Things To Consider Before Giving A WordPress Plugin Developer Admin Access To Your Site

Have you ever found yourself in a situation where a plugin author requests administrator access to your site for troubleshooting purposes? That’s the question posed by WPBeginner along with a couple of tips to help you decide whether you answer yes or no. Over the years, I’ve given access to a couple of plugin authors for the sake of troubleshooting but I always make sure to delete their account when finished.

Recently, I found myself in a situation where the plugin author needed admin access to experience the problem first-hand. Instead of creating a new account, I scheduled a Google Hangout. Within Google Hangout is a screen sharing application. Using the app, I was able to walk the plugin author through the process of replicating the bug without giving them administrator access.

Screen Sharing App Withing Google Hangouts
Screen Sharing App Withing Google Hangouts

Alternatively, you can use the screen sharing option built into Skype. This keeps the communication channel private and most plugin developers I’ve interacted with have a Skype account. You don’t need any credits to perform a screen sharing call using data. The video sessions were scheduled with plugin developers after I exhausted all other support options.

Giving Admin Access Should Be The Last Resort

Giving administrator access should be considered as the last resort. If you need to give them access, make sure you trust the plugin author. Look at their profile as well as their support forum history. If the author has a history of being malicious, there’s a good chance someone reported them. If possible, give them access to a staging site or a sub-domain that mirrors the live site. If you need to give them access to the live site, make sure you back up everything first in case the author changes files to try to fix the issue.

When they’re finished, inspect the user administration screen to see if any additional users with administrator privileges were created. If so, delete them and find out why that was necessary to diagnose the problem. In most cases, this type of action is unnecessary and would make me highly suspicious of their actions.

Not all plugin authors have malicious intentions. The tips I outlined are precautionary measures to protect your site.

Have You Been Burned By A Developer?

With that in mind, I’m curious as to whether or not you’ve been burned by a theme or plugin developer? Did you give them administrator access and end up with a site in worse shape? Have you ever had to restore a backup thanks to a developer making a troubleshooting mistake?

If you have any additional tips or advice, you’re welcome to share them in the comments.


23 responses to “Things To Consider Before Giving A WordPress Plugin Developer Admin Access To Your Site”

  1. Plugin support over Hangouts is really inconvenient for plugin authors and most would no let you do that, particularly if you aren’t paying explicitly for support. There’s tons of huge drawbacks doing that. Further, if you’re going to give me a subsite to work with, that’s fine but it **has** to be having the same bug itself. Giving me access to a subsite that doesn’t exactly replicate this issue you are using on the main site is usually totally useless in terms of getting the issue solved.

    While I agree you should be reviewing authors, that should have been done before installing the plugin on your site to begin with. You wouldn’t want to install a plugin on your site that’s by an author with known issues. Once its on your site, you shouldn’t have any issues trusting the people behind it. If someone really wanted to hack your site, and they were the author of a plugin, they could just issue and update that simply adds users in the code, particularly if it is not hosted on

    Its important before giving someone access to your site to make full database and files backups. Number one, that solves the “developer turned malicious issue” since you can just restore from backup. Number two, you should be doing backups anyways. Number 3, things happen sometimes on remote sites. I know a hugely popular site that once was taken down by the output of a single var_dump being added to it on a VPS server.

    If you feel uncomfortable with someone in the backend, a good idea would be to ask the developer why he would like the access. 9 out of less than 10 times, there’s a very good reason, and most developers will be happy to answer you. You can also ask what they are planning on doing, or a list of things they will try.

    In short, if you don’t trust the author of the plugin being in your backend, and you don’t want to setup a staging site, you probably shouldn’t be using that plugin to begin with.

    • All good points indeed but I did mention that the hangout option was my last resort if the other support options still made the developer confused as to why the problem was occurring. The hangout enables them to see for themselves the problem I’m experience and how to reproduce it.

      I agree that Hangouts and video calls over Skype are not the most efficient ways of handling support but it’s great for a last resort option.

  2. In general giving admin access to anyone to your own site is similar to handing them the keys to your home – often it’s the easiest and quickest way, and it’s always the most dangerous one. Using support tickets by providing extensive details of the issue, screenshots, use cases and complete scenarios is always helpful. Screen sharing helps most of the time, but sometimes the site owner is unable to help with everything or doesn’t have a complete access to everything needed (for example, a plain DB access which could sometimes be revealed through wp-admin/options.php from superadmins).

