We have often been asked by users if they should give admin access to plugin developers to fix bugs on their websites.
If it is a free plugin, then you can easily switch to a different one. However, if it is a paid or custom plugin, then you may want to get it fixed.
For some issues, developers may not be able to find the bug and fix it without access to your website.
In this article, we will address if you should give admin access to plugin developers for fixing bugs and how to do it safely.
What Is Admin Access for a WordPress Website?
Admin access for a WordPress website means login access to the WordPress admin area with the administrator user role.
Giving access to the administrator user role for your WordPress website should make anyone feel uncomfortable.
That’s because a user with the administrator user role has full access to everything on your website. They can install plugins or themes, modify code, update the WordPress database, or even delete user accounts.
To learn more, see our beginner’s guide to WordPress user roles and permissions.
For WordPress security, you need to always protect admin access to your WordPress website.
Why Developers May Need Admin Access to Your Website?
When you report a bug and ask for support, the first thing most good developers do is try to reproduce the issue on their testing site.
If they are able to recreate the issue, then they can solve the problem and update the plugin.
Now, if they can’t replicate the issue that you’re reporting, then it’s impossible for them to fix it.
You are probably wondering why these developers can’t replicate the problem that you are having.
Well, that’s because each site is different.
For instance, there are different web hosting environments and different combinations of WordPress plugins and themes. One or more of these variables can be causing the issue.
When a plugin developer is testing their plugin, they don’t have any other plugins activated, and they’re using the default WordPress theme.
This is why sometimes the bug that you encounter is specific to your site. Maybe it’s a bug with a theme you’re using or with a combination of other plugins you have installed.
In order for plugin developers to fix the bug, they must know what’s causing the issue. This is why they ask for your WordPress admin access, so they can have all the same variables.
Should You Give Admin Access to Developers?
Yes, you should give admin access to your website to trustworthy developers so that they can identify the issue and fix it for you. However, the site you share doesn’t need to be your actual live website.
You see, developers want access so they can see the issue with the same hosting environment, plugins, and theme.
If you can make a copy of your website under the same hosting account, it will have all those variables in place while keeping your real website secure.
This temporary copy of your website is called a staging site.
A staging site is a clone of your live website that is used for testing changes before making them live.
Staging sites help you catch errors so you don’t end up breaking your live website. They also help you safely give developers access to make changes and troubleshoot bugs.
Method 1: Share Admin Access to a Staging Website
Many of the top WordPress hosting companies come with the option to create a staging site with one click.
You should first contact your WordPress hosting provider to see if they offer a 1-click staging site for your WordPress installation.
For more details on how to do it yourself, you can see our tutorial on how to make a staging WordPress site.
After you have set up your staging website, you need to log in to the admin area and add a new user account with the administrator user role.
After that, you can share this new admin user account with the plugin developer.
They can log in to your staging website and make any necessary changes.
Once they have fixed the issue, you can review your staging website and delete the temporary user account you created.
You can now deploy all changes to your live website. This will overwrite your live website and replace it with the staging version.
Note: Some WordPress hosting companies allow you to create a staging site after installing their helper plugin.
The downside of such a staging site is that the admin on the staging site will be able to deploy the changes to your live site without your approval.
In that case, we recommend using the manual method instead.
Method 2: Share Admin Access to a Manual Staging Site
Not all WordPress hosting companies offer 1-click staging websites.
In that case, you may need to manually create a staging website. This staging website will be a copy of your live website.
First, you need to log in to your hosting control panel and create a new subdomain for your staging website (e.g., staging.yourdomain.com).
For this tutorial, we will be using Bluehost. Do note that the steps might vary based on the hosting service you are using.
Once you’re logged in, click on the ‘Settings’ button for the website you wish to create subdomains.
From here, you will need to switch to the ‘Advanced’ tab at the top.
Bluehost will show different tools and settings you can access under the Advanced settings.
Next, you will need to scroll down and navigate to cPanel.
Go ahead and click the ‘Manage’ button.
