If you need to hire a developer, designer or any other type of contractor, there will likely come a point where they need to access your hosting account. If you’re using a control panel that allows multiple account logins, you may be able to create a login with limited access for the contractor to use. If you’re using a control panel like CPanel, which provides only a single login, things can get a little more complicated.
Providing a stranger with your account login has risks, especially when there is live data on the account. If the contractor is someone you’ve only recently met from a site like Elance, Guru, or Freelancer, you should err on the side of caution. This isn’t to say that these developers are bad (I myself can be found on each site). It’s more of a warning to be aware that some lack a moral compass. Doing something damaging to your existing data or outright stealing information is well within the realm of possibility.
So what can you do in order to provide a developer access to your CPanel account? Depending on what the developer needs to do, you may be able to grant access to specific functions.
Create an FTP Account
If the developer needs to access your file system, you can easily create an FTP account in CPanel. We provide a tutorial here which can guide you through the process. Once the account is created, it will give the developer access to the chosen directory (and its subdirectories) so they can work with the files within. Often, this is all that is needed.
Once the developer has finished their work, you can delete the FTP account to remove access.
Install the Application Yourself
If the developer will be using an off-the-shelf piece of software such as WordPress, Joomla, Drupal or Prestashop, they would typically need access to your account in order to set up a database. To avoid giving them access for this task, you can install the software yourself. If you have Softaculous or Fantastico on your CPanel account, you can instantly install any of the applications I’ve mentioned, along with hundreds of others. It will create the file system, database and database user in about one minute.
Some applications require you to manually create a database. Application frameworks like CodeIgniter, CakePHP, and Laravel are codebases that you build on. There is no database until you create one. Fortunately, we also have a tutorial on manually creating a database in CPanel.
Having a new site developed when you have a reseller account is an easy process. Simply create a CPanel account for the developer to use. You can also limit the features of the account, such as removing Email or SSH. Instead of purchasing a domain, you can set up the account using a subdomain of an existing domain. For instance, if you have example.com on your reseller account, you can create this account using the domain dev.example.com.
Once the developer has completed their work, you will have a full working site in a real environment. From there you can back up the account and copy the files into your live location.
If you are a web developer, this is a great way to manage your own development. I frequently create separate CPanel accounts like this because it allows me to work in a live environment without affecting the real website.
What to do after giving a developer your login
In some cases you may have to provide the master login for your account. If that’s the case, there are steps you must take in order to limit the various risks involved.
Make sure you have real contact information for the developer. Get as much information as you can. A single email address will not do it, especially if it’s a Gmail, Yahoo! or other disposable address. At the very least, get a phone number.
Sign a contract. I myself have signed NDAs (non-disclosure agreements), which are used to protect the client. I understand why they are necessary. Some developers like to show off their client list, which is fine. If you are OK with the developer doing so, put that in the NDA, but make sure it contains terms that prevent them from taking or utilizing your data without your consent.
Back up your data. CPanel makes this very easy. We have a tutorial which walks you through taking a full CPanel backup which automatically includes your files, email, database and more. If the developer breaks something that they cannot fix, you will have a backup of your site.
Always change your password after you’ve allowed anyone into your control panel. Make sure it is a difficult password to guess. It’s also recommended to change the passwords on anything else you’ve given the developer access to, including databases, email, and content management systems.
Run a virus scan after they are finished. Part of my work has involved cleaning up after various developers. I could tell some very horrible stories of what I’ve found in customer accounts. The worst has been finding hacked files that were infected with malware. These files were likely from less than reputable sources, so the developer who installed them may not have been aware of their infections. The customer would pay the developer and soon after find their websites hacked or being used to blast out thousands of spam emails a day. This causes more headaches because a web host will often shut down a site if it is spamming, regardless of why it happened.
If you have an account with 6Scan or Sucuri, run it as well. If you do not have one, it’s recommended that you purchase one. Both companies make it their business to clean up hacked sites and prevent future issues. Even if you aren’t allowing a contractor into your site, either of these services is good to have to help prevent future issues.
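One way to combine the "back up before" and "check after" steps above, as an added example that is not from the original article: a Python script that compares an extracted copy of the pre-work backup against the current site files and lists what was added, removed or modified. The directory names are assumptions, and the demo at the bottom runs on constructed sample files; it complements a malware scan rather than replacing it.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Map every file under root (by relative path) to a SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                # Record the link target instead of reading through the link.
                digests[rel] = "symlink:" + os.readlink(full)
                continue
            sha = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    sha.update(chunk)
            digests[rel] = sha.hexdigest()
    return digests


def compare(backup_root, live_root):
    """Return the files added, removed and modified since the backup."""
    before, after = manifest(backup_root), manifest(live_root)
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def write(root, rel, text):
    """Helper for the demo: create a file (and its parent folders)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed sample trees; in practice point compare() at the extracted
    # backup and the live document root (both locations are assumptions).
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "public_html")
        write(backup, "index.php", "<?php echo 'home';")
        write(live, "index.php", "<?php echo 'home'; // edited")
        write(live, "uploads/cache.php", "<?php // not in the backup")
        for kind, paths in compare(backup, live).items():
            print(kind, paths)
```

Every path in the "added" and "modified" lists should correspond to work you asked the developer to do; anything you cannot account for is the first place to look with your scanner.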
Now that you have the tips to help you give a web developer access to your hosting account, you will have a much better chance of keeping your account safe. As a web developer and server technician, I know what can happen when bad developers get into your system. The information provided should help reduce the risk. If you have any additional tips, feel free to leave them in the comments section below.