    A pre-final step is backing up the entire site together with the database (or just an archive of the wp-content/ folder which is often not sufficient) so that the developer can test that locally, profile with his/her toolset etc. Keep in mind that your admin user hash is also in your database, together with your wp-config.php details in your WordPress folder!

    In case admin access is needed (whether it’s plugin/theme author or a WordPress consultant), a handy set of plugins is ThreeWP Activity Monitor and WordPress File Monitor Plus – the first one keeps a complete log of the user activity across the site, the second one reports the changed files every few hours.

    As I said at the beginning, it’s always dangerous to share your admin access to anyone, even if it’s a recognized consultant, but there are a bunch of preventive options or monitoring that could be applied to capture most possible scenarios (including using monitoring plugins to prevent malicious attacks).

    • Thanks for the plugin mentions. Good to know that there is a simple plugin that can log what a new user does on the site, just in case. I bet Stream by X Team would fit into that list of monitoring plugins.

  3. Why are you hiring people that you don’t trust?

    If you don’t trust a developer enough to give them admin access to your site, then why would you install any plugin that they built for your site?

    There’s also the issue of cost as well. If I’m developing a wordpress plugin for someone then I don’t mind if the client restricts my access and requires me to things in an indirect way (And frankly, I’d prefer to work on a staging server: there’d be much less chance of making expensive mistakes). But it’d take the client longer, and probably increase my hours. Which is fine, as long as the client has the budget.

    • I didn’t hire anyone. This is about support for freely available plugins and themes. If I hired a developer, I’d obviously already trust them to make whatever changes are necessary to get things working without losing my data.

  4. There aren’t many situations in which you would need to give someone access to a production site. I did give admin access to Alex Rabe once, to debug something in an earlier version of the NextGen gallery plugin, but I knew and trusted him. Every other time I’ve needed to get someoen to test something, I’ve just given access to a test site.

    • Agreed but for the times I have, it’s only because I really trusted the developer and I monitored the site as they were working on it. These days, if I have a problem that the developer can’t reproduce, even after I’ve explained in the forum or a ticket how to do it, I invite them to a screenshare to see how I do it. The past two times I’ve done this has resulted in the plugin being patched and thus fixed.

      Also, my test site is on my local server only available to me so that doesn’t help matters.

  5. In my line of business (WPML Contractor and WordPress Consultant) I need access to people’s sites. If people cannot (or like you say in your article don’t want to) give me access, then it simply is impossible for me to do my job.

    There is no way that I would accept doing my work via a Google Hangout or Skype call, that simply is not the way I work and I should not have to instruct the client to jump to this and then that screen.

    This has to do with being reputable and having made a name in the industry. Would I even be a WPML Contractor if I would not be trustworthy? No, of course not!

    Your article really is the wrong approach, instead of seeding fear, you could have approached this from a much more positive angle.

    • See, there is a big difference between a user of a free plugin and a paid client. If a client is paying you, the trust factor is probably already there. A developer of a free plugin I’m using doesn’t not get my trust automatically. I do background checks etc but it’s been a long time since I’ve had to give a dev Admin access to the site to see the problem for themselves. That’s what the screen sharing is for.

      If I give you money, you sure as heck better fix things and do so without losing my data :)

      • Although you explained things in your article, I think that perhaps you could have chosen a different title for your post…

        • Looking back at it, maybe you’re right. I could have generalized and said “Things To Consider Before Giving Plugin and Theme Developers Admin Access To Your Site” something besides just WordPress Developers. I know the damage is done but I can still change the title.

          • Well, for what it’s worth, I changed the title to say WordPress Plugin Developers as that’s who I’ve had experience with and who I was mostly talking about with the article.

  6. Piet – why wouldn’t you use Skype?

    To the rest – When I needed extra help, or there was a bug on a theme/plugin. I contacted the author and got the bug fixed, he/she/it helped me via Skype.

    If you are getting paid by client and client wants to do it via Skype…then you Skype.

    I have NEVER given anyone admin access to any of my sites. and I will never do it.

    Reputation is biased.

    If you NEED to have full admin access then there is an issue there. You should be able to instruct your client on how to fix things. Think about this if you get paid by hourly rate.

    So many developers inflate the time it takes to fix the issues/errors.

    • Miroslav, I said I don’t use Skype (screen sharing) to let people jump to this and that screen when my job is to do a WPML/Site Assessment.

      Thing is that the people commenting here hardly have any reason giving other people access to their site(s), because they know very well what they’re doing.
      But we (developers) are a minority when it comes to the broader picture of WordPress powering over 20% of the www.

