Web developers can ask for FTP, cPanel and admin details of your site. This is completely legitimate, but you still want to be careful about how much access you share with them.
Pre-sharing precautions
Things you should do before sharing access details with anyone.
If anything can go wrong, it will go wrong. Create a complete backup copy of your site. If you are not sure how to back up, ask your host for a step-by-step guide to backing up your site.
Once you have the backup, it is also recommended that you download it. If you can opt for automated daily backups from your host, even better.
If you are using WordPress, opt for the VaultPress service (it is by the people behind WordPress), where you can back up and restore your complete WordPress site with just one click inside the WordPress admin.
If you host your WordPress site with WP Engine, you don't even need VaultPress; they will back up for you.
Backups do not remove the risk; they are only a disaster recovery option, so that if a disaster occurs you can put things back online.
So it is always recommended to hire freelancers who are reputable and whom you can trust.
When Sharing Credentials
Share admin accounts instead of super admin accounts.
Create separate FTP accounts
Consider how much you need to share with your freelancer. You may not need to share super admin details or cPanel hosting login details with a freelancer. FTP details are just fine instead of the hosting cPanel account.
You can even restrict FTP access to folder levels.
If you have multiple domains in your control panel, it makes much more sense to share only the specific folder for one domain with a freelancer.
If you are using WordPress, you may only need to share the wp-content folder or, to be more specific, just the plugins folder if your developer needs to work on a plugin, or the themes folder if your developer needs to work on a theme.
Separate admin accounts
You may also need to share CMS admin details where the freelancer needs to change things on the front end.
For example, if you want a new theme for your WordPress blog, the developer not only needs to upload it using FTP but will also need to activate the theme in the WordPress admin area.
Ideally you should create a separate admin account for the freelancer.
Revoking Access the right way
Once you want to revoke access, there are certain things to consider.
If you provided the freelancer with cPanel access, you may want to see whether the freelancer has created any FTP accounts.
There is nothing wrong with creating a separate FTP account, but if you just change the cPanel password and the freelancer has an FTP account, he will still have access to the site's files and folders using the FTP details he created.
Check the FTP accounts under cPanel to see which users exist; if there are users who don't need FTP access, they should be deleted.
Similarly, if you provided the freelancer with WordPress admin details, he can create other admins.
Note that if you see additional admins, just changing the password for those admins may not be enough: they can use the lost password option to regain access as long as the account still has their email address.
Deleting additional admin accounts is always preferred, but if you aren't comfortable deleting them, change the email and the password so that the password cannot be recovered using the email.
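One way to run the admin check described above, as an added example that is not part of the original article: it assumes WP-CLI is installed and that a snapshot of the administrator list was saved before access was shared. The file names and every account shown are constructed, and the changed-email check goes one step beyond the text by covering existing admins whose recovery address was altered.

```shell
#!/bin/sh
# Added example: audit WordPress administrators after a freelancer's work ends.
# Input: two CSV snapshots written by WP-CLI, one saved before access was
# shared and one taken now:
#   wp user list --role=administrator --fields=user_login,user_email --format=csv
# All account names and addresses below are constructed sample data.

# Administrators present now that were absent from the baseline snapshot.
new_admins() {
    awk -F, '{ sub(/\r$/, "") }             # tolerate CRLF line endings
        FNR == 1 { next }                   # skip the header row of each file
        NR == FNR { seen[$1] = 1; next }    # first file: remember the baseline
        !($1 in seen) { print $1 }' "$1" "$2"
}

# Baseline administrators whose email (the lost-password target) differs now.
changed_emails() {
    awk -F, '{ sub(/\r$/, "") }
        FNR == 1 { next }
        NR == FNR { email[$1] = tolower($2); next }
        ($1 in email) && tolower($2) != email[$1] { print $1 }' "$1" "$2"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BASELINE="$WORK/admins-before.csv"   # hypothetical file names
CURRENT="$WORK/admins-after.csv"

cat > "$BASELINE" <<'EOF'
user_login,user_email
owner,owner@example.com
editor-in-chief,chief@example.com
EOF

cat > "$CURRENT" <<'EOF'
user_login,user_email
owner,owner@example.com
editor-in-chief,someone-else@example.net
freelancer-dev,dev@example.org
support2,dev@example.org
EOF

echo "Delete (created after the baseline):"
new_admins "$BASELINE" "$CURRENT"
echo "Reset email and password (recovery address changed):"
changed_emails "$BASELINE" "$CURRENT"
```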
The replica approach
You can create a replica of your complete site and have the freelancer use it. You can run into issues if server settings differ between the development version and the live version.
I had a XenForo plugin developed for a client where I could upload big files on my local server but not on the client's live server. I knew the issue was with the PHP upload limit configuration, and the client could not explain to the host what needed to be done. I then had to explain to the host what settings needed to be changed to solve the issue.
If you are using WP Engine for WordPress, you can replicate the live site to a staging server with just one click and give the developer access to the staging server for development. Once done, you can move the changes to the live site. It makes your live site completely secure.
Things you should never share
You will never need to share domain registrar details, because at most you may need to change the DNS for a domain, which is fairly simple. If you are sharing them, make sure you trust the freelancer completely.
I have root access to many of my clients' dedicated servers as well as their domain registrars, because I do everything for those clients, from setting up the cPanel accounts for their clients to managing the server.
The most important piece of the puzzle is trust.
If you don't share details, you cannot get the job done, and if you do, you take the risk, but it's a risk everyone needs to take.
It's like handing your credit card to a waiter in a restaurant: under normal circumstances they are going to charge you for your bill.