October 26, 2020

Using password protection provides an added layer of security to your website. When password protection is enabled, any visitor requesting access to view your website url, or temporary domain name, will trigger a prompt asking for a username and password to gain entry. Once a user provides valid credentials, they will have access to the website as normal. 

This is a handy tool during the migration process to a Nexcess cloud hosting plan or upgrading your existing hosting plan. After the migration process is finished, enabling password protection should be standard practice for website owners who want to verify everything is working as normal, before changing DNS records and sending traffic to the new server. This process is also known as going live.

It is recommended that all staging and development sites enable password protection to prevent search engine bots crawling the site, indexing content and providing links on the search results pages.

Customers not on a cloud hosting account, or unable to enable password protection by following the steps in this article are encouraged to create a support ticket and talk to a support technician.

Why should you enable password protection?

It’s a common practice these days for website owners and developers to utilize a staging and/or development environment. There are many benefits including the proper way to test WordPress updates, fix/determine the issue of a bug and to even rebuild the website while keeping the production site fully intact.

Three of the major benefits to enabling password protection include: 

  1. Search Engine Optimization (SEO) & Page Rank
  2. Sales on the correct website
  3. Hidden from hackers

SEO & Page Rank

Search Engine Optimization (SEO) is the key to every  website being found on the internet. Each page, post or e-commerce product can have its own individual SEO strategy while contributing to the overall success of the website itself. Once a page is published on your website, search engine robots crawl your site and start assigning value to the page in order to help determine the overall score. This score is used to determine where your website ranks in a Search Engine Result Page. Also known as SERPs. 

One of the biggest benefits to having password protection enabled is the privacy from search engines like Google, Bing and Yahoo. These services provide robots that crawl the internet and index all available information. Which is great for any Production website using an E-commerce solution. However, duplicate content and outdated information can hurt your page rank. In almost every case, a staging or development site is a direct copy from production. Enabling password protection denies every visitor to the site, human or robot, unless a username and password are provided. Eliminating any chances of a secondary site to harm the SEO & page rank of your live website.

The same is true during the migration process. Technically speaking, when you sign up for a Managed WordPress Hosting plan, our services create a temporary domain name in order for the site to become “alive” in order to import or migrate a website from one host to another. After the migration process, if you do not enable the password protection feature, you run risk of having multiple websites saying the same thing. And all  you were trying to do was move hosts. 

Sales on the correct website

If a search engine bot is able to identify and crawl a secondary website, the search engine will start to index the page and deliver the search results to an end user. Which is never a good thing. Especially these days when we start talking about desktop and mobile traffic. Users on a desktop device might take notice of the website address and realize they are in the wrong place. However, not everyone knows different website environments and will consider the site they are currently using to be the “Production” or live website. The user will place a transaction on the staging site and will expect their products to be downloaded or delivered. Enabling password protection on your secondary site can prevent this from happening in the future.

This in itself might cause more issues down the line.If a sale is made on the Staging site, the same will not show on the Production site. The sale will also be incorrectly identified. Meaning the sales id could be #112 on the staging site, but the production site’s last sale was id #674839. Other things like remarketing, analytics tracking and email drip campaigns can also be missed as the staging site was not created to do the same things as production.

Hidden from Hackers 

Having one website is enough to worry about. Not just the maintenance and execution of the site. High ranking websites are often seen as potential targets. Production websites are usually thought of as “Stable” and very unlikely to be exposed to a potential hack. Mainly because the code living on the Production environment has been tested and vetted by the team. Which is a great thing. A secondary website might not be so lucky. 

There have been many cases where a new version of a WordPress theme or plugin has discovered a security issue and needs to be fixed. Well, if you installed the latest version of the theme or plugin, the secondary environment is now susceptible to an attack. Due to the code still being in place and the website being a front facing public entity. Enabling password protection will stop any hack attempt from happening on the front end of the website.

Setbacks to using Password Protection

Newton’s third law states “for every action, there is an equal and opposite reaction.” The same is true with enabling password protection. Requiring a username and password be entered in order to view the website can be tough enough. Especially if you’re running a team of more than a few people. Hopefully everyone is using a tool like a password manager and has access.

Another setback to using password protection is denying data to be delivered from one site to another. When using a WordPress plugin like Jetpack, users have the option of using the WordPress.com CDN and a feature called Photon. When enabled, all images inside of the media library are uploaded to the Photon CDN. When a page is loaded, WordPress loads the image from the CDN and not the media library. This is a practice commonly used to enhance page speed. However, when Jetpack is enabled on a secondary environment with password protection enabled, the images will not load on page. Your only option is to disable the Photon feature or remove the password protection.

Headless WordPress is another area where password protection can cause more harm than good. Headless WordPress uses the backend of WordPress plus the WordPress Rest API to provide a data endpoint. This data endpoint is used by popular Javascript libraries like React and Gatsby to build the front end of a website or application. If the website has password protection on, the front end of the website or application will not be able to show any content. This can be hazardous to teams when trying to debug an issue, fix an error or build a new feature.

It’s very important to understand that Password Protection is used to hide the content of a website from visitors passing through. Password Protection does not stop access to the server itself. A developer can use a SFTP program, the command line and deployment methods to manipulate the website files. If a hacker was to gain access to those credentials, the results could be detrimental to the environment, website and business.

Enabling password protection in the Nexcess portal

You will need to login to the portal to enable password protection.

In the Nexcess portal, click on the Plan tab to view your current hosting plans.

Click on the name of a hosting plan to access the plan dashboard.

Next you will see a list of websites installed on the plan. Click on the name of the website to access the site dashboard.

Once inside of the site dashboard, click on the access tab. 

Once the table loads, you’ll see the section titled “Password Protection”. 

There is a toggle switch customers can use to enable the feature. Customers are provided with the username on screen. Customers must click on View Password to retrieve the password to gain entry to the website. Customers can also reset the password at any time. 

Russell Aaron
We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.