Chykalophia Docs
Security

Security steps when someone leaves

The security checklist to run every time a team member, contractor, or employee moves on — to protect your business and remove unnecessary access.

Tags: security, team, access, intermediate

When someone leaves your team — whether it's an employee, a contractor, a freelancer, or a long-term collaborator — there are security steps that need to happen promptly. Skipping them can leave doors open that you've forgotten about, sometimes for years.

This guide gives you a checklist you can work through every time someone leaves.

Quick summary

When someone leaves your team, revoke their access to every system they used — starting with email and your most sensitive platforms. Do this on their last day, not weeks later. The risk of a departing person having ongoing access is real, even if the relationship ended on good terms.

Why this matters even for good departures

It's easy to think "they're leaving on good terms — there's no risk." But ongoing access creates risk even without any malicious intent:

  • Their credentials could be compromised by someone else
  • They might inadvertently make changes while wrapping things up
  • If they later have a dispute with your business, access to accounts is a liability
  • Many compliance frameworks and insurance policies require prompt access revocation

The goal is not to suspect people — it is to maintain control of your business's digital assets.

The offboarding security checklist

Work through this list on or before their last day:

Email and communication

  • Disable or delete their business email account (or convert to an alias forwarding to you)
  • Set an out-of-office or bounce reply directing contacts to an active email address
  • Export any important emails or content before deleting the account
  • Remove them from any shared inboxes (e.g., support@, info@)
  • Remove from any team chat channels (Slack, Teams, etc.)
  • Remove from ClickUp or your project management tool

Website and hosting

  • Remove their WordPress user account, or downgrade their role to Subscriber
  • Remove their access to your hosting control panel (Flywheel, WP Engine, Kinsta, cPanel)
  • Remove their FTP/SFTP access if applicable
  • Remove their access to your staging environment

Domain and DNS

  • Remove their access to your domain registrar account
  • Remove their access to your DNS provider (e.g., Cloudflare)

Google and Microsoft accounts

  • Suspend or delete their Google Workspace or Microsoft 365 user account
  • Transfer their files to another team member before deleting the account
  • Remove them from shared Google Drives, Calendars, and Docs with sensitive information
  • Revoke their access to Google Analytics, Search Console, and Tag Manager
  • Check for any third-party apps they authorized with their company account

Social media

  • Remove their admin access from Facebook Business Manager / Meta Business Suite
  • Remove them as an admin or editor from your Instagram, LinkedIn, X/Twitter, or other accounts
  • If they were the sole admin on any platform, add yourself before removing them

Marketing tools and advertising

  • Remove from Mailchimp, Klaviyo, or other email marketing platforms
  • Remove from Google Ads, Meta Ads Manager, or other advertising platforms

Financial and payment tools

  • Remove their access from Stripe, PayPal, or your payment processor
  • Remove from QuickBooks, Xero, or accounting software
  • If they had a company card or payment credentials, deactivate or change them

Passwords they may have known

  • Change any passwords to shared accounts they had access to
  • If they used a shared password vault entry, rotate that password
  • If they knew your domain registrar password, change it

Physical and device access

  • Collect any company devices (laptops, phones)
  • If they used a personal device for work, ensure any company data is wiped or inaccessible
  • Revoke any VPN access
  • Change door codes, alarm codes, or physical security credentials if applicable

Timing: when to do this

Don't delay

Access revocation should happen on the last day of work — not "sometime soon" or "when you get around to it." The longer access remains active, the greater the risk.

For planned departures: prepare the list in advance. For sudden departures: prioritize email and the most sensitive systems first and work through the rest within 24 hours.

Don't forget contractors and freelancers

Contractors and freelancers often have more access than you realize — they may have been added to tools during a project and never removed. Include them in this process when the engagement ends.

Granting access to the replacement

When someone new joins:

  • Create new accounts; do not reuse the departed person's credentials
  • Grant only the access they need for their role — you can always add more later
  • Document what access was granted and when
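
A record of what access was granted and when also makes the offboarding checklist checkable later. The sketch below is an added example, not part of the original guide or any Chykalophia tooling: it audits such a record for access that outlived someone's last day. The ledger layout, the names and dates, the priority order after email, and the use of the 24-hour window as a pass/fail threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample ledger: (person, system, last_day, revoked_at or None).
# Every name and timestamp here is made up for illustration.
LEDGER = [
    ("dana (employee)", "email", "2024-05-31T17:00", "2024-05-31T16:30"),
    ("dana (employee)", "wordpress", "2024-05-31T17:00", "2024-06-03T09:00"),
    ("dana (employee)", "stripe", "2024-05-31T17:00", None),
    ("lee (contractor)", "dns", "2023-11-15T17:00", None),
    ("lee (contractor)", "slack", "2023-11-15T17:00", "2023-11-15T12:00"),
    ("sam (employee)", "email", "2024-07-31T17:00", None),  # has not left yet
]

# Email first, then the most sensitive systems (the order after email is assumed).
PRIORITY = ["email", "registrar", "dns", "stripe", "hosting", "wordpress"]
GRACE = timedelta(hours=24)  # the guide's window for working through the list


def audit(ledger, now):
    """Return (person, system, status, days_exposed), most urgent first."""
    findings = []
    for person, system, last_day, revoked_at in ledger:
        left = datetime.fromisoformat(last_day)
        if left > now:
            continue  # still on the team, nothing to revoke yet
        # Exposure ends when access was revoked, or is still running now.
        end = datetime.fromisoformat(revoked_at) if revoked_at else now
        if end <= left + GRACE:
            continue  # revoked on time
        status = "REVOKED LATE" if revoked_at else "STILL ACTIVE"
        findings.append((person, system, status, (end - left).days))

    def rank(system):
        return PRIORITY.index(system) if system in PRIORITY else len(PRIORITY)

    # Open access before late-but-closed access, then by system sensitivity.
    return sorted(findings, key=lambda f: (f[2] != "STILL ACTIVE", rank(f[1])))


if __name__ == "__main__":
    for person, system, status, days in audit(LEDGER, datetime(2024, 6, 10, 9, 0)):
        print(f"{status:12} {system:10} {person:18} {days} day(s) past last day")
```

In the sample data, the contractor's DNS access is the oldest open item, which is the pattern the section on contractors and freelancers describes.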

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.