Contractor Access

  • Hi,

    Please bear with this and I hope you can help.

    Recently we contracted a freelance web-based worker to work on our WordPress website. We required them to fix some issues with the site that included a change to menu functionality, content and layout.

    While in discussions about taking the job, we found the worker very competent and we trusted them enough to create a new admin user account on our WordPress site. We provided them the DB password.

    Immediately following providing the WP-login, the developer also requested the cPanel password, and while we would usually be reluctant to provide this, because it also provides access to email accounts, this was a new site and we had no issue with providing the cPanel info. The developer then also requested FTP login info, and we provided that.

    We provided the developer this access before agreeing terms with them to do the work and the purpose of this was to provide them a transparent view of what we already had so they could best provide us with a quote and timeframe for the work.

    We agreed terms and contracted the freelancer to work with us (a 2-3 day job). 24 hours into the job the freelancer requested the website’s main wp-admin user account login info. We wanted to know why and they said that this provided them access to “the folder”. We asked what folders and got no reply; we pressed for an answer and were told that this login info allowed the contractor to edit the css and page templates, however it is our understanding this can be done from the Themes editor panel under any site admin user, which they were.

    We resisted providing this login info; our concern was that the main wp-admin user account could be used to delete and reset other users and would hand over complete control of our site. Again, we pressed the contractor for why they needed this logon and they would not answer us clearly, merely repeating the need to access css and template file… they eventually withdrew from the contract.

    This caused us considerable problems because we had negotiated the job over a few days and we were working to a deadline, we had rejected other contractors in favour of the contractor we’d chosen and the breakdown has impacted on us in terms of the completion of the work and our ability to contract other developers.

    To be clear this is our website, we are not a service provider.

    While WordPress may be a great software we feel we are always vulnerable when hiring developer services, especially when it comes down to what level of access to provide them as different developers will request different access. A developer/programmer needs to be able to do their work and there is no point in us preventing them from doing it because of bad information or bad experiences. This leads us to our inevitable question…

    1. What does a developer need access to? And
    2. What is the best way to set up developer access.

    We feel providing them a wp-admin User access to the site and database password should be enough. There are plugins for WP that would allow a user to download site files if they wanted or needed to.

    3. So why the cPanel and wp-admin site owner login details?

    I appreciate your help on this because it helps us contract work better when we are informed about what we need.

Viewing 2 replies - 1 through 2 (of 2 total)
  • First off, there are a lot of times when a developer will need access to the site as an administrator, FTP, cPanel. For the majority of work that’s needed to make sure that everything goes smoothly, especially if there’s a problem with a change that’s made. I can’t count the amount of times that a simple typo has made a site that I’m working on crash, so at a minimum FTP is needed to make sure that I can still update the files.

    Having said that, there is no reason whatsoever to hand over your own administrator account details. All administrators have access to the same things, so any of them can do anything. This does include editing and removing other users.

    What they are asking for is too much, especially when there’s no formal agreement for them to actually do the work. First lesson: never hand over anything until there’s a contract in place, even if it’s just a verbal one.

    The best thing to do is let them have the access that they need, and as I said before, that can include cPanel and full administrator access. When they’re finished, delete their administrator account and change the passwords for cPanel, the database and any other systems that they use.

    In this case I’d also recommend looking at what they’ve actually changed just to see if there’s anything there that shouldn’t be. That’s just me being a little too paranoid about these things, but it never hurts to verify that nothing “extra” has been added that shouldn’t have been.

    If I am working on a client’s website, I need a minimum of FTP – but full access is most desired.

    In your shoes, I understand being somewhat worried about providing that type of access.

    With that being said, I would look into a staging website solution where you can give them access to that website without it affecting production sites.
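
The clean-up described in the first reply (remove the contractor's administrator account, then look at what they changed), sketched as an added example that is not part of either reply. It assumes WP-CLI (`wp`) is installed; the site path, marker file, login name and function names are hypothetical.

```shell
#!/usr/bin/env bash
# Post-engagement review of a WordPress site once contractor access ends.
# Assumption: before granting access you touched a marker file, e.g.
#   touch /home/example/contractor-access.marker   (hypothetical path)

# List every file under the site root modified after the marker was created,
# i.e. everything changed while the contractor had access.
files_changed_since() {
  local root="$1" marker="$2"
  find "$root" -type f -newer "$marker" -print | sort
}

# PHP files under uploads/ are rarely legitimate and deserve a manual look.
php_in_uploads() {
  local root="$1"
  find "$root/wp-content/uploads" -type f -iname '*.php' -print 2>/dev/null | sort
}

# Remove the contractor's own admin account and invalidate their sessions.
# Requires WP-CLI; nothing here runs unless you call the function.
offboard_contractor() {
  local root="$1" contractor_login="$2" owner_id="$3"

  # 1. See who holds the administrator role right now.
  wp --path="$root" user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered

  # 2. Delete the contractor's account, reassigning their posts to the owner.
  wp --path="$root" user delete "$contractor_login" --reassign="$owner_id" --yes

  # 3. Regenerate the salts in wp-config.php so existing login cookies stop working.
  wp --path="$root" config shuffle-salts

  # 4. Compare core and plugin files against the official checksums.
  wp --path="$root" core verify-checksums
  wp --path="$root" plugin verify-checksums --all

  # cPanel, FTP and database passwords are changed in the hosting panel;
  # update DB_PASSWORD in wp-config.php to match the new database password.
}

# Example call sequence (hypothetical values):
#   offboard_contractor /home/example/public_html contractor_dev 1
#   files_changed_since /home/example/public_html /home/example/contractor-access.marker
#   php_in_uploads /home/example/public_html
```

Theme and template edits the contractor was hired to make will appear in the changed-files list; anything outside that scope is what to review.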
