I work at a web agency and this is something that rarely happens, but when it does it always ends the same way.
We have a policy where we don’t normally share server credentials with our clients, many of whom lack the technical know-how to even understand what a server is, let alone how to ssh into it.
Occasionally we have some clients that have on-staff developers that mostly know what they are doing and need that sort of information. Before we grant access, we make it very clear of the dangers of misusing this information and that it could completely bork their website. This is especially the case when a client works with multiple agencies. We know from experience that having too many hands in the cookie jar is never a good thing when it comes to development. 90% of the time the client completely understands and is competent enough to not cause issues.
Cut to the remaining 10% of the time…and a sort of choose-your-own disaster story.
Client: We’re working with X agency, and they said they need full privileges to the server to do Y.
Me: Sorry, but it’s our policy to not share that information to 3rd parties. This is outlined in the agreement you signed.
Client: But they said they need it and if they don’t get it they can’t do Y for us and it’s critical that they complete Y.
Me: Totally understand. If they want to commit any of their code to the website repository either your dev team or us can deploy those changes to the server.
Client: I don’t think you understand. GIVE THEM ACCESS TO EVERYTHING.
Me: That’s really not a good idea…
Client: DO IT OR ELSE
[Do you give in to the client’s demands? Or do you stand your ground? (scroll to your choice)]
Me: Ok, we can do that, but once again, here are the risks: [breaking deploys, website outages, etc.]
Client: FINE FINE, JUST DO IT ASAP.
Me: Alright. We’ll give them access.
One week later:
Client: OUR WEBSITE IS DOWN WHAT HAPPENED?
Me: Looking at the logs it appears that the 3rd party modified critical server configurations and took down the website.
Client: HOW COME YOU DIDN’T WARN US THIS COULD HAPPEN?!
Me: Sorry, but because we’re responsible for the integrity of your website, we can’t do that.
Client: Fine, then we’re leaving you and going to go with X Agency. Please transfer everything to them IMMEDIATELY.
Me: Ok…if that’s what you’d prefer we can do that, but we just want to reiterate the risks…*we list the risks*
One month later…
Client: OUR WEBSITE IS DOWN AND X AGENCY ISN’T ABLE TO GET IT BACK UP!
Me: We’re sorry to hear that. Unfortunately we no longer manage or maintain your website. If you’d like we can work with the other agency to help them fix the issue…
Client: (in a panic) YES YES, PLEASE JUST HELP US FIX IT!
We work with the other agency who we learn has much less experience than they let on:
Client: THANK YOU THANK YOU! Can we move back to you guys?