Far too few business owners or managers have quick access to these important digital assets
Recently, we took on a client who is the widow of a well-known 1960’s TV star. For several decades, she managed the website (on a domain bearing her husband’s name) selling merchandise related to the character her husband played on TV. I’ll keep her name confidential but for the sake of this post, I’ll just refer to her as “Dee.”
Dee had a unique predicament. The website in question was generating a sizable amount of online sales but she was locked out of her domain registrar account where the website domain was registered. The credit card on file had expired and the domain registration was up for renewal in just a few weeks.
The email address the registrar had on file was for an account that had been shut down when the actor passed away. There was no back-up email address on file at the registrar. Under different circumstances, one option to regain access to the registrar account would have been to re-create the defunct email address long enough to trigger a password reset. The problem was that the email accounts for the domain were managed in the same admin panel as the registrar account. No access to the registrar account also meant no access to email management.
No one had admin-level access to the registrar account and when the password was lost, Dee was effectively locked out. To compound matters, the domain was registered to the actor himself, not to his spouse, his estate, or production company.
Appeals to the support team at the registrar were to no avail as registrars can’t violate protocols set forth by the International Corporation for Assigned Names and Numbers (ICANN) regarding granting access to anyone other than the registrant.
There was one option, our client’s attorney could compile documentation proving that our client was the rightful heir to her husband’s estate, including any domains he owned. That documentation had to be mailed to the registrar along with proof of our client’s identity, birth certificate, photo ID, etc. By the time the registrar was able to process the documents, the domain registration was set to expire in just hours.
Luckily, Dee was able to access the registrar account just in time to renew the registration and continue the delightful legacy her husband left. However, I can tell you that the resulting cost was several thousands of dollars in project management and legal fees and a LOT of unneeded stress for Dee.
Avoiding Password Predicaments
I wish Dee’s situation was an isolated case but over the years, we’ve had dozens of business owners come to us in crisis mode, needing urgent help to get their website back online, but not having ready access to the crucial login credentials needed. Some clients wrongly believed that if they could log in to their WordPress Admin panel they had full access to everything related to their domain.
So let’s jump into the The 7 Website Passwords That Are Mission-Critical To Your Business:
1. Registrar account
This is the account where your website’s domain is registered. This may be the most important credential of them all. If you get locked out of this account, you risk losing control over your entire domain. Be sure to protect your registrar account credentials as one of your most important business assets. Be extremely selective about who you share these credentials with, and if possible, share access via the use of a password management tool. If you don’t remember the company you registered your domain through, you can query the ICANN database for free and search “Registrar Information” for your domain.
If you haven’t logged into your registrar account in a while, log in to ensure your password still works and make sure two-factor authentication is turned on. Note that for extra security, your domain should remain (locked) unless you are actively in the process of transferring the domain to another registrar.
It’s also a good idea to make sure the primary email address that’s associated with your registrar account is not related to your domain. In other words, if your domain is xyzwidgets.com, make sure your primary email address associated with the registration is not @xyzwidgets.com. That way, if there ever is an issue with your domain your ability to receive password resets is not dependent on the domain itself. The primary address should be one which you check regularly (at least twice a week), it should have a strong password that you change at least once every 90 to 180 days, and it should be an email you will always have access to.
2. DNS host
This is the account where your Domain Name System (DNS) records are being hosted. DNS zone records essentially direct website traffic from people trying to reach your website to the server where your website is being hosted. The zone records host also routes emails being sent to your @yourdomain.com email addresses to the server where your email is being hosted, and stores special files to verify your domain for third-party services such as marketing automation tools.
So where do you DNS records live? Depending on your configuration, your DNS zone records may be hosted by your domain registrar, the company that hosts your website, a third party security or firewall service such as Sucuri, or a Content Delivery Network (CDN) such as Cloudflare. If you’re not sure precisely where your DNS records are hosted, the support team at your hosting company or registrar should be able to help you determine that. You can also use a tool such as MXToolbox.com to search.
3. Website hosting account
This one may seem obvious but a surprisingly large percentage of companies have difficulty tracking down these login credentials quickly. If your website goes down because of an issue with the server, this is a password that you or your website manager will need to have ready access to.
