Why Ex-Employees and Clients Could Pose a Threat to Your Website

As a busy website owner, you can’t manage everything. Eventually, you may need to bring on additional team members, freelancers, developers, or agencies to help with maintenance, content creation, or other tasks. These people may require access to your WordPress dashboard – but this could put your business at risk.

The more people who have access to your website, the greater the risk of data breaches, which can be disastrous for your business. Thankfully, you don’t have to choose between collaborating with specialists and keeping your website safe.

In this article, we’ll explore why ex-employees, clients, and other business partners may pose serious risks to your WordPress website. We’ll then share three tips you can use to collaborate safely. Let’s get started!

Why former employees could pose a threat to your business

Many business relationships come to an end. Perhaps an employee leaves for a new job, a customer chooses not to renew their contact, or a contractor completes their project.

Even if a relationship ends amicably, it’s still smart to remove ex-employees and business contacts from your WordPress website. Your website is one of your most valuable assets, but it can be used against you.

A disgruntled ex-employee may steal and publish confidential data. This is exactly what happened to food delivery service Chowbus. According to reports, an ex-employee stole the information of up to 800,000 Chowbus customers and emailed this data to “nearly all” of them.

This kind of data breach can be devastating to your reputation. It can also have serious financial consequences.

The 2011 Epsilon breach is thought to be the most expensive data breach of the 21st century, costing the email marketing company up to $4 billion. With the costs so high, it’s unsurprising that the majority of small companies close their doors following a breach.

A third party with a grudge may also deface your website. If your site is visibly hacked, it can destroy consumer trust in your business. You may also become blacklisted by Google, which can cause your traffic to plummet.

Malicious former employees may also sell your WordPress data to your biggest competitor, or use it to gain an unlawful competitive advantage in their new job. With the economic uncertainty surrounding COVID-19, many people are feeling increased financial pressure. For someone who still has access to your website, the potential financial rewards may prove difficult to resist.

Finally, an unhappy business contact may delete your WordPress data or even your entire website. If you haven’t created a backup, you could wake up to discover that years of hard work is gone forever.

How to protect your website from ex-employees and clients (3 key tips)

Whenever someone parts ways with your business, it’s important to remove them from your website. An ex-employee, contractor, partner, or any other contact who retains access to your WordPress dashboard is a potential threat to your business.

Regardless of whether you already have a team of collaborators or you have a startup and are considering bringing your first employees on board, it’s time to put a deprovisioning process in place. Here are three tips for protecting your WordPress website and your business against ex-employees, clients, and other parties who may try to use your website against you.

1. Create security policies and documentation

Hopefully, you foresee a long, happy relationship with all your employees and business contacts. However, it’s still smart to have a written deprovisioning plan in place. Then, if you ever need to revoke someone’s access from your WordPress site, you’ll have clear instructions that you (or your team) can follow.

Removing access to company accounts is one of those frustrating bits of administration that’s easy to delay, particularly if you trust the person in question or parted on good terms. However, the longer you wait to revoke access, the greater the risk to your business.

A study by identity and access management provider OneLogin discovered that 25 percent of respondents took longer than a week to deprovision ex-employees. Even more worryingly, a further 25 percent were unsure how long ex-employee accounts remained active.

To close this security loophole as quickly as possible, you should set a deadline for each step in the process. Any uncertainty or confusion can increase how long it takes to secure your website.

For this reason, your policy should clearly define who is responsible for each step. This accountability can be a powerful motivator, encouraging your staff to complete the process as quickly as possible.

Revoking access to your WordPress website is a solid place to start. However, it’s also wise to remove former users from any additional apps and services that are related to your business.

To make this process easier, your policy should define all the applications and services that employees and other business contacts have access to. Then, when you part ways with them you’ll know what accounts you need to delete.

2. Don’t rely solely on passwords

Protecting your WordPress website with a long, complicated password is a security best practice. However, there are plenty of additional mechanisms that you can apply, too.

Some techniques, such as Two-Factor Authentication (2FA) can make it more difficult for ex-employees and business contacts to access your site, even if they retain a valid username and password. For example, if you block an ex-employee from your 2FA app, then they’ll be unable to access your WordPress dashboard even if you don’t immediately change their password.

You can also restrict login access to specific IP addresses. By doing so, you’ll have greater control over who can see your dashboard. Once you part ways with a business contact, you can block the IP address(es) associated with their account.

This doesn’t guarantee that a malicious third party will be unable to access your website. However, IP blocking can be effective when used in combination with other security techniques, such as changing their password, deleting their account, or suspending their 2FA.

By deploying multiple security measures, you can make it difficult for even the most determined hacker to break into your WordPress website.

3. Restrict access or deny it completely

There’s one powerful way to protect your website against ex-employees, clients, and other business partners – don’t give them access in the first place. Just because someone requires the use of your dashboard doesn’t mean you need to hand over login details.

Not everyone is a WordPress expert, so giving someone unrestricted access to your dashboard can actually make their job more difficult. There’s also the chance that they may accidentally damage your site.

This includes deleting important data, installing insecure plugins, or even deleting your website entirely. This would be disastrous for you, but would also be incredibly stressful for the party responsible.

If someone requires access to your WordPress dashboard to carry out their responsibilities, then you may want to consider using ManageWP’s Collaborate feature. It enables you to delegate work and provide restricted access to certain parts of your website without having to share your WordPress login details.

You can even provide read-only access, which guarantees collaborators won’t accidentally delete any important data:

Deprovisioning ex-employees with ManageWP's Collaboration feature.

Once you part ways, you can remove the collaborator from your ManageWP account. Since they never had access to your WordPress login details, you don’t need to worry about changing your password or deleting any user accounts:

ManageWP's Manage Collaborators settings.

If you’re working with a large number of collaborators, then you can also create ManageWP groups. Grouping can be particularly useful when collaborating with external organizations, as you can remove an entire team with ease.


As your website grows, you may decide to enlist the services of specialists such as WordPress developers, freelancers, or agencies. This will often require these third parties to access your WordPress dashboard. This can seem daunting, but it doesn’t have to put your website at risk.

By using tools such as ManageWP’s Collaborate feature, you can control exactly what information and features others have access to. You can also use it to revoke access as soon as it’s no longer required. This is essential when working with third parties, but it’s also wise to remove ex-employees who may inadvertently open your site to attacks.

Do you have any questions about how ManageWP’s Collaborate feature can help protect your website? Ask away in the comments section below!

Image credits: Pexels.

Will Morris

Will Morris is a staff writer at WordCandy.co. When he's not writing about WordPress, he likes to gig his stand-up comedy routine on the local circuit.


Leave a Reply

Your email address will not be published. Required fields are marked *

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!