Protecting your Membership Content while making money?
This is a very quick tutorial on how to maximize your revenue while also improving security for your WordPress membership sites.
For this tutorial we will use:
- Your Members – Probably the best WordPress membership plugin
- Your Minder – A single Login Protection system
- Login Lockdown – Helps prevent brute force attacks
Password Sharing vs Password theft
Your Minder protects a membership site from two common forms of revenue loss: password sharing and password theft. In both cases people who shouldn’t have access to your content are gaining access, either because someone is willing to share a password or because a password has been broken, normally because someone has guessed it or used a program to crack the account. In many ways the first is more serious than the second, as it is the user who has let the person in, and before we go much further we need to understand why.
Why do people password share?
If password sharing is happening often, it’s worth taking a moment to think about why people feel they can or should share their passwords. Here are just a few reasons:
- Group account – the user bought it for use by a group of people who all chipped in
- Company account – like a group account but they bought it for a company or formal organization use.
- Bad content – the content is so bad the user wishes he hadn’t paid for it and publishes his details so others don’t
- Great content – the content was so amazing everyone wanted it.
- Limited access – maybe the price is too high or the number of members has been deliberately locked, meaning some users just couldn’t get access.
- I’ll buy one, you buy one – surprisingly common buddy sharing where users swap passwords on a one to one basis.
Obviously some of these things can be fixed and others not, but if password sharing is a common problem it’s worth looking at the underlying root cause as well as preventing the problem.
Turn a lockout to a sale
Every time we lock out an account there are going to be at least 2 parties: the paying member and the one or more non-paying members. The page where they are redirected needs to cater for both, but it is primarily aimed at the non-members. Think of it as a second sales page. These are people who clearly are interested in your site and are willing to go to some pretty nefarious means to get what they want. If they have been locked out, buying their way back in, particularly if the deal is good, may just seem easier.
Anatomy of a Lock out sales page – Threat and Sell
There are two basic parts to a lockout page: a threat and the sale. The threat is the bit that lets the users know what has happened. Remember there may well be 1 innocent party (you don’t want to upset them), but you still want to make sure the parties in the wrong know they have been caught! Think of this as the rod. Some examples of threats could be:
Warning – This user account has been blocked
Please check the Email you registered with for instructions to unlock this account
Your IP Address has been recorded
Password Sharing Violation
This user account has been locked due to password sharing. An email has been sent to the registered email address.
Both have the same general message: this account is locked, i.e. don’t bother trying to log in, it won’t work. Second, we let the legitimate user know what to do next, otherwise they are going to get very worried very quickly. If they see just a sales page with no other message they may well not come back and just cancel their membership.
Now the sales page: if that was the rod, now we need a carrot. You probably know how to write a sales page, so this is very much over to you, but remember these people have, albeit for a moment, seen the product. This can be a benefit or a curse, but it’s worth focusing on.
Protecting Membership sites from Password Sharing
Once you have a good carrot-and-rod page, create a normal WordPress page (not a post). You might want to make a new page template which loses the sidebar and maybe even the footer.
Your Members – Specific

If you followed our previous Your Members tutorial you will be familiar with our basic landing and upsell template. Create a copy of the basic landing page template and rename it (both the filename and, if you open it, the Template name at the top of the file). Once you have a decent-looking landing page with the register form embedded in it, you can set its content access to guest via the right-hand side of the page admin.
Create the Lockout Conditions
Now it’s time to play with Your Minder, a plugin that allows you to specify the number of IP addresses and a period of time to check against. Your Minder does cost $15 but it will be saving you that in minutes. Your Minder and Login Lockdown do similar jobs but in different areas: Your Minder is for dealing with successful logins, while Login Lockdown is for unsuccessful login attempts.
Presuming you have grabbed your copy of Your Minder, activate it and then go to:
wp-admin → Settings → Your Minder
Set the force Logout URL to the sales page we created earlier
Set Multiple Logins to 2 over 5 minutes (this is a reasonable limit; if someone was traveling to, say, work it would not normally affect them)

Select Email for the type of lockout and write an email explaining what has happened. You might also want to change the lockout message (this is the message shown if the user tries to log in again).
Finally you can set a page for when they reactivate. I use this opportunity to suggest they change their password and offer words of advice and encouragement.
Is an IP individual enough?
A user’s IP address is unique to the router they are using to connect to the Internet at that moment (for most people their IP address regularly changes). However, while it is probably the best tool for the task, there are always ways round it. In this case the most common problem is proxies, with sites like anonym.to providing a means for password sharers to all appear to be using the same IP address.
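The rule configured above (2 IP addresses over 5 minutes) and the proxy caveat, modelled as an added example; this is not Your Minder's code. It assumes the setting means an account is locked once successful logins from more than 2 distinct IPs fall inside the 5-minute window; the class name, account names and addresses are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60   # "over 5 minutes" from the settings above
MAX_DISTINCT_IPS = 2      # "Multiple Logins: 2", assumed to be the allowed number of IPs


class SharedLoginDetector:
    """Tracks successful logins per account and flags too many distinct IPs."""

    def __init__(self, max_ips=MAX_DISTINCT_IPS, window=WINDOW_SECONDS):
        self.max_ips = max_ips
        self.window = window
        self.recent = defaultdict(deque)   # username -> deque of (timestamp, ip)
        self.locked = set()

    def record_login(self, username, ip, ts):
        """Record one successful login; return True if the account is now locked."""
        if username in self.locked:
            return True
        events = self.recent[username]
        events.append((ts, ip))
        # Drop logins that have aged out of the sliding window.
        while events and ts - events[0][0] > self.window:
            events.popleft()
        if len({seen_ip for _, seen_ip in events}) > self.max_ips:
            self.locked.add(username)
        return username in self.locked


# Constructed sample events: (username, ip, seconds since start).
SAMPLE_LOGINS = [
    ("alice", "198.51.100.7", 0),      # home
    ("alice", "203.0.113.20", 2400),   # work, 40 minutes later
    ("bob",   "198.51.100.9", 0),
    ("bob",   "203.0.113.55", 60),
    ("bob",   "192.0.2.14",   120),    # third IP inside 5 minutes
    ("carol", "192.0.2.200",  0),      # three people sharing one account,
    ("carol", "192.0.2.200",  30),     # all arriving through the same proxy IP
    ("carol", "192.0.2.200",  90),
]


def run(events):
    """Replay login events in time order and return the set of locked accounts."""
    detector = SharedLoginDetector()
    for username, ip, ts in sorted(events, key=lambda e: e[2]):
        detector.record_login(username, ip, ts)
    return detector.locked
```

Only `bob` is locked: the commuting member stays under the limit, and the shared account behind one proxy is invisible to an IP-only rule.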
Protect from brute force
To help prevent password theft through automated programs, Login Lockdown can lock out the IP after a certain number of failed user attempts.
You can download the plugin for free, then upload it (make sure to extract it into its own folder in the plugin folder and do not change the name), then activate it, followed by:
wp-admin → Settings → Login Lockdown
Change the settings to 5 failed logins within 2 minutes and set a suitably long lockout period (24 hours minimum).
Login Lockdown is simply the extra step. It won’t deter serious password thieves, but along with Your Minder it should restrict the potential damage, protecting your content and potentially increasing your revenue.
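The failed-login rule from the settings above (5 failures within 2 minutes, 24-hour lockout), modelled as an added example; this is not Login Lockdown's code. It assumes the fifth failure inside the window triggers the lock and that attempts during a lockout are refused without being counted; the names and addresses are constructed.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5              # "5 failed logins"
WINDOW_SECONDS = 2 * 60       # "within 2 minutes"
LOCKOUT_SECONDS = 24 * 3600   # "24 hours minimum"


class FailedLoginLimiter:
    """Locks out an IP after too many failed logins in a short window."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time at which the lockout ends

    def is_locked(self, ip, ts):
        return self.locked_until.get(ip, 0) > ts

    def record_failure(self, ip, ts):
        """Record one failed login; return True if the IP is locked afterwards."""
        if self.is_locked(ip, ts):
            return True                      # attempts during a lockout are refused
        recent = self.failures[ip]
        recent.append(ts)
        # Forget failures that are older than the counting window.
        while recent and ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:      # assumed: the 5th failure triggers the lock
            self.locked_until[ip] = ts + LOCKOUT_SECONDS
            recent.clear()
        return self.is_locked(ip, ts)


# Constructed sample: (ip, seconds since start) for each failed login.
SAMPLE_FAILURES = [("203.0.113.9", t) for t in (0, 10, 20, 30, 40)]        # automated guessing
SAMPLE_FAILURES += [("198.51.100.7", t) for t in (0, 100, 200, 300, 400)]  # member mistyping now and then


def locked_ips(events, now):
    """Replay failures in time order and return the IPs still locked at `now`."""
    limiter = FailedLoginLimiter()
    for ip, ts in sorted(events, key=lambda e: e[1]):
        limiter.record_failure(ip, ts)
    return {ip for ip in limiter.locked_until if limiter.is_locked(ip, now)}
```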

