How to Prevent Students from Sharing Login Information

In today’s world, shared accounts are commonplace. I bet if you asked 10 friends if they’ve ever used someone else’s Netflix or Amazon account, at least half would say yes. That might not be a huge deal for a company as big as Netflix—with 138 million paid subscribers (source) and $15.8 billion in revenue in 2018 (source)—but for your small business selling online courses, it matters.

You’ve worked hard to create an online course that provides value to your students. The last thing you want is for students to share login information with a friend, who then gets to take your course for free.

This article will outline how you can prevent students from sharing login information for your LearnDash site (or any WordPress membership or LMS). So far, I’ve identified three different solutions, which I’ll outline below:

• Only allow one login per account, at a time – prevents simultaneous logins, but is more of a deterrent than a complete solution
• Enable two-factor authentication (2FA) – a stronger solution that makes it more difficult, but still doesn’t completely prevent it
• Social login – require a user to connect via Facebook, LinkedIn, Google or another account that they wouldn’t want anyone else to access

NOTE
There is no guaranteed way to prevent multiple students from sharing login information. You can make it more difficult, but you can’t completely prevent it from happening.

Should You Prevent Students from Sharing Logins?

Before implementing a solution, I encourage you to consider if it’s worth it. I understand your desire to get paid for your work. You’ve spent hours creating awesome content. You deserve to be compensated and not taken advantage of.

But did you ever wonder why even the biggest online giants (Google, Netflix, Amazon, Spotify, etc.) don’t prevent the sharing of login information?

They certainly have the resources. They could probably have it up-and-running in half a day. And yet, while most of them employ some form of advanced security (email notifications of suspicious logins, security questions, backup phone numbers, two-factor authentication, etc.), none of them completely prevent anyone from sharing login information.

I suspect there are at least two reasons, both of which you should consider for your LMS:

1. They want you to be able to login from anywhere, at any time (because we travel, and demand convenience). How would they truly know if it’s you trying to login, or one of your friends?
2. They want logging in to be as easy & seamless as possible, so that you come back and use the service. If you had to go through extensive verification every time you logged into Amazon, would you find somewhere else to shop?

Hopefully, you’ve given it some thought. If you’d like to explore the options, here we go…

☝ Only Allow One Login Per Account, at a Time

This method will prevent simultaneous logins with the same account. A student could still share their login information with a friend, and as long as the real student is logged out, the friend could log in.

If your courses are released on a specific schedule, or only run for a short period of time, this could be an excellent option. Because all students need to complete the course at the same time, this method would only allow one person to be logged in, taking the course, at a time.

LearnDash Integrity Add-On

LearnDash released an official add-on called Integrity. This add-on has several features, but the one that relates to this topic is the “Prevent Concurrent Logins” feature.

The idea is to only allow one person to login with the same account at a time. If someone is already logged in, and another person tries to use the same username/password from a different device, they are not allowed in.

You can enable this only for certain user roles, so you can exclude admins if you’d like.

In theory, this is great, however, the Integrity plugin has not worked as expected since its initial launch. There have been multiple reports of Administrators being locked out of their accounts, as well as other small bugs. Because of these things, I cannot currently recommend using the Integrity add-on.

If you’re curious how it works, you can learn more here.

🚷 WP Bouncer Plugin

For this method, we’ll be using the free WP Bouncer plugin.

1. Install & activate the plugin
2. That’s it! There are no settings.

The WP Bouncer plugin will take care of everything behind the scenes.

• User A logs in as “student”
• User B then also logs in as “student”
• The next time User A tries to load a new page, they are kicked out
• User B continues to use the site
• If User A logs back in again, User B is kicked out

They could continue this pattern indefinitely. I think the idea is to show both users (the paid student & the “free friend”) that it’s not worth it. They’ll keep booting each other out and neither will be able to use the site freely.

Of course, if they communicate their schedules, and make sure one is always logged out before the other logs in, they’ll be able to get around it. Thus why this is more of a deterrent than a complete solution.

Options & Filters

By default, the user who gets kicked out will see a warning message:

However, if you know how to use WordPress hooks, there are a few filter hooks available.

• ignore admins (allow admin accounts to be logged into simultaneously)
• custom redirect URL (upon logout)
• change the number of simultaneous logins allowed

📋 WP Activity Log

A similar but more powerful option to WP Bouncer is to use the WP Activity Log premium plugin. With WP Activity Log, you can decide how many simultaneous user sessions are allowed at one time (customizable by user role), or simply block multiple sessions altogether.

There are a few added benefits of using this plugin:

• You can terminate anyone’s session with the click of a button
• You can view all actions that a user has taken on the site (which pages they’ve viewed, when they last logged in, etc.)
• You can allow admins or group leaders to share accounts but prevent students from doing so (or customize this however you’d like using different user roles)

Plus you’ll get tons of other features that you might find useful for a membership or LMS site. Check out WP Activity Log →

📱 Enable Two-Factor Authentication (2FA)

A slightly more advanced option is to use two-factor authentication (2FA). This method takes a different approach than the WP Bouncer plugin. With 2FA, each time a user tries to login to their account, they will need three things:

• username or email address
• password
• a one-time, randomly-generated code sent to a single device

KEEP IN MIND
This method will make it more difficult to login—not just for the mooch who is trying to access your course for free, but also for the person who paid for it.

The additional code is typically a 4-6 character code sent via email, SMS text message, or generated via an app on a user’s smartphone. It is only valid for a very short period of time (30 seconds to 5 minutes), before a new code is needed.

There are also some two-factor authentication apps you can install on your phone, and simply tap a button to confirm your login.

Technically, a student could receive a 2FA code on their phone, and still have time to share it with a friend, who could then login. But because of the short lifespan of the code, the student and friend would need to be in immediate communication with one another.

With LearnDash & WordPress, there are multiple plugins that enable two-factor authentication. I recommend you read through the details of each, and choose the one that works best for you.

• Google Authenticator by miniOrange – Free & premium options for most of the common 2FA smartphone apps
• Two Factor Authentication by UpdraftPlus – Free & premium options that support Theme My Login, WooCommerce & several other plugins
• Google Authenticator – Older, and not recently updated, but still works well
• Two-Factor – A super-simple plugin that could eventually get merged into WordPress core. Limited options.

If you already use the premium version of either iThemes Security or Wordfence, they both offer two-factor authentication as well. You might want to consider using their options before installing another plugin.

👥 Social Login

Personally, I’m not a fan of requiring a user to authenticate with a third-party service. Some users might not have a Facebook account, or just don’t want to connect Facebook with yet another application (Facebook isn’t necessarily known for protecting your data 🤨).

However, most students would not be comfortable providing access to a very personal social media account. If you required them to connect to a social account when they log in, it’s unlikely they would share this access with anyone else.

Social Login Plugins

There are quite a few social login plugins to choose from, but I’d probably recommend this one:

• Nextend Social Login

I haven’t personally used it, but I’ve done some research, and it appears to be the best all-around option. Please let me know if you’ve used it, or have other recommendations.

Other Thoughts/Ideas

• 11/19/2022: Facebook post

I certainly realize the desire to prevent the sharing of login information, but you should consider if it’s worth the added frustration it could cause to your actual students. If you decide to implement something, keep a close eye on any student feedback you receive.

If you have another suggestion for how to prevent multiple logins on the same account, please share it in the comments.