Can someone overtake my website if I give them temporary WP admin access?


I have just created a Woocommerce website.
I have gone as far as tech support from hosting company and theme developer can go.

I think for the last leg of some web design elements I need to hire a guy from Fiverr. He says he needs admin access to the website to do the work.

After combing the net I've learned that this might be required as part of the job and I can achieve this by creating a temporary user with admin rights.

I will also create a backup copy of my website before I give him any access to do what he needs to do.

My questions are:
1. Can he delete ME (like I will delete him after the work is done) and thus taking over my entire website?

2. Can he change his own password or do something that might disable/prevent me from deleting him?

16 Comments
  1. I would rather create a staging site (we have it inside our SiteGround hosting, check out if you have it in yours), and when he is done you can “push” those changes to live site, if that would be something acceptable.

    Also, I would monitor each and every step that he does on either a production site or staging site, via some [activity log plugins](https://wordpress.org/plugins/wp-security-audit-log/), with alerts, so you can “see” ASAP if he does something you don’t like in the dashboard, or something suspicious, and react properly and in time.

  2. >He says he needs admin access to the website to do the work.

    This is probably true. We require admin access for every site we work on.

    >I need to hire a guy from Fiverr

    This is probably a bad idea. Good luck.

    >1. Can he delete ME (like I will delete him after the work is done) and thus taking over my entire website?

    Yes. Anyone with an admin account can do this.

    Ideally, you should do a couple of things to protect yourself.

    1. Get a backup before you add any new admin you haven’t worked with before.

    2. Use a staging environment so you don’t have to make use of your backup. Worst case scenario, you just push the old site to staging if the wheels fall off.

  3. It doesn’t matter as long as you have access to a domain and hosting environment.

    He can delete posts, pages and make any other possible changes inside the WordPress environment.

    But he can never take over the website or own it as long as you have access to hosting and domain.

    You can anytime get access to your WordPress site if you have access to hosting where WP is hosted.

    So even if he deletes you it doesn’t matter.

  4. Other answers are good but this is a good moment to also highlight that your risk of having a rogue freelance developer take over your site and lock you out becomes exponentially higher the lower your budget is.

  5. 1. Yes, he totally can but if you have a backup you’ll be fine in case the unthinkable happens
    2. It’s very common to give temporary access to devs. You just have to choose very carefully who you give access to

  6. Yes they can totally take over and delete your account if they have full admin access.

    1. I would only give them admin access to the WP website (not your hosting area) — so in case they do something shady, you can always recover your account.

    2. I would recommend [installing an Activity Log plugin](https://www.wpbeginner.com/plugins/how-to-monitor-user-activity-in-wordpress-with-simple-history/), so you can keep track of what they’re doing.

    3. Make a full backup of your website using a plugin like Duplicator or Updraft (just in case).

    4. Once their job is done, I would recommend immediately removing their access or downgrading their privileges to Subscriber level.

    5. I would run a Wordfence or similar type of scan on your site to ensure they didn’t hide malicious code somewhere.

    With the above said, my general rule of thumb is only give access to folks that you can trust. Make sure this vendor you’re working with has good ratings etc.

  7. If you own the hosting, you have ultimate control. While someone with full WordPress admin access can delete your account or make damaging changes (like installing malicious plugins or altering settings), you can always regain control through your hosting panel. Worst case, they could delete your account or break the site, but you can create a new admin via phpMyAdmin or restore from a backup. To stay safe, backup your site, monitor their activity, and remove access once their work is done. I hope this helps!

  8. This community has been amazing in covering all aspects of my concerns.

    I’ve contacted my hosting company and now I have a staging website. So my plan of action is going to be:

    1. Already have installed two plugins to monitor website activity.

    2. I’ve synced my production site to the staging site.

    3. I’ve created full website backup (downloaded a local copy as well).

    4. Will create admin login for the developer on staging website.

    5. Once satisfied that the work is over, and without any incident, which is how I hope it will be, I’ll delete his account from the staging website.

    6. Scan the staging website for any nefarious injections. This developer has pretty good reputation on Fiverr so all should be well.

    7. Push staging website to production.

    Sound plan?
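A check that fits between steps 5 and 7 of the plan above: list every account that still holds an elevated role on staging, since a staging push usually copies the database, accounts included. This is an added example, not part of the original post; the file name `audit-admins.php`, the `owner-login` placeholder and the 14-day window are assumptions.

```php
<?php
// Usage, from the WordPress root of the staging site over SSH:
//   wp eval-file audit-admins.php

// Assumption: logins that are supposed to hold an elevated role (placeholder).
$expected_admins = array( 'owner-login' );
// Assumption: the engagement lasted no longer than 14 days.
$window_start = strtotime( '-14 days' );

/**
 * Return one finding per administrator or WooCommerce shop_manager account
 * that is unexpected or was registered while the contractor had access.
 */
function audit_privileged_users( array $expected, $window_start ) {
	$findings = array();
	$users    = get_users(
		array( 'role__in' => array( 'administrator', 'shop_manager' ) )
	);
	foreach ( $users as $user ) {
		$reasons = array();
		if ( ! in_array( $user->user_login, $expected, true ) ) {
			$reasons[] = 'not on the expected list';
		}
		// user_registered is stored as a UTC "Y-m-d H:i:s" string.
		if ( strtotime( $user->user_registered . ' UTC' ) >= $window_start ) {
			$reasons[] = 'registered during the engagement';
		}
		if ( $reasons ) {
			$findings[] = sprintf(
				'%s <%s> [%s]: %s',
				$user->user_login,
				$user->user_email,
				implode( ',', $user->roles ),
				implode( '; ', $reasons )
			);
		}
	}
	return $findings;
}

$findings = audit_privileged_users( $expected_admins, $window_start );
foreach ( $findings as $line ) {
	WP_CLI::warning( $line );
}
if ( ! $findings ) {
	WP_CLI::success( 'Only expected accounts hold administrator or shop_manager.' );
}
```

Run it after deleting the developer's account: a clean result means only the listed logins remain privileged, and any warning is something to resolve before pushing to production.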

  9. To address your concerns:

    1. Can he delete you and take over the site?

    Technically, yes, since admin users have full control, an admin could delete other admins. To avoid this risk, you can limit his access by creating a temporary user with limited rights or revoke admin access once the job is done.

    2. Can he change his password or prevent deletion?

    Yes, as an admin, he could change his password, but he can’t prevent you from deleting him, as long as you remain an admin. Once his work is done, remove his access promptly.

    Always take a full backup before granting admin access to ensure safety.

  10. So I know this wasn’t the question exactly as it was asked but…yes, an admin user *can* wreak havoc…and good backups can save your site, but no amount of backups save your money and sanity. An alternative solution is DO NOT hire someone on Fiverr that this is a concern in the first place. No matter what precautions you take, and you should still take proper precautions, do not give someone access without full confidence. Fiverr work sucks anyway.

    Hire someone reputable, not a rando you found online. I personally recommend codeable.io for all one-off WP work. I am not affiliated nor am I a codeable dev, but I’ve run an agency for years and used them many times. Your money and security are backed by the supplier, so there’s insurance. Secondly, they pay well and it’s relatively difficult to become one of their devs, so there’s a certain level of oversight in that respect and they have no incentive to fuck around. It seems more expensive at first, but trust me it’s usually *cheaper* to go this route, after you account for headache, botched work, and revision requests.

  11. Clearly you need to consider how much access they need. I would be using a role plugin like User Role Editor and creating a new role for them. You can then choose exactly what access levels they need – do they need access to Users? No – then disable access to users. Disable access to ‘delete_***’ so they cannot remove anything etc.

    I have been doing this game too long to trust anyone – occasionally don’t even trust myself. Haha. Only give access to that which someone needs!

  12. How much vetting can you do on the Fiverr guy? Enough to make you feel comfortable with admin access to your site? I am not familiar with Fiverr, but does he have a rating? References? Is he located in Nigeria?

  13. You can clone your admin role and strip it of any important things like changing permissions, etc. Just use one of the top apps.
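The restricted-role approach from comments 11 and 13, written as a small plugin instead of a role-editor UI. This is an added example, not code from the thread or from User Role Editor; the slug `temp_contractor`, the display name and the denied list are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Temporary Contractor Role (illustrative)
 *
 * Assumptions: the slug "temp_contractor", the display name and the denied
 * list are hypothetical choices for this example.
 */

// Capabilities withheld from the contractor: account management, plus the
// ones that let a user install or edit PHP on the site.
const TEMP_CONTRACTOR_DENIED = array(
	'list_users', 'create_users', 'edit_users', 'promote_users', 'remove_users',
	'install_plugins', 'upload_plugins', 'edit_plugins', 'update_plugins',
	'install_themes', 'upload_themes', 'edit_themes', 'update_themes',
	'edit_files', 'update_core',
);

function temp_contractor_register_role() {
	$admin = get_role( 'administrator' );
	if ( null === $admin ) {
		return;
	}
	$caps = array();
	foreach ( $admin->capabilities as $cap => $granted ) {
		// Comment 11's rule: drop every delete_* capability as well
		// (this also covers delete_users, delete_plugins, delete_themes).
		$denied = in_array( $cap, TEMP_CONTRACTOR_DENIED, true )
			|| 0 === strpos( $cap, 'delete_' );
		if ( $granted && ! $denied ) {
			$caps[ $cap ] = true;
		}
	}
	remove_role( 'temp_contractor' ); // rebuild so list changes take effect
	add_role( 'temp_contractor', 'Temporary Contractor', $caps );
}
register_activation_hook( __FILE__, 'temp_contractor_register_role' );

// Deactivating the plugin removes the role; any account still assigned to
// it is left with no capabilities until it is given another role.
function temp_contractor_remove_role() {
	remove_role( 'temp_contractor' );
}
register_deactivation_hook( __FILE__, 'temp_contractor_remove_role' );
```

Because the role is cloned from `administrator`, WooCommerce capabilities carry over apart from the `delete_*` ones. `manage_options` and `edit_theme_options` are left in so settings and Customizer work stays possible; drop `manage_options` too if the job does not need settings pages.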

 
