How to Change Password on WordPress Through Hosting
I have two websites; one is a personal blog and the other one is a niche e-commerce store. Both of them are hosted on the same server. I often need to change the password for the WordPress account on that server, but since all logins are done through SSH, I always end up changing the password for both sites at the same time. This is frustrating. Is there a way to change the password for just one of the sites instead of both?
Alternative Ways to Login
WordPress supports two types of authentication, username and password, and two types of login pages: the normal login form on WordPress.com, and a login through a third-party service such as Google or Facebook (if you use that kind of login system). If you have a specific reason for wanting to use a third-party login system instead of the built-in WordPress account (for example, if you use a VPN to connect to the server and keep your login secured), then you have a couple of options.
You can set up a different login page for each type of login. In my case, I have a WordPress.com account and a Facebook account, and I use a different login page for each one.
If you choose to use the password option on your WordPress account, then you can either choose a strong and complex password, or you can use the Security Keys that WordPress provides to make entering your password easier. The advantage of the Security Keys is that they are generated randomly each time you set them up, so if someone steals your login details or manages to guess your password, they won’t be able to use it. The disadvantage is that you have to re-key each one when you set them up, which is more work than using a strong password. But at least it’s a hassle-free option.
Use SSH Keys
If you have a dedicated IP (that is, your own static IP that you can assign to each one of your servers), then you can generate SSH keys for each of your servers. If your account is set up to use SSH keys, then you can use them to log in to your server rather than having to type in your password every time. The advantage is that you no longer have to worry about your login being stolen or guessed, because it will not be possible for anyone to log in to your server without the SSH keys.
If you choose to use this method, then you will need to generate a 2048-bit RSA key pair on your local machine and upload the public key to your server. You can use the following command to generate a new key pair:
$ ssh-keygen -t rsa -b 2048
Make sure the key pair is saved as ~/.ssh/id_rsa (the private key) and ~/.ssh/id_rsa.pub (the public key) on your local machine. You can then use the following command to upload the public key to your server:
$ cat ~/.ssh/id_rsa.pub | ssh rsnapshot.org 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
Now, whenever you need to log in to your server, you can just use the following command:
$ ssh -i ~/.ssh/id_rsa rsnapshot.org
And you will be logged in as soon as you enter your correct username and password.
This is not a perfect solution and has some downsides: you have to generate and store copies of your private key locally, which increases the possibility of a data breach; you need to keep track of all the usernames and passwords for your various servers, which is not ideal; you have to type in your password more than once when logging in from different machines; and last but not least, you cannot use Security Keys with this method.
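Because the private key now lives on your local disk, its file permissions matter. The script below is an added example, not part of the original article: it audits a key directory laid out like ~/.ssh above, treating any file with a .pub sibling as a private key (an assumption of this example), and runs against a constructed sample directory.

```shell
#!/bin/sh
# Added example, not from the original article: audit key-file permissions.

# Print the six group/other permission characters of a path, e.g. "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_ssh_dir DIR: print one FAIL line per problem; return 1 if any found.
audit_ssh_dir() {
    dir=$1
    rc=0
    # The directory itself should be owner-only (mode 700).
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "FAIL $dir: directory is accessible by group or other"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        bits=$(group_other_bits "$f")
        if [ -f "$f.pub" ]; then
            # A file with a .pub sibling is treated as a private key:
            # ssh refuses to use it if group or other has any access.
            if [ "$bits" != "------" ]; then
                echo "FAIL $f: private key is accessible by group or other"
                rc=1
            fi
        else
            # Public keys and authorized_keys may be readable, never writable.
            case "$bits" in
                ?w????|????w?)
                    echo "FAIL $f: writable by group or other"
                    rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample directory with one deliberately loose private key.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/id_rsa"; : > "$d/id_rsa.pub"; : > "$d/authorized_keys"
    chmod 700 "$d"
    chmod 644 "$d/id_rsa" "$d/id_rsa.pub"   # 644 on id_rsa is the defect
    chmod 600 "$d/authorized_keys"
    echo "$d"
}

demo=$(make_demo_dir) && { audit_ssh_dir "$demo" || true; rm -rf "$demo"; }
```

To check your real keys, call audit_ssh_dir "$HOME/.ssh" and fix any reported file with chmod 600 (private keys) or chmod 700 (the directory).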
Use Second Factor Authentication (2FA)
If you are using Google or another third-party service as a login system, then you can enable two-factor authentication to further protect your login. With 2FA, whenever you log in from a new device (such as a new computer, mobile phone, or tablet), you will be asked to verify that you are in fact who you say you are by giving the device another factor besides your password. Typically, this is something you have, such as a physical token (usually a fob) or a special key that is generated each time you log in from a new device (this is the Security Key option I mentioned previously).
The advantage of 2FA is that it makes sure that you are who you say you are, by requiring you to have something additional with you (such as a fob) whenever you log in from a new device. The disadvantage is that it is a hassle to have to get a fob or generate a key on a new device whenever you log in; and if you forget your second factor or it gets stolen, then you have no way of accessing your account without the secondary device. Furthermore, there is always the possibility that someone could intercept the data being transferred to or from the server while it is in transit and steal it.
Use Multi-Factor Authentication (MFA)
If all of the above options seem like a hassle to you and you are not sure which one to choose, then you can use Multi-Factor Authentication instead. With MFA, you are still required to have something additional with you when you log in (usually a fob or a Security Key), but you are also required to log in from multiple devices (usually a computer and a mobile phone). This makes sure that you are who you say you are and that no one is trying to prey on your poor self while you sleep.
The advantage of MFA is that it requires you to have something additional with you when you log in (usually a fob or a Security Key), which makes it harder for someone to steal your login details. The disadvantage is that you have to remember to bring your fob or Security Key whenever you log in from a new device; and since it is also a multi-device situation, you have to log in from both your mobile phone and your computer if you want to ensure that you can access your account whenever you want. The process can be a little more complex than entering your password only from one device.
If none of the above options seem like a good fit for your needs, then you can always resort to the tried-and-tested method of the password. But if you think that having a randomly generated password might be a security risk for your blog or website, then you are wrong. There is no need to be overly complicated when it comes to keeping your logins secure. Use a password manager and generate random passwords for your various accounts, and you will be all set!