Best Practices for Securing Your Pressable Account Ownership

Last modified: October 17, 2025

Properly managing your Pressable account ownership is one of the most critical steps you can take to protect your websites and your business. The person or email address that holds the “Owner” role has complete control over the account, including all sites, subscription details, and billing information.

Following these best practices will help ensure your account remains secure and that you never lose access due to employee turnover or other unforeseen changes.

Enable Two-Factor Authentication (2FA)

Two-Factor Authentication adds a powerful layer of security to your Pressable account, requiring a second form of verification in addition to your password. We strongly recommend that all users, especially the account owner, enable 2FA.

In addition to securing your Pressable account, we also recommend that the email address used for the Account Owner role be secured with its own two-factor authentication. Securing the email account itself provides another critical layer of protection for your digital assets.

Understand User Roles: Owner vs. Collaborator

Your Pressable account has distinct user roles with different levels of permission. Using them correctly is key to secure account management.

  • Account Owner: This user has full administrative control. They can add or remove sites, manage billing and subscription details, transfer ownership, and cancel the account. There can only be one Account Owner.
  • Collaborator: These users can be granted granular permissions at either the account level or for specific websites. A collaborator with full account permissions can perform nearly all the same actions as an Account Owner, but they cannot access billing information or make account-level changes like transferring ownership or closing the account.

Best Practice: The legal owner of the business or a central, designated authority should control the Account Owner profile. All other team members, developers, and contractors should be added as Collaborators.

Apply the Principle of Least Privilege

When granting permissions to collaborators, adopt a “least privilege” security mindset. This means users should only have access to the specific features and options they absolutely need to perform their designated tasks. Giving a user unnecessary permissions creates security risks. For example:

  • Database Access: Giving a collaborator access to phpMyAdmin provides them with direct, unrestricted access to the site’s database. A mistake or malicious action could permanently destroy site data or require complex, manual restoration of data from an automated backup. Only grant this to users who are qualified and have an explicit need for it.
  • SFTP/SSH Access: Full SFTP/SSH access allows a user to add, edit, or delete user-uploaded files on the server, such as custom themes, plugins, and media uploads. If a collaborator only needs to upload media files, consider creating a WordPress user role with appropriate permissions for them instead of providing full file system access.
  • Account-Level Access: Giving a developer account-level collaborator access when they only work on a single project is also a risk. Limit their access only to the specific site they are working on. In many cases, you may want to provide the developer access to a staging clone while restricting or avoiding access to the production site.

Permissions can be adjusted at any time. If a collaborator’s responsibilities change and they require additional access, the account owner and collaborators with the Create Collaborator permission can easily modify their permissions.

Create an Employee Offboarding Process

When a team member’s role changes or they leave your company, it’s vital to update their access to your Pressable account immediately.

  1. Perform Regular Audits: Periodically review the list of collaborators on your account. Ensure that only current, authorized personnel have access and review their assigned permissions to ensure they align with the principle of least privilege.
  2. Act Immediately: As part of your employee offboarding checklist, make it a priority to remove the former employee’s collaborator access from your Pressable account.

Special Considerations for Agencies (A4A)

For agencies using our Automattic for Agencies (A4A) platform, ownership is tied to the A4A account that the Pressable subscription was purchased with. To avoid complications, it is crucial that the primary A4A account is owned by the agency itself, not an individual employee.

  • When signing up for A4A, it is strongly recommended that the account is created using the email address of the agency’s legal owner or a designated authority. This ensures the agency always retains ultimate control over the master subscription and all attached client sites.

By implementing these straightforward procedures, you can significantly enhance the security of your account and ensure seamless business continuity for years to come.