I’m looking at taking on a new developer for my small business. I would like to grant them access to the site to see what plugins are there, what configuration there is etc but *without the ability to change anything*.
I would like them to see the current setup, to enable them to analyse and quote for work, but as we don’t have a contract in place yet, or have agreed a price, I do not want to give them the ability to change anything. I trust them enough to give them access to see everything that’s running (small security risk, I know), and do trust them but would rather not give full admin access before getting a contract and agreeing terms etc. I’d be happy with them seeing pretty much everything, I just feel that seeing what is running would enable us both to go into an agreement with eyes open.
Thanks for any advice.
Development is their job, they’re not going to do anything to ruin their own business by sabotaging your website.
Just give developers full access, so they can do their job. If you trust them, what’s the issue? If you don’t trust them, then perhaps you shouldn’t be using them as a developer…
Depends why you want to do this. If you want to prevent the site from getting screwed up, make a full site backup first or set up a staging site that is a copy of the main site where you don’t have to worry about them screwing anything up.
Another option is to take screenshots of your list of plugins and versions, your theme and version, WP version. Or do a screenshare with them where you control the mouse and they tell you what they want to look at.
It is possible to create custom user roles with custom capabilities, but it may require custom coding and may not give you the level of fine-grained access control you would need to achieve this. WordPress’s user roles and capabilities system is pretty underdeveloped compared to other CMSs.
You can create a Staging site that is a clone but wholly independent of your production site.
Then give them the keys to the Staging Kingdom.
Else, there are ways to create custom roles via dev or plugins such as PublishPress.
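As an added example (my own code, not from anyone in this thread or from the PublishPress project), this is the kind of custom role the two comments above refer to: a WordPress must-use plugin that registers a hypothetical `site_auditor` role which can open the Plugins screen but cannot activate, deactivate, install, update or delete anything there. The role name, plugin header and file location are assumptions; the capability names and the `map_meta_cap` filter are WordPress core.

```php
<?php
/**
 * Plugin Name: Site Auditor Role (example, not a published plugin)
 * Description: Registers a "site_auditor" role that can open the Plugins screen
 *              but cannot activate, deactivate, install, update or delete plugins.
 *              Save as wp-content/mu-plugins/site-auditor-role.php to load it.
 */

// Register the role once. 'activate_plugins' is what WordPress checks just to
// *open* wp-admin/plugins.php, so it has to be granted; the filter further down
// revokes the per-plugin actions that normally come with it.
add_action( 'init', function () {
    if ( null === get_role( 'site_auditor' ) ) {
        add_role(
            'site_auditor',
            'Site Auditor',
            array(
                'read'             => true, // dashboard and own profile
                'activate_plugins' => true, // required to view the plugin list
            )
        );
    }
} );

// Capabilities that would let the auditor change something on the Plugins screen.
// 'activate_plugin' / 'deactivate_plugin' are per-plugin meta capabilities that
// core maps onto 'activate_plugins'; the rest are primitive capabilities checked
// by the install/update/delete/editor screens.
const SITE_AUDITOR_DENIED_CAPS = array(
    'activate_plugin',
    'deactivate_plugin',
    'install_plugins',
    'update_plugins',
    'delete_plugins',
    'edit_plugins',
    'upload_plugins',
);

// map_meta_cap runs for every current_user_can() check. Returning 'do_not_allow'
// makes the check fail no matter which primitive capabilities the role holds.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, SITE_AUDITOR_DENIED_CAPS, true ) ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'site_auditor', (array) $user->roles, true ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 4 );
```

Assign the role from Users → Add New and the auditor sees the plugin names and versions but gets a "Sorry, you are not allowed" error on any action link or bulk action. The limitation the comment above describes is visible straight away: the Settings screens are gated by `manage_options`, which also allows saving, and the Themes screen by `switch_themes` / `edit_theme_options`, so there is no core capability that shows those screens read-only; a capability-editor plugin such as PublishPress lets you build the same role through the UI but cannot get around that either.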
My 2 cents: go the staging route. Nothing more frustrating than not having access to key parts of the site. If I was limited, my estimate would include that fact and that the actual cost could be more once I was given full access.
Also, have the dev work on the Staging site. Do not push data up. Production is the source of data truth.
Just share your screen, or maybe use remote access using TeamViewer or any other software you’re comfortable with.
An analogy. Would you take your car to a garage and then refuse to give the garage your keys or even unlock the car for them?
There are plugins and other tools that allow you to export a “status log” of your WordPress instance with all of the live details like server/PHP version, configuration, plugins, theme, etc.
I would recommend sending that.
They don’t need logins because a “back end” view without a look at the code is almost useless (unless every single option and customization has been click-configured).
I also wouldn’t recommend providing them access to the server because files in the WP root directory contain secrets (db credentials which can allow them to escalate permissions to admin).
If you’ve had a conversation with the developer, thoroughly explained the situation, and they still can’t provide an estimate, that’s a red flag to me.
If the problem is so complicated that they need to triage the problem to see how deep the problem is, you need to understand that you’re likely going to end up in an “open estimate” or “hourly work” type agreement.
The safest method is also one of the most complicated for non-technical users, but is absolutely the safest. As another user said, provide a backup of the site that’s fully sanitized. To do this, you’d need to be familiar enough with the way WordPress works (be a developer yourself) to pull a full backup (files, db), stage it, sanitize it, and then package it. You’d sanitize it by removing all plugins, files, data (customers, orders, API keys, things in the db records) you don’t want them to see or have access to (wp-config.php, .htaccess, php.ini, etc). Additionally, you could stage the backup, create a new admin/password, delete all other users and reassign the content to the new admin, and package the staging db back up.
“BackWPup” is a good free backup plugin that allows you to create a “backup job” where you can remove database tables, files, plugins, themes, from your backups. But you need to ensure wp-core and functionality essential db tables are still included. The passwords in the database are hashed, but if you’re not changing users in the backup, I would change all elevated user account passwords on the live site or ensure you have 2fa enabled on the site for aims.
If after all of that you feel you can’t or don’t want to do the items listed above, you’re going to have to lean in on faith and really make sure this dev is someone you know and trust. I’ve seen jilted developers do things they should be ashamed of after having lost bids or not getting what they want during the process. Most times it was a sole developer who had no business, reputation, or stake to lose (remote, independent contractor, etc). You never know what someone is capable of, and trusting someone implicitly when we have the technology to not have to, is tough for me.
My best recommendation is to find a good (local if possible) agency partner who you can build a relationship with and have them help maintain your site.
1) Take a backup, 2) install the Simple History plugin, 3) give them admin access.
Without admin access, we devs can’t estimate, can’t see theme files, can’t see all posts, pages, etc.
View-only access to the admin area to see the list of plugins means nothing… If that is the only reason, you can list out the plugins and their versions to them. I am sure there will be more they would like to look into.
Edit: to clarify I also mean give them staging access.