It is fairly common practice to hire a developer/designer to build and edit a website or have your own webmaster/external SEO expert to maintain your existing one. This process ultimately requires access to your web hosting account. Permissions can be assigned at several different levels in cPanel. When you're considering sharing access to your cPanel hosting account with other collaborators, the type of sharing you'll want to use depends on what level of control you want to offer. In this article, you'll learn how you can give your developer or designer account access safely, get to know the different permission levels, and how to grant and remove hosting account access.

Table of Contents:

• Reasons to Provide Limited Access to Your Hosting Account
• How to Determine the Correct Level of Access for you Developer or Designer
• FastComet Client Area Sub-accounts
• Understanding FastComet Hosting Account Passwords
• How to Manage Editing/Contributor Access in Your Hosting Account
• Considerations
• Security Principles
• Your Hosting Account Access Options
• Trusting Approach: Complete cPanel Access
• SSH Access
• Cautious Approach: Limited Access Level (FTP/PHPMyAdmin)
• Why Limit FTP Users to Specific Directories
• High-Security Approach
• How to Remove Hosting Account Access to your Developer or Designer
• Remove Complete Access to cPanel
• Remove Partial Access via FTP

Reasons to Provide Limited Access to Your Hosting Account

Companies that manage user permissions use the practice known as “least privilege,” which basically means that users get access only to what is absolutely necessary. Limiting the privileges for users and the number of privileged users is one of the five best practices recommended by the National Cybersecurity and Communications Integration Center (NCCIC) at the US Computer Emergency Readiness Team (US-CERT). 

Of course, you probably need to allow account access for certain users, family members, or developers, but here are the main reasons why you should limit that access, and in some cases, restrict it:

• Unrestricted user access could lead to accidental data exposure;
• Unrestricted user access could lead to Intentional privilege misuse & abuse;
• Hackers can use compromised user credentials.

By limiting user access, you narrow down the amount of data employees have access to — and incidentally can compromise — without having to go through any other defenses. This is a recommended practice when you aim to increase the overall security of your online business.

How to Determine the Correct Level of Access for you Developer or Designer

When you initially create your hosting account with FastComet, you are given two separate areas to manage your hosting products and services – the Client Area and the cPanel/WHM Control panel. The Client area provides direct access to Technical Support, Billing information, and other features not directly related to managing the hosting service itself. It allows you to keep your billing information separate from the access information you need to share with your developer. 

FastComet Client Area Sub-accounts

Your FastComet Client Area allows you to create additional sub-accounts. Additional Contacts/Sub-Accounts provide you with the option to give a third-party access to your Client Area. As this area contains sensitive information and grants access to your hosting products, we give you more control over the Contacts/Sub-Accounts permissions. By default, these permissions will be set as: 

• The primary account information will not be visible to sub-accounts on the Client Area home page.
• Available credit balance and the due amount will not be visible to sub-accounts without View & Pay Invoices permissions.
• Hosting products and active services will not be accessible from the Client Area homepage to sub-accounts without the View Products & Services.
• Quick cPanel access on the Client Area homepage will not be accessible to sub-accounts without the View Products & Services permissions.

You can set the access level to control what a person can do to your account once they're logged in.

Each hosting service has its own separate cPanel interface via which you can manage all features of the specific hosting product.

These two separate areas to manage your hosting account are accessed by separate login details. You can allow full access to your cPanel Control panel, but there is no legitimate need for your web designer to be provided access to your Client Area/Billing account.

Understanding FastComet Hosting Account Passwords

The Master Password is your Client Area password, which you set up during the sign-up process. This password is encrypted and can not be retrieved or viewed in plain text anywhere in the system. Only the person who signed up for the service who knows the password can change it or log in to the Client Area. 

The cPanel password for managing your hosting product is randomly generated during the account creation. You can find this in your hosting account welcome email. There you should be able to locate your cPanel URL, cPanel username, and password. The only way to retrieve or change your product cPanel password is by using your Master Password.

How to Manage Editing/Contributor Access in Your Hosting Account

A web developer/designer will often ask for access to your hosting account so that they may set up your website. Here comes the logical question you may ask yourself: Should I give him my username and password? While this is a legitimate request, you still want to be careful who you give access to and how much access you give to them. As the hosting account owner, you decide who has access to your account. 

Considerations

Before you decide to give your web developer access to your hosting account, you may want to consider the following:

• How much do you trust the web developer?
• How much access does he/she really need?
• How much control do you want to have over the account?
• How involved do you want to be in the process of building your website?
• Is there existing data on your hosting account (such as your client list) that you do not want to fall into the wrong hands?

