When I used to work on clients’ projects, I often needed access to their site. In fact, it sometimes it was more than their WordPress site. When they gave me access to their online store, I always thought that it was like someone had given me a key to the front door of their brick-and-mortar shop. Now I know that isn’t a fair comparison, because in the latter case all their products were at my finger tips. On the other hand, consider all the things available to me once I was inside that virtual door.
Back to your WordPress site.
I remember fondly those days when my clients had such trust in me that, without a moment’s hesitation, they would send me their very own username and password. There were even a few instances where the email I received not only had the login to their site, but to several social platforms, their MailChimp account, their FTP and their hosting login.
Too much info = security risk
As much as I appreciated their confidence in me to not share all their personal data, after I recovered from my shock, I made my first recommendation. Create a new username and password solely for me, something they could easily delete when I was done.
But even then, I discovered that many clients never deleted my admin login. Sometimes I would get notified of updates to their site, which told me that I was still an authorized user. Or they would contact me a year later and when I asked for access, they simply replied, Just use your old login info. It’s still there.
I also recall when someone would ask me about deleting the user account of the person who created their site. In some cases, the relationship had come to a not-so-positive ending, and the client no longer wanted to allow them access, but at the same time they don’t know if there would be negative implications if that person was removed. Typically, I would suggest they delete that account, assign that user’s content to their username; but still they were often afraid that something would go wrong. No one should ever be put in that position.
In reality, you will need someone to access your online store at some point. And if you are granting full or limited user access, there is a process for safely sharing access to your site.
Don’t share your username and password. Create new ones for them.
Sending your own login information is risky, but it’s easy to create a new one and assign them the appropriate level of user access. Normally, you can just tick the box to send them their login. If you choose to do it another way, make sure to copy that password down before adding them as a user.
Give them limited user access
There are a few plugins for WordPress that allow you to create or edit user roles. One example of this is the free plugin User Role Editor. Editing existing roles or creating new ones is easy. It allows you to choose what capabilities a specific user role gets.
For example, you could give them access to everything, but not allow them to be able to delete any posts or pages while they are in there. It can be fine-tuned down to the smallest detail.
User accounts for support: delete them
It’s critical to remember to delete those people who you have given access to your site, once they are no longer needed. The key here is to remember. That is where a plugin like Support Me comes in handy. With it, you create the support user name and, here’s the good news, you will be able to add an expiration date to make sure it gets deleted. It can be set to expire in minutes, hours or even days. Not sure of how long their account is needed? Set it for a minimum amount of time. If need be, you can always give them additional access time.
When you give someone access to your site, never do it without a bit of thought. You will want to make sure you know and trust that person, or that they are part of a reputable WordPress business or vendor. Handing over those keys can be scary so make sure you are prepared.
We are often quick to post a problem somewhere, say like Facebook. Someone you don’t know comes in, with a friendly face and offers to help you for free. It’s tempting, right? But as much as I am an optimistic person and believe that most people can be trusted, well, that’s not always true and a lot of damage can be done in a small amount of time. So be careful.
One last tip
When you are giving some access, take the time to back up your site. Don’t assume your host is doing it because you don’t know how long ago it was. Do a manual backup, there and then. And if you are looking for a backup solution, I wrote an article here on backing up your backup and it offers some good ideas for keeping your site backed up.