Onboarding a new staff member across all your systems
A complete checklist for giving a new team member the right access to WordPress, Google Workspace, Microsoft 365, hosting, passwords, and more.
Bringing on a new team member means setting them up with the right access to the right systems — and nothing more. Getting this right from day one saves time, prevents security headaches, and means your new colleague can actually do their job.
This guide is a complete, system-by-system checklist. Work through the sections that apply to your business.
Quick summary
Grant access only to the systems and permission levels the new person actually needs. Use your password manager to share credentials securely — never over email or chat. Enable two-factor authentication on every account. Document everything so you can undo it cleanly when they leave.
Before you start
Answer these questions before creating any accounts:
- What is this person's role, and what do they actually need access to?
- Are there systems they should be able to view but not edit?
- Are there systems they should never have access to (e.g., billing, hosting)?
- Who will be their manager, and should that person be notified of each access grant?
Write down the systems you're granting access to. You'll need this list when the person leaves. The offboarding checklist is the reverse of this one — keep them together.
Email & productivity suite
Google Workspace
Create their user account. Sign in to the Google Admin console at admin.google.com. Go to Users, then Add new user. Enter their name and choose their email address. See adding a user in Google Workspace.
Assign the right role. For most staff, the default User role is correct. Only assign Admin if the person manages the Google Workspace account. See the Admin console for role options.
Share the temporary password securely. Use your password manager's secure sharing feature — not email, not Slack, not a text message. See how to share a password safely.
Add them to the relevant Groups. Groups control access to shared mailboxes and distribution lists. Go to Directory > Groups in the Admin console and add them where appropriate. See groups & email aliases.
Share relevant Shared Drives. Go to Google Drive, find any Shared Drives they need, right-click, choose Manage members, and add their email. See shared drives explained.
Ask them to enable 2-step verification on their first day. See turning on 2-step verification.
Microsoft 365
Create their user account. Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to Users > Active users, then Add a user. See adding a user in Microsoft 365.
Assign the right license. Choose the Microsoft 365 plan that includes the apps they need (Outlook, Teams, OneDrive, etc.).
Set their role. Most staff should be standard users. Only assign Global Administrator to people who manage the Microsoft 365 account.
Share the temporary password securely. Use your password manager's secure sharing feature. See how to share a password safely.
Add them to distribution groups or shared mailboxes as needed. See distribution groups & lists and shared mailboxes.
Ask them to enable multi-factor authentication on their first day. See turning on multi-factor authentication.
WordPress
Decide on the right role before creating the account. Most content editors should have the Editor role. People who manage the site should have Administrator. Avoid giving Administrator access to anyone who doesn't need it. See WordPress user roles explained.
Add them as a user. In WordPress, go to Users > Add New User. Enter their email, set their role, and click Add New User. They'll receive an email invitation. See how to add a new user.
Send them the login URL. Your WordPress login URL may not be the obvious one. See how to find your WordPress login URL.
Ask them to set a strong password the first time they log in. See how to reset your WordPress password.
Enable two-factor authentication if your site uses it. See turning on two-factor login for WordPress.
Hosting
Most staff do not need hosting access. Only grant it if the person is directly managing or deploying the site.
Add them as a collaborator in your hosting dashboard. The steps vary by host:
- Flywheel: see give us Flywheel access for the steps (the same flow works for adding any user)
- WP Engine: see give us WP Engine access
- Kinsta: see give us Kinsta access
Assign the minimum role needed. Most hosting dashboards have read-only, developer, and full access tiers. Use the most restrictive option that lets them do their job.
Password manager
Create them an account or invite them to your organization's shared password manager vault (1Password, Bitwarden, LastPass, etc.).
Share only the vaults or collections they need. Don't give them access to billing credentials, hosting root passwords, or other sensitive vaults unless their role requires it.
Never share individual passwords over email or chat. All sharing should go through the password manager's built-in sharing feature. See using a password manager with us.
Two-factor authentication (2FA)
Two-factor authentication (2FA) adds a second step to login — usually a code from a phone app — so that a stolen password alone can't unlock an account.
Require 2FA on every account the new person accesses. This is the single most effective security measure you can take. See two-factor authentication explained.
Ask them to set up an authenticator app on their phone, such as Google Authenticator, Authy, or Microsoft Authenticator. See using an authenticator app.
Make sure they save their backup codes in the password manager. Losing backup codes is how people get permanently locked out.
Domain registrar
Only grant domain registrar access if the person manages your domain or DNS.
Use delegate access if your registrar supports it (GoDaddy and Namecheap both do). This is safer than sharing your main account password. See give us access to your domain registrar.
Assign the minimum permission level — most registrars let you grant access to manage DNS without giving billing access.
Other systems
Consider any other tools your team uses. Common examples:
| System | Notes |
|---|---|
| ClickUp | Invite them as a member. See getting your ClickUp invite. |
| Google Analytics | Add as a Viewer or Editor in the GA4 property settings. See give us access to Google Analytics. |
| Google Search Console | Add as a Full User or Restricted User in property settings. |
| Meta Business Manager | Add with the appropriate role for Pages or Ads. See give us access to Facebook & Instagram. |
| Mailchimp / Klaviyo | Invite via their built-in team settings. |
| Stripe | Add as a team member with the appropriate role. |
| Shopify | Invite as staff. See give us Shopify collaborator access. |
On their first day
Day one checklist
Confirm these are done before the new person starts:
- Email account created and working
- Invited to relevant Shared Drives / SharePoint / OneDrive folders
- WordPress account created (if applicable)
- Password manager invitation sent and accepted
- 2FA enabled on all accounts
- ClickUp invitation sent
- They know the login URL for each system they'll use
Document what you've given them
Write down — in your password manager or a shared document — exactly what accounts and permissions this person has. You'll need this list when they leave. The offboarding checklist depends on it.
Common questions
Related guides
- Offboarding a staff member
- Security steps when someone leaves
- WordPress user roles explained
- Two-factor authentication explained
- How to share a password safely
- Using a password manager
Need a hand?
Recovering from a hacked website
A calm, thorough playbook for getting your hacked website cleaned, secured, and fully restored — with timelines and prevention steps.
Offboarding a staff member across all your systems
A complete checklist for safely removing a departing team member's access to WordPress, Google Workspace, Microsoft 365, hosting, passwords, and more.