Whether you’re getting support for an issue or bringing on a new developer, there comes a time when you’ll need to give a developer access to your website. But you need to figure out how to do this without compromising your site’s security.
Bad practices like giving developers your admin username and your own password are prevalent and can result in major security issues. On the other hand, most developers just want to do their job without jumping through hoops.
There’s a right and a wrong way to give developers access to WordPress, and we want to help you do it right. This article will walk you through how to give developers access to WordPress efficiently and safely.
Why secure access is important
There are many times that you may need to give a developer access to WordPress. Maybe you’ve run into a serious issue and need a developer to debug your WordPress site. Maybe you’ve contracted a temporary developer to add a particular feature or you’re bringing someone on full-time.
Whatever the case, you now need to give someone, more than likely a stranger, admin access to your WordPress site. This comes with a number of risks, including:
- Leaking usernames or passwords when giving the developer access to their account
- Data privacy concerns related to the developer’s access to data
- Accidental breaking or unauthorized changes made by the developer
- Malicious intent (although rare)
- Security vulnerabilities introduced by custom code
- Non-compliance with regulations due to changes made by the developer
You need to take the proper precautions to protect your website and your admin account.
Some of these precautions include giving the developer their own account, which you can block or revoke if needed. It also means giving them access to their account in a secure way, and not just emailing them a username and password.
On the other hand, being too strict and not providing the proper permissions will just make the developer’s life harder. You’ll need to strike a balance – and that’s exactly what we’ll help you do in this post.
The do’s of WordPress developer access
Before we go into some of the suggested ways to give developers access to WordPress safely, there are a few best practices you should follow. Here are some key things you should always do:
- Create a new user account – One thing you definitely should not do is give developers access to your main admin account. Developers, temporary or permanent, should always have their own account.
- Force first-time login password change – By forcing the developer to set a new password when first logging into their account, you ensure that the initial password shared with the developer can’t be used by a bad actor to log in.
- Use secure communication channels – Be wary when sending out account credentials over insecure channels. These can be intercepted by third parties.
- Set limits on access – If you’re giving a developer temporary access, remember to close the account once they’re finished. You can also use things like geo-blocking and limiting user login IP addresses to further improve your login security. This has various benefits, including added protection against brute force attacks.
- Log actions taken by the developer – By logging changes made by the developer, you can check for everything ranging from potential compliance issues introduced to causes of bugs or plugin conflicts.
- Audit new code and plugins – If a developer adds custom code to your site or installs plugins from outside the official WordPress repository, it’s worth having someone look over the code to make sure it’s written securely and there’s nothing unwanted hidden inside.
How to safely give a developer access to WordPress
When you’re granting a developer access to your website, they’ll more than likely need to be given admin privileges to be able to do their job properly. This gives them full access to your website and the ability to make sensitive changes, so you should be very careful and follow the principle of least privilege.
These methods will ensure that your site remains secure while allowing your developer the necessary permissions to do their work.
Create dedicated user accounts
Rather than handing over your own account’s password, the best thing to do is create a new user account for your developer. This ensures they’re given the necessary permissions to do their work, and that their activities can be monitored.
1: In the WordPress dashboard, head to Users > Add New User.
2: Fill in all the necessary details, and select the Administrator role – most other roles are too restricted for developers to do their job, but you can check WordPress’ documentation on roles and capabilities.
3: Send the developer their username and password over a secure channel, or tick the Send User Notification box so they’re automatically notified.
Tip: You can use Melapress Login Security to force the developer to change their password on the initial login.
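If you would rather enforce the first-login password change without a plugin, the following is an added example (not Melapress code and not part of the original post) of a small must-use plugin that does it. The developer account is created with a random one-time password, the account is flagged in user meta, and every admin page redirects to the profile page until a new password has been saved. The role slug `site_developer`, the meta key and the function names are placeholders; it assumes WordPress 5.8 or later, where the `profile_update` action passes the submitted user data as its third argument.

```php
<?php
/**
 * Plugin Name: First-Login Password Change (added example, not Melapress code)
 * Description: Forces a newly created developer account to pick a new password before doing anything else.
 */

// Placeholder meta key marking accounts that still use their initial password.
const EXAMPLE_PW_RESET_META = '_example_must_change_password';

/**
 * Create the developer account with a random one-time password and flag it.
 * Returns the user id and the initial password so the caller can hand the
 * password over out of band, through a secure channel, never by plain e-mail.
 */
function example_create_developer( string $login, string $email, string $role = 'site_developer' ): array {
    $initial = wp_generate_password( 24, true, true ); // random, used exactly once
    $user_id = wp_insert_user( [
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $initial,
        'role'       => $role,
    ] );
    if ( is_wp_error( $user_id ) ) {
        wp_die( $user_id );
    }
    update_user_meta( $user_id, EXAMPLE_PW_RESET_META, 1 );
    return [ 'id' => $user_id, 'initial_password' => $initial ];
}

/**
 * While the flag is set, every admin request except the profile page is
 * redirected to the profile page, so the first thing the developer can do is
 * set their own password.
 */
function example_force_password_change(): void {
    $user_id = get_current_user_id();
    if ( ! $user_id || wp_doing_ajax() || ! get_user_meta( $user_id, EXAMPLE_PW_RESET_META, true ) ) {
        return;
    }
    global $pagenow;
    if ( 'profile.php' !== $pagenow ) {
        wp_safe_redirect( admin_url( 'profile.php' ) );
        exit;
    }
}
add_action( 'admin_init', 'example_force_password_change' );

// Clear the flag only once a new password has actually been saved from the
// profile page (user_pass is present in $userdata only when it was changed).
add_action( 'profile_update', function ( int $user_id, $old_user_data, array $userdata ): void {
    if ( ! empty( $userdata['user_pass'] ) ) {
        delete_user_meta( $user_id, EXAMPLE_PW_RESET_META );
    }
}, 10, 3 );

// Also clear it when the password is changed through the lost-password flow.
add_action( 'after_password_reset', function ( WP_User $user ): void {
    delete_user_meta( $user->ID, EXAMPLE_PW_RESET_META );
}, 10, 1 );
```

Because the initial password is random and becomes unusable as soon as the developer logs in once, an intercepted copy of it is worth very little to anyone who reads it later. The flag lives in user meta, so you can also see at a glance (Users > All Users > edit) which developer accounts have not yet completed their first login.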
You may wish to use a User Role Editor plugin to create a custom role and remove some unnecessary permissions.
1: Install User Role Editor through Plugins > Add New.
2: Navigate to Users > User Role Editor. Click Add Role in the right bar and create a new role for developers.
3: Assign capabilities based on what the developer needs to do their job. Withhold capabilities that are unnecessary for the work they were hired for, such as creating new users, deleting pages, editing blog posts, or publishing pages.
4: Go back to Users > All Users and click to Edit the developer account you created. Scroll to Role and set it to the new role you created.
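The same custom role can be defined in code, which is easier to review and to reproduce on a staging site than clicking through a role editor. The following is an added example (not part of the original post and not User Role Editor's code): a must-use plugin that clones the Administrator role into a `site_developer` role and withholds a handful of capabilities. The role slug and the list of withheld capabilities are illustrative choices; adjust them to the engagement.

```php
<?php
/**
 * Plugin Name: Developer Role (added example)
 * Description: Registers a "Developer" role cloned from Administrator, minus capabilities the developer does not need.
 */

/**
 * Capabilities withheld from the developer role. This list (user management and
 * page deletion/publishing) is an illustration; keep what the job requires.
 * Withholding create_users/promote_users in particular means a compromised
 * developer account cannot quietly add a second administrator.
 */
function example_dev_role_withheld_caps(): array {
    return [
        'create_users', 'delete_users', 'edit_users', 'promote_users', 'remove_users',
        'delete_pages', 'delete_published_pages', 'delete_others_pages', 'delete_private_pages',
        'publish_pages',
    ];
}

/**
 * Build the capability map for the developer role from the live Administrator role,
 * so it automatically picks up capabilities that plugins have added to administrators.
 */
function example_dev_role_caps(): array {
    $admin = get_role( 'administrator' );
    if ( ! $admin ) {
        return [];
    }
    $caps = $admin->capabilities;
    foreach ( example_dev_role_withheld_caps() as $cap ) {
        unset( $caps[ $cap ] );
    }
    return $caps;
}

/**
 * Register the role once. WordPress stores roles in the wp_user_roles option,
 * so the role persists in the database even if this file is later removed;
 * delete it explicitly with remove_role( 'site_developer' ) when no longer needed.
 */
function example_register_dev_role(): void {
    if ( get_role( 'site_developer' ) ) {
        return; // already present; do not overwrite manual adjustments
    }
    $caps = example_dev_role_caps();
    if ( $caps ) {
        add_role( 'site_developer', 'Developer', $caps );
    }
}
add_action( 'init', 'example_register_dev_role' );
```

One caveat a reviewer of any custom role should keep in mind: trimming capabilities is not a hard boundary for a developer who keeps `install_plugins`, `edit_plugins` or `edit_themes`, because anyone who can upload or edit PHP on the site can execute whatever they like. That is why the article's advice to audit new code, work on a staging copy and keep an activity log still applies with a reduced role.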
Secure the account
Another good practice is to add login security features to your site, like setting strict password policies or password expiration. With Melapress Login Security, you can tailor your login security policies to specific roles.
1: Install Melapress Login Security from Plugins > Add New or purchase the premium version.
2: Navigate to Login Security > Login Security Policies and tick Enable login security policies.
3: Configure your site-wide policies (applies to all users, including your admin account) as you wish.
4: Hover the Role-based policies tab and select your custom developer role.
5: Untick Inherit login security policies. Now set the developer role’s custom policies. You may wish to be stricter here than in your site-wide policies: set a password expiration policy, restrict IP addresses, or restrict user login times to your working days.
One policy feature worth pointing out is the login IP limit. Here, you can restrict the number of IPs the developers (or anyone else) can log in from. Should the user try to log in from a different IP, they will receive an error message.
IPs can easily be reset through the user account page, ensuring work can go ahead after getting the all-clear.
Creating a dedicated FTP account
Finally, you should also create a dedicated FTP account for your developer if they’ll need to access your WordPress website files. You’ll need to access your hosting control panel; we’ll use cPanel for this example.
1: Log in to cPanel and scroll down to FTP Accounts.
2: Create a new FTP account for your developer. To limit the files the developer can reach, set the account’s Directory to your WordPress root or to a specific subdirectory.
3: Send FTP account credentials to the developer through a secure connection.
With isolated accounts, you can keep a close eye on your developer’s actions.
WordPress developer access best practices
You now know the steps for providing developers access to your WordPress site, but there are still some important best practices to cover. Stick to these tips before giving anyone you don’t know admin rights.
Hire trustworthy developers
It’s important to hire skilled developers you can trust. Dedicated platforms like Upwork can track developer references and ratings, or you can search on LinkedIn or other WordPress platforms.
Reliable developers often have a professional website and a portfolio showcasing their previous work, as well as a large contact and client base that can serve as references.
Good developers will automatically follow most login security best practices and you have a far lower risk of them introducing buggy code or having any kind of malicious intent. They’re experienced and know how to work on a site securely.
Back up your website
One of the most important things you can do to minimize potential damage is to back up your website right before you hand over access to a developer. This way, if something goes wrong, you can just roll back your website to a working version.
Your website host may come with their own manual backup solution, so check your hosting dashboard. Otherwise, you can use a WordPress plugin to create a manual backup.
Create a staging site
Besides creating a backup, it’s also good practice to create a staging site. This creates a copy of your site that developers can work on without affecting your live website.
A staging site prevents disruptions on your live site should some new code go awry, and allows you to thoroughly test and review any new changes before they go live in case of unexpected or hidden errors.
Once the developer is finished, you can review the changes and port them to your live site.
Your hosting provider may have a built-in way to create staging sites in their dashboard, or you can install a plugin like WP Staging.
1: Install WP Staging from Plugins > Add New.
2: From WP Staging > Staging Sites, click Create Staging Site. Enter the necessary info then click Start Cloning.
3: Click Open Staging Site; you can then send developers there to work.
Use login restrictions
It’s a good idea to restrict developer user accounts. For example, does your developer need 24/7 access to your website, or should they only be working Monday to Friday during the day? Should their passwords expire periodically?
Above, we showed you how to set up Melapress Login Security and create role-based policies. Here are some policies you may wish to implement.
1: Password policies – Set strict password requirements, ensuring that developer accounts with admin access can’t be easily breached.
2: Password expiration – If you’re bringing on a developer long-term, consider having their password expire. This reduces the impact of any account breaches or leaks.
3: Reset password on first login – Similarly, you can force them to create a new password when they log in, so if the email with their initial password is leaked, no one will be able to get in.
4: Failed login policies – Deactivate accounts after a certain number of failed logins, preventing brute force attacks.
5: Restrict user login times – Only allow developers to log in during normal working hours.
6: Limit IP addresses – Only allow developers to log in from known IP addresses, preventing account breaches.
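The two policies that need no password data to evaluate, the login IP limit described in the Melapress Login Security section and the login-time restriction listed here, can also be enforced with a few lines in a must-use plugin. The following is an added example (not part of the original post and not Melapress code) hooking WordPress's `authenticate` filter for one role. The role slug `site_developer`, the allowed addresses (RFC 5737 documentation addresses) and the working-hours window are placeholders; the policy check is kept as a pure function so it can be tested without a running site.

```php
<?php
/**
 * Plugin Name: Developer Login Restrictions (added example)
 * Description: Rejects logins for the developer role from unknown IPs or outside working hours.
 */

// Placeholders: the role this policy applies to, the allowed source IPs,
// the allowed ISO weekdays (Monday = 1 ... Sunday = 7) and the hour window.
const EXAMPLE_DEV_ROLE        = 'site_developer';
const EXAMPLE_DEV_ALLOWED_IPS = [ '203.0.113.10', '203.0.113.11' ]; // constructed sample values
const EXAMPLE_DEV_DAYS        = [ 1, 2, 3, 4, 5 ];
const EXAMPLE_DEV_HOURS       = [ 8, 18 ]; // from 08:00 up to, not including, 18:00 site time

/**
 * Pure policy check: is a login from $ip at $when allowed?
 * Separated from the hook so it can be reasoned about and unit-tested on its own.
 */
function example_dev_login_allowed( string $ip, DateTimeInterface $when, array $allowed_ips, array $days, array $hours ): bool {
    if ( ! in_array( $ip, $allowed_ips, true ) ) {
        return false;
    }
    $weekday = (int) $when->format( 'N' ); // 1 (Mon) .. 7 (Sun)
    $hour    = (int) $when->format( 'G' ); // 0 .. 23
    return in_array( $weekday, $days, true ) && $hour >= $hours[0] && $hour < $hours[1];
}

/**
 * Runs late in the authenticate chain (priority 99), after the username/password
 * checks, so a rejected login does not tell the caller whether the credentials
 * were valid. Non-developer accounts and earlier errors pass through untouched.
 */
function example_restrict_dev_login( $user ) {
    if ( ! $user instanceof WP_User || ! in_array( EXAMPLE_DEV_ROLE, (array) $user->roles, true ) ) {
        return $user;
    }
    // REMOTE_ADDR is the address the web server saw. Behind a proxy or CDN, derive the
    // real client address from the proxy's trusted header here; X-Forwarded-For as sent
    // by an arbitrary client is attacker-controlled and must not be used as-is.
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    $now = new DateTimeImmutable( 'now', wp_timezone() );
    if ( ! example_dev_login_allowed( $ip, $now, EXAMPLE_DEV_ALLOWED_IPS, EXAMPLE_DEV_DAYS, EXAMPLE_DEV_HOURS ) ) {
        error_log( sprintf( 'Blocked developer login for %s from %s at %s', $user->user_login, $ip, $now->format( DATE_ATOM ) ) );
        return new WP_Error( 'dev_login_restricted', __( 'Logins for this account are restricted by IP address and working hours.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'example_restrict_dev_login', 99, 1 );
```

The blocked attempt is written to the PHP error log with the account name, source address and time, which is exactly the signal you want to see when a developer's credentials are tried from somewhere they should not be. If the developer's address changes legitimately, update the allowlist rather than removing the check.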
Set up audit logs
Even if you hire a trustworthy developer with plenty of references, keeping an eye on their actions is just best practice. If anything does go wrong, you’ll be able to easily track down the cause of the issue, see what changes were made, and revert them.
For this, you’ll need an activity log plugin like WP Activity Log.
1: From Plugins > Add New, install WP Activity Log, or install the premium version after purchasing it from Melapress.
2: In WP Activity Log > Log Viewer, click Filter View at the top and type in the developer account’s username. Or just keep an eye on any critical-severity log entries.
3: In WP Activity Log > Reports, you can generate a full report of a particular user’s actions rather than needing to filter the list of all actions. Filter by a specific User and anything else you wish to filter by, then click Generate Report. You’ll find your new report in the Generated & saved reports tab.
4: Optionally, set up notifications in WP Activity Log > Email & SMS Notifications. This will alert you of any dangerous actions the developer might take, or just send you a summary of their actions each day.
Also, consider installing Melapress File Monitor to track specifically how your website files are being modified.
1: Install Melapress File Monitor in Plugins > Add New. Follow the setup wizard prompts.
2: Check the new File Monitoring section periodically for any sign of changed files.
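To show what an activity log captures and how you filter it down to one account, here is an added example (not part of the original post and not WP Activity Log or Melapress File Monitor code) of a minimal must-use plugin that appends high-impact WordPress events to a JSON-lines file and a helper that pulls out one user's entries. The log path is a placeholder; it assumes PHP 7.4 or later for the arrow functions and a directory outside the web root that the PHP process can write to.

```php
<?php
/**
 * Plugin Name: Developer Action Log (added example)
 * Description: Appends high-impact events to a JSON-lines file so one account's actions can be reviewed.
 */

// Placeholder path. Keep the log outside the web root so it cannot be fetched over HTTP.
const EXAMPLE_AUDIT_LOG = '/var/log/wordpress/dev-actions.jsonl';

/**
 * Append one entry. $details may override the defaults (used for wp_login,
 * where the current user is not yet set when the action fires).
 */
function example_audit( string $event, array $details = [] ): void {
    $user  = wp_get_current_user();
    $entry = array_merge( [
        'time'  => gmdate( DATE_ATOM ),
        'user'  => $user->exists() ? $user->user_login : 'anonymous',
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
        'event' => $event,
    ], $details );
    // LOCK_EX so concurrent requests do not interleave partial lines.
    file_put_contents( EXAMPLE_AUDIT_LOG, wp_json_encode( $entry ) . "\n", FILE_APPEND | LOCK_EX );
}

// Events a developer triggers legitimately but that also mark the usual
// post-compromise steps, so each one deserves a line you can review later.
add_action( 'activated_plugin', fn( $plugin ) => example_audit( 'plugin_activated', [ 'plugin' => $plugin ] ) );
add_action( 'deactivated_plugin', fn( $plugin ) => example_audit( 'plugin_deactivated', [ 'plugin' => $plugin ] ) );
add_action( 'switch_theme', fn( $new_name ) => example_audit( 'theme_switched', [ 'theme' => $new_name ] ) );
add_action( 'user_register', fn( $user_id ) => example_audit( 'user_created', [ 'new_user_id' => $user_id ] ) );
add_action( 'set_user_role', fn( $user_id, $role, $old_roles ) => example_audit( 'role_changed', [
    'target_user_id' => $user_id,
    'from'           => $old_roles,
    'to'             => $role,
] ), 10, 3 );
add_action( 'wp_login', fn( $login ) => example_audit( 'login', [ 'user' => $login ] ) );

/**
 * Review helper: all entries recorded for one account, oldest first.
 * Malformed lines are skipped rather than aborting the review.
 */
function example_audit_entries_for( string $user_login, string $path = EXAMPLE_AUDIT_LOG ): array {
    if ( ! is_readable( $path ) ) {
        return [];
    }
    $entries = [];
    foreach ( file( $path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) as $line ) {
        $entry = json_decode( $line, true );
        if ( is_array( $entry ) && ( $entry['user'] ?? '' ) === $user_login ) {
            $entries[] = $entry;
        }
    }
    return $entries;
}
```

A dedicated plugin such as WP Activity Log covers far more events, keeps the log in the database with a viewer and reports, and can alert you; the point of the example is the shape of the data. Each line carries who, from where, when and what, which is what you need when you later have to trace a broken page or an unexpected new administrator back to a specific action. Because every developer has their own account, filtering on `user` isolates their activity from yours.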
Remove access when no longer needed
Once your developer has completed their work, you should promptly remove access to any user accounts and FTP accounts they were using. This way, no one else can break into these high-privilege accounts to use them for their own nefarious purposes.
1: Navigate to Users > All Users. Click Delete below the temporary developer account.
2: Alternatively, if you want to keep the account, open it with Edit, scroll to New Password and set a new one so the credentials the developer used no longer work.
3: Log in to your hosting panel (cPanel in this example). Scroll down to FTP Accounts and open it. Locate the developer FTP account you created and click Change Password or Delete.
Safe and secure developer access
Granting your developer access to WordPress doesn’t have to be a security risk. Best practices like backing up your website, using temporary login plugins, removing unused accounts, and setting up audit logs can all ensure your site stays safe and secure even if you do run into issues.
Installing security plugins like WP Activity Log and Melapress File Monitor can help you keep an eye on developers as they do their work. You can keep your site safe and look out for unwanted changes while giving developers space to do their work efficiently.