A question was raised over at NamePros: how do I give my web developer limited access to my website? This raises a conflicting issue. You want your site to be secured from malicious intent, incompetent developers or perhaps you want to prevent access to other sites you are hosting. However, a developer needs enough access to get the job done and anything too restrictive is constricting.
First, let’s look at things from my perspective as a web developer:
I was hired to customize a WordPress theme for an existing website purchased from another provider. This particular client did not want to grant access to his hosting account. Normally, I would make an initial site backup via FTP, backup the database via the control panel and end up with two site clones: a complete original backup for safekeeping and another one for development on my testing server. However, my client had never worked with me before and understandably did not want to give me access to his hosting account.
Therefore, I simply worked around the restrictions. I have a readily available WordPress testing environment on my development server and I received his WordPress theme via email. However, eventually I hit a brick wall when the changes he requested required me to sort through his actual data. I needed to clone his content, which means I needed access to his database. The end result was a lot of wasted time with back and forth versus if I had access to everything I wouldn’t need to stop, email him for data requests, apply it to my server, send him the new files so he can upload them, wonder why it doesn’t change on the live site, stop, request more files from him, etc, etc.
It’s constricting when a client grants me limited access to their website. It rarely happens but when it does it’s like trying to work with my hands and body tied to the chair. We need access to many things, not just files. Uploading a site may require configurations in many different places and most of the time the steps needed are too difficult to blindly instruct a person who has limited technical experience over email ( or phone ) exactly what they need to do when we can just login and take care of it in under ten minutes
without having to explain away years of our field in a matter of minutes to you.
It’s as silly as taking your car to a mechanic, hovering over him to ensure he doesn’t steal your car, then making him give you the wrench when it comes time for the actual repairs and making him instruct you on which places to tighten the screws just because you feel less risk this way.
Fortunately there are measures to give you a peace of mind and your web developer the access he or she needs:
Backup your data (database, files, host settings, everything) before you give someone access. Regular backups should be a normal part of your site maintenance. If not, at least do this before you allow someone access.
Always ask what control panels, utilities, directories, etc that he/she needs access to and ask them to explain why.
Get to know who you are working with. Do they test on a development environment? Do they backup files before working on them? Will they employ others to help with your site? How will they store your username/password for future access? Do they have enough experience to restore your site in case something goes wrong?
If the programmer doesn’t need database access you can assign them an FTP account without giving them control panel access. Giving them a domain.com/programmer is fine if you know how to move around your files and change settings. If not, trust them with main directory access.
The main reason a developer would need access to your hosting control panel is to set up a database. Learn how to do this yourself and all you have to do is email your developer the set up information.
There are other reasons for needing hosting control panel access. Ask your developer why they would need access.
Some companies allow the assignment of account management profiles with only enough access to particular features. For example, GoDaddy has an AccountExec tool for hosting only or domain management only. The rest of your information and settings are isolated from this account.
Never allow anyone to make css or core file changes (such as theme files) via a content management system control panel. The main reason is most CMS do not have a restore utility in case a change doesn’t work out as expected.
Change all passwords after the project is complete.
Overall, it is most important to work with someone you trust and feel confident in their abilities. However, you should keep regular site back ups because even the best of us make mistakes from time to time. Full access to the entire hosting account is ideal for web developers but don’t feel bad if you feel the urgency to protect your data. It is, for many of us, an investment worth protecting.
What's your opinion? Join the Discussion! Leave a Comment