Have you ever found yourself in a situation where a plugin author requests administrator access to your site for troubleshooting purposes? That’s the question posed by WPBeginner along with a couple of tips to help you decide whether you answer yes or no. Over the years, I’ve given access to a couple of plugin authors for the sake of troubleshooting but I always make sure to delete their account when finished.
Recently, I found myself in a situation where the plugin author needed admin access to experience the problem first-hand. Instead of creating a new account, I scheduled a Google Hangout. Within Google Hangout is a screen sharing application. Using the app, I was able to walk the plugin author through the process of replicating the bug without giving them administrator access.
Alternatively, you can use the screen sharing option built into Skype. This keeps the communication channel private and most plugin developers I’ve interacted with have a Skype account. You don’t need any credits to perform a screen sharing call using data. The video sessions were scheduled with plugin developers after I exhausted all other support options.
Giving Admin Access Should Be The Last Resort
Giving administrator access should be considered as the last resort. If you need to give them access, make sure you trust the plugin author. Look at their WP.org profile as well as their support forum history. If the author has a history of being malicious, there’s a good chance someone reported them. If possible, give them access to a staging site or a sub-domain that mirrors the live site. If you need to give them access to the live site, make sure you back up everything first in case the author changes files to try to fix the issue.
When they’re finished, inspect the user administration screen to see if any additional users with administrator privileges were created. If so, delete them and find out why that was necessary to diagnose the problem. In most cases, this type of action is unnecessary and would make me highly suspicious of their actions.
Not all plugin authors have malicious intentions. The tips I outlined are precautionary measures to protect your site.
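One way to script the post-session check described above, as an added example that is not from the original post. It assumes WP-CLI is available on the server and that the "before" snapshot is taken right after you create the developer's temporary account; the function and file names are hypothetical. It goes slightly beyond the post by also flagging existing administrators whose login or e-mail changed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): compare administrator accounts
# before and after a support session. Function and file names are hypothetical.

# Save the current administrators as CSV. Assumes WP-CLI ("wp") is installed
# and the command is run from the WordPress install directory.
snapshot_admins() {
  wp user list --role=administrator \
    --fields=ID,user_login,user_email --format=csv > "$1"
}

# Print rows from the "after" snapshot whose user ID is not in "before".
new_admins() {
  awk -F, 'FILENAME == ARGV[1] { seen[$1] = 1; next }
           FNR > 1 && !($1 in seen)' "$1" "$2"
}

# Print rows whose user ID existed before but whose login or e-mail differs now.
changed_admins() {
  awk -F, 'FILENAME == ARGV[1] { row[$1] = $0; next }
           FNR > 1 && ($1 in row) && row[$1] != $0' "$1" "$2"
}

# Constructed sample snapshots (not real data) for trying the functions offline:
# "before" holds the owner and the temporary support account; "after" has an
# extra administrator and a changed e-mail on the owner account.
write_sample() {
  printf '%s\n' 'ID,user_login,user_email' \
    '1,siteowner,owner@example.com' \
    '7,support_tmp,dev@example.org' > "$1"
  printf '%s\n' 'ID,user_login,user_email' \
    '1,siteowner,owner@example.net' \
    '7,support_tmp,dev@example.org' \
    '9,helper2,h2@example.org' > "$2"
}

# Typical use on a real site:
#   snapshot_admins before.csv    # right after creating the temporary account
#   ...support session...
#   snapshot_admins after.csv
#   new_admins before.csv after.csv
#   changed_admins before.csv after.csv
```

Any row printed by either function is an account to ask the developer about before you delete their temporary login.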
Have You Been Burned By A Developer?
With that in mind, I’m curious as to whether or not you’ve been burned by a theme or plugin developer? Did you give them administrator access and end up with a site in worse shape? Have you ever had to restore a backup thanks to a developer making a troubleshooting mistake?
If you have any additional tips or advice, you’re welcome to share them in the comments.
Plugin support over Hangouts is really inconvenient for plugin authors and most would not let you do that, particularly if you aren’t paying explicitly for support. There’s tons of huge drawbacks doing that. Further, if you’re going to give me a subsite to work with, that’s fine but it **has** to be having the same bug itself. Giving me access to a subsite that doesn’t exactly replicate this issue you are using on the main site is usually totally useless in terms of getting the issue solved.
While I agree you should be reviewing authors, that should have been done before installing the plugin on your site to begin with. You wouldn’t want to install a plugin on your site that’s by an author with known issues. Once it’s on your site, you shouldn’t have any issues trusting the people behind it. If someone really wanted to hack your site, and they were the author of a plugin, they could just issue an update that simply adds users in the code, particularly if it is not hosted on WordPress.org.
It’s important before giving someone access to your site to make full database and files backups. Number one, that solves the “developer turned malicious issue” since you can just restore from backup. Number two, you should be doing backups anyways. Number 3, things happen sometimes on remote sites. I know a hugely popular site that once was taken down by the output of a single var_dump being added to it on a VPS server.
If you feel uncomfortable with someone in the backend, a good idea would be to ask the developer why he would like the access. 9 out of less than 10 times, there’s a very good reason, and most developers will be happy to answer you. You can also ask what they are planning on doing, or a list of things they will try.
In short, if you don’t trust the author of the plugin being in your backend, and you don’t want to set up a staging site, you probably shouldn’t be using that plugin to begin with.