• Hi everyone,
    My small business has finally gotten to the point where I simply don’t have time to maintain my website, so I have found a WP developer to take on the small tasks and tweaks I have piling up.

    The developer is highly rated and has a strong portfolio, but I still have trust issues when it comes to handing over the username/password to the admin panel. I’ve only ever had a single account for the site, the primary admin account. Should I give him that main account?? Should I create a new account with admin privileges?

    This is a WooCommerce site, but I assume he won’t have access to customers’ credit card information, etc.

    Moreover, it’s not so much the developer I’m concerned about but his computer’s security. What if his computer is compromised? I’ll make a FULL backup of the entire site before handing it over, just in case. But do you have any other tips/tricks before I engage in this?

    I don’t need to give him any CPANEL/WHM information, since the tasks I have are all on the WP site.

    Thanks everyone!

    • This topic was modified 9 years, 7 months ago by pratiken.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator t-p

    (@t-p)

    Hello @pratiken,

    Developers won’t ruin their career/job themselves. They understand and value their clients’ privacy. Your way of thinking would have come from any bad experiences you’ve heard or seen.

    Anyone could compromise your website with a Username and Password. If you don’t trust, then don’t offer the job to the concerned person.

    If you’re not comfortable, you can, with the help of a lawyer, enter into a legal contract with the developer before offering the job.

    “Should I give him that main account?? Should I create a new account with admin privileges?” – there is a definitive answer to this that is not related to WordPress.

    Long-established fundamentals of Computer Security tell you to never share usernames. Doing so really reduces your ability to diagnose and control a security breach. In fact, at my last employer before retiring 10 years ago, an excellent person was fired on the spot when her manager found out she had used someone else’s username while “someone else” was on vacation. Just once! That is how important the folks in charge of Computer Security considered the one person/one username rule to be.

    In WordPress terms, it is the difference between shutting down your entire site versus disabling one username if a security issue occurs. It is a lot easier to figure out what happened, too.

    This is not really an issue of Trust. Bad things happen to good people, including infected computers. Even the best antimalware software occasionally misses a brand new piece of malware.

    Nightly backups are essential. I do incremental backups of my entire Linux server to Cloud storage using (open source) Duplicity, which allows me to turn the time machine back to any date (but always the same time, in the middle of the night) since I first built the server. For commercial shared hosting, I cannot run Duplicity directly, so I plan to use (open source) sftp on my Linux server to copy the shared hosting files and database each night, then use Duplicity to incrementally back up to Cloud storage from my Linux server copy. I’ve been pleasantly surprised at just how small the nightly incremental is.

    In general, I would treat the developer like a well-meaning human being — being human means mistakes and external factors can happen — just as you should an employee, and help your developer deal with potential issues. As well as backup, you should be doing monitoring to detect when something goes wrong.

The topic ‘Steps to take before hiring a developer?’ is closed to new replies.