Whether you’re a freelance developer or you work as part of a larger agency, at some point you will have to deal with the boundaries of your client relationships.
That can include things like communicating with clients about expectations or negotiating fees, salaries and work scope, but it also includes technical aspects of that relationship, like how much control over their WordPress site they should have.
If you’re building a site for them from scratch, should you give them admin access? If you’re building and managing a site, do they need to use the dashboard at all? How about if you’re building it but not managing or making updates? Should they be given access before you hand over the wheel or only after everything’s completed?
Some clients may come to you with a site already set up, in which case you may be the one needing admin access. How do you ensure a client doesn’t accidentally undo all your hard work?
Even if it’s not your fault, broken sites almost always make the developer look bad. You need a way to client-proof your WordPress site to some degree, even if it means un-client-proofing it down the road.
When Clients Should/Shouldn’t Have Access
In order to answer the question, “Should my client have access to the WordPress admin dashboard?” you need to have a clear understanding of exactly what type of working relationship you plan to have with the client now and in the future.
Generally speaking, there are two different types of clients: those that want you to build a site and maintain it over time, and those that want you to build a site and hand it over later.
A client that wants you to build and maintain a site (or just fix/rebuild/maintain a site that already exists) may do so for a number of reasons. They may know enough about coding to do it themselves, but they simply don’t have the time to develop a site properly and want to focus on other aspects of their business.
Alternatively, they may not know anything about coding and rely on you to direct their every whim.
You’re looking for knowledge: How much code does the client know? How likely will they be to screw something up?
WordPress developer Jayson Cote said in response to a Quora thread on the topic that it’s about the client’s comfort level:
“For us, it depends on the client and their comfort level for maintaining their website. Some of our clients do not want admin access because they rely on us for running updates and installing new plugins for functional features.”
Of course, there are still good reasons to give them admin access, even if they’re not exactly WordPress-savvy. In the same thread, Morten Rand-Hendriksen, staff author at lynda.com, adds that it “comes down to the ownership of the site”:
“In the end it boils down to who owns the site. We are strong proponents of the idea that a client is the de-facto owner of her own site once we are done. That means their name is on the domain, the hosting solution, and the site itself. That also means they have access to admin and the means to update the site and move to a different host or developer if they so choose.”
But even if you decide to give a client some (or full) access to the WordPress backend, there may be times when you’re making updates, performing maintenance, or otherwise changing the site and don’t want something to break as the result of a client messing around.
In this case, you want to client-proof certain aspects of the site, whether permanently or temporarily, to ensure that nothing gets changed without your knowledge.
Client-Proofing Your WordPress Backend
Here are a few things to do if you want to client-proof your backend. Some will require code that may be harder to change down the line, so consider whether or not you want to keep them in place for the long haul before you implement them.
Set Up User Roles
The first thing should be to set up temporary (or permanent, as the case may be) user roles in WordPress. If possible, there should only really be one administrator role, but depending on the situation you may need more than one – especially if you plan to turn over the site to the client later on.
Roles can include:
- Super Admin (available on multisite installations only) – who has full access to the site network.
- Administrator – who has access to all features within a single site.
- Editor – who can publish and manage all posts and pages on a website, and additionally moderate comments without limitation.
- Author – who can manage, publish and edit their own posts.
- Contributor – who can manage their own posts, but cannot publish them.
- Subscriber – who only has read privileges, and cannot make any changes to the website.
Set roles appropriately based on who you want to have access to which parts of the site. Remember to delete any old or inactive accounts and keep in mind that you can block the user without deleting their account if needed.
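When none of the built-in roles fits a client, a custom role can be registered in code. The following is an added example, not code from the original article: the role slug `site_client` and the `cr_*` function names are hypothetical, and it assumes the snippet is installed as a small single-file plugin.

```php
<?php
/**
 * Plugin Name: Client Role (added example)
 * "site_client" and the cr_* function names are hypothetical.
 */

// Start from the Editor capability set and drop unfiltered_html, which on a
// single-site install lets a user save raw <script> markup into content.
function cr_client_capabilities() {
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array( 'read' => true );
    unset( $caps['unfiltered_html'] );
    return $caps;
}

// Roles are stored in the database, so register once on activation rather
// than on every page load. add_role() does nothing if the slug already
// exists, so remove it first to pick up capability changes.
function cr_install_role() {
    remove_role( 'site_client' );
    add_role( 'site_client', 'Site Client', cr_client_capabilities() );
}
register_activation_hook( __FILE__, 'cr_install_role' );

// "Un-client-proofing": move users back to Editor before removing the role,
// otherwise their accounts are left with no role at all.
function cr_uninstall_role() {
    foreach ( get_users( array( 'role' => 'site_client' ) ) as $user ) {
        $user->set_role( 'editor' );
    }
    remove_role( 'site_client' );
}
register_deactivation_hook( __FILE__, 'cr_uninstall_role' );

// Remind administrators when more than one administrator account exists.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'promote_users' ) ) {
        return;
    }
    $admins = get_users( array( 'role' => 'administrator', 'fields' => 'ID' ) );
    if ( count( $admins ) > 1 ) {
        $msg = sprintf( '%d administrator accounts exist; review whether each is still needed.', count( $admins ) );
        printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $msg ) );
    }
} );
```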
Take Proper Security Measures
You also want to make sure that clients who set their own usernames and passwords don’t use “admin” as a login, but instead create a unique username and use a complex password. The fewer people who have access to a site’s admin panel, the lower the risk of it being hacked or otherwise compromised.
Simplify the Dashboard
Even if you give a client access, they may not know enough about WordPress to justify them seeing every option available (or they may prefer to only see what they need so as not to be confused). Simplifying the dashboard, therefore, allows you to de-clutter unnecessary areas while protecting the core parts of the site you’re working on.
The easiest way to do this is by using a plugin. WP Admin UI Customize, for example, allows you to adjust the way a given user sees the wp-admin dashboard from a single visual interface. No coding, no mess.
Developer Jeff Brock prefers to use the Admin Menu Editor plugin, which lets you rename, reorder, and hide items in the left navigation menu, and (in the pro version) allows you to hide items by individual user.
You want to hide anything that is completely unnecessary for a client or may confuse them, like the WordPress news or Quick Draft features, or navigation items that they shouldn’t need to access.
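The same clean-up can be done in code instead of through a plugin interface. This is an added example, not code from the original article or from either plugin named above: the role slug `site_client` and the `cs_*` names are hypothetical, and the hidden screens are only sample choices. Hiding a menu item does not revoke access to its URL, so the last hook refuses direct requests as well.

```php
<?php
/**
 * Added example: trims wp-admin for a restricted client role.
 * "site_client" and the cs_* names are hypothetical.
 */

// True when the logged-in user holds the restricted client role.
function cs_is_client() {
    $user = wp_get_current_user();
    return in_array( 'site_client', (array) $user->roles, true );
}

// Remove the dashboard widgets the article mentions.
add_action( 'wp_dashboard_setup', function () {
    if ( ! cs_is_client() ) {
        return;
    }
    remove_meta_box( 'dashboard_quick_press', 'dashboard', 'side' ); // Quick Draft
    remove_meta_box( 'dashboard_primary', 'dashboard', 'side' );     // WordPress news
} );

// Hide left-hand navigation items. This removes the links only.
add_action( 'admin_menu', function () {
    if ( ! cs_is_client() ) {
        return;
    }
    remove_menu_page( 'tools.php' );
    remove_menu_page( 'edit-comments.php' );
}, 999 );

// Hiding is cosmetic: refuse direct URL access to the same screens.
add_action( 'current_screen', function ( $screen ) {
    $hidden = array( 'tools', 'edit-comments' );
    if ( cs_is_client() && in_array( $screen->id, $hidden, true ) ) {
        wp_die(
            esc_html__( 'You do not have access to this screen.' ),
            '',
            array( 'response' => 403 )
        );
    }
} );
```

For anything the client must never be able to do, remove the capability from the role itself; the menu and screen hooks here are a convenience layer on top of that.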
Log In and Double-Check
After you’ve finished simplifying the site, you want to log in as a potential user to see if there’s anything still showing that you may not want them to see, or areas that they can access where you might not want them to go.
You should also create instructions for users who may not know what to do with the areas they can access. If you’re handing over access to users later on, make sure that you go back and re-add any features that they may want access to.
Ultimately, whether or not you decide to give access to your clients is a case-by-case decision. There are some clients that may not want access to the site at all, and will rely on you for everything, while other clients may demand full administrative roles from the get-go.
If you’re concerned about the level of WordPress expertise of clients who have access, consider addressing the issue directly with them and letting them know that you can create a user role for them that will help them manage their account with minimal interference.
You may find that less code-savvy clients still want to see what you’re doing, but don’t actually want to mess around with your system too much.