Security & maintenance

Least-privilege credentials and break-glass access for owners

Updated 2026-04-11 · Practical guide for NZ small businesses

Short answer: Give staff and agencies the minimum access that lets them do their job—and keep a separate “break glass” owner path so you are never locked out of DNS, billing, or the CMS.

Most NZ SME incidents trace to shared passwords, ex-contractors who still have FTP, or one Google account that controls everything with no backup MFA device.

Roles that should exist on a typical site

  • Owner: billing, domain registrar, DNS, emergency admin—ideally two trusted people can reach these.
  • Editor / Author: can publish content but not install plugins or change users.
  • Developer: staging + production deploy access via keys, not shared root passwords.

Break-glass kit (store offline)

The kit holds the logins for the registrar, DNS provider, hosting panel and primary CMS admin, plus the recovery codes for MFA. Test recovery once a year; discovering stale phone numbers during a crisis is expensive.

Offboarding checklist

When someone leaves, revoke CMS users, rotate shared secrets they touched, and audit integrations (forms, email SMTP, payment gateways) for tokens tied to their email.
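The checklist above, together with the "two trusted people" rule for Owner access, run as a script over an access inventory. This is an added example, not part of the original guide; the inventory layout, system names and e-mail addresses are constructed for illustration.

```python
# Offboarding audit over a constructed access inventory (all names are made up).
OWNER_SYSTEMS = {"registrar", "dns", "billing", "cms-admin"}

INVENTORY = {
    "people": {
        "aroha@example.co.nz": {"active": True},
        "sam@example.co.nz": {"active": True},
        "dev@agency.example": {"active": False},   # contractor who has left
    },
    # Individual accounts: (system, account holder, role)
    "accounts": [
        ("registrar", "aroha@example.co.nz", "owner"),
        ("dns", "aroha@example.co.nz", "owner"),
        ("dns", "sam@example.co.nz", "owner"),
        ("billing", "aroha@example.co.nz", "owner"),
        ("cms-admin", "aroha@example.co.nz", "owner"),
        ("cms-admin", "dev@agency.example", "owner"),
        ("cms", "sam@example.co.nz", "editor"),
    ],
    # Shared secrets: name -> people who have seen or used them
    "shared_secrets": {"ftp-password": ["dev@agency.example", "sam@example.co.nz"],
                       "smtp-password": ["aroha@example.co.nz"]},
    # Integration tokens: integration -> e-mail address the token is tied to
    "integration_tokens": {"contact-form": "dev@agency.example",
                           "payment-gateway": "aroha@example.co.nz"},
}

def audit(inv):
    """Return a sorted list of (action, target, detail) findings."""
    gone = {p for p, info in inv["people"].items() if not info["active"]}
    # 1. Accounts still held by people who have left.
    findings = [("revoke", s, h) for s, h, _ in inv["accounts"] if h in gone]
    # 2. Shared secrets a departed person touched must be rotated.
    for name, users in inv["shared_secrets"].items():
        for u in sorted(gone.intersection(users)):
            findings.append(("rotate", name, u))
    # 3. Integration tokens tied to a departed person's e-mail.
    for integ, email in inv["integration_tokens"].items():
        if email in gone:
            findings.append(("reissue-token", integ, email))
    # 4. Break-glass check: each owner system needs two active owners.
    for system in OWNER_SYSTEMS:
        owners = {h for s, h, r in inv["accounts"]
                  if s == system and r == "owner" and h not in gone}
        if len(owners) < 2:
            findings.append(("add-second-owner", system, f"{len(owners)} active"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(INVENTORY), sep="\n")
```

On the sample data, removing the contractor leaves the CMS admin with a single active owner, so the offboarding itself triggers a break-glass finding.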

Frequently asked questions

Is a shared 1Password vault enough?

It helps—pair it with individual accounts where the platform supports it so audit logs show who acted.

Should the owner use the same login as the agency?

No. Agencies should have their own user with a documented role; shared owner credentials erase accountability.