(647) 203-3189
PrimaryDM Logo

How to Stay Protected When Working with Freelancers

Practical rules for keeping ownership of your domain, hosting, and accounts — and revoking access cleanly when the project ends.

For Non-Developers6 min read

Trust the freelancer. Protect the business.

Hiring a freelance developer, designer, or agency is one of the smartest moves a small business can make. Most freelancers we know are excellent, honest people — we are freelancers. But "I trust them" isn't a protection strategy. People change careers, get hit by buses, raise their prices, or have falling-outs with clients. Your business shouldn't go down with them when they do.

This guide is the short, no-nonsense version of how to work with any freelancer — including us — without putting your business at risk. Three rules: own every account, give delegate access (never full credentials), and keep a master list of every login.

Rule 1

Part 1 — Own every account, in your name, from day one

If your business depends on it, your name has to be on it

What to do:

  • Domain registrar account — opened by you, billed to you, with your email as the recovery address. Namecheap, GoDaddy, Cloudflare, whatever you choose.
  • Hosting account — opened by you, billed to your card. SiteGround for WordPress, the Shopify subscription for a store, etc. Never let the freelancer "host it on their account" to save you a few dollars.
  • Email (Google Workspace, Microsoft 365) — the super-admin / primary account is yours. Add the freelancer as a user if they need access.
  • Google Analytics, Google Search Console, Google Business Profile — created under your Google account, with the freelancer added as a delegate.
  • Social media — accounts created by you, with passwords stored by you. Then grant the freelancer access via the platform's business tools (Meta Business Suite, etc.).
  • Payment processors (Stripe, PayPal, etc.) — under your business, your tax info, your bank account. No exceptions.

Why this is the single most important rule

Every horror story we've seen with freelancers traces back to the same root cause: a critical account was created in the freelancer's name, "to make setup easier." Years later, the freelancer disappears, raises prices, or has a falling out with the client — and suddenly the business owner discovers they don't legally own their domain, their hosting, or their Google Business Profile.

Recovering accounts that are in someone else's name is anywhere from painful to impossible. Most platforms will not transfer ownership without the original account holder's cooperation, and in some cases there's no recovery path at all. Setting things up correctly from the start takes an extra 20 minutes per account and saves you from a five-figure problem later.

Read: How to Get and Manage Your Own Domain

The honest catch

Good freelancers will respect this without being asked. If a freelancer pushes back hard on "I should just open these under my account" — that's a red flag, full stop. There's no upside for you in that arrangement and a lot of downside.

Rule 2

Part 2 — Give delegate access, never full credentials

They get a key to one room, not the master key to the building

What to do:

  • Domain registrar: most platforms let you grant DNS-only access or invite a sub-user. Use that — don't hand over the master login.
  • Hosting (SiteGround, etc.): create a separate user or SFTP/SSH account for the freelancer. Don't share your primary account password.
  • WordPress: create a brand-new admin user for the freelancer with their own email and password. Delete that user when the project ends. Don't share your own admin login.
  • Google Workspace / Microsoft 365: add them as a user, assign the specific roles they need, and remove the role the day the project finishes.
  • Google Analytics / Search Console / Business Profile: grant access through the platform's native sharing tools — don't share your Google account password.
  • Stripe / payments: use multi-user role-based access. Give "Developer" or "Read-only" roles, never the owner login.
  • Password manager (1Password, Bitwarden) — if you must share a credential, share it through a password manager's "shared vault" so you can revoke access in one click.

Why delegate access changes everything

When you share your master password, you lose all control. You can't see what was changed, you can't revoke access cleanly, and you can't prove who did what if something goes wrong. When you grant a named user or role-based access, you keep an audit trail, you keep the ability to revoke instantly, and you keep ownership of your accounts.

It also makes ending the engagement frictionless. When the project wraps up, you don't have to change every password in a panic — you just remove the freelancer's user, and everything else stays exactly as it was. No interruption to your business, no scrambling.

The honest catch

Setting up delegate access correctly takes a few extra minutes per platform at the start. Most freelancers prefer being given the master login because it's faster for them. Politely insist on proper access anyway — a 10-minute investment now saves an afternoon of password resets later.

Rule 3

Part 3 — Keep a master list of every account, login, and access

You should always know exactly what exists and who has the keys

What to do:

  • Use a password manager — 1Password, Bitwarden, or Apple/Google's built-in ones if budget is tight. Avoid spreadsheets, sticky notes, and "saved in Chrome."
  • List every platform your website depends on: domain, hosting, email, CDN, analytics, search console, business profile, social accounts, payments, plugins with paid licenses, etc.
  • For each one, record: who owns it, what email it's tied to, what the recovery email is, whether 2FA is on, and who currently has access.
  • Turn on two-factor authentication (2FA) on every critical account. Domain, email, and hosting are non-negotiable. Save the backup recovery codes somewhere safe and off the internet.
  • Set the recovery email for each account to an address you control — never the freelancer's email "as a backup." That's the opposite of a backup.
  • At the end of every project, run through the list and revoke the freelancer's access on every platform. Don't skip this — even with a freelancer you trust completely, lingering access is unnecessary risk.

Why the master list is the safety net

Most small businesses have no idea how many third-party accounts their website actually touches. By the time you've set up the domain, hosting, email, analytics, search tools, a Google Business Profile, a Stripe account, a Mailchimp list, social media accounts, and a few plugins with paid licenses, you're looking at 12–15 separate logins minimum. If you can't name them off the top of your head, neither can the person trying to take over.

A clean master list — kept in a password manager and updated whenever something changes — turns a "where do we even start?" disaster into a 30-minute handover when a freelancer leaves, when you switch providers, or when you sell the business.

The honest catch

The first time you build this list will take an hour or two. After that, it adds maybe 30 seconds whenever a new account gets created. The first time you need it — for an emergency, a handover, or a security incident — it pays for itself many times over.

The end-of-project checklist

The day the freelancer is done — or sooner, if things go sideways — walk through this short list:

  • Remove the freelancer's user from your domain registrar, hosting, WordPress, Google Workspace, Analytics, Search Console, and any other platform they touched.
  • Change any shared passwords you ever sent them (even if you used a password manager).
  • Get a copy of the website files / source code, exported and saved somewhere you control.
  • Confirm any paid plugin or theme licenses are registered to your account, not the freelancer's.
  • Confirm the deliverables you agreed on (designs, brand assets, content) have been handed over in usable, editable formats — not just flat images.
  • Update your master account list to reflect the changes. Done — your business is protected and ready for whatever comes next.

The mistake to avoid

"I trust them, so I don't need to worry about all this." Even with the most honest freelancer in the world, this is the wrong way to think about it. The risk isn't dishonesty — it's life. People move on, change careers, get sick, raise their rates, or simply stop answering email. The protections in this guide aren't about distrusting your freelancer; they're about making sure your business is fine no matter what happens to them.

Own the accounts. Grant access, don't give it away. Keep the list updated. Do these three things and you can work with any freelancer in the world without fear.

Not sure if your accounts are set up safely?

We can walk through your domain, hosting, and account setup with you in 15 minutes and flag anything that's risky. No upsell — just an honest read.

Book a free check-in
Back to all guides