One of the first things you do, when you’re onboarding with new agencies that will do some kind of work on your website, is to grant them access. Before granting them full access you should think, what they need to do, and what level of access is needed in order for the agency to complete the job.
If you are hiring an agency for SEO, likely they will not need full website access. You might say, well, I trust these folks, and what if they outsource the work? Will you trust the third party hired from UpWork?
Every website contains sensitive data, like emails, all kinds of personal data, billing, and revenue details depending on the business, and more. Imagine, someone exports the list of all users you have and send that to your competitor.
Levels Of Admin Access
There are different levels of WordPress admin access from lowest Subscriber to full access Administrator:
- Subscriber: This is the lowest level of access, mostly for users to post comments on the website. No WP-admin access.
- Contributor: They can add new posts and edit their own posts, but they can not publish these, or upload plugins, change settings, upload media.
- Author: They can write, edit, and publish their own posts. They can also delete their own posts.
- Editor: They have full control of the content sections of the website. They do not have access to change site settings, install plugins and themes, or add new users.
- Administrator: Full Access (there is also Super Admin for multisite networks)
So, in our case, SEO Agency can use the Editor role, and it will allow them access to the entire content, including Yoast settings for the desired post/page.
In case they need to install a plugin or edit the code, you can always ask your developer or support Agency to do that for them, and by doing that you are limiting the risk.
On top of wp-admin access, we also have server access, DNS access, and access to other 3rd party services you might use (Google Search Console, Google Analytics, and many more). For example, with server access, you can easily delete the entire website if you are not careful.
Conclusion
So, before granting access to these you should always think about what the Agency needs to do, and if this level of access is needed. If you are in doubt, be free to ask your developer or support agency.