As a website owner, there will likely be times when a developer, tech support, Virtual Assistant or similar professional will ask you for access to the backend of your site. This post looks at what to think about before agreeing, how to figure out what access someone will need, and how to prepare your site.Currently reading: What To Consider Before Giving Someone Backend Access To Your Website Click To Tweet
01. Do they need access to the backend of your website?
It may sound obvious, but it’s easy to just agree when someone you’ve hired asks. Does the person asking genuinely need access to your website, FTP, or hosting control panel/account? The fewer people who have access the better, as it’s more secure, and easier to backtrack. You can figure out what’s been changed (and where) recently, and it reduces finger pointing or being stuck in the middle if anything goes wrong.
This is especially important for your SEO as you’ll want to revert any changes that hurt your search rankings, and some people can make changes without realising they’ve done something to harm SEO (for example, creating a lot of keyword-stuffed text or links or changing plugin settings).
Another common problem is people saying they’re going to improve your site speed. A lot of people in the speed industry apply a set of blanket fixes, usually because it’s quicker and easier for them to do so or sometimes because they don’t really understand site speed and rely on you not understanding either (we have a free, easy to follow speed course for that – just raise a support ticket!). As each hosting platform is different and each site can be as individual as a fingerprint, this can end up doing more harm than good (even if your PageSpeed Insights scores look better). In this situation you may want to revert to a backup, but ideally you want to know enough about site speed yourself to know what you’re hiring for and whether that person can/will do what you need.
Don’t feel like you have to apologize for asking for clarity or more details. If you’re paying for a service, especially one involving changes to your website, you have every right to ask about the specific tasks being done and why. If you don’t know what something means, always ask. Many tech experts either don’t realize they’re speaking in jargon or don’t really know themselves what things mean – and it’s important to know which type you’ve hired! The golden rule applies here: if they can’t explain it to you in a way you understand, they don’t know enough about it themselves to be doing the work.
Tip: If a response sounds particularly jargon-y or you’ve got a list of terms that you don’t understand, google it to see if it’s been copied ans pasted from somewhere else. It might not give you help understanding, but it will tell you a lot about the sender!
Be very cautious about hiring people purely because you’ve heard they have a good reputation. Ask for examples of their work, what they’ve achieved for clients, and if you’re hiring for speed, speed test their clients’ sites yourself using a waterfall speed test – not PageSpeed Insights!
Always give as little access as possible to your website, hosting, email and name servers. If they ask for more, don’t be afraid to ask why and what they’re planning to do. Remember, it’s your website and your say. If anyone refuses to explain to you or belittles you, you probably don’t want to give them access to anything at all.
You can try an activity log plugin to see what people are doing in your WordPress Dashboard, but this won’t help if they deactivate it first or access your backend through a different route (e.g. your file manager or FTP) as you won’t know what they’re doing.
02. Do you need a second opinion?
The internet will give you a million opinions, so it’s best to stick to people you know well in real life. Alternatively, if you’re a Lyrical Host customer, please raise a ticket with us. Our senior developers can tell you quickly and easily whether you’re getting what you’re paying for and if there are any red flags.
03. What kind of access do you want to give them?
There are lots of different ways to give someone access to your site (and control how much access you’re giving them).
WordPress itself has a number of user roles you can use to limit access when you’re adding someone as a new user from your Dashboard. You can change permissions at any time, which is useful if you think someone may some back to work on your site in the future; you can just downgrade their role rather than having to delete/re-add them. If they have authored posts on your site, you won’t want to delete them completely.
If the person you’re working with is doing tasks for you beyond writing or editing blog posts, they’ll likely need to be an administrator (only give admin access to people you trust as they can downgrade/delete your user). If you’re not sure, just raise a support ticket and we can help.
You’ll want to have user registration turned off by default. So to add another user account, head to Users > Add New in your WordPress Dashboard instead. You can change their name, email, permissions and so on from their user profile.
Giving someone access to the backend of your WordPress site gives them a lot of power; they can make significant changes to your site, including adding/deleting plugins, themes and content, and exporting your content if they wanted to make a copy of it. However, if you have backups yourself and/or with your web host, you/they can restore from those in the worst case scenario, so it’s not as risky as giving someone access to your hosting account or domain.
