One of the first things you do when onboarding with a new agency that will do some work on your website is grant them access to various things. Before granting them full access to everything, you should think through what they need to do and what level of access is needed in order for the agency to complete the job.
If you hire an SEO agency, they will likely not need full website access, for example.
Every website contains sensitive data. Emails, users' personal data, billing information, revenue details, and more. It's important that you protect your information while still empowering the agency to do the work they were hired to do.
Levels Of Admin Access
There are different levels of WordPress admin access that range from Subscriber to full access Administrator:
- Subscriber: This is the lowest level of access, mostly for users to post comments on the website. No WP-admin access.
- Contributor: They can add new posts and edit their own posts, but they can not publish these, upload plugins, change settings, or upload media.
- Author: They can write, edit, and publish their own posts. They can also delete their own posts.
- Editor: They have full control of the content sections of the website. They cannot change site settings, install plugins and themes, or add new users.
- Administrator: Full Access (there is also Super Admin for multisite networks)
For example, the SEO Agency can use the Editor role, which will allow them access to the content and useful settings like a WP Meta SEO tool to optimize settings for the desired post/page.
If they need to install a plugin or edit the code, you can always ask your developer or support Agency to do that for them. By doing that, you are limiting the risk of exposing sensitive information.
In addition to wp-admin access, you can limit server access, DNS access, and access to other 3rd party services you might use (Google Search Console, Google Analytics, and many more) through their admin panels as well. This is equally as important because, for example, with the wrong server access someone can easily delete the entire website if they are not careful.
Before granting access to any of your platforms, you should always think about what the Agency needs to do and if this level of access is needed. It's the best way to protect yourself and your data.