  1. #1
    Join Date: May 2008 | Posts: 120 | Plugin Contributions: 0

    Should I change DB server username & password from what the person I hired made it?

    I hired someone to upgrade my website. In the includes/configure.php files for the website and Admin he changed the username and password from what I used to have. Is this something that I should change now that he has finished the work, or are they irrelevant? I did change the Admin password and folder name in my cPanel.

  2. #2
    Join Date: Jan 2004 | Posts: 66,373 | Blog Entries: 7 | Plugin Contributions: 274

    Re: Should I change DB server username & password from what the person I hired made i

    To abuse it they'd need to have added their own IP address in your cPanel's MySQL access list, else they wouldn't be able to access it.
    But it's still wise to change it.

    Plus, if they have your cPanel username and password, then they still have lots of other access.
    It's best practice to create a cPanel FTP user for them, and then delete that user when done. That way they never need your main cPanel password.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date: Jan 2007 | Location: Australia | Posts: 6,167 | Plugin Contributions: 7

    Re: Should I change DB server username & password from what the person I hired made i

    Quote Originally Posted by sendmenews:
    I hired someone to upgrade my website. In the includes/configure.php files for the website and Admin he changed the username and password from what I used to have. Is this something that I should change now that he has finished the work, or are they irrelevant? I did change the Admin password and folder name in my cPanel.

    Like most security-related matters, this comes down to a matter of trust and convenience.

    Unless you have full trust in the persons you have given access to, you should change it.

    If you do have full trust, then it comes down to a matter of convenience. If you are unlikely to require their services again, change it. If you are likely to use them again, leave it. Both you and they will find it inconvenient to have to supply/use different login credentials all the time along with the subsequent changes.

    As a general rule there is rarely ever a good reason to give a 3rd party your cPanel login credentials. If you have, change it.

    For Zencart specific support/updates all they need is an FTP login and a Zencart login with admin privileges. Neither of which should be the same as your own login details/account. This still has the trust/convenience implications, but provides a separation of accounts - IOW, they would never have *your* account details and as such, they can never be in a position to lock you out of your own site. It also reduces the amount of 'trust' you need to place in them and at the same time, is less of an inconvenience because you'll not have to worry about changing your own login credentials when you no longer need their services.

    Having said that, in my experience, most developers are actually quite trustworthy. They have a reputation to keep and have respect for those that hire them. In all my years, I think I've only heard of one 'rogue' developer - and that was because they didn't get paid.

    Now having said that, it also astounds me at how many store owners take this 'trust' thing a little too far. On average I have at least two unsolicited emails a month from people I've had no prior dealings with, seeking support for my ozpost module, and they supply their login details (plain text emails) with this initial contact. I never (well, rarely ever) need this information to help solve their issues - I respond with a very emphatic reply stating I will *not* be logging into their sites and that they should change the given password *immediately*. This helps alleviate any finger pointing should their sites ever get hacked. (Plausible deniability)
    If it turns out that I do need to log into their site to resolve an issue, I ask for the details and provide a secure link for them to provide it, and I delete the info when I'm done (so that there is no record of the details on my computer - which could be a problem should my computer ever be compromised). I think I'm probably a little more paranoid than most when it comes to security though. Trust and paranoia make for a very strange mix. :)

    Bottom line. If you have given them *your* details, change them. If they need access again, create an account specifically for them to use. Never give cPanel login details unless there is a *very good* reason - and offhand, I can't think of any.

    Cheers
    RodG

  4. #4
    Join Date: Jul 2012 | Posts: 16,732 | Plugin Contributions: 17

    Re: Should I change DB server username & password from what the person I hired made i

    Rod,

    I can and often do come across one reason to be provided more login details than "needed": creating a database to support upgrading/building a new site from an existing one. Often trying to explain how to do it or requesting that they work with their host to generate the new database and obtain the necessary credentials is just "too much". Past that... I can't really disagree with the above "discussion" of paranoia, deniability, request to revise credentials upon completion or statement/action (lack of?) to not login, etc...

    I too would just generally suggest changing credentials as well as the admin directory name, though I often also suggest that it be changed before providing access and then again after, so as to provide yet another step in that plausible deniability as well as site owner security.

    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  5. #5
    Join Date: Jan 2007 | Location: Australia | Posts: 6,167 | Plugin Contributions: 7

    Re: Should I change DB server username & password from what the person I hired made i

    Quote Originally Posted by mc12345678:
    I can and often do come across one reason to be provided more login details than "needed": creating a database to support upgrading/building a new site from an existing one. Often trying to explain how to do it or requesting that they work with their host to generate the new database and obtain the necessary credentials is just "too much".

    Good point. I knew I was forgetting something along these lines, and you've pretty much nailed it. It's been a long time since I've done a zen upgrade on a site we don't host (years). Been too busy. Incidentally, I've actually given your contact details to a couple of our own hosted clients in the last few months that have been wanting/seeking zen upgrades. I've noted that they've not had the updates done. I don't know if that is because they've never contacted you, or whether they have, and you've also been too busy.

    Cheers
    Rod
    Last edited by RodG; 9 Nov 2016 at 08:39 AM.
