It may not be who you think.
You might be surprised how often I speak to potential clients who are not certain about the answers to the questions above. You may not know the answers to those questions for your own website. If that’s the case, you’re in pretty good company.
Let’s peel back the layers of the onion that is WordPress website ownership and control. We are going to take a look at it from a position of least to most control.
Who Controls Your WordPress Website?
Some people may think, “I have administrative control of my WordPress website so that’s all I need.” Not so fast. WordPress has a variety of user levels, from subscriber to administrator. A WordPress website can have multiple administrators. A WordPress administrator has what are called “super administrative” capabilities, which is to say that an administrator can change the account settings of any other user including another administrator. If you have a WordPress website you should strive to limit the number of administrators to only as many as you need.
Each administrator account is linked to an individual email address. Anyone with control over an administrator’s email address can prompt the website to reset that administrator’s password. Once that person has gained access to the website, they can use that super administrative power to change anybody else’s password, including another administrator’s.
If you are an administrator on your WordPress website and you want to remove another user’s administrative access, but still keep them as a user of the website, you cannot simply change their password. You need to first change their role on the website to something less than administrator, and then change their password. A website user who is not an administrator cannot change their own role to administrator.
You might ask yourself, “why not just delete the user?” That is certainly an option. We have come across situations, however, where the website owner did not necessarily want to immediately flag the fact that the user no longer had administrative controls, but simply wanted to remove those administrative controls from the individual.
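The administrator audit and the demote-then-reset order described above, sketched with WP-CLI as an added example (not part of the original article). The sample CSV and the approved list are constructed, and the script prints the remediation commands rather than running them.

```shell
#!/bin/sh
# On a real site the CSV would come from WP-CLI:
#   wp user list --role=administrator --fields=user_login,user_email --format=csv
# Constructed sample output (not from a real site):
SAMPLE_ADMINS='user_login,user_email
owner,owner@example.com
former_dev,dev@agency.example
editor_jane,jane@example.com'

# Approved administrators, one login per line (assumption: only "owner").
APPROVED='owner'

# unexpected_admins CSV APPROVED -> logins of administrators not on the list
unexpected_admins() {
    printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r login email; do
        [ -n "$login" ] || continue
        if ! printf '%s\n' "$2" | grep -Fxq -- "$login"; then
            printf '%s\n' "$login"
        fi
    done
}

# remediation_plan LOGIN NEW_ROLE -> commands in the required order:
# lower the role first, then reset the password. --skip-email keeps
# WordPress from mailing the user about the reset.
remediation_plan() {
    printf "wp user set-role '%s' %s\n" "$1" "$2"
    printf "wp user reset-password '%s' --skip-email\n" "$1"
}

# Print a plan for every administrator that is not on the approved list.
unexpected_admins "$SAMPLE_ADMINS" "$APPROVED" | while read -r login; do
    echo "# unexpected administrator: $login"
    remediation_plan "$login" subscriber
done
```

Review the printed commands before running them on the server; `subscriber` is only a default and any role below administrator fits the procedure.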
Even if you alone have administrative control of the WordPress website, however, you still do not necessarily have full control over the website.
Who Controls the Website Host?
In a situation where you are attempting to prevent access to your website, perhaps from an individual with whom you have had a falling out, removing their administrative access from the WordPress website alone may not be sufficient.
Most website developers rightfully ask for access, and usually administrative access, to the website hosting account. The website host is where all the files and the database that together constitute the WordPress website reside. We almost always ask for such access. It is just a fact that to technically troubleshoot a problematic website one often needs access to the hosting environment.
The problem here is that a person with administrative access to the hosting account has more control over the WordPress website than an administrator of the WordPress website. At the hosting level, and without getting technical, it is possible to remove users from a WordPress website, even administrator users. If you do not know who has administrative access to your hosting account, you should find that out immediately. Anyone with administrative access has the capability to do great damage to your website: eliminating users from the website (including administrators), adding extraneous information to the site or defacing it, or taking the entire website offline. (And if your email is hosted there, too, they can also muck that up completely.)
If you have administrative access to your hosting account, you likely can add or remove other users at your discretion, with different levels of access. You can also change their passwords. Generally speaking, I advise my clients, if they have had a falling out with their web developer, to remove the former developer’s access from the hosting account, and to change every password associated with the hosting account.
Believe it or not, just because you have complete administrative control over the website and over the hosting account, you still don’t have full control over your website. There is still a more important level of control: domain control.
Who Controls the Domain?
Whoever controls the domain, let’s say it is example.com, has the keys to the kingdom (and here we thought we were going to stick with the onion metaphor). If you control the domain you control whether a website exists, whether email can be sent to addresses within that domain, and any other matter associated with that domain.
Many times people understandably confuse the domain with a website. But a person could conceivably set up only email for a domain and have no website for it, or simply own the domain to prevent other people from owning it. You might think of a domain as a piece of land and the website as nothing but a structure on it.
The ownership of a domain is established at the domain registrar. There are many domain registrars out there. At the domain registrar, a person registers the domain and sets up who the owner (registrant), technical, and administrative contacts are. Each can be different. You may get a notice every year or so to make sure that your domain registration information is correct. Those emails typically are not scams but are required to be sent to you by the registrar.
We have seen too many occasions where an unscrupulous website developer registers the domain for his or her own client, but in the developer’s own name rather than in the client’s name. If there is a falling-out between the developer and the client, guess who owns the domain? Correct. The developer.
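One way to check whose name a domain is registered in, as an added example that is not part of the original article. The WHOIS record below is constructed, the field names follow the common gTLD WHOIS layout (other registries label them differently), and the expected owner name is an assumption you supply.

```shell
#!/bin/sh
# On a real domain the text would come from: whois example.com
# Constructed sample record (not a real registration):
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2030-01-01T00:00:00Z
Registrant Name: Pat Developer
Registrant Organization: Web Agency LLC
Admin Email: pat@agency.example
Tech Email: pat@agency.example'

# whois_field TEXT FIELD -> value of the first "FIELD: value" line
whois_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# registrant_status TEXT EXPECTED_OWNER -> match | mismatch | redacted
# "redacted" means WHOIS cannot answer the question (privacy service or
# missing fields); confirm ownership inside the registrar account instead.
registrant_status() {
    org=$(whois_field "$1" 'Registrant Organization')
    name=$(whois_field "$1" 'Registrant Name')
    case "$org$name" in
        ''|*REDACTED*|*[Pp]rivacy*|*[Pp]roxy*) echo redacted; return ;;
    esac
    if [ "$org" = "$2" ] || [ "$name" = "$2" ]; then
        echo match
    else
        echo mismatch
    fi
}

# The sample is registered to the developer, not the client: "mismatch".
echo "registrar:  $(whois_field "$SAMPLE_WHOIS" 'Registrar')"
echo "registrant: $(registrant_status "$SAMPLE_WHOIS" 'Client Company Ltd')"
```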
Now, it is also not uncommon that a developer may ask for access to the domain registrar account. That is a legitimate request as there can be occasions where access is necessary for technical troubleshooting or where changes relating to your online presence need to happen and can happen only at the registrar level.
It is a good practice, especially if you have shared your domain registrar account information with another person, to change your password regularly. A developer may gripe that they cannot access the registrar on occasion, but that’s okay. They can explain to you why they need access and you can choose whether or not to give them the new password (but never email it and never use the same password across multiple accounts!).
So Do You Control Your Online Presence?
A bit scary, right? After reading this and thinking about it, do you know who controls your online presence? Put it on your task list to identify precisely who has access, and what kind of access, to your WordPress website, your hosting account, and very importantly, your domain registrar account. If you want to do some research on your own about your own domain, we highly recommend the “super tool” from mxtoolbox.com.