5

An SEO consultant has asked for (demanded) credentials to the web environment so he can do ... Whatever it is that they do.

I'm new to the company but an experienced Systems Engineer. I've just now been brought into this situation, but my reaction to giving him credentials is a pretty solid "No" unless he can provide a compelling reason, which is yet forthcoming. Before I was brought into this, he had been provided an archive of the relevant files, but he said that this was insufficient.

The (admittedly) little that I know about SEO tells me that everything that he wants should be able to be gathered from view source or a copy of the files, and we would implement his changes in a production deploy after review.

gWaldo
  • 10
    See also [Our security auditor is an idiot, how do I give him the information he wants?](http://serverfault.com/questions/293217) – Chris S Apr 25 '12 at 17:02
  • 1
    @ChrisS I love that question, you beat me to the link ;) – Tim Apr 25 '12 at 17:03
  • Yes, I love that question, too. I ask about SEO because I honestly don't know anything about the field. – gWaldo Apr 25 '12 at 17:13
  • Yeah, sounds like he wants the keys so he can fiddle around with no oversight. – Shane Madden Apr 25 '12 at 17:16
  • 1
    @gWaldo I added a little blurb about some stuff that he might want to do that's *easier* with direct server access (my last company had a small SEO team). I'm far from an expert, but from my understanding they don't *need* the access, it just makes it ***easier*** (we used to request full access from our clients for that reason, but if they couldn't/wouldn't give us that access we would work with them to complete the project without it.) – voretaq7 Apr 25 '12 at 17:20
  • 1
    I'd be a little worried about little black hat tweaks being slipped in - serving different content to Google, adding you into a link farm, etc. – ceejayoz Apr 25 '12 at 17:41

2 Answers

12

Short answer: What Chris S said: See "Our security auditor is an idiot, how do I give him the information he wants?".


Long answer:

Some of what a "SEO Guy" needs to do might require server access -- for example, installing optimized mod_rewrite rules, adding custom 404 pages, creating friendly redirects (and/or optimizing existing 3xx redirects), etc.
None of this is something that you can't do for him, and none of it is black magic trade secrets (he's going to make these changes on your server, you could diff the config file later and see exactly what was done).

Because of that I personally don't see any need to give them access to make changes on the server (a read-only account sure, if you want, but no ability to effect changes without going through your company's approval process).
My advice:

  1. Say No.
    Be proud of your No, for you are on the side of good, and righteousness, and stability of your environment.
  2. Explain WHY you are saying no to your manager/supervisor/whoever is in charge.
    Pretty straightforward: "It's a giant security risk, he can just as easily give us his changes to push live so we can audit them first, yadda yadda yadda.".
    If you present solutions that still let the SEO guy get his job done while protecting your environment, and your higher-ups aren't insane, they will probably back you on this.
  3. Explain WHY you are saying no to the consultant and give him the alternate solutions.
    If it's a deal breaker for them let 'em walk. There are tons of SEO consultants out there...

If Management tells you to give him access anyway get that in writing. Issue a memo outlining the risks, and get someone above you to sign off on those risks (this is all about protecting you in the event this guy blows up your server).
You should also insist that the consultant sign something stating that they will be liable for any damages if they disrupt the stability of your environment (which is all about protecting the company).

voretaq7
  • 1
    What about giving the consultant access to a testing environment running the same software stack as the production environment? Then you can see what changes he's made and are never in risk of any damage. – Tom Marthenal Apr 27 '12 at 05:16
  • @TomMarthenal an excellent option if you can set up a dedicated sandbox - sometimes you can't let consultants loose in your dev environment because your developers need it to do Real Paying Work (or, horrors, you don't *have* a dev environment!), but if you can easily spin up a clone of production for the consultant to work in by all means do so! – voretaq7 Apr 27 '12 at 05:23
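An added example, not part of the answer or comments above: one way to audit a consultant's proposed Apache config before deploying it is to diff it against the production copy and flag added lines that deserve a closer look, such as the "different content to Google" concern raised in the question's comments. The sample configs are constructed, and the function names and the two heuristics are assumptions of this sketch, not a complete review policy.

```python
import difflib
import re

# Constructed sample: the config in production and the consultant's proposed version.
BASELINE = """\
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
ErrorDocument 404 /errors/404.html
"""
PROPOSED = """\
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
RewriteRule ^products/([0-9]+)$ /product.php?id=$1 [L]
RewriteCond %{HTTP_USER_AGENT} Googlebot [NC]
RewriteRule ^(.*)$ /crawler-only/$1 [L]
RewriteRule ^partners$ http://links.example.net/ [R=302,L]
ErrorDocument 404 /errors/404.html
"""

# Review heuristics (assumptions of this example, not an exhaustive list).
CHECKS = [
    # Rules that behave differently depending on who is asking.
    ("user-agent-conditional",
     re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)),
    # Redirects that send visitors to another site.
    ("external-redirect",
     re.compile(r"^\s*(RewriteRule|Redirect\w*)\s.*\bhttps?://", re.I)),
]

def added_lines(baseline, proposed):
    """Return the lines that exist only in the proposed config, in order."""
    old, new = baseline.splitlines(), proposed.splitlines()
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    return [line
            for tag, _, _, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")
            for line in new[j1:j2]]

def review(baseline, proposed):
    """Return (added, flagged): every added line, and those needing a human look."""
    added = added_lines(baseline, proposed)
    flagged = [(name, line) for line in added
               for name, rx in CHECKS if rx.search(line)]
    return added, flagged

if __name__ == "__main__":
    added, flagged = review(BASELINE, PROPOSED)
    for line in added:
        print("+", line)
    for name, line in flagged:
        print("REVIEW [%s] %s" % (name, line))
```

A flagged line is a prompt for a question to the consultant, not proof of bad intent; unflagged added lines still need a normal read-through before deploy.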
0

He should only need credentials to make on-page related changes.

For an analysis, you're right, he can just view source. He could run into an issue during the on-page analysis and it could be helpful to log in from the backend, but not necessary.