When you hire a WordPress professional to work on your site it’s pretty common for them to ask for

• An administrator account for your WordPress website
• Login access to your web server or hosting-company control panel

It makes sense that they’d need to log into your website as an administrator. If they couldn’t they couldn’t add or remove plugins, make changes to the theme (colors, fonts, menus, widgets, footers), or run fairly important configuration and optimization routines. They also can’t make in-site backups, or, more importantly, restore them. So that makes sense.

But server access too? That can feel a lot like you’re giving them the keys to the kingdom. What’s up with that?

• Is it safe?
• Do they really need it?
• What will they do if you give them access?

Ok, speaking for myself, I don’t need access to the server to if my changes are going to be very minor. But otherwise, yes, if I’m doing serious work on your website I’m going to need to be able to access the server so I can

• create and/or restore a backup if something goes wrong. (Bonus: Murphy’s Reverse Law says you’re less likely to need to restore a backup if a backup is available and installable.)
• edit code files like functions.php without risk of “white screening” with a bug or typo. (They can edit existing files through the WordPress theme editor but if they introduce a PHP error the whole site can crash… and then they don’t have access to the editor to undo it.)
• add files or folders to your (child) theme to override or enhance current site functionality. Example: custom WooCommerce templates, almost any customizations to The Events Calendar, page-builder module overrides
• Backup, restore, or perform cleanup on the database

You may be able to just give your developer FTP access, though that can be a pain if they also need to access the database.

It’s always best if you can “delegate” access to your account (e.g. what GoDaddy calls it) or make someone a “Collaborator” (e.g. what SiteGround calls it) or otherwise give them tech-only access. Most hosting plans let you do this, especially since most credible hosting companies require 2-factor authentication.

But, yeah, it’s pretty normal to give developers some sort of access to your server.

And yes, once they’re done it’s also perfectly fine for you to revoke their access by deleting their WordPress admin account and removing their collaborator access. If for some reason you needed to give them your own credentials it’s a very good idea to go back in once they’re done and change your passwords.