Admin and server level access

Posted on


Level of access to the admin features in WordPress is different for each client and website and a certain amount of judgement is required in each case. Ultimately, it is your website, and HdK will give you the access you want. However, in doing so, we want to make sure you’re aware of any risks and make you aware that responsibilities may get blurred.

We do not want to restrict you from doing things you need to do on a regular basis and during the development process, as we learn more about you, we may be able to make adjustments to the access we give you. Occasionally, though some things are best left to developers for good reason and we’ll do our best to explore that with you.


Using WordPress’s system, we distinguish between Editors and Admin. We typically leave Admin access to HdK developers. Editor access is given to clients. It is important to note that these are just terms and most people understand the access they get as an editor is what others might mean by admin. It is simply a way of describing access levels.

Ultimately, a client having full admin can easily break things on the site and that is what we seek to avoid. HdK know this from experience building and managing hundreds of websites. We do not say this to protect any commercial interest. We want our clients to enjoy managing their own content in the confidence that it is safe to do so.

Equally, if something does go wrong as a result of a client having access to certain features, it can take HdK longer to understand the issue and can end up costing more to fix the problem.

Our guiding principle is to give the client access to as much as possible particularly things they are likely to change regularly. Sometimes, the budget agreed for the website means it might be more cost effective for HdK to change something that only needs changing very occasionally, than building in the ability for the client to update it themselves. If you have a support package with HdK this is typically the sort of thing that will be covered. If not, we can give you a quote.


One area we do not usually give access to are plugins – the applications and features created by third parties that we often use and customise for your website.

There are over 54,000 plugins created by third party developers around the world. The quality of programming for plugins is not guaranteed and as such some plugins are better than others.

At HdK we assess the quality of the plugin before integrating it with your website. Every plugin is a potential vector for problems. Having a non-developer pick any plugin from the vast amount of plugins available on the web, makes it harder for us as your developer to own responsibility for any problems that arise.

These problems can be as bad as the plugin having a vulnerability that lets hackers into the site, or as simple as clashing with another plugin, causing pages to disappear or show ugly warnings and errors on the site.

Here are two examples of plugins and the reasons why we believe it is best to reduce client’s access to them.

The Advanced Custom Fields plugin

This plugin services all the fields for content on the site. These fields are all directly related to pieces of the scripts in the template. One toggle set the wrong way, will sooner or later cause a cascade effect of problems. Custom Fields should only be touched by the developers of the website.

Even when a client is warned and is careful to avoid touching custom fields, it has been known to happen accidentally, as there are direct links to each Custom Field right in the edit pages. These links are not there for editors (which is safe), but they are there for admins.

Finding and fixing the cause of a problem resulting from an accidental change in a custom field setting, can be very time consuming, and might even result in missing content on various pages that is not easily recovered.

Members plugin

This is the plugin we use to make sure that Editors can edit the navigation menus.  Someone with admin access could easily change access levels for all other users, which might cause problems when one of those users touches something they shouldn’t touch, like for example the Custom Fields.


Similar reasoning applies to having access to the servers. There are a lot of things that could potentially go wrong with your website. There are many different set ups and sometimes someone with a little knowledge can cause the most damage. Our approach is to meet with the person online to assess their experience, explain what we know about the set up of the project and to make sure everyone is aware of the risks involved. Any access after that needs to be co-ordinated carefully to make sure that back ups are available and HdK developers are on hand should anything go wrong. Ultimately, we can hand over full responsibility to another party if required but we prefer to do this in a safe and controlled way to ensure that security and customer privacy is always maintained.