Understand the risk of sharing the Cpanel, FTP, or admin access with developers. Precautions to take and how to revoke the access correctly
Web developers can ask for FTP, Cpanel, and admin details of your site. It is completely legitimate, but still, you want to be careful about how much access you share with them. Moreover, you are well prepared for when things become sour; one can minimize the risk of sharing the Cpanel access details with developers.
So let me help you understand the risk as well as help you in making sure when you want to revoke the access, you have all bases covered.
Details One Can Share with Developers
There are 4 or 5 levels of details one has for a website that one can share with developers.
- FTP Access and/or Front-End Admin Access
- CPanel Access
- Server Root Access
- Domain and Hosting Account Access
In most cases, you only need to share the first access details with the developers. In some cases, you may want to share the CPanel details as well with the developers.
Very rarely, you may want to give root-level server access to a developer unless he is managing your servers.
The domain and hosting account access details are only needed if you don’t want to be dealing with the domain’s DNS servers and want the developer to do the management for you.
Sharing any one of the first two access details, aka FTP, CPanel, or Admin, means the developer has full control on your site’s backend.
With FTP details, one may not have CPanel access, but then with the help of config files on the FTP server, one can access the database along with the files.
Similarly, with admin access, one can install plugins to browse the file system or can have access to the database.
Pre Sharing Precautions
To do before sharing access details with anyone, including developers.
Daily of Weekly Backups
If anything can go wrong, it will go wrong. Create a complete backup copy of your site. If you are not sure how to backup, ask your host for step by step guide to backup your site.
Once you have the backup, it is also recommended that you download the backup on your local computer.
Moreover, one should always opt for automated daily or weekly backups from hosts.
If you are using WordPress, opt for Vaultpress service (it is by the people behind WordPress) where you can backup and restore your complete WordPress site with just one click inside WordPress admin. The best part is, you can have hourly or daily backups, and one can restore to a point with only one click.
Besides, if you host your WordPress with managed WP hosting services like WP Engine, you don’t need even Vaultpress, and they will back up and restore it for you.
Trustworthy Freelancers
Backups are not risk-free but are just an option for a disaster recovery process where if a disaster occurs, you can put things back online with minimal loss of data.
So it is always recommended to be hiring freelancers whom you can trust. If you aren’t sure, always use freelancing sites like Upwork when hiring freelancers.
When Sharing Credentials
You will need to share access details with developers for sure but let’s do it the right way.
Create separate FTP accounts
Consider how much you need to share with the developer. You may not need to share super admin details or Cpanel hosting login details. FTP details are just fine.
You can even restrict FTP access to folder levels.
If you have multiple domains in your control panel, it makes much more sense to share only a specific folder for a domain to a developer.
Moreover, with CPanel access details, one can create FTP accounts. So even if you change the CPanel access details later, the developer still has an FTP account access.
Moreover, when sharing FTP details for WordPress, you only need to grant permission on the wp-content folder. One can even be more specific to share the plugins folder to a plugin developer or themes folder to a front end developer. It is a way to protect the config file, which has database access details.
Separate admin accounts
You may also need to share CMS admin details where he may need to be changing things on the front end.
For example, if you want to upload a new theme for your WordPress blog, the developer not only needs to upload plugin using FTP but will also need to activate the theme in the WordPress admin area.
Ideally, you should create a separate admin account for freelancers.
Revoking access the right way
Once you want to revoke access, there are certain things to be considered.
If you have shared Cpanel, access with a developer, you may want to see if they have created any FTP accounts?
There is nothing wrong with creating a separate FTP account, but if you change the Cpanel password and if the freelancer has an FTP account, he will have access to the site’s files and folders using the FTP details he created.
Check FTP account under CPanel to see what users exist if there are a user who doesn’t need FTP access, they should be deleted.
Similarly, if you provided freelancers with WordPress admin details, he can create other admins.
Note if you see additional admins, just changing the password for those admins may not be enough. One can use the lost password option to regain access if they have their email address for the admin account.
Deleting additional admin accounts is always preferred but if you aren’t comfortable deleting them, change the email and the password so that password cannot be recovered using the email is a better choice.
The Staging Approach
You can create a replica of your complete site and provide fill access to the developer.
I prefer using automated staging options from hosts. Every host provides such options, including SiteGround.
If you are using WP Engine for WordPress, you can replicate the live site to the staging server with just one click and provide developer access to the staging server to develop. Once done, you can move the changes to the live site. It makes your live site completely secure.
However, my preferred choice of hosts has always been CloudWays, where you can create a staging site just like WP Engine for any custom CMS type of site.
You can have issues if server settings are different from the development and the live version.
I had Xenforo plugin developed for a client where I could upload big files on the staging server but not on the live server. The issue was with the PHP upload limit configuration, and the client could not explain to the host what needs to be done. I then had to explain to the host what’s required to solve the issue.
Moreover, in XenForo, the style templates are stored in the database, and edit options are within the admin area. So security options often tend to disallow the saving of PHP style code.
Things you Shouldn’t Share
You will never need to share domain registrar details. At most, you will need to change DNS for domains, which is a reasonably simple task. If you are sharing it, make sure you trust the freelancer completely.
Most of my clients share even the domain level access with me. They do it because if I need to verify the domain in Amazon SES by adding the DNS records.
I have root access to many of my client’s dedicated server as well. I do everything for those clients, from setting up the Cpanel accounts for their clients’ to managing the server.
So it is not entirely true that you can’t share critical details with your developers, but the most crucial piece of the puzzle is trust.
Conclusion
If you don’t share the Cpanel access details with a developer, you can’t get the job done. You are not technical enough to be able to follow the instructions and do it. You have to take the risk.
However, you don’t need to share every detail right away. Let there be some work done before you provide more access details.
It’s like handing your credit card to a waiter in a restaurant; under normal circumstances, they are going to charge you for your bill only.
