How to keep your PPC accounts secure

Blog banner

PPC advertisers use a lot of data but big data comes with bigger security risks. It’s never been more important to keep your accounts secure and protect yourself from any security breaches.

The risks are increasing all the time, too, as hackers use increasingly advanced techniques, and trends like working from home open new threats. Luckily, PPC platforms like Google Ads have their own security features and guidelines you can follow to keep accounts safe and this article explains what else you can do to protect yourself.

Check the security features & recommendations of each PPC platform

The first step to protecting your PPC accounts is to check the security features and recommendations of each platform. Google has a variety of security features built into its various products (including Google Ads) and it also recommends additional steps you can take to protect your account.

Facebook, LinkedIn and other networks all come with their own features and recommendations so familiarise yourself with each platform.

Here are some of the key steps Google recommends for protecting your Google Ads account:

1. Require your users to enable 2-Step Verification

Account administrators can require all users of their Google Ads accounts to enable 2-Step Verification. When you set up 2-Step Verification, you’ll sign into your account using a password and a second verification step. The second verification step can involve a phone call, the Google Authenticator App, a security key or a text message (SMS).

2. “Confirm it’s you” security challenges

To help protect your account, you may need to prove it’s you when you try to complete sensitive actions like the following:

  • Inviting Standard or Admin users
  • Performing unusual budget changes
  • Creating Ads with URL domains not previously used in your account
  • Creating Campaigns with apps not previously used in your account

When attempting these actions, you may be asked to confirm it’s really you by completing a security challenge such as receiving a security code on your phone.

3. Restrict the email domains your users can use

By adding allowed email domains in your security settings, you can ensure that users from outside your organisation don’t get invited to access your Google Ads account. For instance, if you set “” as the allowed email domain for your account, you’ll only be able to invite [email protected] to the account, but not [email protected].

4. Avoid sharing login credentials among multiple users

If many people need to use your Google Ads Account, don’t have them share the same username and password. Instead, grant each person access to the Google Ads account, using their individual Google Account.

Each Google Account can have direct access to up to 20 Google Ads Accounts. Also, keep in mind that if you’re managing multiple Google Ads accounts, a manager account might be a better option for you. You can then give different users access to the manager account, and allow them to access multiple accounts from that single manager account.

5. Manager account security mandates

Manager account security mandates are minimum security settings enforced on all current and future sub-accounts that a manager account has administrative ownership over. These security settings are available to admin users of manager accounts and can be applied to all current and future sub-accounts owned by the manager.

Obviously, these steps apply to Google Ads specifically but most advertising platforms implement similar features and security advice. Google is pushing security harder than most advertisers, though, so you may find other networks still have some catching up to do.

Here are some useful links to security information for the other major advertising platforms:

Enable two-step verification (2SV)

Two-step verification (2SV) is becoming the default standard for account protection in Google products. Since 2018, the company has expanded 2SV across its range of products and this now includes Google Ads and Google Analytics.

two-step verification

“When you use Google Ads, you’re trusting us with sensitive information—which is why it’s important to keep it private and safe. Today, we’re making updates to put you in control of your security and ensure you stay protected.”New security protections for your Google Ads account, Google Ads Help

Increasingly, this is the default setting in Google Ads although this doesn’t apply to all accounts yet. If it isn’t, you can enable 2-step verification by following the steps on this page. You can also opt out of 2-step verification by following the steps at the bottom of the same page but Google strongly recommends using this security setting, especially for Google Ads.

Google is now rolling out the same system to personal accounts and it has seen a 50% drop in hacked accounts since expanding.

What is two-step verification?

Two-step verification (2SV) is a security method that adds a second layer to the log-in process. Once you’ve typed in your details (normally your email/username and password), you’ll be asked to follow an additional step, such as type in a verification code sent to the email address you typed in.

You’ve also likely heard of two-factor authentication (2FA) and it’s already common to use the names 2SV and 2FA interchangeably, but they’re actually two different methods.

Technically, two-factor authentication is a more secure alternative to 2SV because it adds a second step of authentication that requires you to use an entirely different method of authentication – for example, sending a code to another device (SMS message) or scanning a fingerprint.

In the case of Google, its “two-step verification system” is a mix of 2SV and 2FA methods.

Review who has access to your PPC accounts

Over the months and years, many different people can legitimately gain access to your PPC account. New team members join, old ones leave and others get promoted into and out of roles. You want to make sure that access is always restricted to the people who really need it and the only way to avoid mistakes is to regularly review who has access to any given account.

Doing this regularly will make sure people don’t retain access for any longer than necessary but – more importantly – it will help you identify any access that was never intentionally given in the first place.

In Google Ads, you can easily review and remove access by clicking on the tool icon labelled TOOLS AND SETTINGS in the top navigation menu and selecting Access and security under the Setup section.

Here, you can review everyone who has access to the account and you can remove access by clicking on Remove access under the Actions column.

You’ll find more information on this Google Ads Help page.

Make sure you regularly review user access (ideally, every quarter or more, depending on how many users you have) and do this across all of your advertising networks.

Scan all machines for malware

Likewise, you should regularly scan all machines for malware and keep antivirus software up-to-date at all times. This should be standard procedure for all on-site machines used to access your PPC accounts but don’t forget about any devices used outside of the office – an increasing threat as more people work from home or remotely.