On the next screen, you’ll see different tools.
Simply click on the MySQL Databases icon located under the Databases section in your hosting account dashboard.
On the next screen, provide a name for your database.
Then click on the ‘Create Database’ button.
Next, you need to create a MySQL user for your database.
Scroll down to the MySQL Users section and provide a username and password for your new database user.
Finally, you need to associate the user account with the database you created earlier under the Add User to Database section.
Simply select the new user in the dropdown, make sure your new database is selected, and then click the ‘Add’ button.
You will be asked to select privileges for the user.
Go ahead and select the ‘All Privileges’ checkbox and then click on the ‘Make changes’ button.
Your database is now ready to be used for your staging website.
Next, you need to install and activate the Duplicator plugin on your live WordPress site. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, you need to click on the Duplicator menu in your WordPress admin sidebar and click on the ‘Create New’ button.
Follow the onscreen instructions to create a Duplicator package for your website.
Once finished, you need to click on the ‘Download Both Files’ button to download the Duplicator package to your computer.
You’ll need to upload both of these files to the file directory of the subdomain you just created. For details, see our guide on how to use FTP to upload files to your WordPress website.
After that, you need to open a new browser tab and enter the subdomain of your staging site like this:
https://staging.yourdomain.com/installer.php
Don’t forget to replace staging
with the actual subdomain and yourdomain.com
with your own domain name.
This will launch the Duplicator installer wizard. Click on the ‘Next’ button to continue.
Now, you’ll be asked to provide the database information. Enter the database details you created earlier.
After that, simply follow the onscreen instructions to continue. Duplicator will unpack the WordPress package and install it for you.
Once finished, your staging website will be ready to visit. However, it is publicly accessible by anyone on the internet, including search engines.
Let’s change that.
Login to your WordPress hosting account dashboard and click on the ‘Directory Privacy’ icon.
Next, you will see different directory folders.
Go ahead and click the ‘Edit’ button for the folder you wish to protect.
After that, you need to select the option to ‘password protect this directory’ checkbox.
You will also be asked to provide a name for the protected directory.
Don’t forget to click on the ‘Save’ button to store your settings.
Note: You’ll need to give this username and password to the developers so that they can access your staging site.
Finally, you need to log in to the WordPress admin area of your new staging website and create a new temporary user account to share with a developer.
Once the developer has fixed the issue, you need to delete their user account.
After that, you need to move your staging site from a subdomain to your root domain.
Method 3: Share a Temporary Login Access (Less Secure)
This method allows you to create a temporary account that allows developers to log in to your WordPress website. You can set a fixed duration for the session, which will automatically expire afterward.
Note: This is less secure and will give a third-party developer complete access to your website. Only use this method if you trust the developer and understand the risks involved.
The first thing you need to do is install and activate the Temporary Login Without Password plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, you need to visit the Users » Temporary Logins page and click on the ‘Create New’ button to add a new temporary login account.
This will show a form where you need to enter information for the temporary login you want to add.
First, you need to provide the email address for the developer and then their first and last name.
Click on the ‘Submit’ button to continue.
The plugin will now create a temporary login URL. You need to copy this URL and send it to the developer you want to give temporary access.
Once the developer has finished fixing the issue, you can delete this temporary link. Otherwise, it will automatically expire after the period you set during the login creation.
For more details, see our tutorial on how to create a temporary login link in WordPress.
We hope this article helped you learn whether or not you should give admin access to plugin developers to fix issues on your website.
You may also like our article on how to track user activity in WordPress and the best WordPress security plugins to protect your website.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Mrteesurez
Thanks for the insight! This is a tricky situation, and it’s something I’ve encountered before. I once gave admin access to a developer to fix a plugin issue, and while everything turned out fine, I realized how risky it could be. Now, I always create a temporary admin account with limited access and delete it once the job is done. In this article I found using staging sites for testing to be a safer option. This way, I protect my main site while still allowing developers to work on fixes. It’s crucial to balance trust with caution to safeguard your website’s security and integrity.
