Who controls your third-party website accounts?
Do you know who owns and controls the third-party accounts associated with your website? Don’t assume that they belong to you, unless you love throwing caution to the wind.
Third-party accounts are accounts created with outside providers other than your primary web development provider to establish or enhance your website or online presence.
Common types of third-party accounts include domain registration, web hosting, analytics, map integrations, sharing tools, payment processors, directory listings, search engine webmaster tools, and social media accounts. Beyond those, there are thousands of specialized third-party APIs (application programming interfaces) that can add various kinds of functionality to a website and/or feed data from a website to other entities.
It is easy to assume that any third-party accounts that your web provider creates or configures on your behalf will, of course, be set up using your organization’s name and contact information and that those accounts will be independent accounts that you will be able to control, but our experience with new clients proves that this is not a safe assumption.
Why does it matter?
We have seen far too many instances where disreputable or oblivious website design companies have created such accounts in their own name, integrated accounts that are shared among multiple clients instead of creating stand-alone accounts, and/or refused to provide account access to a client who has elected to switch providers. Whether intentional or not, these situations can result in massive headaches down the line.
For example, if a web developer registers your new website domain name within their own domain registration account and refuses to release control of it to you in the future or simply disappears, you may be forced to give up that domain name for good when you need to find a new provider; something you do not want to do.
Similarly, if a previous provider refuses to make you an administrator on the Google Analytics account tracking your site’s usage, you could lose all of the valuable historical data about your website’s visitors, pages, keywords, etc., or be unable to remove them from the account in the future if the relationship sours.
We’ve literally seen cases where providers have held third-party accounts hostage in return for payouts or favors from the client, and other times when the provider simply disappeared into the night, never to be heard from again.
Six Tips for Ensuring You Own Your Third-Party Accounts:
1. Ask every new provider about their policy regarding third-party accounts.
When you are choosing a provider to build a new website, work on your existing website, or provide SEO or web marketing services, ask them up front how they will handle the creation and/or maintenance of third-party accounts on your behalf. It is a very fair question. They should respond unequivocally that they will create accounts using your organization’s name and contact information and that they will also provide full account access to you without delay. Stay clear of any provider who does not give this answer.
2. Check provider references.
When evaluating potential new providers, it is also a good idea to ask for references and look up reviews online. Ask references if they have been given access to their third-party accounts, in particular their domain registration, hosting and site analytics accounts like Google Analytics. Watch for reviews that mention problems with control over domain names, analytics data or other types of third-party accounts.
3. Identify your existing accounts.
Make a list of the third-party accounts driving your web presence that includes information about who created the account and what the account access/login is.
At a minimum there is a domain registration and a hosting account, which may or may not be be bundled together (we recommend keeping them separated). There is probably an analytics account, usually Google Analytics. If you take payments on your site, there are one or more payment processing accounts. If your site has an interactive map, there is an account for that. If there are social media sharing buttons, there is another account. And, yes, there could be more.
Ask your web provider to provide you with the information about all the accounts they are aware of that are in any way associated with your web presence. Also, keep in mind that previous employees of your organization may have created related accounts. Track down all the login information to determine what information is missing.
4. Test account logins to make sure they work.
Once you have identified all relevant third-party accounts and have the account logins in hand, where possible, test them to make sure they work. Also, check to make sure that the account access you have been given has the highest level of administrative access. You should be able to kick your provider out of the account, if necessary, and make any changes you desire, without restriction.
5. Recover lost accounts asap.
Try to use the username and/or password recovery options available for accounts that you either can’t find any login information for or where the login(s) you have do not work.
The key to successful username and password recoveries is usually the primary email address associated with the account. If you know the address, make sure you have access to that email inbox somehow, even if it means that you need to contact a former employee or have one or more persons in another department or even another company watch their inbox for a password recovery email they can forward to you. If it is a company email address that no longer exists, set up a forwarder that will redirect incoming messages to another recipient.
In some cases, you may not know the associated email address. Do a little research. Ask your current web provider or IT department if there is a way to determine what the address is, such as a WHOIS lookup for domain name registrations. You can even try to make an educated guess and let possible recipients keep an eye open for the resulting recovery emails.
Keep in mind that the longer you wait to try to recover an account, they more distant the memories and proximity of all who are/were involved, so the chances for success go down over time. Don't delay.
6. Store account information in a secure place.
While reputable web developers and marketers will provide you with your access to your accounts on demand, you should still securely store all account information in a place where you know you have access to it. That way, no matter what happens with your current provider, you will always have access to control your accounts.
Hopefully you are now fully empowered to make sure you gain and protect access to those third-party accounts that are making your website possible. Doing so will almost certain avoid some nasty outcomes at some point in the future.