In answering those questions, you will determine how much access you are comfortable giving to your web designer.

Security Principles

You may also want to keep these security principles in mind when deciding how much access to grant your web developer:

• Only give someone enough access to do what they need to do and nothing more.
• If someone no longer needs access, remove their access; this is typically done by changing password(s).
• As the old saying goes, it is better to be safe than sorry.

Your Hosting Account Access Options

Taking everything above into consideration, you have several options here:

Trusting Approach: Complete cPanel Access

To grant your developer full cPanel access, you should provide them your cPanel username and password.

• This is a more powerful access level, and you won't want to give it out often. Use with caution. Anyone who receives cPanel account web interface access will have near-total control to add, delete, change, and truncate your database, deface your website, or download your business secrets and your client's details.
• When you provide complete cPanel access to your developer, he has complete access to all messages in all email addresses associated with your account.
• This is most likely used for complex sites with custom development work.
• This option grants the ability to install software or programming environments.
• Your website collaborators will have access to the database utilities for the purpose of database administration and modification.
• When you provide any form of cPanel access, you cannot avoid granting the ability to access files under the account (via SSH/FTP).

It is highly recommended to change your cPanel password after the team of your website developer & designers are ready with the changes on your website. This is done for security measures.

SSH Access

Typically, SSH is used more frequently by IT Ops than developers. For IT engineers who need to administer systems remotely, SSH would be the preferred method as it is a fast and easy way to connect. 

• Note that this is a huge security risk, and use it with caution. Anyone who receives SSH  access will have near-total control to add, delete, change, and truncate your database, deface your website, or download your business secrets and your client's details.

Cautious Approach: Limited Access Level (FTP/PHPMyAdmin)

If you wish to give a partial level of access to your developer, we recommend NOT giving them access to the cPanel. 

Make sure to install PHPMyAdmin on an Addon domain, a Subdomain, or a subfolder of your website via Softaculous. After that, create a MySQL database and user. There is a detailed explanation of how to do that in our MySQL Database and Uses tutorial. Ensure and provide the proper MySQL database, user, Ensure, and the user's credentials to your developer.

You should also set up an FTP user account in cPanel that has limited access to specific directories.

For the purpose of managing your account access, you may create as many FTP accounts as you need and allow access to certain directories for each one of the accounts. You can perform this by accessing your cPanel and choosing the FTP Accounts icon:

Here is what you will see on the page:

• Login - the login name of the user you are creating, note that any name you give will have the mandatory [email protected].
• Password - the password the specific user is going to access his account with;
• Password (again) - repeat the password from above;
• Strength (Why?) - you can check the strength of your password from this field. Next to it is the “Password Generator” button which can generate a password for your user.
• Directory (/home/user/) - here you should add the exact path to the folder you wish to grant your user with access (e.g. /home/user/public_html/themes);
• Quota - from here, you can set a restriction on the maximum megabytes allowed for the user to upload. Note that if you decide to use the input field, the value you set will be megabytes (MB).

• The last thing to do here is to press the Create FTP Account button in order to create your desired account. You will have to provide the user with the following credentials for access to the FTP account:

• Host Name - your.domain.com;

• Username - The one set in the FTP Client section;

• Password - The one set in the FTP Client section;

• Port - 21.

Why Limit FTP Users to Specific Directories

One of the most common circumstances to restrict FTP users is to prevent them from applying changes to certain parts of your website. Limiting access can also be useful if you want to make it possible for users to upload media files, but you don’t want to give them access to other areas.

Probably, the most important concern to allow access to certain directories for an FTP user is security. An FTP user with full or root access can execute destructive commands.

High-Security Approach

You can request your web developer or SEO expert provide you with a list of instructions for the required changes, and you can make them on their behalf and upload the website files yourself.

How to Remove Hosting Account Access to your Developer or Designer

Remove Complete Access to cPanel

To remove complete access to your hosting account, it is recommended to reset your cPanel password after your designer/developer is ready with the changes on your website. This is required for security measures.

Remove Partial Access via FTP

If you have created FTP accounts for your developer, review your FTP accounts area in cPanel and either change the password for any FTP accounts or delete the accounts.

If you experience any difficulties, you can always count on our technical support team and ask for assistance by opening a new support ticket.

Related articles

• How to Update Plugin Manually via FTP
• How to Use .htaccess File to Customize or Improve Your Website
• How to Enable Keep-Alive for Apache Servers
• How to Properly Run a Website Speed Test