A membership site is rarely a one-person operation for long. Your designer touches the theme. A VA processes refunds. A developer is fixing checkout. Your email platform, payment gateway, and analytics tool each have a login to something that matters.

That sprawl is normal. The problem is what happens when nobody keeps track of it. Old accounts pile up, passwords get reused, and a freelancer who wrapped up two years ago still has Administrator on your site. One stolen laptop and the whole thing is exposed.

This guide walks through how to share access to your WordPress membership site and the third-party services around it without losing control. We will cover roles, two-factor authentication, password managers, application passwords, audit logs, a recurring access audit, and a checklist you can run whenever your team changes.


Start With the Principle of Least Privilege

The most important rule of access management is also the simplest: only give as much access as a person needs to do the job in front of them, and only for as long as they need it.

Your bookkeeper does not need to install plugins to review orders. A developer troubleshooting checkout does not need full write access to your Stripe API. A guest writer publishing a single post does not need to see your member list. This applies to humans, integrations, and plugins alike. Every account, key, and integration is a possible way in. Fewer doors means fewer doors to lock.

WordPress Admin Access

WordPress ships with five built-in user roles on a single-site install (multisite adds Super Admin): Administrator, Editor, Author, Contributor, and Subscriber. Most teams give out Administrator by default. They should not.

  • Administrator: For the site owner and a very small number of trusted collaborators. This role can install plugins, edit code, delete users, and read every order in the database.
  • Editor: Right for most content contributors who need to publish across the site without touching settings or plugins.
  • Author and Contributor: For people writing only their own posts.
  • Subscriber: The baseline role for members. Downgrading an old team account to Subscriber strips its privileges but does not stop it from logging in, so reset its password as well, or delete the account and reassign its content.

If a team member needs to manage memberships but does not need full Administrator access, install the Membership Manager Role Add On. It gives a custom role access to the Memberships menu, members, orders, discount codes, and reports without unlocking site settings, themes, or plugin management.

Always create a unique account for each person. Sharing a single “admin” login is one of the most common mistakes we see. When something goes wrong, you cannot tell who did what. When someone moves on, you cannot remove their access without resetting a password everyone else uses.

Filter your Users list by Administrator and Editor regularly. Everyone on this list should still actively need that level of access.

Turn On Two-Factor Authentication Everywhere

Two-factor authentication (2FA) is the single biggest security upgrade you can make. A leaked or guessed password is no longer enough to get in. The attacker also needs the rolling code on your phone or a hardware key.

Turn it on for:

  • Your WordPress admin: Free plugins like Two Factor (from the WordPress core team) or Wordfence Login Security add 2FA with an authenticator app.
  • Your hosting account: This is where someone can rotate your password, restore an old backup, or delete your site entirely.
  • Your payment gateway: Stripe and PayPal both require 2FA for sensitive actions. Make sure every team member with access has it set up, not just you.
  • Your email account: If someone owns your email, they own every “reset password” link sent to you.
  • Your domain registrar: Losing your domain is worse than losing your site.

Hardware keys and passkeys are stronger than SMS codes or authenticator apps when your team is comfortable with them. For more on requiring 2FA for your members, see Should You Use Two-Factor Authentication (2FA) on Your Membership Site?

Share Passwords Through a Password Manager

“Hey, here’s the WordPress login, password is in the next message” is how a surprising number of credentials still get shared. Stop doing that. Slack history, email archives, and screenshots in chat threads stick around for years and end up in places you did not plan for.

Use a password manager that supports secure sharing. 1Password, Bitwarden, Dashlane, and Keeper all do this well. Each person gets their own account, you create a shared vault for the credentials they need, and you revoke access by removing them from the vault. No emailing a new password to everyone else.

A password manager also makes it practical to use long, unique passwords. Every account gets a generated 20+ character password that no one ever has to type.

Use Application Passwords for Tools and Integrations

Since WordPress 5.6, core has supported Application Passwords: named, individually revocable passwords for the REST API (and XML-RPC). If you are connecting your site to an external tool like Zapier, a custom dashboard, or a deployment script, application passwords are the right approach, with one caveat: they are not scoped. An application password carries every capability of the user it belongs to, so a token issued from an Administrator profile is an Administrator over the API. Create a dedicated low-privilege user for each integration and issue the application password from that account.

Application passwords cannot be used to log in to the dashboard, are sent as HTTP Basic Auth, and WordPress only offers them over HTTPS (or in a local environment). You name each one, for example “Zapier order webhook”, and you can revoke a single application password without affecting anything else. You will find them at Users > Profile > Application Passwords.
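One way to enforce that caveat in code, as an added example that is not part of WordPress, Paid Memberships Pro, or this guide's own instructions: a small must-use plugin that denies application passwords to Administrators and allows them only for a dedicated integration role. The role slug `integration` and its capability set are assumptions for the example; give the role only the capabilities your connector actually needs.

```php
<?php
/**
 * Plugin Name: Restrict Application Passwords (example)
 * Description: Drop into wp-content/mu-plugins/. Application passwords inherit
 * every capability of their user, so only a dedicated low-privilege
 * integration role may hold them, and Administrators never may.
 */

// Assumed for this example: the role your Zapier-style connectors log in as.
const RAP_INTEGRATION_ROLE = 'integration';

// Create the integration role once. 'read' is the only capability granted
// here; add the specific capabilities your integration needs (for example
// the PMPro order capabilities) instead of reusing an Administrator account.
add_action( 'init', function () {
	if ( null === get_role( RAP_INTEGRATION_ROLE ) ) {
		add_role( RAP_INTEGRATION_ROLE, 'Integration', [ 'read' => true ] );
	}
} );

// Core runs this filter both when it decides whether to show the Application
// Passwords UI for a user and when it validates an application password
// presented to the REST API, so denying here blocks existing tokens too.
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, WP_User $user ) {
	if ( ! $available ) {
		return false; // Core already refused, e.g. the site is not served over HTTPS.
	}

	// An application password on an Administrator account is an Administrator
	// credential usable from any script on the internet; never allow one.
	if ( in_array( 'administrator', $user->roles, true ) ) {
		return false;
	}

	// Everyone else is denied as well unless they hold the integration role.
	return in_array( RAP_INTEGRATION_ROLE, $user->roles, true );
}, 10, 2 );
```

Application passwords that an Administrator created before this plugin was installed stay in the database but stop authenticating, because core checks the same filter during validation. Revoke them from the profile screen anyway so the audit list stays clean.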


For services that support Single Sign-On (SSO) via Google Workspace, Microsoft, or an identity provider like Okta, prefer SSO over creating yet another local account. When you suspend or remove a user in the identity provider, they can no longer sign in to any connected tool; sessions they already hold last until they expire or you revoke them, so suspend first and check each tool's active sessions during offboarding.

Server and Hosting Access

Plain FTP is no longer appropriate for a production site. FTP transmits usernames and passwords in clear text, and most modern hosts (Kinsta, WP Engine, Pressable, Cloudways) do not offer it anymore. If your host still uses plain FTP, it is time to look at a host built for WordPress.

Use SFTP or SSH with key-based authentication instead. Create a unique, folder-scoped account for each person who needs server access, never share the main account, and remove the account when the work is finished. If your hosting control panel can issue temporary credentials with a built-in expiration date, use that.

Third-Party Services

Almost every membership site runs on a stack of outside tools: payment gateway, email marketing, analytics, support, project management, automations. Each one is its own access surface.

The rule is the same as for WordPress: use the built-in team and permissions features. Do not share the owner’s login. Where to look in the common ones:

  • Stripe: Settings > Team
  • PayPal: Account Settings > Account Access
  • Mailchimp: Account > Settings > Users
  • Kit (formerly ConvertKit): Settings > Account > Team
  • Google Workspace / Google Analytics 4: Admin > Users, or Property Access Management
  • Slack, Notion, Asana, Trello: workspace settings, then Members

While you are in each service, audit two things: who has access, and whether 2FA is required for all users. Payment gateways and email platforms are high-value targets. An attacker who controls your sending domain or your refund flow can do significant damage before you notice.

Watch for Plugin and Theme Sprawl

The most common WordPress security incident is not a rogue team member but a vulnerable, outdated, or abandoned plugin. Every plugin runs as the web server with the same database credentials as WordPress itself, so it can read and write everything your site can. Vet a plugin with the same care as a new hire.

  • Only install plugins from sources you trust. For Paid Memberships Pro Add Ons, that is the PMPro Add Ons directory and the official Stranger Studios GitHub organization. PMPro Add Ons are not distributed through the wordpress.org plugin directory.
  • Check the last-updated date and active install count before installing anything new.
  • Delete plugins you are not using. Deactivated plugins still sit on disk and can still be exploited.
  • When you stop using a tool, remove its plugin, revoke its API keys, and delete its user account in the same sitting.
  • Treat themes the same way: delete the ones you are not using, and be wary of a heavily customized theme, since the edits usually mean it can no longer take upstream security updates.

Install an Audit Log Plugin

If two people have Administrator access on a site, “who changed that setting?” is not a question you can answer from the WordPress UI alone. An audit log fixes that. Two free options that work well with Paid Memberships Pro:

  • Simple History: Lightweight, surfaces logins, post edits, plugin activations, and more.
  • WP Activity Log: More detailed, with a paid tier that adds extended retention and alerts.

Even on a small site, an audit log is the first place to look when something breaks unexpectedly or a setting changes without explanation. On any site with a team, it is essential.

Run a Quarterly Access Audit

Cleaning up access is not something you do once. People move on, contracts end, plugins get abandoned. The accounts they leave behind do not delete themselves. Put a recurring quarterly task on your calendar and walk through this list:

  1. WordPress users: Filter Users > All Users by Administrator and Editor. For each one, ask whether they still need that role. Downgrade or delete (reassign their posts first).
  2. Application passwords: Open each Administrator and Editor profile and revoke any you do not recognize or that have not been used in months.
  3. Server users: In your hosting control panel, review SFTP and SSH users. Delete anything stale.
  4. Payment gateways: Review the team list in Stripe and PayPal. Confirm 2FA is active for every user.
  5. Email marketing and other tools: Review users in Mailchimp or Kit, then in Slack, Notion, Asana, your analytics platform, and anything else with multiple users.
  6. Plugins and themes: Delete inactive plugins. Confirm everything else is updated.
  7. Domain and DNS: Confirm your registrar and DNS provider have current contact information on file.

The first audit always takes the longest. After two or three quarters, it usually takes less than an hour.
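To make the audit mechanical rather than a click-through, here is an added example (not part of WordPress, Paid Memberships Pro, or this guide) that uses the WordPress and WP-CLI APIs to produce items 1, 2 and 6 of the list above as JSON: every Administrator and Editor, each application password on those accounts with its creation date, last use and a stale flag, plus every plugin installed but deactivated. The 90-day staleness window and the command name `team-access report` are choices made for the example.

```php
<?php
/**
 * Plugin Name: Team Access Report (example)
 * Description: `wp team-access report [--stale-days=<n>]` prints privileged
 * users, their application passwords and inactive plugins for the audit.
 */

/**
 * Build the audit report.
 *
 * @param int $stale_days Application passwords unused for longer than this are flagged.
 * @return array{users: array, inactive_plugins: string[]}
 */
function team_access_report( int $stale_days = 90 ): array {
	$cutoff = time() - ( $stale_days * DAY_IN_SECONDS );
	$report = [ 'users' => [], 'inactive_plugins' => [] ];

	// Item 1: who holds Administrator or Editor right now?
	foreach ( get_users( [ 'role__in' => [ 'administrator', 'editor' ] ] ) as $user ) {
		$row = [
			'login'         => $user->user_login,
			'email'         => $user->user_email,
			'roles'         => $user->roles,
			'registered'    => $user->user_registered,
			'app_passwords' => [],
		];

		// Item 2: each application password. Core stores created/last_used as
		// Unix timestamps; last_used stays null until the token is first used.
		foreach ( WP_Application_Passwords::get_user_application_passwords( $user->ID ) as $ap ) {
			$last_used = $ap['last_used'] ?? null;
			$row['app_passwords'][] = [
				'name'      => $ap['name'],
				'created'   => gmdate( 'Y-m-d', $ap['created'] ),
				'last_used' => $last_used ? gmdate( 'Y-m-d', $last_used ) : 'never',
				'last_ip'   => $ap['last_ip'] ?? null,
				'stale'     => ! $last_used || $last_used < $cutoff,
			];
		}
		$report['users'][] = $row;
	}

	// Item 6: plugins on disk that are not active. get_plugins() and
	// is_plugin_active() live in an admin-only include, so load it if needed.
	if ( ! function_exists( 'get_plugins' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
	foreach ( array_keys( get_plugins() ) as $plugin_file ) {
		if ( ! is_plugin_active( $plugin_file ) ) {
			$report['inactive_plugins'][] = $plugin_file;
		}
	}

	return $report;
}

// Expose the report as a WP-CLI subcommand when running under WP-CLI.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
	WP_CLI::add_command( 'team-access report', function ( array $args, array $assoc_args ): void {
		$days = (int) ( $assoc_args['stale-days'] ?? 90 );
		WP_CLI::print_value( team_access_report( $days ), [ 'format' => 'json' ] );
	} );
}
```

Run `wp team-access report > audit-$(date +%F).json` each quarter and diff it against the previous file; a new Administrator, a never-used application password, or an inactive plugin that survived the last cleanup shows up immediately.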

Plan for a Lockout Before It Happens

If your only Administrator account is compromised tomorrow, or you lose access to the email tied to it, what do you do? A few habits make this much less stressful:

  • Keep at least two Administrator accounts on separate email addresses, stored in separate password manager vaults.
  • Set a real recovery email on your WordPress admin and every critical third-party account.
  • Know your host’s recovery process before you need it.
  • Back up regularly, so you can roll back if a compromised account causes damage before you catch it.
  • Document the plan. A one-page “if X happens, do Y” document in your password manager is enough for most teams.

Sharing Access With the Paid Memberships Pro Support Team

When you open a support ticket with us, the fastest path to a fix sometimes means direct access to your site. The preferred approach requires no shared admin password and no plain FTP credentials sent through a chat window.

  1. Use the support ticket, not email. Replies on the ticket are private by default.
  2. Create a unique support user. Go to Users > Add New, use a username like pmprosupport, set the email to info@paidmembershipspro.com, assign the Administrator role, and let WordPress generate a strong password.
  3. Share the credentials securely. Post the login URL, username, and password in the private support reply, or send a one-time link from your password manager.
  4. Prefer a temporary login plugin. The free Temporary Login Without Password plugin generates a self-expiring login link that does not require sharing a password at all. This is our preferred option for short-lived access.
  5. Revoke access when the ticket closes. Delete the support user (or let the temporary link expire) as soon as the issue is resolved.

For server-level access, follow the same pattern. Create a scoped SFTP or SSH user for the duration of the work and remove it when the ticket closes. If you have a premium membership, you can open a support ticket here.

Restrict Who Can View Your Membership Reports

Some site owners are comfortable giving a team member access to the PMPro admin to manage members, process orders, and apply discount codes, but do not want them to see revenue reports.

If you are using the Membership Manager Role Add On to assign this access, you can create a modified copy of that role that excludes the report capabilities.

Refer to this guide on how to create a role with custom capabilities. The specific report-related capabilities to remove are:

  • pmpro_reports
  • pmpro_reportscsv
  • pmpro_loginscsv
  • pmpro_sales_report_csv
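Doing the same in a few lines of code instead of the role editor, as an added example that is not part of the Add On or this guide: copy the Membership Manager role's capabilities into a new role with the four report capabilities removed. The source slug `pmpro_membership_manager` and the new slug `pmpro_member_support` are assumptions for the example; confirm the Add On's actual role slug in your install, for instance with `wp role list`.

```php
<?php
/**
 * Plugin Name: PMPro Member Support Role (example)
 * Description: Clone the Membership Manager role without the report capabilities.
 */

// Assumed slugs for this example. Confirm the source slug with `wp role list`.
const PMPRO_EX_SOURCE_ROLE = 'pmpro_membership_manager';
const PMPRO_EX_TARGET_ROLE = 'pmpro_member_support';

// The report-related capabilities listed in the guide above.
const PMPRO_EX_REPORT_CAPS = [
	'pmpro_reports',
	'pmpro_reportscsv',
	'pmpro_loginscsv',
	'pmpro_sales_report_csv',
];

function pmpro_ex_register_member_support_role(): void {
	// Roles persist in the options table, so create the copy only once.
	if ( null !== get_role( PMPRO_EX_TARGET_ROLE ) ) {
		return;
	}
	$source = get_role( PMPRO_EX_SOURCE_ROLE );
	if ( null === $source ) {
		return; // The Membership Manager Role Add On is not active.
	}

	// Start from the full capability map (cap => true) and drop the report caps.
	// A capability that is absent from the map is simply not granted.
	$caps = $source->capabilities;
	foreach ( PMPRO_EX_REPORT_CAPS as $cap ) {
		unset( $caps[ $cap ] );
	}
	add_role( PMPRO_EX_TARGET_ROLE, 'Member Support (no reports)', $caps );
}
// Priority 20 so the Add On has registered its role before we copy it.
add_action( 'init', 'pmpro_ex_register_member_support_role', 20 );
```

The new role is a copy, not a link: if a later Add On update grants the Membership Manager role a new capability, the copy does not inherit it. Call `remove_role( 'pmpro_member_support' )` once and reload to rebuild it from the current source.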

Your Team Access Checklist

Use this checklist any time you onboard or offboard a team member.

Onboarding a New Team Member

  • [ ] Create a unique WordPress user with the smallest role that fits the job.
  • [ ] Share only the password manager vaults they need.
  • [ ] Invite them to each third-party service with the smallest role that fits.
  • [ ] Require 2FA before sharing any credentials.
  • [ ] Document what they have access to in one place.

Offboarding a Team Member

  • [ ] Remove their WordPress user (reassign their content first).
  • [ ] Revoke their application passwords.
  • [ ] Remove them from every third-party service.
  • [ ] Remove them from your password manager and rotate any credentials they personally used or could recall.
  • [ ] Delete their SFTP or SSH user on the server.
  • [ ] Confirm the audit log shows no unexpected activity after their last day.
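The offboarding steps that touch WordPress itself can be done in one function so nothing is forgotten. This is an added example, not part of WordPress, Paid Memberships Pro, or the plugins named in this guide: it ends the user's live sessions, deletes their application passwords, and then either deletes the account (reassigning content) or, if you want to keep the history behind their audit-log entries, downgrades it to Subscriber and sets a password nobody knows. The command name `team-access offboard` is a choice made for the example.

```php
<?php
/**
 * Plugin Name: Team Access Offboard (example)
 * Description: `wp team-access offboard <login> --reassign=<login> [--keep]`
 * ends sessions, revokes application passwords and removes or locks a user.
 */

/**
 * Offboard a WordPress user.
 *
 * @param string      $login       Username to offboard.
 * @param string|null $reassign_to Username that inherits their posts (required when deleting).
 * @param bool        $keep        Keep the account as a locked Subscriber instead of deleting it.
 * @return array{login: string, action: string, app_passwords_deleted: int}|WP_Error
 */
function team_access_offboard( string $login, ?string $reassign_to = null, bool $keep = false ) {
	$user = get_user_by( 'login', $login );
	if ( ! $user ) {
		return new WP_Error( 'no_user', "No user with login '{$login}'." );
	}

	// 1. Kill every live session. Changing a role does not do this by itself,
	//    and a "remember me" cookie can otherwise stay valid for up to 14 days.
	WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

	// 2. Revoke all REST API application passwords. Core returns the count removed.
	$removed = WP_Application_Passwords::delete_all_application_passwords( $user->ID );
	$removed = is_wp_error( $removed ) ? 0 : (int) $removed;

	if ( $keep ) {
		// 3a. Keep the account for history, but make it useless: lowest role
		//     and a long random password that is never written down.
		$user->set_role( 'subscriber' );
		wp_set_password( wp_generate_password( 48, true, true ), $user->ID );
		$action = 'downgraded_and_locked';
	} else {
		// 3b. Delete, reassigning their content so posts and pages survive.
		$heir = $reassign_to ? get_user_by( 'login', $reassign_to ) : null;
		if ( ! $heir ) {
			return new WP_Error( 'no_reassign', 'Pass a valid --reassign user before deleting.' );
		}
		if ( ! function_exists( 'wp_delete_user' ) ) {
			require_once ABSPATH . 'wp-admin/includes/user.php';
		}
		if ( ! wp_delete_user( $user->ID, $heir->ID ) ) {
			return new WP_Error( 'delete_failed', 'wp_delete_user() returned false.' );
		}
		$action = 'deleted';
	}

	return [
		'login'                 => $login,
		'action'                => $action,
		'app_passwords_deleted' => $removed,
	];
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
	WP_CLI::add_command( 'team-access offboard', function ( array $args, array $assoc_args ): void {
		$result = team_access_offboard( $args[0], $assoc_args['reassign'] ?? null, isset( $assoc_args['keep'] ) );
		if ( is_wp_error( $result ) ) {
			WP_CLI::error( $result->get_error_message() );
		}
		WP_CLI::print_value( $result, [ 'format' => 'json' ] );
	} );
}
```

Sessions are destroyed before anything else on purpose: a downgraded or deleted account with a still-valid browser session is the gap this checklist exists to close. The server account, password manager vault and third-party services on the list above still need to be handled by hand.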

Frequently Asked Questions

What is the principle of least privilege?

A person, plugin, or integration should only get the smallest amount of access needed to do its job, and only for as long as that access is needed. On a WordPress site, that means using roles like Editor or the Membership Manager role instead of giving everyone Administrator.

Do I really need two-factor authentication on a small site?

Yes. Automated credential-stuffing tools try every site they can find, and the cost of an attack does not scale with site size. 2FA on your WordPress admin, hosting account, payment gateway, and email is the highest-leverage security improvement you can make.

Is FTP still safe to use?

No. Plain FTP transmits passwords in clear text. Use SFTP or SSH with key-based authentication.

How often should I audit who has access to my site?

Quarterly is a good baseline. If you have a high-churn team or frequent contractor work, monthly is better. The goal is a recurring habit, not a one-time cleanup.

What is the safest way to share access with the Paid Memberships Pro support team?

Use the free Temporary Login Without Password plugin to generate a self-expiring link, or create a dedicated pmprosupport user and delete it as soon as the ticket closes.

Conclusion

A membership site runs on trust: your members, your team, and the tools you depend on. The work above is how you protect that trust. None of it is glamorous, but an hour a quarter on access hygiene goes a long way.

If your team is growing and you need finer control over who can access the PMPro admin, the Membership Manager Role Add On is the right place to start.


