WPShift — teams
WordPress team workspaces, secured by default.
WordPress team workspaces on WPShift separate clients and projects into fully isolated spaces, each with its own servers, sites, domains, mailboxes and billing. Teammates join with role-based permissions, a developer can get SSH and deploy rights without seeing billing, a client can get read-only visibility on their own workspace and nothing else, and every login is protected by TOTP two-factor authentication or single sign-on with Google or WordPress.com. Per-workspace API keys serve CI/CD pipelines and automation, scoped, rotatable and audit-logged. It is built for agencies running client portfolios and for any team where access needs boundaries. Workspaces exist on every plan; workspace sharing with teammates ships with the Agency plan at €29.99/mo, which also carries priority support.
Workspaces are the client boundary.
The account layer is designed for reuse: SSH keys, cloud provider connections and Git source tokens are configured once at account level and available across every workspace you own.
Agencies live and die on separation: one client must never see, or be billed for, another. On WPShift that boundary is the workspace itself. Each one holds its own servers, sites, domains, mailboxes and billing, and when a contract ends, you transfer ownership cleanly and the client keeps their workspace.
Your account-level integrations stay with you for the next project: SSH keys, cloud provider credentials and Git source tokens are configured once at account level and reusable everywhere. Connect DigitalOcean once and it is available in every workspace, no re-pasting tokens per project, and rotation happens in one place.
Usage-based billing keeps growth boring, in the good way. WPShift Cloud server hours, email storage and backup storage are metered against your subscription, and the per-unit price is the same regardless of plan tier, so growing into the next bracket does not come with a price shock.
What you get.
Workspaces for clients
Multiple workspaces per account, each fully isolated with its own servers, sites, domains, mailboxes and billing. Transfer ownership when contracts change hands.
Role-based access
Per-role permissions for billing, server SSH, database access, deploy actions and read-only audit. Grant exactly what each person needs.
Workspace API keys
Per-workspace keys for CI/CD pipelines, automation scripts and internal tools. Scoped to the workspace, rotatable in one click, audit-logged per call.
Two-factor and SSO
TOTP two-factor on every account with recovery codes at enrollment, plus sign-in with Google or WordPress.com.
Global account integrations
Account-level SSH keys, cloud provider credentials and Git source tokens, reusable across every workspace. Configure once, rotate in one place.
AI-assisted support
Tickets with categories, priority and attachments. AI summaries condense long threads and suggest responses, and the public knowledge base is searchable site-wide.
Security that holds up in an agency.
Access is granted per role, not per favour: billing, server SSH, database access, deploy actions and read-only audit are separate permissions. Invite a developer with deploy rights but no billing visibility; invite a client with read-only visibility on their own workspace and nothing else.
Logins are covered from both directions. TOTP two-factor authentication runs on every account with recovery codes generated at enrollment, and Google or WordPress.com single sign-on removes the shared-password habit for teams already living in those identity systems.
When you need help, tickets carry categories, priority and attachments, and AI summaries condense long threads into the key facts with a suggested response, which speeds up triage on both sides. The public knowledge base is searchable site-wide, so many how-do-I questions never need to become tickets at all.
Who it’s for.
Teams where access needs edges, not habits.
- 01
Agencies
A workspace per client, transferable when the contract ends, with billing, access and infrastructure separated by design rather than by discipline.
- 02
Freelancers scaling up
Bring in a subcontractor with exactly the rights the job needs, deploy but not billing, one workspace but not the rest, and revoke cleanly after.
- 03
Teams with non-developers
Read-only roles let account managers and clients see status without the ability to break anything, and SSO means no extra password to manage.
How it works.
- 01
Create a workspace per client
Each one is fully isolated, its own servers, sites, domains, mailboxes and billing, so client boundaries are structural, not procedural.
- 02
Invite people with roles
A developer gets deploy rights but no billing visibility, a client gets read-only access to their own workspace, an admin gets the lot.
- 03
Secure the logins
TOTP two-factor with recovery codes on every account, or single sign-on with Google or WordPress.com if your team already lives there.
- 04
Automate with API keys
Generate per-workspace keys for CI/CD and automation. Every call a key makes is recorded in the audit log against the key name.
How it’s priced.
Workspaces, roles, two-factor and API keys are platform features. Plans set the limits around them.
See all plans and pricing- Workspace sharing with teammates ships with the Agency plan (€29.99/mo), which also carries priority support.
- Plan limits apply per account: 1 server and 3 sites on Personal (€5.99/mo), 5 and 15 on Professional (€14.99/mo), unlimited on Agency. Prices ex VAT.
- Usage-based add-ons, WPShift Cloud server hours, email storage, backup storage, are metered at the same per-unit price on every tier.
- The 7-day free trial runs full Professional features, no credit card required.
Questions, answered.
How do workspaces isolate clients?
Each workspace holds its own servers, sites, domains, mailboxes and billing. Nothing leaks between them, and ownership can be transferred cleanly when a contract changes hands.
Can I give a client access without risk?
Yes. Invite them with a read-only role scoped to their own workspace. They see status and nothing else, no billing, no SSH, no deploys.
What login security is available?
TOTP two-factor authentication on every account, with recovery codes generated at enrollment, plus single sign-on with Google or WordPress.com.
Are API keys safe to hand to a pipeline?
Each key is scoped to one workspace, rotatable in a single click, and every call it makes is recorded in the audit log against the key name.
Which plan do I need for a team?
Workspace sharing ships with the Agency plan at €29.99/mo, which also includes unlimited servers and sites and priority support. The 7-day trial runs full Professional features so you can evaluate first.
Give every client their own walls.
Start your 7-day free trial with full Professional features. No credit card required, cancel anytime.