What Level of Access Should I Give My Client?

From the Mailbag… “Cindy” asks how much access her clients should have to their WordPress site.

For those of you who own a website and retain an outside vendor, you may be interested in this post.

Hi Kurt!

Wanted to get your input. I have a client that involves several different agencies and volunteer board members. I was hired to manage the website and an app, which is available on Apple and Google.

When I started, nothing was set up correctly and no one knew any of the passwords! After beating my head against a wall for months (for which I got paid), I have been able to sort it all out and keep records of the logins.

The current treasurer seems to have trouble with Excel. I had to give her the Apple ID login so she could update the banking info. They didn’t want me to do it with them over the phone. Now she wants all the passwords and security questions. And she has asked for the login information for the WordPress website so she can “upload files.”

I am reluctant to share this information, yet I know it is theirs and they pay me to manage things. BUT, I don’t want to be responsible if one of these bozos decides to log in and change something, then forgets what they did. These people struggle with Word and Excel, let alone HTML and developer stuff.

If I was terminated, I would obviously turn over all the information.

How do you handle it and what is reasonable for me to expect to maintain some control?

Thanks for your input!


My response may surprise you, but I think it’s a Win-Win for all involved…

Dear Cindy-Lou

I understand your reticence. You’re not being territorial. You’re being responsible. You may even be trying to save some work for yourself.

But, it is their website.

And they’re paying you to protect it.

If they screw anything up, you can probably just go back to an earlier version of the page using the WordPress Editor.

If they ROYALLY screw up the whole site, you should have backups set. I would make sure their web host is backing up the site. But I would also use something like Updraft, which has an excellent free version. You can set it up to back up on a schedule. (Recommended)

Rather than storing the backup on the server, I prefer having it emailed to me or stored in Dropbox or Google Docs.

I’ve used some others you will find if you do a search for ‘backups’ or ‘backup plugins.’ Look for plugins with a significant number of installations and superior ratings.

Updraft is pretty good.

I recently worked with a client who had refused to back up their WordPress site for years! Then one day, their database got corrupted. When that happens, you can suffer all kinds of bad things…

  • Loss of content that took years to create.
  • Loss of apps, plugins or custom programming that may not be replaceable.
  • Downtime resulting in lost sales.
  • Loss of site control access.

For my client, it was the last of these. They could not log in to the site. They paid to restore an original backup of the site and they had an intern print out every page of the site so they could re-create those pages manually.

Fortunately, they didn’t update the site much in 4 years, so there wasn’t as much work as if they had written a weekly blog post.

If you ain’t backin’ up the site, you are ASKING for trouble! 

The second thing I might do is give them EDITOR access and keep the Admin access to yourself. There really isn’t anything they would need to do that requires more than Editor credentials.

There are 4 levels of credentials in WordPress: Subscriber, Writer, Editor and Admin. In this case, I think you retain sole access as Admin, unless they specifically ask for Admin access.
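One way to script the Editor-for-the-client, Admin-for-yourself split described above, as an added example that is not part of the original post. It assumes WP-CLI (`wp`) is installed on the host; the function names are hypothetical, and the last function goes a step further than the post by flagging any administrator account that is not on a list you supply.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes WP-CLI (`wp`) is
# installed and these functions are called from the WordPress root directory.

# Create a client login with the Editor role. --send-email mails the account
# details to the user; --porcelain prints only the new user ID, so the
# generated password is not echoed to the terminal.
add_client_editor() {   # $1 = login, $2 = e-mail (both supplied by caller)
    wp user create "$1" "$2" --role=editor --send-email --porcelain
}

# Succeed only if role $1 can upload files yet holds none of the
# site-administration capabilities checked below.
role_is_content_only() {
    rc_caps=$(wp cap list "$1") || return 2
    printf '%s\n' "$rc_caps" | grep -qx 'upload_files' || return 1
    for rc_cap in manage_options install_plugins edit_users switch_themes; do
        if printf '%s\n' "$rc_caps" | grep -qx "$rc_cap"; then
            return 1
        fi
    done
    return 0
}

# Print every administrator login that is not in the allow-list given as
# arguments. Returns 1 if any were printed, 0 if none, 2 if WP-CLI failed.
unexpected_admins() {
    ua_list=$(wp user list --role=administrator --field=user_login) || return 2
    ua_found=0
    while IFS= read -r ua_login; do
        [ -n "$ua_login" ] || continue
        ua_ok=0
        for ua_allowed in "$@"; do
            if [ "$ua_login" = "$ua_allowed" ]; then ua_ok=1; fi
        done
        if [ "$ua_ok" -eq 0 ]; then
            printf '%s\n' "$ua_login"
            ua_found=1
        fi
    done <<EOF
$ua_list
EOF
    return "$ua_found"
}
```

Running `role_is_content_only editor` before handing over the login confirms the account can do what was asked (“upload files”) without reaching plugins, themes, users or site settings.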

If you get terminated, that would be a terrible thing, but I’m sure you would do the right thing and turn over everything.

However, if you get hit by a bus, they still have options…

  1. You (and/or your team) would have all access credentials stored in a secure place, possibly using LastPass or another password manager and they could take over quickly.
  2. They can contact their host and take control by using cPanel and updating logins directly through the database.

Hope this helps!

Now my answer would be a little different for website owners who have an employee or VA or web developer working on the site. I would really recommend that you have all of the WordPress logins, FTP access and own & control the domain name.

What do you think? Have you ever been put in this situation before? 
