The worst time to find out who owns your domain is the week your website goes down.

The second worst time is when you’re trying to fire an agency, change hosting, rebuild the site, recover analytics, fix email delivery, or prove ownership in Google Search Console.

Most small business website problems are not caused by one giant mistake. They’re caused by a messy trail of accounts nobody documented. The old marketing person used a personal Gmail. The developer set up hosting under their card. The domain renewal goes to an inbox no one checks. The Facebook pixel belongs to a freelancer from three years ago.

This is the website access inventory I wish every business owner had before there was a problem.

Use it as a working template. Copy it into a spreadsheet, password manager note, or internal wiki. The goal is simple: know what exists, who controls it, how access is granted, and what happens if that person leaves.

Why a Website Access Inventory Matters

Access is not admin busywork. Access is business continuity.

Verizon’s 2025 DBIR research found compromised credentials were an initial access vector in 22% of breaches. The same research found that, in the median case, only 49% of a user’s saved passwords across services were distinct after an infostealer infection. That is a polite way of saying reused passwords turn one account problem into several.

Domain ownership has its own risk. ICANN says domain registrants must keep accurate and reliable contact information with their registrar, and failure to verify or update that information can lead to suspension or cancellation. If your domain contact email belongs to an ex-employee, you may not see the warning until the site is already offline.

Search access matters too. Google says a verified Search Console owner has the highest degree of permissions, including access to sensitive search information and actions that can affect a site’s presence in Google Search. If the only verified owner leaves, Google says you should verify ownership to maintain or regain access.

And when you move hosting, Google recommends testing the new infrastructure, checking Googlebot access, lowering DNS TTL in advance, and making sure Search Console verification continues to work. You cannot do that cleanly if nobody knows where DNS lives.

The Rule: Own the Account, Delegate the Access

Your business should own the root accounts. Vendors should get delegated access.

That means the domain registrar, hosting account, Google Business Profile, Search Console, Analytics, ad accounts, CRM, email platform, and payment tools should be tied to business-controlled identities, not a vendor’s private account.

This does not mean every owner should personally manage DNS records or plugin updates. It means the business can recover, revoke, transfer, and audit access without begging a third party.

Use these fields for each item in your inventory: account or asset name, URL or login location, owner email, admin users, vendor users, MFA status, backup recovery method, renewal date, billing card owner, last reviewed date, and notes about risks or dependencies.

Keep passwords in a real password manager, not in the spreadsheet. The inventory tells you what exists and who owns it. The password manager stores the secret.

1. Domain and DNS Access

Your domain is the front door. If you lose it, everything else gets harder.

Document these items:

#Access itemWhat to record
1Domain registrar loginProvider, login URL, account owner, and backup admin
2Domain registrant contact emailThe mailbox that receives official domain notices
3Domain renewal dateRenewal date, term length, and auto-renew status
4Payment method ownerCard or billing owner, without storing card numbers
5Domain lock statusWhether transfer lock is enabled
6DNS hosting providerWhere nameservers and records are managed
7Nameserver recordsCurrent nameservers and why they point there
8Core DNS recordsA, AAAA, CNAME, MX, TXT, SPF, DKIM, DMARC, and verification records
9Recovery routeWho can regain registrar access if the primary admin is unavailable
10Last review dateDate, reviewer, and open risks

The key detail is not just where the domain is registered. It is who receives registrar warnings. ICANN’s RDRP FAQ says registrars send annual reminders to review and update domain contact information. If those reminders go to a dead inbox, your protection system is broken.

For DNS, write down what each important record does. A TXT record might verify Google Search Console, Microsoft 365, HubSpot, Mailchimp, Stripe, or a security tool. Delete the wrong one and something breaks quietly.

2. Hosting, CDN, and Deployment Access

Hosting access controls the live site. It also controls backups, logs, SSL certificates, redirects, staging environments, and sometimes email.

