
Is It OK To Outsource Work on My WordPress Site?

This is an interesting question I get from people all the time. While WordPress certainly has a cleaner interface than other content management systems (e.g. Joomla, Drupal, let’s even throw in Pligg to round it out), WordPress is still a technical program with a learning curve. Sure, there are themes out there to make your site “pretty”. Sure, there are plugins to make your WordPress site do the same things an expensive corporate site does. And sure, there are thousands of developers in the healthy support community. But when the brainstorming sessions end and the workers turn their nose to the computer screen to start, they may start scratching their heads wondering where to start and how to actually achieve all their lofty goals.

That’s where sites like Elance enter the picture. I have had overwhelming success in the past with Elance providers. I had a logo designed just this week (btw… I wrote the email before I went to bed and had 7 logo concepts in my email box by the time I woke up!). I had a custom plugin programmed to do some complex features on a client’s site (yes, I outsourced work that was outsourced to me… and I still made a profit!). I’ve hired copywriters, squeeze page designers, ad banner designers, full website designers… in fact, just about anything you need done on a website can be outsourced.

Outsourcing is usually inexpensive and fast, but there are some risks involved when it comes to WordPress security. Here’s a list of things that most outsource providers will ask for when you hire them for your project:

  • They will probably need a username and password for your WordPress site
  • If they are programming a plugin or something that deals with the SQL database, they may need access to your database
  • They will probably need FTP access
  • Depending on the project, they may even ask for access to your host (your cPanel for example)

Wow! That’s a scary list! Read over that list one more time then take a deep breath. Here are some tips for dealing with these outsourcing issues:

  1. Before ever handing over a single username or password, ask yourself “Do they really need this access?” And always, ALWAYS, question why they need access. Don’t be afraid to say “Hey, I don’t really feel comfortable giving out that type of access. Can you explain why you need that information?”
  2. You can usually set up special accounts for these things. You can log into your host and set up a special FTP account just for this user that only gives them access to certain parts of your account (just the wp-content folder for example). You can also set up a specific username/password just for that user in WordPress and even install login loggers that track their activity inside your WordPress account (for example, see http://wordpress.org/extend/plugins/login-logger/ or http://wordpress.org/extend/plugins/audit-trail/ or http://wordpress.org/extend/plugins/log-user-access/ or http://wordpress.org/extend/plugins/bluetrait-event-viewer/).
  3. Watch your log files closely during the time the provider is working on your site.
  4. Most importantly, and the primary reason for this post… once your outsource provider has completed their job, DELETE their access!! I can’t stress this point enough. There are too many times where I assist someone with their WordPress site and they still have usernames/passwords from people that worked on their site months before. I don’t care if that person was the most honest Christian person you ever met… you probably met them online where anyone can appear to be a good person. Besides, even if they were a good person, there’s no telling if their own accounts got hacked and some evil-doer found your site’s info.

To sum up this post, ASK why people need permission, GIVE them limited access, WATCH their activity, then DELETE their access when they are done.
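
As an added example (not part of the original post), here is one way to make the DELETE step a routine check: a short Python script that reads a user export and flags contractor accounts whose job has ended, accounts nobody can account for, and active contractors holding the administrator role. The account names, dates, the `ENGAGEMENTS` register and the `STAFF` set are constructed for illustration; the CSV mirrors the output of WP-CLI's `wp user list --fields=user_login,user_email,roles,user_registered --format=csv`.

```python
import csv
import io
from datetime import date

# Constructed sample in the shape of:
#   wp user list --fields=user_login,user_email,roles,user_registered --format=csv
USERS_CSV = """user_login,user_email,roles,user_registered
owner,owner@example.com,administrator,2010-01-05 09:00:00
logo-designer,designer@example.net,author,2012-02-01 22:10:41
plugin-dev,dev@example.org,administrator,2012-03-10 08:15:02
copywriter,writer@example.net,editor,2012-05-02 11:30:00
oldhelper,helper@example.org,administrator,2011-07-19 16:45:12
"""

# Hypothetical register you keep yourself: account -> date the job ends.
ENGAGEMENTS = {
    "logo-designer": date(2012, 2, 8),
    "plugin-dev": date(2012, 6, 30),
    "copywriter": date(2012, 5, 20),
}
STAFF = {"owner"}  # accounts that are meant to be permanent


def review_access(users_csv, engagements, staff, today):
    """Return (login, finding) pairs for accounts that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        login = row["user_login"]
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        if login in staff:
            continue
        if login not in engagements:
            # Nobody can say why this account exists: the months-old leftover case.
            findings.append((login, "UNKNOWN: not staff, no engagement on record"))
            continue
        if engagements[login] < today:
            findings.append((login, "DELETE: job ended " + engagements[login].isoformat()))
        elif "administrator" in roles:
            # Still working, but with full control: ask whether they need it.
            findings.append((login, "QUESTION: active contractor holds administrator"))
    return findings


if __name__ == "__main__":
    for login, finding in review_access(USERS_CSV, ENGAGEMENTS, STAFF, date(2012, 6, 1)):
        print(f"{login:15} {finding}")
```

The same review applies to the FTP, database and hosting accounts created for a job, since WordPress's user list does not cover them.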
