be able to manage both the live and staging environments for all sites without needing to worry about company details or invoices.
Depending on how your business is set up you’ll want to invite site-level users differently. Here are some scenarios to consider:
- If you are a full-service agency managing all aspects of client sites for them you may not need site-level users at all. If you have a couple of devs working on all your sites it may be worth making them all Company Developers.
- If you have a huge team tending to hundreds of sites it may be a good idea to give specific users access only to a subset of your sites. This can be done by giving Site Administrator or Site Developer access, depending on whether you want to provide access to both live and staging environments.
- If you are training a developer to join your team you could give them Site Developer access to your sites. This would allow them to manage staging environments only. Any mistakes made will not have an effect on live sites.
- If you own a site and have just hired a developer you can give them Site Developer access until you are happy with their work. You could also keep their access at that level. When finished you can simply push your staging environment to live with one click. Your developer can then continue work on the next version using the staging environment.
To learn more about MyKinsta user roles, check out our in-depth knowledgebase article.
We’ve added a couple of bulk actions to make sure you can get everything set up in as little time as possible. The two most important ones are adding multiple users to a site and removing users from sites. See the links for descriptions and videos.
Using WordPress User Roles
If you use MyKinsta’s multi-user feature in tandem with WordPress’ built-in roles feature you are greatly reducing risk. The same general advice from above applies to WordPress. By default WordPress offers the following roles:
- Administrator
- Editor
- Author
- Contributor
- Subscriber
In this post, we give you a good explanation of what each one does. In a nutshell: administrators can do anything. Editors can manage all posts while authors can only manage their own. Contributors can write and manage their own posts but can’t publish. Subscribers can only manage their profile.
At Kinsta we give our authors the contributor role because publishing is done by the marketing team. Some authors, particularly those on our non-English sites like the Spanish blog, may receive the editor role. This is because they may need to do small edits to posts which we couldn’t do otherwise due to language barriers. Even so, these are trusted partners; a typo is preferable to a security breach.
Administrator privileges are only given to a couple of people to make sure we have someone online at all times who can manage all settings if needed.
If you need to modify the default roles or want to create your own you can do so via custom code or plugins like User Role Editor. These methods give you granular control over your whole website.
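The following plugin is an added example of the “custom code” route, not code from this post or from the User Role Editor plugin. It registers a constructed “proofreader” role for the situation described above (someone who needs to fix typos in other people’s drafts but must not publish), built on the standard WordPress role API (`add_role`, `get_role`, `remove_role`, `map_meta_cap`). The role slug, display name and capability choices are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Proofreader Role (added example)
 *
 * Added example, not code from the Kinsta post or from any plugin it
 * names. Registers a constructed "proofreader" role that can open and
 * edit other users' unpublished posts but cannot publish, delete or
 * upload. Role definitions are persisted in the database, so they are
 * written once on activation and cleaned up on deactivation rather than
 * re-created on every request.
 */

defined( 'ABSPATH' ) || exit;

const EXAMPLE_ROLE = 'proofreader'; // constructed role slug

function example_register_proofreader_role() {
    // Start from the built-in Contributor role so we inherit its minimal
    // capability set instead of hand-picking from a larger role.
    $contributor = get_role( 'contributor' );
    $caps        = $contributor ? $contributor->capabilities : array( 'read' => true );

    // Least privilege: add exactly one capability (edit others' posts) and
    // explicitly deny the dangerous ones. A capability set to false, or
    // simply absent, is treated by WordPress as "not granted".
    $caps['edit_others_posts'] = true;
    $caps['publish_posts']     = false;
    $caps['delete_posts']      = false;
    $caps['upload_files']      = false;

    // add_role() returns null if the role already exists; that is fine.
    add_role( EXAMPLE_ROLE, 'Proofreader', $caps );
}

function example_remove_proofreader_role() {
    // Move anyone still holding the role to Contributor before removing
    // it, so no account is left with a dangling, capability-less role.
    foreach ( get_users( array( 'role' => EXAMPLE_ROLE ) ) as $user ) {
        $user->set_role( 'contributor' );
    }
    remove_role( EXAMPLE_ROLE );
}

register_activation_hook( __FILE__, 'example_register_proofreader_role' );
register_deactivation_hook( __FILE__, 'example_remove_proofreader_role' );

// Defence in depth: even if another plugin later grants publish_posts to
// this role in the database, refuse it at the capability-check layer.
// map_meta_cap runs for every current_user_can() call and receives the
// primitive capabilities required; returning do_not_allow denies the check.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( in_array( 'publish_posts', (array) $caps, true ) ) {
        $user = get_userdata( $user_id );
        if ( $user && in_array( EXAMPLE_ROLE, (array) $user->roles, true ) ) {
            return array( 'do_not_allow' );
        }
    }
    return $caps;
}, 10, 3 );
```

Drop the file into `wp-content/plugins/` and activate it; the role then appears in the user editor next to the built-in ones. If the proofreaders also need to touch posts that are already live, `edit_published_posts` would have to be added as well, which widens the blast radius of a compromised proofreader account, so treat that as a deliberate decision rather than a default.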
Further Good Practices
Roles and permissions have nothing to do with a person’s hierarchy in a company. Don’t insist on having an actively used admin account everywhere because you are the CEO. In other words: don’t let your ego dictate your permissions.
At Kinsta we use Google Workspace and 1Password. Google Workspace is great for being able to reset passwords to any company email account in an emergency and 1Password is great for storing login credentials – including two-factor authentication codes. This way, if a manager really needs to, they can gain access to most accounts without having to operate an administrative account for each service we use.
Make regular security sweeps. Organizations change quickly and forgetting to remove someone from a project is not uncommon. Security sweeps ensure that everything is current and secured. On the website, we do a quick sweep every couple of months. If a user with the author role hasn’t written any posts for a while we’ll make them a contributor. If they start writing again they’ll let us know and we can make a decision about the update then.
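The sweep described in the previous paragraph (demote Authors who have not published for a while to Contributor) can be scripted so it is not forgotten. The script below is an added example written for this post, not Kinsta’s own tooling; it runs inside WordPress through WP-CLI’s `wp eval-file` and uses only core APIs (`get_users`, `WP_Query` with a `date_query`, `WP_User::set_role`). The 90-day threshold, the dry-run default and the file name are assumptions.

```php
<?php
/**
 * Inactive-author sweep (added example, not Kinsta's own tooling).
 *
 * Usage, from the site root:   wp eval-file author-sweep.php
 * Lists every user with the Author role who has not published a post in
 * the last N days and, unless dry-run is on, moves them to Contributor.
 * The threshold and the dry-run default are constructed for this example.
 */

defined( 'ABSPATH' ) || exit;

const SWEEP_INACTIVE_DAYS = 90;   // constructed threshold
const SWEEP_DRY_RUN       = true; // set to false to actually change roles

/**
 * True if the user has at least one published post newer than the cutoff.
 * Asks for a single post ID and skips the row count so it stays cheap on
 * large sites.
 */
function example_author_is_active( int $user_id, int $days ): bool {
    $q = new WP_Query( array(
        'author'         => $user_id,
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => 1,
        'fields'         => 'ids',
        'no_found_rows'  => true,
        'date_query'     => array(
            array( 'after' => "{$days} days ago", 'inclusive' => true ),
        ),
    ) );
    return $q->have_posts();
}

/**
 * Walk all Authors and return the logins that were (or, in dry-run mode,
 * would be) demoted. Returning the list keeps the decision reviewable
 * before anything is changed.
 */
function example_sweep_inactive_authors( int $days, bool $dry_run ): array {
    $demoted = array();
    foreach ( get_users( array( 'role' => 'author' ) ) as $user ) {
        if ( example_author_is_active( $user->ID, $days ) ) {
            continue;
        }
        $demoted[] = $user->user_login;
        if ( ! $dry_run ) {
            // set_role() replaces every role on the account, so the user
            // ends up with Contributor only, matching the post's policy.
            $user->set_role( 'contributor' );
        }
    }
    return $demoted;
}

$result = example_sweep_inactive_authors( SWEEP_INACTIVE_DAYS, SWEEP_DRY_RUN );
$verb   = SWEEP_DRY_RUN ? 'would demote' : 'demoted';
$line   = sprintf( 'Sweep %s %d author(s): %s', $verb, count( $result ), implode( ', ', $result ) );

if ( class_exists( 'WP_CLI' ) ) {
    WP_CLI::log( $line );
} else {
    error_log( $line );
}
```

Run it with the dry-run flag on first and read the list; the point of the sweep is a human decision about each account, and the script only removes the “forgot to check” failure mode. Because the demotion leaves the user’s existing posts untouched and they can ask for the Author role back, the cost of a false positive is low, which is what makes an automatic default safe here.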
The Future Of MyKinsta Multi-User
We built the multi-user feature from the ground up based on interviews conducted by our UX team. We solved the most common cases that came up and we think we’ve made something that every user will enjoy. We’ll continue to listen to feedback and improve this corner of MyKinsta, just like we have improved other systems.
We’re particularly interested in catering to the needs of agencies. If you have any thoughts, ideas, or comments, let us know. Log in to MyKinsta or grab one of our plans now to get started. Multi-user is enabled on all our plans out-of-the-box.