Document these items:

#Access itemWhat to record
11Hosting provider loginProvider, project name, admin owner, and billing owner
12Server or project nameProduction environment and any staging environment
13CDN accountCloudflare, Fastly, host-managed CDN, or other edge provider
14SSL certificate sourceWhere certificates renew and who gets expiration alerts
15Backup locationBackup schedule, storage location, and restore instructions
16Deployment platformGitHub Actions, Netlify, Vercel, WP Engine, cPanel, or similar
17Code repositoryRepo URL, owner organization, deploy branch, and admin users
18Secret storageWhere environment variables and API keys live
19Rollback processWho can roll back and how long it takes
20Last restore testDate of the most recent backup restore test

This is where many website handoffs fail. The business has WordPress access, but not hosting access. Or the agency has GitHub, but the owner has Cloudflare. Or backups exist, but no one has tested a restore.

Google’s hosting migration guidance recommends copying and testing the site before a move, reviewing pages, images, forms, and downloads, and monitoring traffic on old and new servers. That checklist assumes you can get into both environments.

3. CMS and Website Admin Access

The CMS is where day-to-day website damage usually happens.

Document these items:

#Access itemWhat to record
21CMS admin URLLogin URL and platform name
22Primary admin accountBusiness-controlled admin account
23Backup admin accountSecond owner-level account for recovery
24Editor and author accountsNamed users and current role assignments
25Plugin or extension licensesLicense owner, renewal date, and vendor support access
26Theme or builder accountTheme license, page builder account, and renewal owner
27Form plugin accountWhere forms are built, stored, and routed
28Security plugin accountAlerts, firewall rules, scans, and lockout controls
29Ecommerce, membership, or booking accessStore, calendar, subscription, or member-management admins
30User role policyWhich roles each team or vendor should receive

Do not let everyone be an administrator. Give people the lowest role that lets them do their job.

For WordPress, that usually means owners and trusted technical staff are admins, content people are editors, writers are authors, and outside specialists get temporary access. For Shopify, Webflow, Squarespace, Wix, or another hosted platform, use their role system instead of sharing one login.

Also record which plugins or apps are business-critical. A form plugin, redirect plugin, ecommerce integration, or booking calendar can be just as important as the CMS itself.

4. Analytics, Search, and Tagging Access

Analytics access is easy to ignore until a campaign fails and no one can explain what happened.

Document these items:

#Access itemWhat to record
31Google Analytics propertyProperty ID, account owner, admins, and key events
32Google Tag Manager containerContainer ID, publish rights, and connected tags
33Google Search Console propertiesDomain and URL-prefix properties with verified owners
34Bing Webmaster ToolsVerified site, admins, and sitemap submissions
35Looker Studio dashboardsReport owners, data sources, and sharing rules
36Call tracking accountNumbers, tracking sources, and routing rules
37Heatmap or session recording toolTool owner, privacy settings, and retention period
38Consent management platformCookie banner owner and consent mode settings
39UTM naming documentSource of truth for campaign naming
40Conversion event definitionsWhat counts as a lead, sale, signup, or qualified action

Google recommends adding more than one Search Console verification method in case one method fails. That is practical advice for business owners, not just SEOs. If your only verification method is a tag in a theme file and the theme changes, access can break.

Search Console should have at least two verified owners tied to business-controlled accounts. Google Analytics and Tag Manager should be owned by the business too. Agencies and contractors can be admins or editors, but they should not be the only owners.

5. Marketing, Sales, and Reputation Access

Your website is connected to the tools that turn traffic into revenue.

Document these items:

#Access itemWhat to record
41Google Business ProfilePrimary owner, managers, locations, and recovery email
42Google AdsAccount ID, billing owner, conversions, and linked properties
43Meta Business ManagerBusiness ID, page admins, pixel owner, and ad account access
44LinkedIn Campaign ManagerAd account, page admins, and billing owner
45Email marketing platformList owner, templates, signup forms, automations, and sending domain
46CRM or pipeline toolLead routing, form integrations, pipeline owner, and admin users
47Review platforms and directory listingsClaimed profiles, owners, and notification email addresses

This category gets messy because marketing tools are often created in a hurry. A freelancer sets up a pixel. A salesperson starts a CRM trial. Someone connects Zapier to a form. Six months later, the tool is important, but ownership is unclear.