    • It should be noted most of the developers here don’t take on client work, but instead are plugin or theme authors. I don’t get paid for support unless you buy premium support. In which case you still have a ton of people to manage. Skype/Hangouts is a horrible way of doing things. If you have 300,0000 clients, and 1% pay for premium support, that’s 3000 users. If I did every fix via hangouts or skype for every one of those users I would never have time to eat.

      Like the original WPBeginner post said, its fine if you don’t want to give main site access, but the staging site needs to replicate the same behavior.

      Necessarily speaking, walking a client through debugging is a horrible waste of time. You have to get the clients to install browser extensions for certain situations, plus then you have to waste the client’s time doing the debugging. If they’ve hired me, or they’re using my plugin, they shouldn’t have an issue with me back there. Theoretically, like I said earlier, the difference between you giving me backend access and me pushing an update of my plugin that gives me that is nothing. While I’d never do the latter, there are some nefarious people out there that would. If you trust my plugin or theme on your site, you’ve invested trust in me.

      Reputation might be baised but only you influence your trust in me as a plugin author. If you install my plugin, you trust me. If you install Piet’s plugin, you trust him. If you don’t, then you shouldn’t be installing our plugins.

      There’s also alot of good reasons for needing full admin (subsite or non subsite). For example, if you have a site where you have a plugin that adds fields to the edit user tab that only admins are supposed to have access to, and thus would be protected by a capability check to edit_users, there’s no other alternative to debugging that. Sure, technically you could make a custom subscriber role with that capability, but most role and capability plugins out there either don’t work, or would take 50x as long for the client to add that role as it would take for me to solve the initial problem to begin with.

      • In my case, you wouldn’t be walking a client through the hangout, I’d be walking the developer through the hangout to understand when and how my issue is appearing. Not once in my article did I mention clients which I consider people who are paying someone else. I’m also not advocating that Hangouts/Skype be the preferred way of getting things fixed. It’s a last resort option and it’s been successful to me and the plugin authors I’ve worked with.

  7. I do wordpress consulting and troubleshooting and I request an administrator login so that I can step through everything much more quicly and effectively. If you have any doubts, make sure you have a complete backup of your site, database, etc. And create an admin account just for the session. After the session blow the new admin login away.

    It is a little restrictive having to have someone else control the session when you are the expert. Ultimately, you have to decide what is right for your situation, however if you’re using plugins whose author’s you don’t trust, you may have to look at the types of plugins you’re installing.

    • If I know what I’m doing and just want to show the developer the problem I’m experiencing, then Skype video and hangouts are the quickest, simplest ways to do that.

  8. While bug fixing via screen sharing being a possibility, it is not very practical. I have tried it. There is no dispute that one should be wise about who they are giving wp admin access to. But that is a different issue altogether. I provide WordPress theme trouble shooting and I do not request for wp admin access unless that is the only way left. Most often developers can spot common bugs via developer console of the browser and suggest a fix that can be executed by the user himself.

    If the developer requires admin access to the site, the user can create a temp admin account for the developer and once the issue is fixed the user can delete that account. This is the most practical solution I have encountered. If you as a developer go into a screen sharing session with an inexperienced user, a simple bug fix that could be done in 5 mins on your own could be dragged out to beyond 30 mins. It is not a pleasant thing.

  9. I’m a very active plugin author in the repository and have had many opportunities to help others out using my plugin. Many of the times users have had no problem granting me access to their sites.

    I always ask first if it is ok, and then insist they make a temporary administrator account, and follow up with a reminder that they can and should now delete the account.

    I find, more often than not, users just pass along their login credentials. Another major issue for debugging options is when the plugin author needs access to the FTP account to confirm file structures or to make sure files are being uploaded into the right location etc.

    One time I received a message via twitter asking for assistance, and we got on skype and within 15 minutes we had the issue resolved.

    Helpful, knowledgeable and trustworthy plugin/theme authors are a great thing, but I would be very careful who I trust….remember, ANYONE can create and upload a plugin, but not everyone is a trustworthy individual with good intentions.

  10. I never liked asking for Admin access when I worked doing support for Gravity Forms. While it did allow me to resolve an issue quickly 9/10 times, it was putting me in a position where issues/errors could then be blamed on me/rocketgenius. Thankfully, that never happened, but I felt like I was exposing the company to risk. What happens if a user comes back and blames us for their site having new or other issues? It becomes a mess!


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: