As a freelancer/consultant I use freelancer sites like PeoplePerHour or
Most IT or web related jobs done on PPH are going to involve the exchange of sensitive data, which is required in order to do the job. Clients will
This unconscious sharing of such details has massive security implications which I will address below and offer better and more secure alternatives.
SECURITY BAD PRACTICES
Your login details are for your own
You should not post any sensitive information in the job chat/discussion on the freelancer site (unless they are temporary logins which will be revoked). These conversations will most likely be stored in plain text and not encrypted in any way. Certainly, in the case of PeoplePerHour, I have asked them directly and they have confirmed this is the case.
Thousands of sites get hacked and data is
If any of the freelancer sites suffer a security breach, the hackers will have access to any data which is not encrypted, which includes all those login details that clients have entered in the chat with their freelancers. Not forgetting that the support staff can also read all your discussions as well, so any dishonest support agent could simply lift your login details and use them for illicit purposes.
Sadly there are also a lot of unscrupulous freelancers out there too, who will intentionally do damage to your systems in order to generate more work for themselves, or may seek revenge in the event of a dispute or disagreement.
I have had several jobs cleaning up after such situations and have found all kinds of back doors, insecure plugins, malware and extraneous logins which presumably had been created by other freelancers.
SECURITY GOOD PRACTICES
Ideally, you should find a single reliable freelancer/company who you are happy with and stick with them, rather than using a different freelancer each time. Not only is this better for security, but using multiple freelancers can also cause other problems as they are oblivious to what work their predecessor has done, and so will often break or undo each other’s work.
Sticking with the same person/company creates a relationship as well as a recurring income, which will, in turn, result in better quality of work, fewer issues and less expense as they will know your systems and the work they have done before and be more inclined to keep you happy.
Plus any decent freelancer/contractor will use a task/project manager and will keep notes on the work he does for ongoing clients which also improves communication and project management.
Do not post sensitive information in the workstream/chat. An exception would be if you are providing a temp login which will be revoked once the job is done.
If you do need to give a freelancer (or anyone) temporary access to your accounts or website, then ideally you should provide them with their own login rather than giving them yours, and revoke (delete) that login once the job is done.
If it is not possible to create a separate login for your freelancer, then you should always change your passwords after the job has been completed.
HOW TO SECURELY SHARE YOUR DATA
Create a Secret Link
There are a number of online tools which will allow you to share information with someone securely via a special secret link that is randomly generated just for you and only works once. As soon as the recipient clicks on the link to view the information, that link and all the information is destroyed.
This makes it safe to share that link via email or on freelancer sites, because the link only works once, so is useless to anyone else that finds it after it has been used.
OneTimeSecret is my favourite so far.
This tool gives you a large textarea, allowing you to share any amount of information in one go. It also allows you to put an optional time limit on the link (how long it will stay active for) and an optional passphrase to protect the link as well. So you could then provide the password via phone or SMS to make it extra secure in case the recipient won’t be checking the link immediately or there is any chance of it being intercepted.
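To show why a used or expired secret link is worthless to anyone who finds it later, here is an added example (not part of the original article, and not OneTimeSecret's own code) that models the three properties described above: a random link token, a time limit, and an optional passphrase. The class name, the in-memory storage and the three-wrong-guesses limit are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

MAX_BAD_PASSPHRASES = 3  # assumption for this sketch: burn the secret after 3 wrong guesses


def _kdf(passphrase, salt):
    # Slow hash, so the stored passphrase check is costly to guess against.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


class OneTimeStore:
    """In-memory model of a 'secret link' service (hypothetical, simplified)."""

    def __init__(self, clock=time.time):
        self._items = {}
        self._clock = clock  # injectable so expiry can be exercised without waiting

    def create(self, secret, ttl_seconds=3600, passphrase=None):
        token = secrets.token_urlsafe(32)  # 256 random bits: the link cannot be guessed
        salt = secrets.token_bytes(16)
        self._items[token] = {
            "secret": secret,
            "expires": self._clock() + ttl_seconds,
            "salt": salt,
            "pw": _kdf(passphrase, salt) if passphrase else None,
            "bad": 0,
        }
        return token  # this value is what goes into the shared link

    def reveal(self, token, passphrase=None):
        item = self._items.get(token)
        if item is None:
            return None  # unknown, already viewed, or burned
        if self._clock() >= item["expires"]:
            del self._items[token]  # expired secrets are destroyed, not just hidden
            return None
        if item["pw"] is not None:
            guess = _kdf(passphrase or "", item["salt"])
            if not hmac.compare_digest(guess, item["pw"]):
                item["bad"] += 1
                if item["bad"] >= MAX_BAD_PASSPHRASES:
                    del self._items[token]
                return None
        del self._items[token]  # burn on the first successful view
        return item["secret"]
```

If the intended recipient opens the link and gets nothing back, someone else viewed it first, which is the signal to change that password immediately.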
Cloud document sharing
Everyone has access to cloud storage and the ability to share files and documents FOR FREE.
I come across a surprising number of people who are unaware of this, but every single Windows user has access to OneDrive by default. It is part of the Windows operating system and allows you to sync up to 5GB of files to the cloud for free. You can then share these files with anyone simply by sending them a link.
Even if you do not use Windows, you can still get a free Microsoft /
So you could temporarily put all the info you need to share into a text file or word doc, and share that link with your freelancer. Once the job is done, unshare that file and delete it.
NOTE: This is also not an ideal method, and it is still not very secure to have your login stored in plain text, but it is certainly better than putting them into your workstream, where they will be on display forever, or sending them via email.
If you do not know how to share files with OneDrive, then please read this article “how to share files with others using OneDrive”.
You can also do the same with Google Drive, which you also already have access to if you have a free Gmail account.
Use a password manager
Using a password manager is something I recommend to everyone. It will remember all your passwords and other personal info for you, software licenses, bank details etc. It will automatically log you into websites, fill in forms, generate strong passwords for you and more.
Password managers are also the most secure way to share logins and other sensitive information with your freelancer and then revoke the share once the job is done. You simply choose to share a login, enter the
As a result the login details are never shared in plain text, as the freelancer will only use the password manager.
I am going to mention WordPress specifically because this is something I deal with a lot, since I build, support and manage WordPress websites.
In almost every WordPress job I do, clients will send me their own admin login, which they have sent to every freelancer before me, who still have access as the password has never been changed.
If you need to give someone permanent access, then create a new admin user just for them; if you just need to provide temp access, then I suggest using the “temporary login without password”