Write down which website forms feed which systems. If the quote request form goes to HubSpot, Slack, a Google Sheet, and email, document every stop. That makes troubleshooting faster when leads suddenly stop showing up.

Security Rules for the Inventory

A website access inventory is only useful if it does not become a security problem itself.

Follow these rules:

  • Store passwords, recovery codes, API keys, and private keys in a password manager or secrets manager, not in the inventory document.
  • Require MFA on domain, hosting, CMS, email, analytics, ad, CRM, and payment accounts.
  • Use business email addresses for ownership, not personal inboxes.
  • Give vendors named user accounts instead of shared logins.
  • Remove access when a vendor, employee, or contractor leaves.
  • Review the inventory every quarter and before any redesign, migration, ownership change, or agency switch.

CISA recommends multifactor authentication for small and medium businesses and says businesses should aim to use phishing-resistant MFA. If a tool offers hardware keys, passkeys, authenticator apps, or admin-level MFA enforcement, use them for your highest-risk accounts first.

The highest-risk accounts are usually email, domain registrar, DNS, hosting, CMS admin, payment processing, Google Workspace or Microsoft 365, and any tool that can publish code or change tracking scripts.

Red Flags to Find During Your Audit

If you only have time for a 30-minute check, look for these problems first:

  • The domain registrar uses an old employee email.
  • The website host is billed to a vendor card.
  • The business has no admin access to DNS.
  • Search Console has one verified owner, and that owner is not the business.
  • Google Analytics or Tag Manager sits inside an agency-owned account.
  • WordPress has several old administrator accounts.
  • Forms send leads to personal inboxes.
  • Backups exist, but no one knows how to restore them.
  • Plugin licenses belong to a vendor with no transfer plan.
  • MFA is missing on domain, hosting, CMS, email, or ad accounts.

Any one of these is fixable. The danger is letting them stack up until a normal website change becomes an emergency.

The 60-Minute Access Inventory Process

You do not need a giant consulting project to start. Set a timer and do this:

First 15 minutes: find the domain registrar, DNS provider, hosting provider, CMS admin URL, and business email admin console. These are the spine of the website.

Next 15 minutes: list the connected measurement tools, including Analytics, Search Console, Tag Manager, call tracking, heatmaps, and dashboards.

Next 15 minutes: list the revenue tools, including forms, CRM, email marketing, ad accounts, review platforms, ecommerce, booking, payment, and automation tools.

Final 15 minutes: mark each item as green, yellow, or red. Green means business-owned with MFA and backup admin access. Yellow means usable but messy. Red means unknown, vendor-owned, personal-email-owned, or missing MFA.

Then fix the red items one by one.

What to Ask Your Web Vendor

A good web partner will not be offended by access questions. They will be relieved you care.

Ask these before starting a redesign, migration, or support agreement:

  1. Which accounts should our business own directly?
  2. Which accounts will you need access to?
  3. Will your team use named users or shared logins?
  4. How will access be removed when the project ends?
  5. Where are backups stored, and when was the last restore test?
  6. Who controls DNS and deployment?
  7. What happens if our primary contact is unavailable?
  8. Will we receive documentation at handoff?

If the answer is, “Don’t worry, we handle everything,” slow down. Convenience is nice until it turns into dependency.

FAQ: Website Access Inventory

What is a website access inventory?

A website access inventory is a list of the accounts, assets, owners, admins, vendors, renewal dates, and recovery methods connected to your website. It should cover domain, DNS, hosting, CMS, analytics, marketing, sales, security, and payment tools.

Should passwords go in the inventory?

No. Put passwords, recovery codes, API keys, and private keys in a password manager or secrets manager. The inventory should tell you what exists, who owns it, and where secure access is stored.

Who should own the domain account?

The business should own the domain account through a business-controlled email address. ICANN says registrants must provide accurate contact information and update it promptly when it changes.

How often should we review website access?

Review it quarterly, before major site changes, after employee departures, before switching vendors, and before domain or hosting renewals. Also review it after any security incident.

Can Your Web Team help with this?

Yes. If you want someone to map your website access, flag ownership risks, and turn the mess into a usable handoff document, get started here.