At some point, anyone with a website who is working with a third party (a web developer, an SEO consultant, etc.) is going to get asked for their "hosting credentials" as casually as they might get asked for their phone number. But if you aren't working with your site every day, this can be a confusing question. In this article we'll try to help it all make some sense.
In the simplest terms, this is a user name, a password, and information on where to use them. But it's often not simple. To a great extent, the correct answer will depend on who is asking!
The request could be for any of:
- Your domain registrar's login.
- Your hosting company's client login.
- Your hosting control panel login.
- Your hosting FTP login.
- Your website's dashboard / administrator login.
These forms of credential are listed in order of decreasing importance and risk. Whenever possible you should try to limit the access other people have to your accounts to the lowest level possible.
Just to make things more complicated, depending on your specific setup, the first three items in this list could be one, two, or three different logins. Let's look at each and why someone might need them.
Some logins also have a form of two-factor authentication (commonly abbreviated as 2FA). 2FA can range from something fairly simple like a verification question that requires personal information (for example, the name of your first pet), to a method that requires that you enter a time-sensitive code sent to your phone. If you have 2FA enabled, then you may have to relay the code to the person you want to allow into your account.
We have an article that talks about the difference between many of these credentials. See Too many terms! What do Domain, Hosting, Control Panel, Dashboard, Back-end, etc. mean? for more detailed information.
For most people, their web host and their domain registrar are the same. But there's no reason why this has to be the case. It's entirely possible to register your domain at Keisha's Domain Company and have your hosting with Little Bear Hosting. Usually the only reasons why a third party would need access to your domain are if you're transferring it to another registrar (like Abivia) or if you're keeping the registration in the same place but moving the hosting. Exercise extreme caution when giving out credentials to your registration account. Be absolutely certain that you can trust the person you're giving this information to, because anyone with this information can take control of your domain. Also, when the work is done, if you don't have a two-factor authentication system, change your password so that access is revoked. Even if you trust the person you're working with, there's no guarantee that their systems won't be compromised at a later date, potentially putting you at risk.
- The registrar's URL.
- User name.
Hosting Customer Panel
Your customer panel credentials provide access to changing or ordering new services for your website, email, etc. This is also where you pay your hosting bill and create tickets for technical support. There are few reasons why you would want to provide this information to a third party; one example is if you need to modify your hosting plan. If someone is just working on your website, they shouldn't need this information.
- The host customer panel URL.
- User name.
Hosting Control Panel
The control panel is the place where you can create and remove email and FTP accounts (more on FTP below), add subdomains, create databases, install and configure website software, and more. If someone is building a new site for you from scratch then they will need access at this level. If they're just updating content or performing Search Engine Optimization (SEO) for you, they should not normally require this level of access.
Most host control panels don't support 2FA, but that is starting to change. When the work is done, you can usually change the control panel password from the customer panel. Yes, the terms can be confusing!
- The host control panel URL.
- User name.
If your developer is uploading a large volume of images, PDF files, or other media, then they will likely want FTP access. For most hosting control panels, your control panel user name and password will work for FTP, but the account-level FTP credentials will also provide remote access to your entire site. Your control panel should allow you to create a new login that is restricted to the part of your account that they need. For example, in WordPress, you might only want to give them access to your site's wp-content/uploads folder.
- The FTP server address and port number.
- User name.
If you've hired someone to improve your search results, upload new content, or make minor design changes to your site, then these are all the credentials they should need. In fact, it is a good practice to create a specific login for the people you're working with and to only give them the permissions required to do the work you need. In WordPress you'll need to give them an administrator account. In a more robust CMS you can usually provide more restrictive access. Besides access control, the advantage of creating a separate user account is that you can disable it when the work is done, which means you won't need to reset your own password.
- Your site's admin URL. For WordPress this would be https://yoursite.ca/wp-admin; for Joomla it is https://yoursite.ca/administrator.
- User name.