We have often been asked by users if they should give admin access to plugin developers to fix bugs on their websites.
If it is a free plugin, then you can easily switch to a different one. However, if it is a paid or custom plugin, then you may want to get it fixed.
For some issues, developers may not be able to find the bug and fix it without access to your website.
In this article, we will address whether you should give admin access to plugin developers for fixing bugs and how to do it safely.
What Is Admin Access for a WordPress Website?
Giving access to the administrator user role for your WordPress website should make anyone feel uncomfortable.
That’s because a user with the administrator user role has full access to everything on your website. They can install plugins or themes, modify code, update the WordPress database, or even delete user accounts.
To learn more, see our beginner’s guide to WordPress user roles and permissions.
For WordPress security, you need to always protect admin access to your WordPress website.
Why Developers May Need Admin Access to Your Website?
When you report a bug and ask for support, the first thing most good developers do is try to reproduce the issue on their testing site.
If they are able to recreate the issue, then they can solve the problem and update the plugin.
Now, if they can’t replicate the issue that you’re reporting, then it’s impossible for them to fix it.
You are probably wondering why these developers can’t replicate the problem that you are having.
Well, that’s because each site is different.
For instance, there are different web hosting environments and different combinations of WordPress plugins and themes. One or more of these variables can be causing the issue.
When a plugin developer is testing their plugin, they don’t have any other plugins activated, and they’re using the default WordPress theme.
This is why sometimes the bug that you encounter is specific to your site. Maybe it’s a bug with a theme you’re using or with a combination of other plugins you have installed.
In order for plugin developers to fix the bug, they must know what’s causing the issue. This is why they ask for your WordPress admin access, so they can have all the same variables.
Should You Give Admin Access to Developers?
Yes, you should give admin access to your website to trustworthy developers so that they can identify the issue and fix it for you. However, the site you share doesn’t need to be your actual live website.
You see, developers want access so they can see the issue with the same hosting environment, plugins, and theme.
If you can make a copy of your website under the same hosting account, it will have all those variables in place while keeping your real website secure.
This temporary copy of your website is called a staging site.
A staging site is a clone of your live website that is used for testing changes before making them live.
Staging sites help you catch errors so you don’t end up breaking your live website. They also help you safely give developers access to make changes and troubleshoot bugs.
Method 1: Share Admin Access to a Staging Website
Many of the top WordPress hosting companies offer the option to create a staging site with one click.
You should first contact your WordPress hosting provider to see if they offer a 1-click staging site for your WordPress installation.
For more details on how to do it yourself, you can see our tutorial on how to make a staging WordPress site.
After you have set up your staging website, you need to log in to the admin area and add a new user account with the administrator user role.
After that, you can share this new admin user account with the plugin developer.
They can log in to your staging website and make any necessary changes.
Once they have fixed the issue, you can review your staging website and delete the temporary user account you created.
You can now deploy all changes to your live website. This will overwrite your live website and replace it with the staging version.
Note: Some WordPress hosting companies allow you to create a staging site after installing their helper plugin.
The downside of such a staging site is that the admin on the staging site will be able to deploy the changes to your live site without your approval.
In that case, we recommend using the manual method instead.
Method 2: Share Admin Access to a Manual Staging Site
Not all WordPress hosting companies offer 1-click staging websites.
In that case, you may need to manually create a staging website. This staging website will be a copy of your live website.
First, you need to log in to your hosting control panel and create a new subdomain for your staging website (e.g., staging.yourdomain.com).
For this tutorial, we will be using Bluehost. Do note that the steps might vary based on the hosting service you are using.
Once you’re logged in, click on the ‘Settings’ button for the website where you wish to create the subdomain.
From here, you will need to switch to the ‘Advanced’ tab at the top.
Bluehost will show different tools and settings you can access under the Advanced settings.
Next, you will need to scroll down and navigate to cPanel.
Go ahead and click the ‘Manage’ button.
On the next screen, you’ll see different tools.
Simply click on the MySQL Databases icon located under the Databases section in your hosting account dashboard.
On the next screen, provide a name for your database.
Then click on the ‘Create Database’ button.
Next, you need to create a MySQL user for your database.
Scroll down to the MySQL Users section and provide a username and password for your new database user.
Finally, you need to associate the user account with the database you created earlier under the Add User to Database section.
Simply select the new user in the dropdown, make sure your new database is selected, and then click the ‘Add’ button.
You will be asked to select privileges for the user.
Go ahead and select the ‘All Privileges’ checkbox and then click on the ‘Make changes’ button.
Your database is now ready to be used for your staging website.
Upon activation of the Duplicator plugin, you need to click on the Duplicator menu in your WordPress admin sidebar and click on the ‘Create New’ button.
Follow the onscreen instructions to create a Duplicator package for your website.
Once finished, you need to click on the ‘Download Both Files’ button to download the Duplicator package to your computer.
You’ll need to upload both of these files to the file directory of the subdomain you just created. For details, see our guide on how to use FTP to upload files to your WordPress website.
After that, you need to open a new browser tab and enter the subdomain of your staging site like this:
Don’t forget to replace staging with the actual subdomain and yourdomain.com with your own domain name.
This will launch the Duplicator installer wizard. Click on the ‘Next’ button to continue.
Now, you’ll be asked to provide the database information. Enter the database details you created earlier.
After that, simply follow the onscreen instructions to continue. Duplicator will unpack the WordPress package and install it for you.
Once finished, your staging website will be ready to visit. However, it is publicly accessible by anyone on the internet, including search engines.
Let’s change that.
Log in to your WordPress hosting account dashboard and click on the ‘Directory Privacy’ icon.
Next, you will see different directory folders.
Go ahead and click the ‘Edit’ button for the folder you wish to protect.
After that, you need to select the ‘password protect this directory’ checkbox.
You will also be asked to provide a name for the protected directory.
Don’t forget to click on the ‘Save’ button to store your settings.
Note: You’ll need to give this username and password to the developers so that they can access your staging site.
Finally, you need to log in to the WordPress admin area of your new staging website and create a new temporary user account to share with a developer.
Once the developer has fixed the issue, you need to delete their user account.
After that, you need to move your staging site from the subdomain to your root domain.
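An added example (not part of the original article) for the cleanup step in Methods 1 and 2: because the staging copy replaces your live site when you deploy or move it, check first that no administrator account other than your own remains. It assumes you have saved the output of WP-CLI's `wp user list --fields=ID,user_login,user_email,roles,user_registered --format=json` from the staging site; the user names, dates, `EXPECTED_ADMINS` and `HANDOFF` are constructed sample values.

```python
import json
from datetime import datetime

# Constructed sample of the WP-CLI JSON export from the staging site.
SAMPLE_EXPORT = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "roles": "administrator", "user_registered": "2021-03-02 09:15:00"},
 {"ID": 7, "user_login": "editor-anna", "user_email": "anna@example.com",
  "roles": "editor", "user_registered": "2022-11-10 16:30:45"},
 {"ID": 12, "user_login": "dev-temp", "user_email": "dev@plugin-vendor.example",
  "roles": "administrator", "user_registered": "2024-05-20 14:02:11"},
 {"ID": 13, "user_login": "support2", "user_email": "s2@plugin-vendor.example",
  "roles": "shop_manager,administrator", "user_registered": "2024-05-21 08:40:00"}
]"""

EXPECTED_ADMINS = {"siteowner"}          # assumption: admins you intend to keep
HANDOFF = datetime(2024, 5, 20, 14, 0)   # assumption: when access was shared


def audit_admins(export_json, expected_admins, handoff_time):
    """Return (login, reasons) for admin accounts that should not go live."""
    findings = []
    for user in json.loads(export_json):
        # WP-CLI prints multiple roles as one comma-separated string.
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in expected_admins:
            reasons.append("not in expected admin list")
        if registered >= handoff_time:
            reasons.append("created after access was shared")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_EXPORT, EXPECTED_ADMINS, HANDOFF):
        print(f"REVIEW {login}: {'; '.join(reasons)}")
```

An empty result means the only administrators left are the ones you listed; any other line names an account to delete before the staging copy goes live.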
Method 3: Share a Temporary Login Access (Less Secure)
This method allows you to create a temporary account that allows developers to log in to your WordPress website. You can set a fixed duration for the session, which will automatically expire afterward.
Note: This is less secure and will give a third-party developer complete access to your website. Only use this method if you trust the developer and understand the risks involved.
The first thing you need to do is install and activate the Temporary Login Without Password plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, you need to visit the Users » Temporary Logins page and click on the ‘Create New’ button to add a new temporary login account.
This will show a form where you need to enter information for the temporary login you want to add.
First, you need to provide the email address for the developer and then their first and last name.
Click on the ‘Submit’ button to continue.
The plugin will now create a temporary login URL. You need to copy this URL and send it to the developer you want to give temporary access to.
Once the developer has finished fixing the issue, you can delete this temporary link. Otherwise, it will automatically expire after the period you set during the login creation.
For more details, see our tutorial on how to create a temporary login link in WordPress.
We hope this article helped you learn whether or not you should give admin access to plugin developers to fix issues on your website.