Ultimate Guide to Sharing User Access Safely

For any online business, sharing user access is inevitable. At one point or another, you are going to have to let someone inside your systems. It might be for a quick fix or long-term work. Whatever the case, sharing user access puts your business at risk. Once you accept this, you can get in the right frame of mind to do it safely.

None of us like to think that the next person we depend on for help is going to be the wolf in sheep’s clothing. The reality is, however, that you never know who is going to be the one to pull the wool over your eyes. Theft and fraud can happen at any time, so you need to guard your systems to reduce the risk of it happening to you.

FreeUp takes very seriously the safety and security of all our clients and the freelancers who work through the marketplace. We always do everything in our power to ensure that everyone is free to work and grow their businesses without having to worry about getting cheated. There is a limit, however, to what we at FreeUp can do to protect all of you. This is why we have put together this ultimate guide to sharing user access safely.

Use these tips to protect your accounts to minimize your exposure to those who might seek to exploit you and your business.

The Main Thing When Sharing User Access

If you just don’t have the time right now to read through all of these tips, the single most important one we can share with you is this:

Do not ever give out your main account information to anyone, no matter what.

There is absolutely no reason why anyone would need to access a website, marketplace store, CMS, or any other platform or tool using your credentials. There are always ways to grant access to someone who needs to get into that system. Even when someone needs top-level access, you can create that level of user access without giving yours away.

You should never give away your main account information because this is what the system will use to verify ownership. It is the top-level information that gives ultimate access to anyone who has it. It’s the master key, so to speak, and giving it away is like turning over ownership. If you don’t want to do that, then simply do not ever share your main credentials.

Now, if you’ve come this far, we have several more tips for you on sharing user access safely.

Set Specific User Access

Building from the main idea of never giving away your main account information, the first step to sharing user access safely is always creating specific access for each person. This is done by creating a different User account for each person who needs to access that system. Each User should then be given only the permission levels that they need to do their work.

If you aren’t sure what these permission levels are, don’t just guess. There are always ways to find out how to properly set up user access for specific tasks. Different platforms will have different processes for this, so the best source of information is the platform itself. Contact customer service and get their help. There are also various articles you can consult on the subject of sharing user access safely.

We can’t outline each process for every tool out there in this article, but we have here the steps to take for three of the major platforms used in eCommerce:  Amazon, Shopify and WordPress. The general tips apply across the board, for any tool or platform you are sharing user access for.

Amazon User Permissions

When you create your Amazon Seller Central account, only you have access. You are the Primary user – the account administrator – and have access to every tool, feature, and page in your account.

To share user access with another person, you must have a Professional selling account. If you’re on an individual account and you need help on it, it’s wise to work only with Amazon seller support to resolve any issues. You can also make use of the forums to get advice from other sellers on how they resolved similar issues.

Here are the basics of granting Amazon access as a Professional seller to a secondary user. In that post, you will also read about adding a layer of security with a non-disclosure agreement and adding user permissions slowly until you have built a higher level of trust with that person. Having a non-disclosure agreement is a good idea for whatever kind work you are hiring for, Amazon or not. Building trust is also very important in all hiring situations.

It’s good to note that although user account credentials are unique and confidential, you can change or remove access at any time from your end. Make sure, however, that you do not make a user an Admin by granting them overall View and Edit permissions. This gives them access to the User Permissions Page where they can change any permissions at will.

Shopify

This popular eCommerce site builder allows subscribers to create staff accounts for others to access certain areas of a store. Like Amazon, you can set specific permissions for each user account so that they don’t gain access to sensitive information. Depending on your pricing plan, you can create one or unlimited users:  one user on Shopify Lite, 2 users on Basic Shopify, 5 users on the Shopify plan, 15 users on Advanced Shopify, and unlimited users on Shopify Plus.

Owner permissions allow total access to a Shopify store, including accounts and financials. You want to keep this level access for yourself only. Ownership of a Shopify store can be transferred, so be careful not to do this by accident.

Full permissions allow a user to access all the sections of the store, except for the sensitive account and financial information. Limited permissions restrict access to certain sections of the store. This is what you want to pay attention to so that you are sharing user access for only the areas that a user needs to get into.

If you are on the Shopify plan and use Shopify POS, you can create a PIN for a user that allows access to the POS only. To do this, you need to access the Shopify POS staff screen on an iPad. There is no limit to how many POS staff accounts you can create. Note that users with Full permissions can also add or remove POS access using the app. Monitor POS access carefully to avoid fraud. The user who processes a POS checkout is linked to that sale and they appear in the POS and Shopify admin order details.

WordPress

A fresh WordPress installation comes with five default user roles:  Administrator, Editor, Author, Contributor, and Subscriber. The infographic below neatly displays the default permissions allowed for these basic roles.

Administrators on WordPress can do anything on the site. You should reserve this role for yourself. Admins can even delete other Admin users. Be especially careful if you are running a multi-user site since Admins can access everything.

If someone is building the site for you or fixing a bug, they will need Administrator access. Because of all the different combinations of hosting and themes and plugins, it’s not easy to tell what’s wrong with a site without thorough testing. In these cases, you have no choice but to allow access. Be sure, however, that you restrict this user’s access when their work is done. You can always reinstate access if you need them to do another task on the site.

Editors have full control over the content areas of a WordPress site. This role was created for blog managers, since WordPress was initially a blogging platform. Authors have limited access to content sections. By default, they can create, edit, publish and delete their own posts. They cannot create new categories, touch the posts of other users or moderate comments on any posts.