There are additional hosting-related passwords that your web developer or website administrator may need access to, including logins for cPanel, Plesk, or WHM (if your web hosting company leverages these panels) However, with access to hosting company account and the proper role (E.g., account owner or technical contact), usually the web hosting company can help you gain access to these panels. These panels also may be used to manage access to SFTP or SSH access to the server where your website is hosted. In the cases of some hosting companies such as Kinsta.com, the hosting company provides a proprietary dashboard where SFTP access is managed (instead of cPanel, Plesk, or WHM).
4. Website login
This may be the login you already use most for content changes to your website. If your site is a WordPress site, the URL to log in will likely be something like yourdomainname.com/wp-login.php. If you’re not sure what CMS your site is using, you can check it by going to WhatCMS.org and entering your domain name. If your website is a WordPress site, you’ll want to make sure your account is a full Administrator account. One easy way to confirm this is to log in and go to Users in the left sidebar and see if your account gives you the ability to create new users.
5. Google Analytics
This is where all the historical data on user visits and activity on your website lives. Your chosen analytics tool provides statistics and basic analytical tools for search engine optimization (SEO) and marketing purposes. It can help you determine top sources of traffic to your site, gauge the success of your marketing campaigns, and track goal completions (such as leads, purchases, downloads). In the case of Google Analytics, it’s crucial that you maintain Owner or Admin access to your account because, if you lose access and you don’t know which email account is associated with your account, it’s virtually impossible to regain control of your G.A. account. That’s because there’s no way to reverse search which email is associated with a website’s Google Analytics tracking code.
6. Google Search Console
Few people outside of SEO managers or website administrators have the occasion to interact with this account. However, it’s an essential tool to help you measure your site’s search traffic, improve speed/performance, fix issues, and help get the best rankings. If your site isn’t getting indexed properly by Google, this is a “go-to” tool to determine why. It’s possible that Google Search Console hasn’t been configured yet for your website. However, if your website has ever been professionally optimized for search, there should be a Google Search Console account connected to your site.
7. Google My Business account
If your business has a physical location where customers can visit you, your Google My Business (GMB) listing is a crucial component of managing your online presence. Some believe it might be even more important than your website. That’s because when people search Google, it’s often the first thing customers see when they search for your business online. If someone leaves you a Google review, this is the account you’ll need to log in to in order to thank them for the great review — or properly address any negative reviews. Should you lose access to this account, it can’t be time-consuming and difficult to regain it. If you’re thinking you could just start a new GMB profile, think again. Duplicate or mismatched profiles can cause major problems and can ultimately cost you business. If the wrong person gets access to this account, it can be devastating to your online reputation and your business.
Not in the top 7, but still important
Depending on your domain and website configuration, there may be other crucial passwords that should be secured. These might include credentials for Google Tag Manager, third party security or firewall services, Content Delivery Networks (CDNs), third-party plugins, Software as a service (SaaS), Disaster Recovery as a Service (DRaaS), or a private key. If you’re not sure, it’s a good idea to have a qualified web developer or system administrator audit your domain, hosting, and website and help compile a comprehensive list and help determine how to limit access only to those who need it.
For all passwords, I highly recommend leveraging a password management tool such as LastPass or 1Password. Since you not only need to have access to these passwords yourself, but your website administrator or business manager might also need quick access, a password management tool gives you flexibility to grant and revoke access without ever sharing the actual passwords to the accounts in question. With many of these services, you can designate an Emergency Access contact, such that your trusted contact cam request access to your vault should become incapacitated. In the case of LastPass, their service acts as your digital will, and allows you to specify your digital heir, then automates the process of securely transferring that digital will with all of your passwords and important information to your trusted contact.
One final thought. If you’re the owner or marketing manager for a small or mid-sized business, and not a techie, you might consider hiring a digital marketing consultant or firm to help you secure your login credentials and set up your password manager. Make sure it’s someone you trust and be sure that your account has the absolute highest level of access. Make sure you are either the “verified owner” of the account (in the case of Google Analytics) and that you have Admin/Owner level permissions. It’s worth paying for a few hours of labor to ensure you have the correct access and that all your digital assets are secure.
Get a free checklist
Click here to request a free PDF of the exact checklist we use at Saltworks when helping clients secure their digital assets.
Need more help?
Saltworks Digital offers a Digital Assets Credentials Audit, which includes helping you navigate the process and securing your digital assets. Click here to reach out to us!