FTP/File Manager Access
This usually involves giving someone access to your hosting control panel, or login details they can use to connect to your site via FTP (a piece of software used for managing files). It gives them greater control over your site than just giving access to WordPress, as they can manage files outside your WordPress install, including deleting and adding files and changing permissions.
Someone is likely to need this kind of access if they’re making changes to your .htaccess file, or you have content/files outside of your WordPress install, for example you also have a non-WordPress forum as part of your site. You only want to give this level of access to someone you really trust who knows what they’re doing, as they can break or delete your site.
Always download your own separate website backup to the cloud or your computer (don’t rely on backups within your site, site files, or hosting control panel as these can all be deleted by someone with FTP and File Manager access).
Hosting/Domain Account Access
This is the highest level of access. Giving someone full access to your hosting account or domain names means they can delete everything, including backups accessed from your hosting control panel, even your hosting account. If they have access to your domains, they can transfer them to another provider and keep ownership for themselves.
For this reason, we strongly advise against giving anyone this kind of access to your website. The most likely reason they would have this kind of access to your hosting account would be if they were your web designer and they were creating your site from scratch (where you have nothing to lose as opposed to years of work).
If you’re a Lyrical Host customer, you can create a sub-user for your hosting account and choose what permissions they have. This allows you to give limited, temporary access to your hosting account (you can remove the sub-user once they’re done). To find out how, see our article on creating a sub-user.
There are other ways people can access/change your website, for example using SSH. These are all high level options that give the user a lot of control, so you’ll want to check it’s really necessary before access is given. We can tell from the responses and reasons given if someone needs that kind of access and if they understand what they’re doing, so if you need a second opinion just let us know via ticket.
04. What else will they have access to?
It’s likely that your website is connected to and/or utilizes a bunch of other third parties, for example social media networks, IFTTT/Zapier integrations, and plugins. Giving someone access to your site also means giving them control of these things, and while social networks tend to protect your personal logins, other things (for example plugin keys and passwords within plugins) can potentially be copied or reset, which can cause licensing/connection issues.
If you’re giving someone access to your hosting account or hosting control panel, you’re also potentially giving them access to everything within that, including email addresses and inboxes, and more. It would be hard for you to detect if someone created a new email address and starting spamming/phishing from it for example, or if they read/deleted your emails or sent emails as you.
You’re also potentially letting another party access customer/visitor data, which is something to consider for GDPR and other privacy laws – especially if you collect personal information such as addresses if you run a store.
05. How will you give them access?
There are two main ways to give someone access: using a password manager service such as LastPass or 1Password, or via a direct login. While password managers can be useful, especially for social media networks that don’t allow you to select user roles for access, they aren’t infallible. Once someone is logged in, they can still change your details to their own and lock you out. However, they are still better than sharing your password directly and give you more control over revoking access.
Whether you’re using a password manager or not, wherever possible never give someone else your own login details. Instead, create them their own user account. This helps you revoke/change access more easily.
Passwords should never be sent plainly in email, over social media messengers, or via text.
You’ll also want to think about how long they will need access for, and make a note to remove/reduce their access and disconnect any third parties (e.g. removing password manager access) as needed. For quick jobs, you’ll want to remove access as soon as possible.
06. Will they need two factor authentication (2FA)?
Giving someone access to your site also means trusting them to keep the details safe. If they leave their laptop in a cafe, or their desktop gets stolen, or they’re lazy with their password choices, or they store passwords insecurely, it could cause major issues for you.
One way to reduce the risk is to require them to use two factor authentication (2FA). There are lots of 2FA plugins you can choose from by going to Plugins > Add New from your WordPress Dashboard, and you can also set up 2FA for your hosting account. We have a blog post on password security with more details and tips.
07. What else do you need to do?
Note to yourself so you don’t forget to remove their account/downgrade it to a lower access role
1. Make a list of access permissions/users so you can keep track (have this stored somewhere secure and away from all access, for example a secure, private cloud account or a file on your own computer).
2. Set calendar reminders for checking your site users regularly (even if you don’t have people working on your site much, this is good practice to help you identify any suspicious users).
3. Set a calendar reminder so you know when to downgrade or remove people’s access.
4. Check in with us – we can advise on workflows, security, and much more, so don’t be afraid to raise a ticket and ask for help.
If you found this post useful, please pin it for someone else to discover!