The Contributor role is the safest for newly hired writers. They can add and edit posts, but they can’t publish them. The only setback for these users is that they can’t upload media, so they can’t add new images to their posts. Subscribers can only edit their user profiles, so this role is only good for a site that requires people to log in before they can read posts.

If you run a Multisite Network, there is another level of access – Super Admin access. Do not give this type of access to anyone unless absolutely necessary. A Super Admin can delete entire sites on the network and make changes that take effect throughout the network in addition to anything that a default Administrator can do.

You cannot always be sure that you can trust someone you’ve hired before sharing user access to your blog content. Although they cannot steal product, if they have a mind to, they can wipe your blog clean – or at least all the posts you paid them to write. One solution is to generate regular backups of all your content. This is a good idea anyway, just in case something else goes wrong with the site.

Another solution is to customize roles through the use of a plugin for user management. This way, you can prevent Authors from being able to publish and delete their own posts, for instance. You can also create your own fully customized roles so that sharing user access to your site becomes easier. With certain plugins, you can create more defined access than the default roles allow. This way, it’s less of a hassle and you’re more likely to keep your site secure.

Why Hires Sometimes Cheat

Beyond the technical side of sharing user access, it’s important to note the main reasons why someone might want to take advantage of you, so that you are prepared. To really be safe, you need to recognize the signs of malicious intent so you can prevent bad behavior before it starts.

Payback

In many cases where a hire steals or does something to damage you or your business, it’s because they have felt mistreated. It may be that the pay was too low, tasks were added beyond the scope of your initial agreement, you demanded more hours than they were willing to render, you were disrespectful to them, and the like.

These situations are rarely cut and dry, but they can still be easily avoided.

Low Pay

You may not realize when you post a job that the person you are hiring wants a better rate. Some people from cultures that encourage open communication will tell you so. When their desired rate doesn’t suit your budget, however, they may take to the job anyway out of desperation. Other people are not so forthcoming and will grin and bear it until the pressures of need overwhelm their better judgment. Soon, they will feel underpaid and seek ways to get whatever compensation they feel is missing.

Avoid the dangers of disgruntled hires by managing your expectations when hiring on a low budget. Don’t try to get more for your money when you know that the work doesn’t match the rate – and you should know this before you hire. There are websites where you can research the going rates for different tasks. Don’t hire someone unless you’re sure that they are happy with the rate you’re offering.

Out of Scope Work

Even when a hire is happy with the rate you are offering for certain tasks, you can’t just ask them to do other things for the same rate. The rate you agreed on was for a specific set of tasks – it covers only the scope of work that you started out with. If you want them to do other work for you, talk about it like it’s a separate job, because it is. Start from the beginning with your budget. If they are not happy with the rate, you can meet their desired rate or find someone else.

For every task or set of tasks you’re hiring for, you must find this balance with a hire between work and pay. Once that’s agreed, create a document that outlines your expectations for work. This ensures that you both stay on the same page by having something to reference. The document should begin with the scope of tasks and the details of how you prefer that they are performed.

If you see an opportunity to add tasks as you gain confidence in a new hire, always ask them first. Make sure that they have the hours available and that they want to do those tasks. Don’t try to manipulate them in any way to make them more willing to do the extra work.

Lack of Respect

Freelancers are business owners like yourself. They may not run multimillion-dollar online stores, but they are still business owners. More likely than not, they escaped the nine-to-five grind just like you did. Most likely, it was because they couldn’t cope with that condescending employer-employee structure that is so common in the corporate world. If they wouldn’t tolerate it then, they are not going to tolerate it now, especially when freelancing doesn’t come along with great health and social security benefits. Don’t push them over the edge by treating them like they owe you a favor or that they should be ever so grateful that you hired them.

Desperation

Sometimes, people do awful things that they would not do under normal circumstances. A hire who was originally happy with the rate, the scope of work, the hours, and their professional relationship with you might suddenly become unhappy. Perhaps they ran into some trouble and don’t know how to get out.

Avoid being the victim of a desperate act of theft or sabotage by watching for signs. Anyone whose behavior suddenly changes is going through something. You don’t have to know exactly what it is, but you can surely reach out, even if it’s just to let them know that you care. You should be checking in with hires regularly, anyway, to strengthen your relationship and make sure work is flowing smoothly. The more you meet with them, the easier it will be to spot red flags. Plus, the better you treat them and the more effort you put into getting to know them, the less likely it will be for them to target you.

The Con

It’s always a good sign when you find someone who is eager to work with your business. Watch out, however, for anyone who seems too eager to join your team. This may indicate a level of excitement that does not stem from that good place of having values and interests that are in line with yours.

No matter what you do, there is always the chance that you’ve hired a con artist. This person is not mistreated or in trouble. It is simply their plan from the very beginning to get something from you. Again, you can avoid falling victim to a scammer by being vigilant so that you can see the signs.

Final Thoughts

Whenever possible, set up Multi-factor Authentication on each of your accounts to ensure that you’re always in control. Amazon, Shopify, and WordPress all have this security feature available.

Don’t forget to monitor your account activity. One way or another, every eCommerce platform and tool will allow you to view sales activity, for instance, so you can track payments and spot any strange shipments. Investigate anything that looks out of place. If some monkey business has been going on, at least you will have found it out early on so you can minimize your losses.

If you notice a problem developing between you and a hire, address it. Even if it seems like a small issue, don’t ignore it. Nip it in the bud so it has no chance to fester and grow. Most misunderstandings and disagreements can be worked out by just having a good talk where each party is open and honest.

If you see anything suspicious at all, particularly on your FreeUp account, do not hesitate to reach out. Let us know what you’re facing and we will do all that we can to investigate your concerns and resolve the issue.