How Do You Manage WordPress.com Account Use On Multiple Sites?

Here’s a fairly common scenario for WordPress users and developers. When setting up a self-hosted site for someone else, you’re usually working alone, without your client by your side. Perhaps you’re building a site for your mother or a non-profit or someone who is not technically inclined. You quickly install WordPress, apply your chosen theme and then start adding plugins.

Some of the most commonly used plugins require API keys and/or account credentials in order to use them. For example, many WordPress developers find Akismet and Jetpack to be indispensable when creating new sites. In order to activate Akismet, you need to input your API keys. When you set up Jetpack you are required to connect via your WordPress.com account. What do you do as a developer in this scenario if your client doesn’t have an account and barely knows how to use the internet? More than likely you end up using your own API key for convenience.

I searched the documentation on both Akismet and Jetpack but was unable to find the preferred way of setting up these services on multiple websites. Certainly, an individual may have multiple blogs and sites of his own, so using your own Akismet API key on several of them is acceptable. This is mentioned in the Akismet docs:

Can I use the same API key for multiple sites?

Yep! If you have multiple sites that you want to protect with Akismet, you can use the same API key for each site.

However, using that key on websites you don’t own is essentially like sharing your password, since the API key is clearly displayed in the settings for any admin user to see. Misuse is unlikely but the potential still exists.


Since you must sign up for these services with your real identity, it’s not right to use a throwaway email address to sign someone else up. So you’re really left with two options:

1. Require the site owner to sign up for Akismet or WordPress.com and send you their credentials when you’re building the site.

2. Use your own Akismet API key and/or authenticate with your own WordPress.com account.

With the first option, you keep separate all of the sites that don’t belong to you. However, it may not be easy to get your client to set up a new account with WordPress.com. You cannot simply put his email address in there because he needs to agree to the terms of service himself. Waiting for your client to set up an account can also hold you back if you’re in a hurry.

The second option is more convenient but may not be the proper way to go about adding these services to websites that you do not own.

Concerns When Using API Keys on Multiple Websites

When you sign up for Akismet, the email with your API key says:

“Please keep this private, treat it like a password.”

Because we’re used to copying and pasting API keys for everything, it may seem like a casual affair. But an API key really is just like a key to a building. Let’s say you work at a retail store. If you’re in possession of a key to that building and you let any of your friends use your key to go in and take whatever they want, you will be responsible for what was done with your key. Misuse falls on the holder of the key.


Akismet outlines this clearly in the terms of use:

If you obtain or purchase an API Key, you are responsible for maintaining the security of your API Key, and you are fully responsible for all activities that occur under the account and any other actions taken in connection with your API Key.

So while they do not expressly forbid you to use it on multiple websites, you are the one responsible for that key. If your key is in use on a site that you built for a client, and then they never update it and their site gets hacked or turned into a spam factory, the misuse of that API key is on you. This is especially a concern if you use your key to activate Akismet network-wide on a large multisite network. Does that mean your entire account could be banned? If that API key gets turned off, then all of your other non-offending sites won’t have access to it either.

There’s also the concern with Jetpack. Authenticating with WordPress.com for any site you’re working on can start to pile up. You might be viewing your “My Blogs” page and suddenly realize: Yikes, my WordPress.com account is everywhere!

Are There Best Practices for Using API Keys With Multiple Websites?

Looking into this gives way to some questions of best practice. Is it acceptable to use your API key and WordPress.com account all over the internet if you’re not concerned? As long as you don’t mix commercial and non-commercial use with Akismet, is it acceptable to use the same key on your own blog, your grandmother’s memorial site, your mother’s recipe blog, and wherever else?

From what I can tell, there are no clear guidelines for multiple use, but you should be very careful about what websites you allow to use your API key. It all comes down to how much risk you are willing to assume. Use of Akismet and WordPress.com services seems to be tied to the individual as far as terms of use go and you could be held responsible for the misuse of any of these accounts.

How Do You Handle These Multiple Use Scenarios?

Do you load up your WordPress.com account by authenticating for tons of blogs, or do you require your client to register for WordPress.com and give you the credentials? Strictly separating API keys and accounts is probably much safer, though less convenient. Does anyone have suggestions on the best way to go about this?

photo credit: kissro via photopin cc

12 Comments


  1. Normally when I build sites I get access to the customer’s web hosting (which you need when making sites live) and just create a random email account using their own domain name just for the purpose of signing up to services like WordPress.com, Akismet, email marketing services etc. I always then just forward emails from that email address to the customer’s other email address or one of my own emails…

    For storing logins and APIs I just save them in a .doc file along with any other logins and details I have of the clients.

    This system has always worked for me.



  2. Handing out your API key does not seem like a very good idea. Plenty of people do seem to do that though.



  3. Create the account for them, or walk them through it, in person, explaining why and the differences.



  4. Kirk Wight wrote a good post about this a few months ago: Jetpack and WordPress.com accounts

    tl;dr: You’ll want your client to create their own WordPress.com account if they don’t already have one. If you connect Jetpack to your own WordPress.com account, they will still have to link to their account to use features such as Likes, Notifications, or Post by Email.

    It will also make things easier if they ever need some help with their Jetpack site and don’t want to go through you.

    It’s also worth noting that a lot of people may already have an account, if they signed up for Gravatar for example.



  5. @Jeremy – Thanks for that link; the article does make some very important points about not leaving a client stranded with your login.



  6. I’d go with Otto’s comment using Martin’s method. It’s a courteous way of getting your client more deeply involved in the project.



  7. @Cris – Yes, it seems like a good way to go about it. I just wasn’t sure whether it’s acceptable to agree to terms of use for someone else.




  8. I am surprised nobody has so far mentioned using the API key in the wp-config.php file…

    /** Define WordPress.com API Key (the Akismet plugin reads this constant instead of the key saved in the settings screen) */
    define('WPCOM_API_KEY', 'c1d044646524');

    That way, your client will never know.



    1. I believe someone did mention it (not in the article) in the second comment. Indeed, this is a possible solution. You’d, of course, just have to remember to get them set up with their own account, should your business relationship end and you part ways. In which case, I feel like this might double your work, versus following the advice of Otto and a method similar to what Martin shared.

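As an added illustration of the wp-config.php approach from the comment above (this is not the commenter’s code or Akismet’s own), the constant can be populated from a server environment variable rather than hard-coded, so the key is neither stored in wp_options where every administrator can read it nor committed to version control. The variable name AKISMET_API_KEY and the alphanumeric sanity check are assumptions of this example; what remains true regardless is that the key still belongs to whoever signed up for it.

```php
<?php
/**
 * Added example for wp-config.php: define the Akismet key from the environment.
 *
 * Assumptions (not from the article): the web server or PHP-FPM pool exports
 * AKISMET_API_KEY, and Akismet honours WPCOM_API_KEY as the comment describes.
 */

$akismet_key = getenv( 'AKISMET_API_KEY' );

// Only define the constant when a plausible key is present; an empty or
// malformed value is left undefined so the plugin falls back to asking for one
// instead of silently running with a bad key.
if ( is_string( $akismet_key ) && '' !== $akismet_key && ctype_alnum( $akismet_key ) ) {
	/** Define WordPress.com API Key (read by Akismet in place of the saved option) */
	define( 'WPCOM_API_KEY', $akismet_key );
}
```

Keeping the key out of the admin screens does not change who is answerable for it under the terms of use quoted in the article; when the engagement ends, the reply above still applies and the site should be moved to a key from the client’s own account.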


  9. When I take on a new client, the first thing I get them to agree to is the creation of a new Gmail account that will be used for everything related to their WordPress website. I then use this mailbox to set up their Google Webmaster Tools, Google Analytics, WordPress.com account (Akismet etc.).

    When I hand over the website, I hand over the Gmail account; this ensures separate API keys, frees the client up from doing stuff he/she doesn’t want to do and in the end gives them complete freedom to do with the accounts as they please once my job is done (assuming they don’t want me to continue with site maintenance etc.).


Comments are closed.