A question I often hear: how do I give my web developer limited access to my website? This raises a conflict. You want your site protected from malicious intent and incompetent developers, or perhaps you want to prevent access to other sites you are hosting.
However, a developer needs enough access to get the job done, and access that is too restrictive gets in the way of the work.
First, let’s look at things from the perspective of a web developer:
I was hired to customize a WordPress theme for an existing website purchased from another provider. This particular client did not want to grant access to his hosting account.
Normally, I would make an initial site backup via FTP, back up the database via the control panel, and end up with two site clones: a complete original backup for safekeeping and another one for development on our testing server.
However, my client had not worked with me prior and understandably did not want to grant full access to his hosting account.
Therefore, I worked around the restrictions. I have a readily available WordPress testing environment on my development server and received his WordPress theme via email. Eventually I hit a brick wall when the changes he requested required sorting through his actual data.
I needed to clone his content, which meant access to his database. The end result was a lot of wasted back and forth. If I had had access to everything I requested, there would have been no need to stop, email him for data requests, apply it to testing servers, send him the new files so he could upload them, wonder why nothing changed on the live site, stop, request more files from him, and so on.
It’s constricting when a client grants limited access to their website. It rarely happens, but when it does, it’s like trying to work with one’s hands and body tied to the chair. We need access to many things, not just files.
Uploading a site may require configurations in many different places, and most of the time the steps needed are too difficult to explain over email or phone to someone who has limited technical experience, especially when we can just log in and take care of it in under ten minutes without having to explain away years of our field in a matter of minutes.
Imagine taking your vehicle to a mechanic, demanding his tools and ordering him to tell you how to turn the wrench. You feel less risk this way but is it really practical?
Fortunately there are measures you can take while giving your developer the access he or she needs:
Back up your data (database, files, host settings, everything) before you give someone access. Regular backups should be a normal part of your site maintenance. If not, at least do this before you allow someone access.
Always ask which control panels, utilities, directories, etc. he or she needs access to, and ask them to explain why.
Get to know who you are working with. Do they test on a development environment? Do they back up files before working on them? Will they employ others to help with your site? How will they store your username/password for future access? Do they have enough experience to restore your site in case something goes wrong?
If the programmer doesn’t need database access, you can assign them an FTP account without giving them control panel access. Giving them a subdirectory such as domain.com/programmer is fine if you know how to move files around and change settings. If not, trust them with main directory access.
The main reason a developer would need access to your hosting control panel is to set up a database. Learn how to do this yourself and all you have to do is email your developer the setup information.
There are other reasons for needing hosting control panel access. Ask your developer why they would need access.
Some companies allow the assignment of account management profiles with only enough access to particular features. For example, GoDaddy has an AccountExec tool for hosting only or domain management only. The rest of your information and settings are isolated from this account.
Never allow anyone to make CSS or core file changes (such as theme files) via a content management system control panel such as WordPress or Joomla. The main reason is that most CMSs do not have a restore utility in case a change doesn’t work out as expected.
Change all passwords after the project is complete.
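As an added example (not from the original article): one way to set up the database yourself and close the access again when the project ends, assuming a MySQL or MariaDB server on which you have administrative rights. The database name, account names, IP address and passwords are all placeholders.

```sql
-- Added example. Every name and value below is a placeholder (assumption),
-- not something taken from the article. Run as an administrative user.

-- 1. A database that holds only this one site.
CREATE DATABASE IF NOT EXISTS client_site_wp
  CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- 2. A separate account for the developer, usable only from their
--    address (203.0.113.10 is a documentation-range placeholder).
CREATE USER 'dev_contractor'@'203.0.113.10'
  IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- 3. Rights on this one database only. No global privileges and no
--    GRANT OPTION, so other sites' databases on the server stay invisible.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
  ON client_site_wp.* TO 'dev_contractor'@'203.0.113.10';

-- 4. Check what the account can actually do before sending the details.
SHOW GRANTS FOR 'dev_contractor'@'203.0.113.10';

-- 5. When the project is complete: remove the developer's account ...
DROP USER IF EXISTS 'dev_contractor'@'203.0.113.10';

-- ... and change the password of the account the site itself uses
--     ('site_app' is a hypothetical name). For WordPress, update
--     DB_PASSWORD in wp-config.php to match.
ALTER USER IF EXISTS 'site_app'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_NEW_RANDOM_PASSWORD';
```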
Overall, it is most important to work with someone you trust and whose abilities you feel confident in. However, you should keep regular site backups because even the best of us make mistakes from time to time.
Full access to the entire hosting account is ideal for web developers, but don’t feel bad if you feel the need to protect your data. It is, for many of us, an investment worth protecting.