3 ways to maintain password security while working with a web developer

If you ever hire a web developer, there will normally come a point where you need to provide administrative access to your host or back-end website administrative section.  It’s all part of the process when you work with people like me who develop websites for a living.  I routinely need admin access to WordPress to make things happen for my clients. Sometimes I need to access the hosting account. Sometimes both, and sometimes neither. It all depends on what you’re asking your web developer to do.

First-time web entrepreneurs might find the request for the “keys to the kingdom” a bit startling at first. Those who are a little more seasoned at working with web developers might find themselves in a bit of a mental quandary as to exactly what is appropriate to share, and what isn’t.

Fortunately, there are ways that we can share credentials and help reduce the amount of vulnerability that might be felt.  Here are some ideas to help you understand how this usually plays out.

Before you hand over the keys, make sure you trust them

Trust is something that, to me, is earned.  There are unscrupulous people in the world who, given the chance, will wreak havoc on your life, so unfortunately, people are hesitant to trust developers initially.  When push comes to shove though, and you need to provide someone access to a vital system, you should already trust the other party to some degree.

Trust can be obtained in a variety of ways.

  1. Time and experience with the other party will build that trust.  Working on a project together, or just having known the person for some time, can provide the trust required.
  2. Research the web developer.  Find out from past clients what their experience was like working with the developer.  This should be pretty easy to do.  The web developer site should also have some testimonials or something similar to help new clients determine if the prospective web developer is trustworthy or not.
  3. Trust your gut instinct. Like fruit, if it smells bad, you don’t put it in your mouth to see if it tastes bad also! You throw it away and find better fruit. The same is true of people who perform services for others. If you can’t trust them with the things they need to do the job, why are you using them?

You should always feel comfortable enough to share your information with someone that is presumably trying to help you out.

When that trust is there, and you’re ready to start that development project, here are 3 ways that you can ensure that providing your password doesn’t have long-term worrying effects.

1. Create a new username and password for the developer

Perhaps the easiest way to protect yourself, and still provide enough access for a web developer to do what they need to do, is to create a unique username and password.  The web developer can use the supplied credentials to do their thing, and when all is said and done, you can simply change the password, disable the account, or delete it entirely.  If you feel that you might ask for more work later on, disabling or changing the password is probably easier so you don’t have to recreate everything.

The web developer still has access to your site while the account is active, and could still do some damage if they wanted to.  Trust will always be in play.

2. Change your password during development

Can’t create a new user but you need to supply credentials to the web developer?  No worries.  All systems that you use should provide the ability to change your password.  Another option you have is to change your password prior to starting work, and then provide the web developer the modified credentials.  This gives the web developer what they need to get work done, but also does not leak to them your original password.  When the work is done, you can change your password back to its original text, or change it to something entirely different.

What you don’t want to do is to provide a password that you use on more than just the site being developed!  People are creatures of habit, and I’m sure many of you out there use the exact same password for your Twitter, email and other accounts.  By modifying your password for the systems that the developer will be using, you are helping to protect yourself from possible problems.

Important!  You wouldn’t want to change a password that is used by other processes. That could be bad, potentially.  For instance, you wouldn’t want to change the password used to access your database, unless you change the values in the website as well.  Not doing so could bring down your website.  Make sure you understand exactly what’s being affected by the change before making the change!

3. Don’t share your password at all

Maybe you don’t want to share your password at all.  While it’s possible to build a website without having access to a production server, it does complicate the issue.  Websites can usually be built in their entirety on a desktop or laptop and then deployed to a production server later on, when all is said and done.  If you decide that you don’t want to share your password nor provide access to the systems required for the project, the web developer will then have to perform all their work locally on their desktop or laptop.  Expect to be more involved with the process though.  There are times when the developer will need information, data or files that just can’t be obtained without those credentials.

I usually don’t meet many people that want me to develop a site for them who also have the ability to install and configure it when I pass all the files over to them.  Those people are usually able to develop a site themselves as well, so they normally don’t need someone like me. But in the case where trust might be an issue, you might have the individual build the website, and then use another developer that you do trust to perform the installation and configuration.

As you can see, while this option might offer the best security for you, it also produces many obstacles that will need to be overcome.  The amount of time required for the site to reach production will increase, and there might be additional costs incurred by the web developer having to establish a mock site on their local computer for development.

The bottom line is trust

The bottom line here is trust.  If you don’t trust your web developer, why are you even considering them?  Any web developer worth their salt is going to help you feel comfortable, and ultimately prove to you that you can trust them. At the end of the day though, you should keep your username and password safe from others, but sometimes you do need to share your credentials to get stuff done.

How I operate

As a web developer, I usually need to ask for credentials to my clients’ systems.  I remember a long time ago when I was handling some of my very first clients how awkward it felt to ask for the administrative username and password to someone’s website.  It’s ingrained in all our minds to keep them safe and to never give them away, and here I was asking for the keys to their digital kingdom. It took me a little time to get comfortable with the idea, but this experience helps me to understand where others are coming from, hence how these options have come about.

If you and I ever work with each other, I will ask you for access to your systems if and when I need them.  Don’t ever just provide me the keys to your kingdom; allow me to ask for them first.  I want to make sure that you feel comfortable enough, and I with you before sharing sensitive information.

When I do ask, don’t let it come as a shock to you since I do need these things to do what I need to do.  The ideas above are great ways to maintain a little control if you feel you need that control, so use them to your advantage.  To do what I do, I don’t necessarily need access to your hosting account, nor your back-end WordPress administration to perform web development services, but it does help speed things along when I do have access.

Having a web developer deploy the changes, however, will always require that credentials be provided.

Have some additional ideas?

How did you feel the first time sharing your username and password with someone? Have some ideas that you would like to add?

Let me know in the comments below. Thanks for reading.

About

Wayne John is a health coach for people that want to lose weight, gain weight, improve athletic performance, or simply maintain a healthy lifestyle. Wayne has lost over 55 pounds and improves his current health every day by using simple, straight-forward techniques that anyone can integrate into their lives to achieve the same. Contact Wayne today to realize your own health and fitness goals, or get started now by completing and submitting the free Wellness Profile. He also has been developing websites since 1995 and programming solutions for clients even longer. He'd rather be outside having fun in the sun though.

Posted in Web Development Tips
66 comments on “3 ways to maintain password security while working with a web developer”
  1. Kristi says:

    I usually do the “create a new user” option first, if possible. But if not, then I change my password to something secure but unrelated to any of my other passwords to give out, and then change it back to my usual one after the other person is done with what they needed to do. I trust my main password string to no one! :)

    • Wayne says:

      That’s what I ask my clients to do too. Seems to be the most flexible, and it also allows them to tailor the specific rights I’ll need. Hmm…perhaps I should mention that in the article.

      I don’t trust anyone with my password either. Even to sysadmins at places of business, they find it a little shocking when everyone else in the company but me will give them their password. At first they think I’m just being stubborn, but then I explain the reality of it and they usually understand.

      • Ari Herzog says:

        Hear, hear, don’t ever give someone your password — especially if you’re like me and use a mnemonic system for every password on every site. But do create a new user/pass schema for the person so you can delete it later.

        I last did this in January when I paid someone to migrate two blogs at ariwriter.com to ariherzog.com. So, I created eight sets of user/pass schemas (one for each wordpress site, one for each ftp access), plus the server user/pass (which I changed for the developer until he was done).

        But you’re right about trust. In this case, someone I trusted recommended him and a few emails solidified it.

  2. Keith Davis from Public Speaking and Presentation Skills says:

    Hi Wayne
    Got somebody working on my site at the moment but never thought of…

    “Create a new username and password for the developer”

    Seems obvious now that you’ve mentioned it and it is what I will do in future.

    When he first asked for all my info… felt strange giving him “the keys to the kingdom”.

    New username and password – I’ll remember next time.

  3. David Cooley says:

    Excellent post Wayne!

    One of the things I like about Dreamhost is when I need the actual backend access, clients can give me access without giving me any login or password information.

    • Wayne says:

      Thanks David! Most hosts will offer the ability, at least they should. They would be incorrect to think that every customer they have will never need to share their account. I don’t think I’d use a host that didn’t offer some way to do this.

  4. Art from Heart Internet Review says:

    Great advice Wayne. I have to admit that I do still feel funny about handing over passwords (or money, when I’m buying a domain from someone) even when I know they’re trustworthy. Sites with feedback systems can be quite helpful.

    • Wayne says:

      Thanks Art, I know I’d feel funny too if I had to. Fortunately, it’s rare that I have to, but I have had to in the past. That funny feeling, it’s a good thing. :)

      Would you say a comments area like what I have here would qualify as a feedback system?

  5. Justyna Bizdra from Internet Marketer says:

    Great tips Wayne. I remember that when I asked you for help in one of my projects, you recommended that I create new username and password for you, and it was great.
    I don’t give out my passwords, also create unique ones and my Roboform remembers them for me :)

    • Wayne says:

      Our working together helped me define this post! So I owe some inspirational credit to you for that. I always try to keep my customers’ peace of mind intact, and it’s these types of things that can cause stress in a relationship if mishandled. Giving you the power to pull the plug on me is perhaps the best way to provide that peace of mind. It leaves you in control, as it should be.

      Roboform…need to look that one up. I’ve been hesitant to write anything down anywhere. Yes, I keep everything in my head…but sometimes that fails. I always have thoughts of someone finding the list, or losing the list.

      If I lose my mind, then it wouldn’t matter. hahaha

  6. Maria Pavel says:

    Since most of my clients come from people I’ve helped one way or another (from forums), I don’t have the trust problem. Things go like this: guy posts on forum, and I can help him fix his problem. I ask for his passwords. Since he’s desperate, he’ll give them to me, else he won’t be able to solve his problem. Now keep in mind these are all easy-to-solve problems; it doesn’t take me more than 5-10 minutes to fix them. About half of those will later ask me to provide more work because they realize they’re wasting their time trying to do it by themselves. At that point they already trust me and we can talk about the money.

    • Wayne says:

      Do you charge for your help with the smaller 5-10 minute jobs, or just accept something like a shout-out on Twitter or similar?

      That’s pretty cool that it works out for you like that. Didn’t even consider those that are part of a community and how this might work for them. Thanks for that insight!

      • Maria Pavel says:

        I don’t charge for those 5 minute jobs, I do them because I’m a “good person” :)
        They’re just to show people I know what I’m doing and that I can be trusted.

        • Ali Mujtaba says:

          It is interesting :) You help people solve their problem and you do not charge for that, but he/she will ‘advertise’ your skills to others. It is a new way to promote for me :) Thanks for the share Maria, Wayne too :)

        • Wayne says:

          I’ll do the same. I sometimes just ask for a shout-out on Twitter for the small jobs. A little advertising is always nice.

  7. Kimi says:

    Hi Wayne,

    I agree 200% with the #don’t share the password to anyone at all!

    I personally even write down my password in a book at home, and delete from my PC lol..

    Though it would be hard for a client in the situation where they have to give their passwords to someone I guess, as they would not really know whether the person can be trusted or not, since they met online..

    Thanks.

    • Wayne says:

      Hi Kimi, nice to have you here, welcome! Thanks for taking time to share your thoughts.

      I’ve thought about keeping a notebook by my desk, perhaps in a locked drawer or safe (joking) with all my passwords. After all the sites and personal passwords, one could easily fill an entire notebook with sites, usernames and passwords. lol

      Cheers!

  8. Amy from Custom Labels says:

    I actually had a client send me a file that had ALL of his passwords in it…like, All of them – for Everything. Good thing I’m a nice person ;)

  9. Ken Lowman from Las Vegas custom home says:

    A file with passwords, it would have been a great blessing if it landed in the hands of people engaged in ID thefts. Our passwords should be top confidential and it’s always safer to create new ones and then delete the account after use. I keep changing my password and think of the hardest one whenever I intend to change. It’s amazing to learn about how America is experiencing thousands of ID thefts everyday. You just posted a very important article Wayne.

    • Wayne says:

      I believe so too. Too many out there go about this the wrong way. I’ve learned that from experience. I’m an honest chap, and would never abuse anyone’s trust in that manner, but there are those that will, and do out there. I felt it’s important for people to know this. Even without all the ID thefts that take place, password protection is paramount to your digital survival, as it were.

  10. Alex from Zahnarzt München says:

    Lucky for the guys that know themselves how to set up WordPress, install a nice template and can optimize the blog themselves :) Although, I have to admit I faced this problem once when I needed a web developer to create a booking system for my site, and I had to give them access. But it’s a trustworthy company, so there was no problem. Till now, no one hacked my site :D and in case someone does, I know who’s the No.1 suspect :D

    • Wayne says:

      Well, there’s plenty of reading to do out there that will tell you step by step how to do pretty much anything you want to do. It’s just not some people’s cup o tea. :) But I believe ANYONE has the ability to do it for themselves if they exert enough effort, and time isn’t an issue. Heh, I’ve been banging my head on issues since I was 13….perhaps that’s why I’m an odd bird sometimes. lol

      I hope your site never gets hacked! That would be a terrible experience.

      Cheers Alex! thanks for leaving your two cents!

  11. Jake from Bani pe net says:

    This is a hard one :) I usually don’t trust freelancers, but if I really need to give access to one, I try to look for one that has great feedback (I talk about freelancer.com here) and then I change the password and I’ll give him the credentials…. And after he has finished the job, I change the password back to the initial one. I never give them that pass, because it’s my pass that I use for ftp, mail etc…

    • Wayne says:

      That’s the approach you should take. One might also backup everything before providing access too. There might be a time when that backup is handy to undo whatever might be done.

      Another point that I should add to the article. lol

      Thanks for commenting Jake!

  12. Deven from dedicated cpanel says:

    Hey Wayne, Having worked as a developer in my life things cannot get accomplished if they cannot give you password. Unless you set the hosting for them. What I would do is have them create, or have the system administrator a temporary password that would give the developer restricted administrative privileges.

    • Wayne says:

      If you can fine tune permissions, you should have a good amount of control on the dev for sure.

      By the way, I’ve modified your name to be more in tune with my obsessive/compulsive needs. lol You get the keywords, I get the name. :)

  13. Charleston says:

    Wayne,

    Thanks again for the great tips. Feel insecure handing anyone my password though, so I prefer a more complicated way, but it’s best for security purposes.

  14. Charles from Counterterrorism Degree says:

    Hi Wayne,

    This is a great topic and a dilemma that tends to come a lot if you do online marketing. One idea I had was to have a duplicate of your website on a separate hosting account and have the developer work on that version and document the changes to the code, so you can make the changes yourself on the real version. Of course this is not a perfect solution, but it might be worth considering. When I use WordPress I use the WP-DB-Backup to send a backup to my email before any work is started. Also, sometimes the changes can be made by just tweaking the CSS file, so you can just send them the CSS file and they can send it back to you after they have made the changes.

    • Wayne says:

      That’s usually a great way to work it, Charles. When I develop for a client, I do so off-site. Meaning either local on my laptop, or on a site that is considered a development environment. We programmers can copy a site and replicate it anywhere to create a nice way to introduce new functionality to the site, while not impacting existing visitors. When development is done, all the changes get “deployed” to the production server. Voilà! New functionality, and the impact to the end users of the site is lessened.

      Great to have you here Charles, thanks for taking a few moments to share your thoughts on this.

  15. Lin Ching from Rovey Farm Estates homes says:

    You know what I like about this post Wayne? When you actually admitted that it took you a little while to get comfortable with the idea of having to ask someone for the “keys” to their website. A lot of individuals out there actually like to “jump” into the idea of having to access personal and secret information of different individuals. This point alone makes it worthwhile to know that you do value personal access information of your clients even from the start ;)

    • Wayne says:

      Thanks, I’m certainly not like that at all. After all, I get paid to help people, why would I ever jeopardize that?

      Thanks for leaving your thoughts, Lin. Hope to see more of you!

  16. Nile says:

    Trust is huge. As a developer and designer, I cannot rely on my reputation in the WordPress community all the time because… well, unless a client has worked with me before, they do not know my work ethic, but not know what I charged the previous client or what went on during that past project.

    My suggestion is to include a Privacy Policy in your contract or verbal/ written agreement and list the legalese. You CAN be held accountable for screwing over a client if you have a computer and ISP, especially IF they might have the means to track you down.

    State in your privacy policy that you hold all passwords given with the utmost confidentiality. However, outside of your contract, repeat this and never outright ask for it if you do not need certain access. There are people that will just toss their login and account info at you. I make sure to tell them to not be as flippant with their security – reason, maybe they might have hired me to design and develop their site, but not the logo. Can the logo designer be trusted? Can I be trusted?

    However…. in the end, I agree with you – it is all in the trust factor.

    • Wayne says:

      You make a good point there. Sometimes there is more than a single person or party involved in the development, and all of them need to be trusted. One thing though, graphics can be done without access to any systems. In fact, I’d say that the graphics people might deliver to the web developers to have their graphics included in the overall project.

      The less exposure the credentials have, the less risk of naughtiness there be. :) I think I just turned into a pirate…

      Awesome to have you here Nile, and thank you for leaving such a thoughtful comment.

  17. Daniel Black says:

    I believe that creating a separate account and password is the right approach, but like you said it all comes down to trust. If you cannot trust the person, there’s no point hiring him because no matter what you do you will still be worried about the damage he can do to your website, given the fact that now he has full access to it. Oh well, I guess sometimes it’s worth taking the risk unless you want to get it all done by yourself!

    • Wayne says:

      I believe everyone should be able to find at least one person that can do the job and be trustworthy; not causing one to lose sleep with worry. People just need to look and not accept the first person they find. Shop around, like you do for grapefruit…except the squeezing part… haha

  18. Sonny from Kids Craft Videos says:

    I was thinking of paying someone to update the look of my site and make some cosmetic changes. But at this point, the only person I believe in are friends and family…

    • Wayne says:

      Yes, and even friends and family come with their own set of problems.

      What’s the old saying, never work with family?

      If you need anything done, you can always ask me. If I ever do you wrong, all you need to do is come here and leave a comment, or on Twitter, or on Facebook. Thing is, if I’m not trustworthy, I wouldn’t be able to work and make money. It’s part of what I do and if I were to ever screw that up, which I never would in the first place, I’d lose my livelihood. Not a good thing.

      By the way, like the lightsaber video on your site. :)

      • David Cooley says:

        Wayne,

        Excellent points!

        This is exactly what I tell clients. When people like you and I are this transparent, it is impossible for us to hide. We can not afford the bad press, and it is too easy for people to hit us where it hurts.

        Don’t do online business with anyone who is not transparent with their business on Social Media and their own web page. If they are hiding from the public that should be the first red Flag!

  19. A few days ago I had some problems with a banner for a campaign and I asked for help from the guy who oversees the campaign, and he told me that he needed admin rights to do something inside. I created a new user in WordPress with admin rights for him and the problems were resolved. I had never talked with this guy before, but I know his reputation.

  20. jenn from t1 service says:

    Wait, how is it possible to build a web site without having access to a production server? I completely understand and respect the need for security, but if someone asked me to develop a web site but wouldn’t give me log in access to their server, I would refuse to create the site. That said, I have never actually run into this problem. . . I must have a trustworthy face! lol!

    • Wayne says:

      I’m glad you asked, check this page out: http://www.waynejohn.com/tag/wampserver/ This is how. :)

      • Keith Davis from Public Speaking and Presentation Skills says:

        Hi Wayne
        I set up a local install on my PC by following this tutorial..

        http://sixrevisions.com/tutorials/web-development-tutorials/using-xampp-for-local-wordpress-theme-development/

        Fantastic step by step tutorial showing how to install XAMPP, set up a database, install wordpress and populate the site with content.

        I still come back to this article when installing XAMPP on a new PC.

        Comments are really flowing on this one Wayne.
        Well done.

        • Wayne says:

          XAMPP and WAMP are pretty much the same beast. They both offer up MySQL, Apache and PHP, the three things you need to develop locally.

          I haven’t had a chance to play with XAMPP at all, but that tutorial looks really good and thorough.

          I’ve been seeing a little uptick in the comments lately on most of my posts recently. I wonder if since I posted my fear if I’m getting a little more unrestrained with my writing, and perhaps that is coming through and connecting with more people. Not sure, don’t want to over analyze it…just let it flow. hahaha

        • jenn from t1 service says:

          Hi guys! Gotcha–yep, I’m familiar with using a development server to develop a site, but eventually the client is going to want you to take it live for them. . . which seems darn near impossible to do if they don’t give you login credentials! I guess they could do the changeover themselves, but like you said–if someone has that kind of expertise, they probably wouldn’t have hired you in the first place. Nevertheless, I do agree that it’s important to be careful about blindly giving away server access. You make really great points there!

          • Wayne says:

            Gotcha! Yes, giving them the source is really the only option I see at that point. One thing that is really cool about the .Net framework is that you can create an installer for the site…but that’s a completely different ballgame, and not one I usually speak about on here. Everyone I interact with is usually php and MySQL, not C# and ASP.net.

  21. Ayanami Rei says:

    We use SSH keys, no password is ever needed. When the developer is done, you merely revoke the key.

    And yep, on trust — I totally agree, that’s super valuable resource for any freelancer.

    • Wayne says:

      Yup, great way to do it, I think. lol I’m not familiar with using SSH as I’ve been a Windows guy for most of my life. (don’t throw stones just yet) and usually have alternative ways to do these things.

      I’m getting my head wrapped around all that is linux et al over the course of time. I’m in no rush.
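The revocation step from the SSH-key comment above, as an added example (not code from the post or its commenters): it removes a developer's key from `authorized_keys` content by SHA-256 fingerprint rather than by the free-text comment, so a second entry for the same key is removed too. The key blobs, comments and option strings are constructed placeholders.

```python
import base64
import hashlib

# Prefixes that identify the key-type field of an authorized_keys entry.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_fields(line):
    """Split on whitespace while keeping double-quoted option values intact."""
    fields, current, in_quotes, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch in " \t" and not in_quotes:
            if current:
                fields.append(current)
            current = ""
        else:
            current += ch
        prev = ch
    if current:
        fields.append(current)
    return fields


def parse_entry(line):
    """Return (fingerprint, comment) for a key line, or None for anything else."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = split_fields(stripped)
    # The key type is field 0, or field 1 when an options field comes first.
    for i, field in enumerate(fields[:2]):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return fingerprint, " ".join(fields[i + 2:])
    return None


def revoke(authorized_keys_text, fingerprint):
    """Drop every entry for the given key; return (new_text, removed_comments)."""
    kept, removed = [], []
    for line in authorized_keys_text.splitlines():
        entry = parse_entry(line)
        if entry and entry[0] == fingerprint:
            removed.append(entry[1])
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def fake_key(seed):
    # Constructed stand-in for a public key blob; not a usable key.
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + seed).decode()


OWNER = fake_key(b"owner-constructed-sample")
DEV = fake_key(b"developer-constructed-sample")

# Constructed authorized_keys content: the developer's key appears twice,
# once plainly and once behind an options field with a quoted space.
SAMPLE = (
    "# site owner\n"
    f"ssh-ed25519 {OWNER} owner@laptop\n"
    f"ssh-ed25519 {DEV} dev@contractor\n"
    f'from="203.0.113.7",command="rsync --server" ssh-ed25519 {DEV} deploy hook\n'
)

if __name__ == "__main__":
    dev_fp = parse_entry(f"ssh-ed25519 {DEV} lookup")[0]
    new_text, removed = revoke(SAMPLE, dev_fp)
    print("revoked entries:", removed)
    print(new_text, end="")
```

Matching on the fingerprint matters because comments in `authorized_keys` are not authenticated and the same key can be listed more than once.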

  22. Chris from Web Design Hull says:

    Very good article, not something I’ve thought about until the other day when I was asked to revamp a customer’s website. Prior to this I’ve always hosted customer sites on their behalf.

    • Wayne says:

      Ugh, I used to host for others too. Became burdensome and the maintenance aspect was just a time drain. I finally decided that I didn’t want to spend weekends dealing with all the backups and shtuff you have to do. I’d rather spend my time writing code and making things happen and deploying the end result to a server the customer can maintain.

      Nice to have you here, Chris. Thanks for taking time to comment!

  23. It’s very hard for us to trust somebody, especially if you don’t know him personally. Credentials are very important for you to give them the chance to work with you. Otherwise, lack of trust might get you in trouble.

  24. Richard from Web Design Leeds says:

    To be honest, if someone does not trust their web developer enough to provide access details, then I would question why they picked that developer in the first place.

    At the end of the day, a dodgy developer could put backdoor access to your site in any php file, so being careful with passwords is not going to stop anyone with malicious motivation who has worked on your site from re-gaining access.

    That said, anyone with a dynamic site should be making regular backups, and it is always worth making sure that you do back up before allowing anyone else access, so if anything goes wrong, you will have a copy.
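One way to act on the two points in the comment above (files can be altered regardless of password hygiene, and a copy should be taken before granting access), as an added example that is not from the post or its commenters: hash every file before the engagement, hash again afterwards, and list what changed outside the agreed scope of work. The directory layout, file contents and the agreed path prefix are constructed assumptions.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the site tree
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(before, after):
    """Classify paths as added, removed or changed between two manifests."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(
            p for p in before.keys() & after.keys() if before[p] != after[p]
        ),
    }


def out_of_scope(diff, agreed_prefixes):
    """Paths touched outside the directories the work was supposed to involve."""
    touched = diff["added"] + diff["changed"] + diff["removed"]
    return sorted(p for p in touched if not p.startswith(tuple(agreed_prefixes)))


def demo():
    """Constructed site tree: snapshot, simulate a work session, then compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        # State of the site before access is granted.
        write("wp-includes/load.php", "<?php // core file, constructed\n")
        write("wp-content/themes/client/style.css", "body { color: black; }\n")
        before = build_manifest(root)

        # State after the work: two agreed theme changes, two unexpected ones.
        write("wp-content/themes/client/style.css", "body { color: navy; }\n")
        write("wp-content/themes/client/booking.php", "<?php // agreed feature\n")
        write("wp-includes/load.php", "<?php // core file, constructed, edited\n")
        write("wp-content/uploads/2011/cache.php", "<?php // unexpected file\n")
        after = build_manifest(root)

    diff = diff_manifests(before, after)
    return diff, out_of_scope(diff, agreed_prefixes=("wp-content/themes/client/",))


if __name__ == "__main__":
    diff, review = demo()
    print("all changes:", diff)
    print("review first:", review)
```

Keep the "before" manifest somewhere the developer's credentials cannot reach. It covers files only, so database changes such as new administrator accounts need a separate check.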

  25. roppets from puppet shows says:

    Hey thanks for sharing your ideas.

    Trust is indeed important in business whether it’s large or small. I just wanna share my experience when I first started freelancing. During our planning phase, my client would normally give me the login details. Since we’re working in teams of 3, we are all sharing the same logins. The thing is, all 3 of us are accountable for the login. If one of us would do something nasty, we’re all dead!

  26. Mith from Carpet Cleaning Los Angeles says:

    Security has always been a concern and I personally go with creating a new ID and password; I think it is the safest and easiest way to go. Well, if you trust the developer and you know he is not a nutter then maybe you don’t need to take these “extra precautions”, but it’s always better to go with the safer side.

  27. Lalit from Samsung Tablet says:

    This is one of the great articles and I fully agree that have another set of password and only go forward if you have trust in your developer. Change the password as soon as the work is over.
