Getting Started

Working With Web Developers – The Hosting Handoff

Hiring or working with a web developer - what hosting access to give, what to keep yourself, and how to avoid the trap of losing control of your own site.

5 min read

Most small businesses hire developers or agencies to build their website. The handoff — who gets what access, who pays for hosting, who owns what — is where things commonly go wrong. Sites built years ago end up locked to developers who’ve moved on. Renewals lapse. Domains expire. This guide explains the access boundaries that protect you while still letting developers do their work.

The cardinal rule

You own the hosting account and domain. Developer accesses them with credentials you provide.

Common antipattern: agency registers domain in their name, opens hosting account in their name, pays for both, charges you monthly “to manage.” If you part ways with the agency, getting your assets back ranges from annoying to nightmare.

Better: you own everything; you grant developer access.

What you should own/control directly

  • Domain registration — In your name, your billing email.
  • Hosting account — In your name, on your credit card.
  • Email addresses on your domain — Especially admin@, billing@, primary contact.
  • SSL certificates — Usually AutoSSL on your hosting, no separate ownership needed.
  • WordPress admin account — Even if developer is doing work, have an admin account you can log in as.
  • Third-party services (Stripe, Mailchimp, etc.) — In your business name with you as primary contact.

What developer gets access to

  • WordPress admin user account (their own, not yours).
  • cPanel access — your password OR an additional cPanel team user with limited permissions. Team users guide.
  • SFTP credentials for file uploads.
  • Database credentials if needed.
  • DNS management access (only if they handle DNS for you).

Never share your password — give them their own credentials you can revoke.

Setup checklist when hiring a developer

  1. Domain in your name with you as registrant. Confirm in WHOIS.
  2. Hosting account in your name with your billing details.
  3. Add a WordPress admin user for the developer (their own email, their own password).
  4. Add a cPanel team user for the developer with relevant permissions.
  5. Add an SFTP user with access only to needed directories.
  6. Document everything in a single place (password manager, encrypted document).

When project completes

  1. Developer hands off documentation (what’s installed, configuration, integrations).
  2. You verify you can access cPanel and WordPress admin.
  3. You change all relevant passwords (just in case credentials leaked, even with trusted developer).
  4. Remove developer’s team user if no longer needed, or change to read-only access.
  5. Update WordPress admin password if developer ever had access to your account.
  6. Document final state of site for future reference.

Ongoing maintenance arrangements

After launch, common arrangements:

Self-managed

  • You handle updates, backups, content changes.
  • Developer available hourly for emergencies/complex tasks.
  • Cheapest; requires you to maintain skills.

Maintenance retainer

  • Monthly fee covers updates, backups, security monitoring.
  • Common for sites generating real revenue.
  • $30-200/month range typically.

Full management

  • Developer handles hosting, maintenance, content updates, performance.
  • You focus only on content/marketing direction.
  • Higher cost but appropriate for some.

Whichever arrangement: ALWAYS retain own access to hosting account. “I forgot the password” or “the agency closed and I can’t reach them” should not be possible.

Red flags from agencies

  • “We’ll register the domain for you” with no plan to transfer ownership.
  • “We use our own hosting; you can’t see it directly.”
  • Vague pricing on “maintenance” that suspiciously matches what hosting+small agency margin would cost.
  • Won’t provide direct hosting credentials.
  • “Our proprietary CMS” — locks you to them for ongoing changes.
  • Refusing to discuss handoff terms upfront.

None are necessarily fraud; some agencies have legitimate reasons for their model. But all are signs to negotiate access and exit terms explicitly before signing.

Getting a site back from an unresponsive developer

Sometimes happens. Steps:

  1. If domain is in your name, transfer to your preferred registrar. ICANN process; can’t be blocked.
  2. If hosting is in their name, your options are limited. Consider building a new site at your own hosting and switching DNS once ready. Migration guide.
  3. If domain is in their name, escalate via ICANN registrar transfer policies; document attempts; may need legal help if developer refuses.
  4. Going forward: never let this happen again.

Documentation you should maintain

  • Hosting login (cPanel URL, username, password — in password manager).
  • Domain registrar login.
  • WordPress admin login.
  • Database credentials.
  • Email account credentials.
  • Third-party services and credentials.
  • Developer/agency contact information.
  • Current theme and major plugins with licenses.
  • Approximate site value and last major update date.

Update once a year or whenever major changes happen. Future-you will thank present-you.

Specific things to discuss before hiring

  • Who owns the design files / source code? (Should be you, after full payment.)
  • If we part ways, do I get hand-off documentation?
  • What’s included in “maintenance” specifically?
  • How are emergencies (site down, hacked) handled?
  • Response time expectations.
  • What happens to our hosting and domain if we end the relationship?

Written answers go in the contract.

Working effectively with a developer

  • Specific feedback beats vague. “The footer on the contact page is misaligned on mobile” beats “looks bad.”
  • Use staging sites for review. Developer builds in staging, you review, approve, they push to live. Staging.
  • Batched feedback works better than constant requests. One round-trip per week.
  • Trust technical decisions. If developer recommends against a specific plugin, don’t insist.
  • Push back on bloat. “Do we really need all these features?” — sometimes scope creeps unproductively.

Common questions

“Developer says I shouldn’t have admin access — that’s normal for security.” No it’s not. You should have admin access to your own site. Developer can use their own account for daily work.

“They want to charge me $50/month forever for ‘hosting management.'” If reasonable maintenance covers it, fine. If you’re getting nothing identifiable, no.

“I’m being charged $100/month for hosting that I see on iWebVault costs $5/month.” Markup is normal for managed services; 20x markup is excessive. Ask what’s included.

“Can I keep working with my developer but move hosting to iWebVault?” Yes — migrate hosting, give developer access to new hosting. Developer’s expertise transfers; hosting is fungible.

“My developer disappeared. Site is up but I can’t make changes.” Have hosting access? Reset WordPress admin password via cPanel: WordPress Manager or phpMyAdmin. If no hosting access, you may need new hosting + migration.

What’s next

The core insight: developers are valuable for what they build, not for being middlemen on your hosting bills. Own your domain, your hosting account, your accounts. Grant access for work. Pay developers for their actual time and expertise. The relationship stays clean; if you part ways, you keep everything that matters.

Was this helpful?

Filed under agency communication hosting handoff project management web developer
Marcus A. Chen
About the author

Marcus A. Chen

iWebVault Team — writing setup guides, tutorials and answers for offshore, anonymous and DMCA-ignored hosting customers.

188 KB articles Website ↗
Continue reading

More from the Knowledge Base

View all articles