Should I give my web developer my username and password? On the surface of it, this seems like quite the quandary.
After all, how will your developer be able to make changes to your site if they do not have the login details? But, on the other hand, how can you be confident that you’re not exposing your site to unnecessary risk?
The answer is deceptively simple – WordPress allows you to create new accounts for anyone who needs access to the admin backend of your site. For added security, it even lets them set their own password.
Never grant admin access to anybody who you don’t know or trust.
Whilst sharing passwords is an absolute no-no, granting any form of access to your website without first making sure the recipient is genuine and trustworthy is equally dangerous.
Sharing is not always a good thing
At some point or other you’ve probably been lectured about the importance of not sharing login details. But as is often the case with computer security, convenience all too often wins out over best practice.
This is all well and good, until your website gets hacked. Cleaning up after a malicious actor takes a lot of time and money that could be better invested elsewhere. That’s why we like to be proactive about security at the eggcup breakfast bar!
The good news is there’s no need to give in to the temptation of convenience. I’m going to walk you through a solution that is almost as simple as sharing your own login details, but much more secure. And better yet, it’ll only take a couple of minutes, I promise!
How do I give someone access to my WordPress site?
Time needed: 2 minutes
Learn how to grant admin access to your website securely and without sharing login details with anybody else!
- Log in to your admin dashboard
Go to example.com/wp-admin/ (replace ‘example.com’ with your own website domain). Log in using your administrator account. If you don’t have an admin login yourself, contact the person who set up your website.
- Add a new user
Once logged in, go to ‘Users’ → ‘Add new’ in the sidebar menu.
- Enter a username for the new user
If you’re granting me access to your site, enter the username as ‘ipegg’ (without the inverted commas). Otherwise use the name of your developer – natch! Once set, the username cannot be changed, so don’t use their email address.
- Enter an email address
Again, if granting me access, enter the email address you’ve been using to correspond with me. Otherwise use your developer’s email address.
- Important! Check a checkbox
Make sure ‘Send user notification’ is checked. Otherwise, I won’t know that I’ve been granted access to your site (unless you tell me and send me my details manually, which kinda defeats the whole purpose of this tutorial!).
- Important! Grant admin access
In the ‘Role’ dropdown menu, be sure to change the role to ‘Administrator’. I can’t work my magic without an admin account!
- Create the new user account
Hit ‘Add new user’. I will then get an email about my shiny new account and will be able to securely set my own password.
- Congratulations!
You’ve just granted your developer administrator access to your site without having to insecurely email your login details. This approach also carries the considerable benefit that you can revoke access to your site at any time by simply removing the account you just created.
User accounts should always be named after an actual person, rather than using generic names such as ‘eggcupweb’.
The idea is to discourage people from sharing logins, which is bad form, old chap! This approach also makes it easier to keep an audit trail so that we know precisely who’s doing what on your website.
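For sites managed from a terminal, the same grant, review and revoke cycle can be scripted. This is an added example, not part of the original post: it assumes WP-CLI (`wp`) is installed and run from the WordPress root, and the function names and the list of generic logins (apart from ‘eggcupweb’) are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example: WP-CLI equivalent of the dashboard steps above.
# Assumes WP-CLI ("wp") is installed and run from the WordPress root.

# Names treated as shared/generic logins. 'eggcupweb' is the page's example;
# the others are assumptions added for illustration.
GENERIC_LOGINS="admin administrator webmaster developer support eggcupweb"

# check_login LOGIN: return 0 if LOGIN suits a personal account, 1 otherwise.
check_login() {
  login=$1
  [ -n "$login" ] || { echo "login is empty" >&2; return 1; }
  case $login in
    *@*) echo "login looks like an email address; it cannot be changed later" >&2
         return 1 ;;
  esac
  for g in $GENERIC_LOGINS; do
    if [ "$login" = "$g" ]; then
      echo "login '$login' is generic; name the account after a person" >&2
      return 1
    fi
  done
  return 0
}

# grant_admin LOGIN EMAIL: create a named Administrator and send the
# notification email so the developer sets their own password.
grant_admin() {
  check_login "$1" || return 1
  wp user create "$1" "$2" --role=administrator --send-email
}

# list_admins: review who currently holds the Administrator role.
list_admins() {
  wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
}

# revoke_admin LOGIN KEEPER_ID: delete the account once the work is done,
# reassigning any content it owns to the user with ID KEEPER_ID.
revoke_admin() {
  wp user delete "$1" --reassign="$2" --yes
}
```

Running `list_admins` after each engagement shows any developer account that was never removed.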
What are the risks of sharing passwords?
As a rule of thumb, most people share their logins using email. Problem is, email is not secure. It never has been and quite possibly never will be. Transmitting sensitive information via email is therefore rather risky.
As soon as you email somebody else your password, there is the danger it could be intercepted on the way. There are also now two copies of your password in two separate places. Wherever there is a copy of your password there is a place where it can be stolen from.
Even if you had the perfect technical security measures in place, there is still the human element to consider. Can you trust the recipient not to share your login details with anybody else?
These dangers are magnified further if you’re in the habit of reusing passwords across different accounts. By sharing your website login you could also unintentionally be sharing access to other platforms too.
Conclusion
Once you’ve set the precedent to share passwords, you’ve lost control over the security of your website. Learning how to safely grant access to your WordPress site isn’t going to fix all potential security problems within your business, but it’s a step in the right direction.
If your WordPress isn’t behaving, or if you’re concerned about the security of your site, hit the button below and we’ll arrange a consultation.