Here’s a fairly common scenario for WordPress users and developers. When setting up a self-hosted site for someone else, you’re usually working alone, without your client by your side. Perhaps you’re building a site for your mother or a non-profit or someone who is not technically inclined. You quickly install WordPress, apply your chosen theme and then start adding plugins.
Some of the most commonly used plugins require API keys and/or account credentials in order to use them. For example, many WordPress developers find Akismet and Jetpack to be indispensable when creating new sites. In order to activate Akismet, you need to input your API keys. When you set up Jetpack you are required to connect via your WordPress.com account. What do you do as a developer in this scenario if your client doesn’t have an account and barely knows how to use the internet? More than likely you end up using your own API key for convenience.
I searched the documentation for both Akismet and Jetpack but was unable to find the preferred way of setting up these services on multiple websites. Certainly, an individual may have multiple blogs and sites of his own, so using your Akismet API key on several of them is acceptable. This is mentioned in the Akismet docs:
Can I use the same API key for multiple sites?
Yep! If you have multiple sites that you want to protect with Akismet, you can use the same API key for each site.
However, using that key on websites you don’t own is essentially like sharing your password, since the API key is clearly displayed in the settings for any admin user to see. Misuse is unlikely but the potential still exists.
Since you must sign up for these services with your real identity, it’s not right to use a throwaway email address to sign someone else up. So you’re really left with two options:
1. Require the site owner to sign up for Akismet or WordPress.com and send you their credentials when you’re building the site.
2. Use your own Akismet API key and/or authenticate with your own WordPress.com account.
With the first option, you keep separate all of the sites that don’t belong to you. However, it may not be easy to get your client to set up a new account with WordPress.com. You cannot simply put his email address in there because he needs to agree to the terms of service himself. Waiting for your client to set up an account can also hold you back if you’re in a hurry.
The second option is more convenient but may not be the proper way to go about adding these services to websites that you do not own.
Concerns When Using API Keys on Multiple Websites
When you sign up for Akismet, the email with your API key says:
“Please keep this private, treat it like a password.”
Because we’re used to copying and pasting API keys for everything, it may seem like a casual affair. But an API key really is just like a key to a building. Let’s say you work at a retail store. If you’re in possession of a key to that building and you let any of your friends use your key to go in and take whatever they want, you will be responsible for what was done with your key. Misuse falls on the holder of the key.
If you obtain or purchase an API Key, you are responsible for maintaining the security of your API Key, and you are fully responsible for all activities that occur under the account and any other actions taken in connection with your API Key.
So while they do not expressly forbid you to use it on multiple websites, you are the one responsible for that key. If your key is in use on a site that you built for a client, and then they never update it and their site gets hacked or turned into a spam factory, the misuse of that API key is on you. This is especially a concern if you use your key to activate Akismet network-wide on a large multisite network. Does that mean your entire account could be banned? If that API key gets turned off, then all of your other non-offending sites won’t have access to it either.
There’s also the concern with Jetpack. Authenticating with WordPress.com for every site you work on can start to pile up. You might be viewing your “My Blogs” page and suddenly realize: Yikes, my WordPress.com account is everywhere!
Are There Best Practices for Using API Keys With Multiple Websites?
Looking into this gives way to some questions of best practice. Is it acceptable to use your API key and WordPress.com account all over the internet if you’re not concerned? As long as you don’t mix commercial and non-commercial use with Akismet, is it acceptable to use the same key on your own blog, your grandmother’s memorial site, your mother’s recipe blog, and wherever else?
How Do You Handle These Multiple Use Scenarios?
Do you load up your WordPress.com account by authenticating for tons of blogs, or do you require your user to register for WordPress.com and give you the credentials? Strictly separating API keys and accounts is probably much safer, though less convenient. Anyone have some suggestions on the best way to go about this?