As a freelancer/consultant I use freelancer sites like PeoplePerHour or Upwork to get gigs. One of the issues evident in every job I have done is the disregard for security.

Most IT or web related jobs done on PPH are going to involve the exchange of sensitive data, which is required in order to do the job. Clients will gladly share everything with multiple freelancers without a second thought, including their logins for control panels, hosting accounts, domain registrars, website and everything else.

This careless sharing of such details has massive security implications, which I will address below, along with better and more secure alternatives.

SECURITY BAD PRACTICES

Your login details are for your own use, and everything that is done with your login credentials links back to you. If you share these credentials with multiple people and there is a security breach, you will have no idea who is responsible. If you are an employee and have a boss, then you will most certainly be blamed for the security breach, which could cost your company dearly.

You should not post any sensitive information in the job chat/discussion on the freelancer site (unless they are temporary logins which will be revoked). These conversations will most likely be stored in plain text and not encrypted in any way. Certainly, in the case of PeoplePerHour, I have asked them directly and they have confirmed this is the case.

Hackers are everywhere

Thousands of sites get hacked and data is stolen every single day. Most of them are unaware they have even been hacked and the breach can go unnoticed for months or even years in some cases.

If any of the freelancer sites suffer a security breach, the hackers will have access to any data which is not encrypted, which includes all those login details that clients have entered in the chat with their freelancers. Do not forget that the support staff can also read all your discussions, so any dishonest support agent could simply lift your login details and use them for illicit purposes.

Sadly, there are also a lot of unscrupulous freelancers out there who will intentionally do damage to your systems in order to generate more work for themselves, or may seek revenge in the event of a dispute or disagreement. I have had several jobs cleaning up after such situations.

SECURITY GOOD PRACTICES

Ideally, you should find a single reliable freelancer/company who you are happy with and stick with them, rather than using a different freelancer each time. Not only is this better for security, but using multiple freelancers can also cause other problems as they are oblivious to what work their predecessor has done, and so will often break or undo each other’s work.

Sticking with the same person/company creates a relationship as well as a recurring income, which will, in turn, result in better quality of work, fewer issues and less expense as they will know your systems and the work they have done before and be more inclined to keep you happy.

Plus, any decent freelancer/contractor will use a task/project manager and will keep notes on the work they do for ongoing clients, which also improves communication and project management.

Do not post sensitive information in the workstream/chat. An exception would be if you are providing a temp login which will be revoked once the job is done.

If you do need to give a freelancer (or anyone) temporary access to your accounts or website, then ideally you should provide them with their own login, not give them yours, which you should revoke (delete) once the job is done.

If it is not possible to create a separate login for your freelancer, then you should always change your passwords after the job has been completed.

HOW TO SECURELY SHARE YOUR DATA

Everyone should use a password manager.

Cloud document sharing

Everyone has access to cloud storage and the ability to share files and documents FOR FREE.

I come across a surprising number of people who are unaware of this, but every single Windows user has access to OneDrive by default. It is part of the Windows operating system and allows you to sync up to 5GB of files to the cloud for free. You can then share these files with anyone simply by sending them a link.

Even if you do not use Windows, you can still get a free Microsoft / OneDrive account.

So you could temporarily put all the info you need to share into a text file or Word doc, and share that link with your freelancer. Once the job is done, unshare that file and delete it.

NOTE: This is also not an ideal method, and it is still not very secure to have your logins stored in plain text, but it is certainly better than putting them into your workstream, where they will be on display forever, or sending them via email.

If you do not know how to share files with OneDrive, then please read this article: “how to share files with others using OneDrive”.

You can also do the same with Google Drive, which you also already have access to if you have a free Gmail account.

Use a password manager

Using a password manager is something I recommend to everyone. It will remember all your passwords and other personal info for you, software licenses, bank details etc. It will automatically log you into websites, fill in forms, generate strong passwords for you and more.

The two solutions I generally recommend are LastPass and Dashlane, both of which offer a free edition, although there are many other apps available which vary in features and simplicity.

Password managers are also the most secure way to share logins and other sensitive information with your freelancer and then revoke the share once the job is done. You simply choose to share a login, enter the freelancer's email address, and it will send them a share request. If they already use the same password manager, then job done; otherwise, they simply need to register for the free version in order to accept your share request.

As a result, the login details are never shared in plain text, as the freelancer will only use the password manager.

WORDPRESS ACCESS

I am going to mention WordPress specifically because this is something I deal with a lot, since I build, support and manage WordPress websites.

In almost every WordPress job I do, clients will send me their own admin login, which they have sent to every freelancer before me, who still have access as the password has never been changed.

If you need to give someone permanent access, then create a new admin user just for them. If you just need to provide temp access, then I suggest using the “temporary login without password” plugin, which will allow you to provide a temporary login which will automatically expire after x number of days.
