• Skip to main content
  • Skip to primary sidebar

How to Minimize Risk of Sharing CPanel Access to Developers

Reading Time: 5 mins. Posted on June 8, 2016, last updated on September 9, 2020 .

Understand the risk of sharing the Cpanel, FTP, or admin access with developers. Precautions to take and how to revoke the access correctly

How to Minimize Risk of Sharing CPanel Access to Developers

Web developers can ask for FTP, Cpanel, and admin details of your site. It is completely legitimate, but still, you want to be careful about how much access you share with them. Moreover, you are well prepared for when things become sour; one can minimize the risk of sharing the Cpanel access details with developers.

So let me help you understand the risk as well as help you in making sure when you want to revoke the access, you have all bases covered.

Details One Can Share with Developers

There are 4 or 5 levels of details one has for a website that one can share with developers.

  1. FTP Access and/or Front-End Admin Access
  2. CPanel Access
  3. Server Root Access
  4. Domain and Hosting Account Access

In most cases, you only need to share the first access details with the developers. In some cases, you may want to share the CPanel details as well with the developers.

Very rarely, you may want to give root-level server access to a developer unless he is managing your servers.

The domain and hosting account access details are only needed if you don’t want to be dealing with the domain’s DNS servers and want the developer to do the management for you.

Sharing any one of the first two access details, aka FTP, CPanel, or Admin, means the developer has full control on your site’s backend.

With FTP details, one may not have CPanel access, but then with the help of config files on the FTP server, one can access the database along with the files.

Similarly, with admin access, one can install plugins to browse the file system or can have access to the database.

Pre Sharing Precautions

To do before sharing access details with anyone, including developers.

Daily of Weekly Backups

If anything can go wrong, it will go wrong. Create a complete backup copy of your site. If you are not sure how to backup, ask your host for step by step guide to backup your site.

Once you have the backup, it is also recommended that you download the backup on your local computer.

Moreover, one should always opt for automated daily or weekly backups from hosts.

If you are using WordPress, opt for Vaultpress service (it is by the people behind WordPress) where you can backup and restore your complete WordPress site with just one click inside WordPress admin. The best part is, you can have hourly or daily backups, and one can restore to a point with only one click.

Besides, if you host your WordPress with managed WP hosting services like WP Engine, you don’t need even Vaultpress, and they will back up and restore it for you.

Trustworthy Freelancers

Backups are not risk-free but are just an option for a disaster recovery process where if a disaster occurs, you can put things back online with minimal loss of data.

So it is always recommended to be hiring freelancers whom you can trust. If you aren’t sure, always use freelancing sites like Upwork when hiring freelancers.

When Sharing Credentials

You will need to share access details with developers for sure but let’s do it the right way.

Create separate FTP accounts

Consider how much you need to share with the developer. You may not need to share super admin details or Cpanel hosting login details. FTP details are just fine.

You can even restrict FTP access to folder levels.

If you have multiple domains in your control panel, it makes much more sense to share only a specific folder for a domain to a developer.

Moreover, with CPanel access details, one can create FTP accounts. So even if you change the CPanel access details later, the developer still has an FTP account access.

Moreover, when sharing FTP details for WordPress, you only need to grant permission on the wp-content folder. One can even be more specific to share the plugins folder to a plugin developer or themes folder to a front end developer. It is a way to protect the config file, which has database access details.

Separate admin accounts

You may also need to share CMS admin details where he may need to be changing things on the front end.

For example, if you want to upload a new theme for your WordPress blog, the developer not only needs to upload plugin using FTP but will also need to activate the theme in the WordPress admin area.

Ideally, you should create a separate admin account for freelancers.

Revoking access the right way

Once you want to revoke access, there are certain things to be considered.

If you have shared Cpanel, access with a developer, you may want to see if they have created any FTP accounts?

There is nothing wrong with creating a separate FTP account, but if you change the Cpanel password and if the freelancer has an FTP account, he will have access to the site’s files and folders using the FTP details he created.

Check FTP account under CPanel to see what users exist if there are a user who doesn’t need FTP access, they should be deleted.

Similarly, if you provided freelancers with WordPress admin details, he can create other admins.

Note if you see additional admins, just changing the password for those admins may not be enough. One can use the lost password option to regain access if they have their email address for the admin account.

Deleting additional admin accounts is always preferred but if you aren’t comfortable deleting them, change the email and the password so that password cannot be recovered using the email is a better choice.

The Staging Approach

You can create a replica of your complete site and provide fill access to the developer.

I prefer using automated staging options from hosts. Every host provides such options, including SiteGround.

If you are using WP Engine for WordPress, you can replicate the live site to the staging server with just one click and provide developer access to the staging server to develop. Once done, you can move the changes to the live site. It makes your live site completely secure.

However, my preferred choice of hosts has always been CloudWays, where you can create a staging site just like WP Engine for any custom CMS type of site.

You can have issues if server settings are different from the development and the live version.

I had Xenforo plugin developed for a client where I could upload big files on the staging server but not on the live server. The issue was with the PHP upload limit configuration, and the client could not explain to the host what needs to be done. I then had to explain to the host what’s required to solve the issue.

Moreover, in XenForo, the style templates are stored in the database, and edit options are within the admin area. So security options often tend to disallow the saving of PHP style code.

Things you Shouldn’t Share

You will never need to share domain registrar details. At most, you will need to change DNS for domains, which is a reasonably simple task. If you are sharing it, make sure you trust the freelancer completely.

Most of my clients share even the domain level access with me. They do it because if I need to verify the domain in Amazon SES by adding the DNS records.

I have root access to many of my client’s dedicated server as well. I do everything for those clients, from setting up the Cpanel accounts for their clients’ to managing the server.

So it is not entirely true that you can’t share critical details with your developers, but the most crucial piece of the puzzle is trust.

Conclusion

If you don’t share the Cpanel access details with a developer, you can’t get the job done. You are not technical enough to be able to follow the instructions and do it. You have to take the risk.

However, you don’t need to share every detail right away. Let there be some work done before you provide more access details.

It’s like handing your credit card to a waiter in a restaurant; under normal circumstances, they are going to charge you for your bill only.

You are Here: Home / Freelancing / How to Minimize Risk of Sharing CPanel Access to Developers

About Shabbir Bhimani

Blogging Since 2009. If I can leave my high paying C# job in an MNC in the midst of global financial crisis of 2008, anybody can do it. @BizTips I guide programmers and developers to Start and Grow an Online Business. Read more about me here.

May I help You With ...

Upwork Proposal
Finding Clients
Start a Store
Start a Blog
 

Or Help Yourself ..

Primary Sidebar

About Shabbir Bhimani

Blogging Since 2009. If I can leave my high paying C# job in an MNC in the midst of global financial crisis of 2008, anybody can do it. @BizTips I guide programmers and developers to Start and Grow an Online Business.

Get in touch with me on LinkedIn or read more about me here.

Let me Guide You to Start and Grow your Online Business

Download my
FREE eBook NOW
to win more clients.
And it is not an annoying pop-up either

Additional menu

  • Twitter
  • Linkedin

BizTips

Shabbir Bhimani: Start and Grow an Online Business

  • Freelancers Start Here
  • Start An eCommerce Store
  • Start A Blog
  • About
  • Archive
  • Disclaimer
  • Contact
  • Glossary

2009 - 2025 All my content & images are licensed as Creative Commons.

WebTurtles LLP. LLPIN: AAL-5288. Hosted with Linode.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT