Sharing access with contractors: safer handover patterns
Short answer: Create named accounts, time-bound access, and a handover pack (repos, DNS, keys)—never “one password everyone shares forever”.
Agencies appreciate clarity too; ambiguity causes slow fixes and duplicated effort.
Patterns that scale down to one-person shops
- Named CMS users with roles; disable when the contract ends.
- Project vault for secrets instead of Slack DMs of root passwords.
- Read-only dashboards for stakeholders who only need analytics.
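An added example, not part of the original page: a small access review over an account inventory that flags shared accounts, access left enabled after a contract ended, and access with no end date. The CSV columns, account names and dates are constructed, and exempting read-only access from needing an end date is an assumption.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical systems, users and dates).
SAMPLE_INVENTORY = """\
system,username,owner,role,contract_end,enabled
cms,jane.doe,Jane Doe,editor,2024-03-31,yes
cms,admin,,administrator,,yes
hosting,sam.lee,Sam Lee,deployer,2024-09-30,yes
analytics,board-view,Pat Kim,read-only,,yes
dns,old.agency,Alex Roe,administrator,2023-12-15,no
"""


def review_access(inventory_csv, today):
    """Return sorted (system, username, finding) tuples for rows that break the patterns."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        row = {k: (v or "").strip() for k, v in row.items()}
        if row["enabled"].lower() not in {"yes", "true", "1"}:
            continue  # already disabled, nothing left to revoke
        key = (row["system"], row["username"])
        # Named accounts: every enabled login maps to one person.
        if not row["owner"]:
            findings.append(key + ("shared or unowned account: no named person",))
        # Time-bound access: an end date exists and has not passed.
        end = row["contract_end"]
        if end:
            if date.fromisoformat(end) < today:
                findings.append(key + (f"contract ended {end} but account still enabled",))
        elif row["role"].lower() != "read-only":  # assumption: read-only viewers may be open-ended
            findings.append(key + ("no end date on non-read-only access",))
    return sorted(findings)


if __name__ == "__main__":
    for system, user, finding in review_access(SAMPLE_INVENTORY, date(2024, 6, 1)):
        print(f"{system:10} {user:12} {finding}")
```

Run it against an export from each system on a schedule and at every contract end; an empty result means every enabled account is named and time-bound.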
Handover minimum artefacts
List hosting, registrar, DNS, email provider, repo URL, deployment method, payment plugins, and cron jobs. Document the environment variables the site needs, but keep their secret values out of git.
Legal and commercial clarity
Who owns code, licences, and third-party API keys after the project? Sort this when everyone is friendly—post-dispute recovery is slow.
Frequently asked questions
They asked for my main Google login—normal?
Prefer granting access to specific properties (Analytics, Search Console) over full account sharing.
Freelancer disappeared with credentials—now what?
Use registrar/host recovery flows, prove domain ownership, rotate everything, and rebuild access from known owners.