Jiří Vaněk
I didn’t quite understand the sentence that temporary access is less secure. In what way exactly? You mention that the developer would gain full access to the site. But wouldn’t they have that anyway if I create a temporary administrator user for them? Or did I misunderstand something?
WPBeginner Support
The difference would be temporary access to your staging site or your live site. If a staging site breaks then you can update it without your visitors knowing something broke while if you give access to your live site they could cause an issue that your visitors see.
Admin
Mrteesurez
Thanks for pointing out the difference between giving access to a staging site versus a live site—this is such an important tip! I’ve experienced firsthand how risky it can be to give someone access to a live site. A small change can lead to unexpected issues that visitors see immediately, which can harm your site’s reputation. Using a staging site provides that extra layer of protection, allowing you to test everything first. One needs to be more cautious regarding giving access to developers. Great advice!
Mark
Thanks for the article, I totally get the need for trust / co-operation.
1. What about sending a backup of your site to the plugin developer and letting them create a staging site?
2. But perhaps the bigger issue, for me, is whether you’re exposing yourself to fraud if you’re running an eCommerce site and pass access to a plugin developer?
WPBeginner Staff
David,
Thanks for leaving a comment. First, we did not say it is the web hosting companies’ jobs to do this.
However from our experience, when you ask nicely most of them are happy to do this for you. Specially if you’re on a cPanel web host. Why?
Because it takes literally few clicks to move an existing site to a new subdomain on the server end.
I won’t get in a debate about WP is easy to use or not because that’s your opinion. I have success stories of users who started learning from WPBeginner in 2009 and today are running successful web design agencies of their own. Others who have started much recently and used our resources to build a website which helped them grow their businesses.
-Syed
David Fraiser
Great article except for the part where you lead users to think that it is somehow the web hosting companies job to set up a test environment for them. This isn’t true. While many hosting companies have support staff who are well-versed in WordPress and other software, it isn’t part of their job to set up a test site for a user.
In fact most hosting companies have specific clauses prohibiting help with 3rd party apps. I realize your articles are geared towards WP n00bs, but if they aren’t capable of replicating a WP install, then they probably shouldn’t be using WP to begin with. Or better yet, they should hire a knowledgeable Developer to do it for them.
WP is deceptive in that to USE it is very simple, and most anyone can do it; but to CUSTOMIZE it requires knowing what you’re doing. It’s not all “push a button and it’s going to be just like I want it to be.”
You do a disservice to your less knowledgeable readers by giving them the wrong information.
WPBeginner Staff
You can use robots.txt file to block a site from getting indexed.
WPBeginner Staff
Totally agree with your points.
lisaleague
I’ve had excellent support from reputable developers, and I like to return the favor by providing a great review.
I think another key is to provide a clear description of the issue, and screencasts are very helpful.
fil
okay I know now
Travis Pflanz
I would add that you should ALWAYS ask the developer to let you know exactly what the problem is and which files they changed to fix the problem… Especially if you give them FTP access.
I’ve seem developers go in and change the core of a plugin that was not theirs, then when that plugin updates, the whole situation returns.
If there is a conflict with a specific plugin, I always inform both developers and create a public thread somewhere – whether on wordpress.org or one of their sites – and direct both developers to that thread. This way they can (hopefully) work together to fix the issue.
Mohammed
Hi wpbeginner,
Thank you very much for this great article this is exactly what I need to know about what if I should give the plugin/theme developer admin access or not and what can I do about that.
Pam
This is great guidance, thank you!
Question – does having a copy of the site affect the search engines? In other words, would I get penalized for having “duplicate content”? If so, how would I prevent search engines from crawling my staging site?
Meks
Nice post WPbeginer.
Generally speaking the best way to solve bug and help your user is to have access to their WP admin.
So far we haven’t found any of our customers refusing to send us their WP admin details
I would say that is trust between users and developers
Paul Lambert
Good advice – thanks