Giving a developer access to your server feels like handing someone the keys to your business. Done carelessly, it creates real security risks. Done properly, it is a routine and safe process that enables effective remote work. This guide explains exactly how to do it right.
Never Do This
- Never share your root server password over WhatsApp or email in plain text
- Never give root access when a restricted account will do
- Never share the same credentials you use for other systems
- Never give permanent access to a developer working on a short-term project
Level 1: cPanel Access (Websites on Shared Hosting)
If your site is on shared cPanel hosting, you have several options for granting access safely:
- Sub-account with limited permissions: In cPanel, go to Account Preferences → Manage External Authentication or create a separate cPanel user with restricted access
- FTP account: Create a dedicated FTP account in cPanel with access limited to a specific folder. This lets a developer upload files without accessing email, databases, or other site configs
- WordPress admin account: Create a dedicated administrator account in WordPress for the developer. Do not share your own admin account — you want to be able to remove their access independently
Level 2: VPS/Root Server Access
For VPS servers, the principle is minimum necessary access:
- Create a new sudo user: Never share the root account. Create a new Linux user with sudo privileges instead. This gives full server access but maintains an audit trail
- SSH key authentication: Instead of a password, generate an SSH key pair and add the developer's public key to the server. This is more secure than a password and cannot be guessed or brute-forced
- Restrict by IP (optional): If your developer works from a fixed IP address, configure your firewall (UFW or iptables) to only accept SSH connections from that IP
Step-by-Step: Creating a Secure SSH User
- SSH into your server as root:
  ssh root@your-server-ip
- Create new user:
  adduser developerName
- Add to sudo group:
  usermod -aG sudo developerName
- Ask developer to send you their public SSH key (usually in ~/.ssh/id_rsa.pub)
- Add their key:
  mkdir -p /home/developerName/.ssh && echo "their-public-key" >> /home/developerName/.ssh/authorized_keys
- Set ownership and permissions (the directory and file were created by root, so hand them to the new user, otherwise sshd cannot read the key when the developer logs in):
  chown -R developerName: /home/developerName/.ssh && chmod 700 /home/developerName/.ssh && chmod 600 /home/developerName/.ssh/authorized_keys
Sharing Credentials Securely
Never send passwords or credentials in plain text over email or WhatsApp. Use one of these methods:
- Bitwarden Send: Free, creates a secure link that expires after use
- 1Password: Share a vault item directly with the developer
- OneTimeSecret (onetimesecret.com): Free tool — the link can only be opened once then it is destroyed
Revoking Access When Work Is Complete
This step is critical and often forgotten. When a developer's project ends:
- Delete their Linux/server user account
- Remove their SSH key from authorized_keys
- Change any shared passwords (cPanel, database, WordPress)
- Review the cPanel access log for any unusual activity before closing out
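Deleting the developer's account does not remove copies of their public key that were added to other accounts, such as root or a deploy user. The script below is an added example, not part of the original guide: it searches the text of authorized_keys files for a key by its key material, so a copy with a different comment or extra options is still found. The function names, file paths, comments and key blobs are constructed for illustration; `files` maps each path to that file's contents.

```python
import base64, hashlib, shlex, struct
KEY_PREFIXES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519@", "sk-ecdsa-sha2-")

def parse_entry(line):
    """Split an authorized_keys line into (options, type, blob, comment); None if no key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)  # keeps quoted option values (command="a b") in one token
    except ValueError:              # unbalanced quote: not a usable entry
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_PREFIXES):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format printed by ssh-keygen -l."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_key(developer_pubkey, files):
    """Return (path, line_no, options, comment) for every entry whose key material matches."""
    wanted = fingerprint(parse_entry(developer_pubkey)[2])
    hits = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            entry = parse_entry(line)
            try:
                if entry and fingerprint(entry[2]) == wanted:
                    hits.append((path, line_no, entry[0], entry[3]))
            except ValueError:      # blob is not valid base64
                continue
    return hits

def sample_blob(seed):  # constructed ed25519-shaped blob for the sample, not a real key
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

DEV_KEY = f"ssh-ed25519 {sample_blob(1)} dev@laptop"  # constructed sample data
SAMPLE_FILES = {
    "/home/developerName/.ssh/authorized_keys": DEV_KEY + "\n",
    "/root/.ssh/authorized_keys": f"# owner\nssh-ed25519 {sample_blob(2)} owner@office\n"
        f'from="203.0.113.7" ssh-ed25519 {sample_blob(1)} temp-access\n',
}

if __name__ == "__main__":
    print(*find_key(DEV_KEY, SAMPLE_FILES), sep="\n")
```

On a real server, read each account's authorized_keys file as root and pass the contents in; any hit outside the deleted account is a key that still grants access.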
Need Help Setting Up Secure Server Access?
NextCode Solutions can configure secure SSH access, create restricted user accounts, and set up proper access controls for your VPS or dedicated server.