We’ll discuss this last point in more detail later.

Keep your website secure

If your website is compromised, you could find platforms like Google Ads disapprove your ads due to malicious links. Hackers are constantly refining their techniques and working their way around the latest security innovations so it’s important to take this seriously.

Google cares a lot about security, too, and it doesn’t want to send users to infected websites. Not only will the search giant disapprove ads linking to affected sites, it will also remove sites from its organic search rankings to protect users.

As standard, you should take the following steps to protect your website:

  1. Add HTTPS and SSL
  2. Keep software and plugins up-to-date
  3. Use a secure web host
  4. Only use secure passwords – and keep them secure
  5. Limit user access and keep track of it
  6. Implement 2FA for website access
  7. Regularly backup your website
  8. Use a web application firewall
  9. Protect your network(s)
  10. Develop security guidelines and train your team on security essentials
  11. Regularly scan your website for malware

Using WordPress? Make sure you know the vulnerabilities


Any content management system (CMS) comes with vulnerabilities. As the world’s most popular CMS, WordPress is targeted by hackers more than any other platform of its kind and the open-source nature of its ecosystem comes with additional risks.

Aside from the standard steps listed above, you should also implement the following procedures to protect any WordPress website.

  • Update WordPress: Always keep your website updated to the latest version of WordPress – the majority of updates address bugs and security issues.
  • PHP update: Stay updated to the latest version of PHP (WordPress will notify you when a new version is available).
  • Update plugins: Always keep plugins up-to-date for the same reason and reconsider any plugins that haven’t been updated for a while.
  • Limit plugins: Every plugin adds a certain amount of vulnerability so only install plugins from trusted developers and keep them updated.
  • WordPress themes: Only use WordPress themes from trusted developers with a strong reputation for security.
  • WordPress login: Move your WordPress login page to a custom URL, not the default /wp-login.php URL.
  • Login attempts: By default, WordPress allows unlimited login attempts but you can restrict these to reduce your vulnerability to brute force attacks.
  • Idle users: You can automatically log out users who haven’t completed an action in a set period of time.
  • Admin username: Change the default admin username from admin to a unique name.
  • Password protect your admin directory: You can implement password protection on the server side for users to access your website’s admin directory, requiring a valid username and password.
  • Database prefix: Change the prefix in your database name from the default wp_.
  • Directory browsing: You can prevent directory indexing and browsing via your website’s .htaccess file.
  • File editing: You can disable WordPress’ built-in code editor when you don’t need access to it using one line of code: define( ‘DISALLOW_FILE_EDIT’, true );
  • PHP file execution: You can also disable PHP file execution in directories where it’s not needed with this line of code: <Files *.php> deny from all </Files>
  • XML-RPC: You can disable XML-RPC (a brute-force vulnerability) via your website’s .htaccess file.
  • Stay informed: Keep yourself in the loop about the latest WordPress vulnerabilities and take action to protect your site when required.

Make sure you work with an experienced WordPress developer when implementing any security changes as mistakes can bring your whole site down.

Implement security guidelines for remote working & working from home

We’ve touched on remote working and working from home a little in this article but more companies are moving to flexible working patterns so this point is becoming increasingly important.

Remote working and working from home can be just as safe as time spent in the office, as long as you and your team understand the potential risks:

  • Using off-site devices, some of which could be shared devices
  • Personal devices may not be as protected as those on-site
  • Personal devices aren’t only used for business purposes
  • Staff may take more risks when using a device for personal purposes
  • Using off-site internet networks, some of which could be unsecured
  • Staff may feel overly confident when working at home
  • Working in public spaces with screens visible to everyone
  • The risk of devices being left, lost or stolen in public locations

All of the risks listed above – and any other potential security issues associated with working outside of the office – are relatively easy to mitigate. First, you need to make sure your team members understand the potential risks and provide training on how to avoid security breaches.

Public WiFi is the obvious example of an unsecured network but private networks are easily compromised, too. So your priority should start with ensuring your staff’s home networks and any devices they’ll use on them are as secure as possible. From there, you can develop guidelines to protect your PPC accounts and any other sensitive information.

For example, you might warn team members against working in cafes and other public settings if they’re going to use any sensitive information, such as logging into or using Google Ads. You might even want to provide your staff with devices specifically for work purposes – machines that you can customise and protect on your own terms.

Are your PPC accounts secure enough?

If you have any concerns about the safety of your PPC accounts, call us on  023 9283 0281 or fill out the contact form and we’ll be in touch.

Chantelle Riley profile picture
Chantelle Riley

Chantelle is a PPC Specialist at Vertical Leap.

More articles by Chantelle
Related articles
Google rolls out free Google shopping

Google announce free listings for Google Shopping

By James Faulkner
Can data predict the winner of the World Cup?

Can data predict the winner of the World Cup?

By George Stone
Google’s helpful content update: How will it affect your website?

Google’s helpful content update: How will it affect your website?

By Abbie Mitchell
Search marketing news and what it means for marketers – Sept 2016

Search marketing news and what it means for marketers – Sept 2016

By Lee Wilson
Report: Q4 2020 Google trends for course providers

Report: Q4 2020 Google trends for course providers

By Michelle Hill
Google offices

SEMINAR: How to get the edge in eCommerce marketing

By Michelle Hill