Once you have signed up with an SEO provider and they’re setting the SEO campaign up, it’s not uncommon for them to request access to your Web Hosting logins, cPanel logins or FTP (File Transfer Protocol) details.
It’s an expected request, as placing or editing certain files on your server is necessary. However, this is sensitive information that grants a great deal of control over your digital assets (including, in most cases, your business e-mail accounts) to your provider.
It’s a big ask, especially since you’re likely only just at the beginning of this relationship with your SEO. It’s the same level of crazy as cutting a house key for someone you’ve been seeing for a week.
Why Do SEOs Need cPanel/FTP Access?
The common reasons that SEO’s will need to access your cPanel or have FTP access is to place files on your server, these files are more often than not:
- Google verification file to manage your website in Google Search Console (formerly Webmaster Tools)
- To edit you .htaccess file to create redirects or disallow bots from accessing certain pages of your website
- To edit certain parts of the website that aren’t accessible through your Content Management System (CMS)
Typically, these are once off tasks that an SEO would need to do at the beginning of a campaign.
The Safest Approach
Every business who relies on their digital assets should have a relationship with a locally based IT professional.
It’s important to ensure these services are local so that they are held accountable by local consumer protection laws.
Because these the tasks where SEOs need your cPanel/FTP details are a once off; it’s best to have your SEO send these files to your IT provider who can then check the files and implement them on your server themselves.
Extra Tips For Your Digital Security
Ensure that you’re not giving more access to your SEO or digital marketing providers than is absolutely necessary.
A few ways to avoid the common mistakes that I often see clients making are:
Provide SEOs with their own login details for your website and not the main/administrator login details. Ensure that they don’t have access to edit core files such as the header/footers or function files.
Never give login details to your e-mail accounts, especially if they are connected with your domain name. Everything your digital marketing providers need access to (like Google Analytics or Google Ads) can be provided by inviting their e-mail address to the account as a manager (and not as an Owner).
Never give Manage Users access to Analytics. Giving Manage Users access means that they can add whoever they like and remove whoever they like from the account, including you. That historical data in Google Analytics is invaluable and you don’t want your account held ransom. Edit permissions is usually all an SEO provider needs.
Would These Measures Annoy My SEO?
More than likely.
Yes, it is far more convenient for us SEOs to have unrestricted access – it does make the job quicker and easier.
But ultimately, I’d respect any client’s wishes to ensure their digital assets are safe and as long as there are ways for me to complete the work, the inconvenience is far from unbearable.
Why Do You Need To Take These Measures?
Sadly, the digital marketing industry is highly unregulated.
That means the people who can call themselves digital marketing professionals are not required to achieve a certain level of education, credentials or adhere to any industry body before being able to pose as “experts”.
Some SEO companies have been known to put malicious code on client websites and even create additional entry points to the website, so they can still access it even if passwords have been changed or their logins removed.
This is done to ensure that the website starts to perform poorly if a client decides to leave, hoping that the client will return since there’s a clear correlation with leaving the SEO provider and things going bad.
I’ve even seen a client suddenly have problems with their e-mails after leaving their overseas provider as they had the client’s web hosting logins – it was a lot of work liaising with the hosting company to get all the passwords reset and to rectify everything.
Of course, these are worst-case scenarios. You do limit the potential of this happening with local providers, but it’s always good to ensure the security of your digital assets as they continue play a greater role in most business’ marketing communications.
