14 Tips for Making the WordPress Admin Client-Proof (So They Don’t Break Their Site!)
Being a developer means creating sites for many different clients, including ones who don’t know WordPress from Word and, in all likelihood, will break their website the moment you hand it over.
Now, this could translate into something as mundane as a poorly formatted blog post. Or, their tampering could result in a site that breaks – completely.
Even when it’s totally the client’s fault, a broken site makes the developer look bad. I know, it’s not fair. But as the developer (and the one with all the WordPress guru-level credibility), you should know better than to provide unfettered dashboard access to a newbie.
This can be difficult terrain to traverse.
How do you ensure the site you spent all that time on stays looking and functioning great without bruising your client’s ego—and potentially losing them? There’s a fine balance to be made, but it can be done.
Let’s explore some ways to make the dashboard client-proof so you can remain proud of any site you build, long after it’s published.
Firstly: A Word on Maintenance
There are broadly two types of clients: clients that want you to build a site and have you continue to maintain it for the long term, and clients that want you to build a site then walk away. The latter group believes that once the site is built, they can handle the maintenance. They have an “I’ve got this” mentality.
And you know what? In some cases, they do. Some of your clients might be pretty WordPress literate already and are perfectly capable of maintaining a site with just a little guidance. But others might not have a clue and need their hands held through every step. That can be problematic if the client expects you to launch the site and pretty much hand over the keys.
It might be a budgetary thing or the client might legitimately think they can handle maintenance. Nothing a quick Google can’t solve, they might think.
Understanding Your Clients
Before we go any further, it’s important to take a moment to see this from the client’s perspective. They’re coming at this from a dollars and cents point of view. Web development is something they’ve decided to invest in. And as an investment, it’s something they’ve likely weighed the pros and cons of sinking money into.
But the extent of that investment varies from client to client. As I already mentioned, some might view web development as a one-time expense.
And no matter how much you try to convince them otherwise, they insist that once the site is launched, your relationship is over. Basically, the client views the cost of web hosting and a domain name and possibly a backup solution as their only recurring web development expenses and will handle the process of adding new content on their own thankyouverymuch.
When web development can cost several thousand dollars, it’s understandable that your clients will want to save a buck somewhere. A good way to pitch a maintenance plan is to offer reduced hourly rates and really sell the idea that site maintenance will be hands off for them. This might fly if your client anticipates needing to make many updates per month.
However, if only occasional updates to the content will be needed, you’re going to be hard-pressed to hard-sell a maintenance package.
Before you feel completely dejected at the prospect of your sites getting ruined by uninformed clients, take a deep breath and recognize there is something you can do. Many somethings, actually, that act as an ultimate defense against mistakes, missteps, snafus, and even arrogance.
With these safeguards in place, your client’s site will remain as you intended and he or she will remain pleased, no matter what level of control that’s preferred.
1. Create Your Clients’ Login Info
Before you ever hand over the site to your client, you can help alleviate some damage by creating their login credentials for them. This means you don’t have to send instructions about how to create a good username or password. Instead, you can just create them on your own and provide the details to the client during the training phase (which we’ll get to a bit later).
This way, you’ll avoid any admin usernames set to “admin” and any passwords set to “password,” and you’ll make a solid effort toward preventing brute force attacks. You can also modify the user’s settings to whatever works best. If you will be doing some maintenance for this client, you can restrict their access to the Editor level and then they won’t even be able to tamper with the site’s backend! Of course, this won’t work in every situation. If you must allow Administrator access to the client, then the rest of the tips outlined here will help you maintain control even while they’re in control.
2. Use the Admin Menu Editor Plugin
A quick way to prevent clients from messing with things on the dashboard they shouldn’t be is to use a plugin designed to limit access by user roles. You can certainly assign control to specific dashboard features by user role in the core installation, but it’s not always possible to limit what’s visible. A user without the appropriate permissions just wouldn’t be able to manipulate a certain aspect of the site.
But to avoid questions like, “Hey, why doesn’t X work?” you can hide these off-limits features altogether. The plugin I prefer to accomplish this is Admin Menu Editor.
This plugin allows you to define menu items by user role, change permissions, and reorder menu items by drag and drop for a more intuitive user experience. You can even create custom menus that point to specific parts of the dashboard or to external links.
3. Use a Child Theme
When building a site, you know how important it is to back up your work regularly. You also know why it can be beneficial to develop a site on a local server. All of those details aside, you should also consider using a child theme.
A child theme is basically a second level version of the primary or parent theme that keeps your custom design and features safe from accidental breakage. While you might be thinking about the potential damage done by a hacker, I’m more so referring to the potential damage done by core, plugin, or theme updates. All of these things are designed to patch security flaws and to add new features but updates can sometimes cause any customizations you’ve made to break.
This is especially important if you’re not going to be handling site maintenance for your client. A child theme means they will be able to restore their site as it should be prior to the update without your help. Now, they might need your help to ensure your design works with the new version of WordPress but it would then be up to them to seek you out for help.
If you’re not sure about how to go about creating a child theme, then you should check out our own excellent post on how to create one.
4. Skip Code and Embrace Shortcodes
While some developers will advise against the use of shortcodes, I think it’s actually a pretty good idea. So long as you explain what they do and how they work in simple terms, your clients can use them to insert some rather complex features into their posts and pages, with no help from you, and without messing up the site’s structure.
The list of things you can accomplish with shortcodes is just about endless but it’s particularly helpful for inserting highly structured or complex formatting like columns, graphs, multi-tiered lists, and so forth. They can also be really helpful in adding information to a site’s sidebar. For instance, if your client will need to regularly insert new testimonials into the sidebar, you can set up a shortcode that would give them this ability.
Shortcodes are still technically code and you might want to shy away from requiring complete newbie clients to learn them. But for those who have at least a cursory knowledge of how things work on the web, you can introduce the concept during a brief training session. Then just include a reference list of all the enabled shortcodes and what they do.
5. Simplify the Visual Editor
The visual editor is what your clients will be dealing with the most, so doing your best to eliminate confusion and make the process of writing and editing posts as simple as possible is a good idea. While you can manipulate what appears in the editor by making changes within a theme’s code, a simpler solution is to just use a plugin. Something like TinyMCE Advanced will let you change up all of the buttons that appear on the visual editor with just a few clicks.
With this plugin, you can make the editor as complex or as simple as you need. If a client is really familiar with the layout of a word processing program, they might prefer to have more buttons.
This has the added benefit of reducing a client’s likelihood of digging around in the text editor to accomplish what they want layout-wise and reducing the chances of something getting messed up. TinyMCE Advanced adds support for things like font family, font size, table editing, and list options.
Another plugin to consider is Client-proof Visual Editor. While the previous plugin focuses on adding numerous features to the visual editor, this one keeps it streamlined. This plugin lets you remove features so as to not confuse your clients. It keeps the options pared down to the bare minimum and automatically enables the “paste from Word” feature so your clients won’t accidentally wind up with sloppily formatted posts.
6. Remove Unnecessary Items from the Dashboard
Another thing you can do to make your site more user friendly for your clients is to hide items on the dashboard that they don’t need. For instance, your client isn’t likely to be interested in the dashboard widget devoted to the latest WordPress news, so it really doesn’t need to be there. Also, the quick post widget might just be confusing to your clients, especially if you’ve gone into some detail to train them to click on Posts > Add new.
You can accomplish this quickly by adding a small bit of code to functions.php (after you’ve created a child theme, of course). We covered this recently and in a few older posts about dashboard security and customization. To save you a click, here is the area of code you’re looking for in functions.php:
Then you just need to use the remove_meta_box( ) function to eliminate those widgets or meta boxes that are crowding your client’s dash.
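One way to do this in the child theme’s functions.php, as an added example rather than the snippet from the original post. The function name is hypothetical; the two widget IDs are the core IDs for the WordPress news widget and the Quick Draft widget.

```php
<?php
// Added example for a child theme's functions.php; not the article's original snippet.

/**
 * Remove dashboard widgets the client does not need.
 * Hooked to wp_dashboard_setup so it runs after core has registered its widgets.
 */
function clientproof_remove_dashboard_widgets() {
    // Core widget ID => the dashboard column (context) it is registered in.
    $widgets = array(
        'dashboard_primary'     => 'side', // WordPress Events and News
        'dashboard_quick_press' => 'side', // Quick Draft
    );

    foreach ( $widgets as $id => $context ) {
        // remove_meta_box( $id, $screen, $context ): the screen is 'dashboard'.
        remove_meta_box( $id, 'dashboard', $context );
    }
}
// A late priority (99) so widgets registered by plugins on the same hook already exist.
add_action( 'wp_dashboard_setup', 'clientproof_remove_dashboard_widgets', 99 );
```

Because the widgets are unregistered rather than hidden, the client cannot bring them back through Screen Options.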
You might also wish to hide the theme and plugin editor to prevent clients from messing around with it. Typically, those with administrator level access can modify any aspect of the dashboard, including the code that makes up your plugins and themes. However, if you don’t need to make regular changes to the code, no one else does either! Hiding the editor from view is your best bet for preventing a client from tinkering with it by accident or from going on an “I can Google this and change it myself” adventure.
The code for this is simple, too. Like, I’m talking one line simple! Just insert it into wp-config.php:
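An added example (not the original post’s code) showing the WordPress constant that disables the theme and plugin editors, plus an optional check for functions.php that warns administrators if the constant later goes missing. The function name and text domain are hypothetical, and the two parts belong in two different files.

```php
<?php
// ---- Part 1: wp-config.php, above the "That's all, stop editing!" comment ----
// Disables the built-in theme and plugin file editors for every user,
// administrators included, and removes their menu entries.
define( 'DISALLOW_FILE_EDIT', true );

// ---- Part 2: child theme functions.php (separate file) ----
/**
 * Warn administrators when the editors have been re-enabled,
 * for example after wp-config.php was replaced during a host migration.
 */
function clientproof_file_edit_notice() {
    $locked = defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT;

    // Nothing to report, or the current user could not act on it anyway.
    if ( $locked || ! current_user_can( 'manage_options' ) ) {
        return;
    }

    echo '<div class="notice notice-warning"><p>'
        . esc_html__( 'The theme and plugin editors are enabled. Add DISALLOW_FILE_EDIT to wp-config.php to hide them.', 'clientproof' )
        . '</p></div>';
}
add_action( 'admin_notices', 'clientproof_file_edit_notice' );
```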
7. Add Instructions to the Dashboard
If your client isn’t at all interested in purchasing a maintenance package from you, then you need to take advantage of the ability to add guidance throughout the dashboard wherever you can. The best way to do this is to add widgets with custom information. You’d use functions.php for this task as well.
For instance, you might want to add a widget in place of “Quick Draft” that lists out the basic instructions for using WordPress. Sure, your clients could find this information via help files but this way, the information will be branded and targeted just for them.
This instruction widget could include a list of the steps to take to write a post, to conduct site maintenance, and can even include accompanying external links to instructional screencasts, videos, or written out more in depth directions. Don’t be afraid to be creative here.
To add your own instruction widget, insert this code snippet, taken from our very own Daniel Pataki’s post on the subject, into functions.php:
Assuming you don’t want to make any stylistic changes to this widget, you’d just simply input whatever text you want where it reads “Put your instructions here.”
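An instruction widget along these lines, written here as an added example and not the snippet from Daniel Pataki’s post. The function names, widget title, and example.com links are placeholders to replace with your own.

```php
<?php
// Added example for a child theme's functions.php; names and URLs are placeholders.

/**
 * Register a custom dashboard widget that holds the client's instructions.
 */
function clientproof_add_instructions_widget() {
    wp_add_dashboard_widget(
        'clientproof_instructions',               // Widget ID (hypothetical)
        'How to Use Your Site',                   // Title shown in the widget header
        'clientproof_render_instructions_widget'  // Callback that prints the body
    );
}
add_action( 'wp_dashboard_setup', 'clientproof_add_instructions_widget' );

/**
 * Print the widget body: a short intro plus links to longer documentation.
 */
function clientproof_render_instructions_widget() {
    $intro = 'Put your instructions here.';

    // Link label => URL of the matching manual page or screencast (constructed samples).
    $links = array(
        'Writing a new post'       => 'https://example.com/manual/new-post',
        'Monthly maintenance list' => 'https://example.com/manual/maintenance',
    );

    // Escape everything on output so edited text can never inject markup.
    echo '<p>' . esc_html( $intro ) . '</p>';
    echo '<ul>';
    foreach ( $links as $label => $url ) {
        printf(
            '<li><a href="%s" target="_blank" rel="noopener noreferrer">%s</a></li>',
            esc_url( $url ),
            esc_html( $label )
        );
    }
    echo '</ul>';
}
```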
8. Use Advanced Custom Fields
Another way to further customize WordPress to make it more palatable to your clients is to use Advanced Custom Fields. This plugin allows you to add more visual editing options to the dashboard so your clients can have greater control over the content they create without having to venture into code. And as you’ve learned by now, the less a client needs to poke at code, the better!
This plugin allows you to create a wide variety of fields with different input types to accommodate any kind of content. With it, you can assign fields to different edit pages, use custom post types, customize with different input types like text area, image, file, page link, checkbox, radio buttons, and more. It also includes support for more obscure field types like taxonomy, user, Google Maps, tab, and gallery.
This one’s well worth the install.
9. Offer an Instruction Manual
While adding widgets to the dashboard that feature instructions is a great way to guide your clients through the basic site order of operations, you might need to write out more detailed instructions to further clarify your points or to cover things that you simply can’t fit in the small space provided.
As a solution, you should consider writing an instruction manual. You can link to it from your dashboard and host it on a separate site or in a subdirectory on your main portfolio site. This step is a must if you won’t be providing a maintenance package to your clients (or if they refuse one). While you can’t guarantee your clients will actually read your support documentation, you will at least have the peace of mind in providing everything they need to maintain a site successfully.
A good instruction manual should:
- Be comprehensive. Hey, if you’re handing over the keys of a site to a client, you need to spell out everything for them. Go into detail about everything they need to know to operate the site at full capacity.
- Keep it simple. Yes, you need to add details about everything under the sun related to WordPress but try to steer clear of jargon as best you can. And if something can be left out, do so. You don’t want to overwhelm your client with unnecessary info. And steer clear of acronyms. Unless you’re a web developer, you’re not going to care about learning what WYSIWYG or CMS means.
- Include a schedule. While making site updates on a regular basis might be intuitive for you, it’s not going to be for your clients. Instead, you need to create a site maintenance schedule they can refer to and follow long after you’re out of the picture. In this schedule, break down every task that should be completed by the client, how frequently, and what steps are required to do it.
- Include screenshots and images. There’s absolutely no reason why you should write out detailed descriptions of how to use the WordPress dashboard without including at least some screenshots to guide your clients along their way. Can you imagine their confusion as they pore over the sea of text you provided that doesn’t include any visual cues? Don’t do this to your clients!
- Don’t make assumptions. Just because adding a new post is simple to you because you’ve done it a thousand times doesn’t mean it will be simple for your clients. You need to gauge your clients’ level of WordPress experience and custom-tailor the instructions you provide to fit. So if that means walking the client through every single little step required to write a new post, do it.
Once your instruction manual is complete, share it with your clients. You can do this by sending it along in an official email as a PDF or a Google Doc link. Or, you can build a small separate site for your documentation and share that. I recommend the weDocs theme for creating an easy-to-use and interactive manual. It’s built on Bootstrap and though it’s designed for plugin and theme support docs, it can work for an overall guide to WordPress sites as well.
10. Or Do a Screencast
Writing up documentation for your clients is great but there’s no guarantee they’ll actually read it and put it into practice. That can be dangerous for the wellbeing of the site you just built, my friends. Instead, you may opt to create a screencast. In addition to the support docs you provide, you can set up a session to walk your client through using the site you just built.
The benefit of doing a screencast is you get to be certain that your client at least heard everything related to managing his site. There’s no way to control whether or not a client uses that information, but a walkthrough like this at least guarantees the information was actually looked at.
Before starting your screencast, there are a few things you should keep in mind to make the process go a bit more smoothly:
- Be prepared. It should be a no-brainer, but it’s imperative that you come to the screencast prepared. You don’t need to memorize anything but it’s vital you have the support documentation you’ve written and any relevant notes within arm’s reach. This will ensure the cast stays on message and on schedule.
- Log in and get set up early. If you’re using a screencast app or some such, you need to log in and get set up at least 15 minutes early. This will allow you to troubleshoot any tech problems and have a minute to relax and mentally prepare.
- Give your client time to follow along. There will be some amount of lag in a screencast. It’s just inevitable. So be aware of this when referencing certain things on the screen. Understand that your voice will be heard a few seconds before the action on screen registers. Pausing between each step of a set of instructions is a good way to ensure the audio and visual sync up.
- Provide opportunities for questions. Your client might need a question or two answered during the screencast, but to avoid interruptions, announce that there will be designated times for questions throughout the cast. Encourage your clients to jot down notes so they don’t forget their queries.
You can always pre-record a screencast, too, but like written documentation, you do run the risk of the client never watching the video. It’s frustrating, I know, but there is really only so much you can do to ensure clients read, listen, and follow your dashboard-preserving instructions.
11. Only Use Reliable Themes and Plugins
This might go without stating but you need to only use reliable themes and plugins on the sites you build, lest you open them up to security breaches. This is even more important when you won’t be handling site maintenance yourself.
What constitutes a reliable theme or plugin? Well, those that have been accepted by the WordPress theme and plugin directories are typically good. Likewise, plugins and themes made by well-known developers work well, too. But even then, you need to do your due diligence. Sometimes plugins with stellar reputations are found to have security holes, which means you need to stay on top of the news, too.
A good rule of thumb is if you need to question where the plugin or theme came from, don’t use it.
12. Use a Security Plugin
Either use one that covers everything with a broad brush or break down your security coverage into smaller bits. Regardless, the more people you have working on the backend of your site, the more vulnerable the site will be to attacks. You can prepare for the worst by setting up backups (covered next) and installing security plugins that limit login attempts, allow you to block specific IP addresses, and make modifications to core theme files to bolster the site’s defenses.
13. Set Up Automatic Backups
Any site you build needs to be backed up. And it’s important you emphasize the importance of this to your clients as well. But you should never leave your clients fending for themselves in terms of searching for a solution. Instead, you need to provide a backup solution with the site as you hand it over to the client.
Automated backups are best. It takes out the guesswork and ensures the site will be saved even if the site is broken by a hacker, an automatic update, or even the client himself. Configuring backups is fairly simple and can typically be accomplished with a plugin, as you likely know already. You just need to make sure it offers backups and site restoration. A backup plugin that doesn’t allow you to restore a site is effectively useless.
We wrote a post reviewing the top free and premium backup solutions not that long ago, so you might want to check that out to evaluate your options. A brief summary? WPMU DEV’s Snapshot and Automattic’s VaultPress fared the best.
14. Consider Some Whitelabeling
A lot of the dashboard customization features we’ve talked about here already could be considered whitelabeling but what I want to talk about is adding custom branding to the dash.
Doing so doesn’t necessarily protect the site from client harm but it does keep the site identifiable as theirs. Those who aren’t familiar with WordPress at all might become confused by seeing its name and logo all over the dashboard. Some can even become a tad angry and think you’ve provided a generic site template or something. Stranger things have happened, people, so it’s best to make the dashboard look as customized as possible to keep your clients happy.
While there is a myriad of things you can do to customize the dashboard, one of the most important is to offer a custom login screen. Our Raelene Wilson recently wrote a tutorial for creating a login page from scratch. Or you can seek out a plugin-based solution like Custom Login or our Ultimate Branding to make these customizations without having to touch the code.
Client-proofing a site—more specifically the site’s dashboard—can feel tedious. After all, you know how to work all the bits and bobs on it, so why bother taking those extra steps? If you’re handling site maintenance for the client, you might not need to perform these added security and customization measures. But if you won’t be handling maintenance, your client will have access to everything, which means you need to take steps to protect your hard work.
Now that you’ve had a chance to review these tips, I hope you’ll find them helpful in creating a site you can be proud of, your client will love, and that he won’t be able to break.
Have you ever taken extra steps to secure a site from your clients? What did you do to keep it safe? Did I miss anything? Please offer up your best tips in the comments below.