Access is where trust quietly breaks down between a business and whoever does its SEO. The request usually arrives bundled and casual: send over your website login, your hosting, your Google accounts, and we will take it from here. Most owners hand it over because they do not know which parts are actually needed and which are just convenient for the agency.
What an audit actually needs
An audit is a diagnosis, not surgery. To find the problems holding a site back, the only things genuinely required are your URL and the ability to read your own search data. That is it.
- Your website URL. The domain you want ranked, plus the handful of pages you care about most. Public information, no access needed.
- Read access to Google Search Console. This is the one that matters. Search Console shows what Google actually does with your site: what is indexed, what is blocked, which queries bring impressions, and where clicks leak away. Read access is enough to see all of it.
- Optional: read access to Google Analytics (GA4). Useful for seeing what visitors do after they land, but not required to audit the SEO itself.
- Optional: context. The search terms you want to win, competitors ranking above you, and the country or area you serve. Helpful background, not access.
Notice what is not on that list: no website admin login, no hosting panel, no domain registrar, no passwords. A diagnosis is built from reading data, not from holding the keys to the building.
This holds even for the deeper technical part of an audit. Crawling the whole site to surface broken internal links, redirect chains, duplicate or missing titles, and a bloated sitemap is done with a crawler that visits your pages exactly like any other visitor, over the public web. It reads what is already published, so it needs no login at all.
How to grant read-only access safely
Both Google tools have a dedicated read-only role. You add a specific email, choose the lowest role that still lets the person see the data, and you can remove it with one click when the work is done. Nothing about your site can be changed through these roles.
Search Console: the Restricted role
In Search Console, open Settings > Users and permissions, click Add user, enter the email you were given, and choose Restricted. Search Console offers Owner, Full, and Restricted. Owner has full control, including adding and removing other users. Restricted has simple view rights on most data, which is all an auditor needs.
Restricted users cannot change settings, cannot submit or remove sitemaps, cannot request removals, and cannot touch other users. They can look, and that is the point. When the audit is finished, open the same screen and remove the user.
GA4: the Viewer role
If you want to share Analytics, go to Admin > Property Access Management, add the email, and choose Viewer. GA4 has Administrator, Editor, Marketer, Analyst, and Viewer. Viewer is the read-only floor: it can see report data and settings and build explorations, but it cannot change configuration or manage users.
Prefer not to share access at all? A good audit can still run on exports and screenshots: your Search Console performance, coverage, and a few key reports. It is slightly less thorough than live access, but it keeps you fully in control of what is shared.
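To keep the grants described above at the read-only floor and to catch users who were never removed, a periodic access review helps. This is an added example, not code from the article or from Google: the CSV columns, the email addresses, the domains, and the dates are all constructed, and the roster is assumed to be typed up by hand from the two permissions screens.

```python
import csv
import io
from datetime import date

# Roles named in this article; the lowest (read-only) role per tool.
READ_ONLY = {"search_console": "Restricted", "ga4": "Viewer"}
KNOWN_ROLES = {
    "search_console": {"Owner", "Full", "Restricted"},
    "ga4": {"Administrator", "Editor", "Marketer", "Analyst", "Viewer"},
}

# Constructed roster (assumption): column names are this example's own,
# not an export format offered by either tool.
SAMPLE_ROSTER = """tool,email,role,engagement_ends
search_console,owner@example-shop.test,Owner,
search_console,auditor@seo-vendor.test,Restricted,2024-03-31
search_console,old-agency@seo-vendor.test,Full,2023-11-30
ga4,auditor@seo-vendor.test,Viewer,2024-03-31
ga4,freelancer@other-vendor.test,Editor,2024-06-30
"""

def review_access(roster_csv, own_domain, today):
    """Return (email, tool, problem) findings for accounts outside own_domain."""
    findings = []
    for row in csv.DictReader(io.StringIO(roster_csv)):
        tool, email, role = row["tool"], row["email"].lower(), row["role"]
        if role not in KNOWN_ROLES.get(tool, set()):
            findings.append((email, tool, f"unrecognised role {role!r}"))
            continue
        if email.rsplit("@", 1)[-1] == own_domain:
            continue  # internal accounts are out of scope for this check
        if role != READ_ONLY[tool]:
            findings.append((email, tool, f"{role} exceeds {READ_ONLY[tool]}"))
        ends = row["engagement_ends"]
        if not ends:
            findings.append((email, tool, "no end date recorded"))
        elif date.fromisoformat(ends) < today:
            findings.append((email, tool, "engagement over, remove user"))
    return findings

if __name__ == "__main__":
    for finding in review_access(SAMPLE_ROSTER, "example-shop.test", date(2024, 4, 15)):
        print(*finding, sep=" | ")
```
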
What you should never hand over for an audit
If someone needs any of the following just to tell you what is wrong with your site, the request does not match the job. None of these are required to read your data and write a fix list.
- Your website admin or CMS password. A login to WordPress, Shopify, or your CMS lets someone change the site, not just read it. An audit changes nothing.
- Hosting or cPanel access. Server-level access controls files, databases, and email. There is no audit reason to hold it.
- Domain registrar login. Whoever controls the registrar can move or lose the domain itself. Never share it for analysis.
- Search Console Owner. Owner can add and remove users and change verification. Restricted is the correct level for an outside reviewer.
- Anything financial. Ad accounts with payment methods, billing portals, or card details have nothing to do with an SEO diagnosis.
The pattern is simple. Reading your data needs a read-only role on the data. Anything that can change, move, charge, or delete is not part of finding out what is wrong.
The "no access, no service" red flag
Some providers will not start until they have full back-end access to your site. It is often written into the terms: without admin access, the service cannot be delivered. For an ongoing engagement that implements changes every month, that is at least understandable. For an audit, it is the wrong shape entirely.
Demanding full control before anyone has even told you what is broken inverts the order. You are handing over the keys to buy a diagnosis. A diagnosis comes first, from reading the data, and only then does the question of who changes what, with how much access, even arise. If the only access on offer is all of it, that tells you the product is a retainer, not an audit. (For more on how those retainers are structured, see what a typical SEO retainer actually does.)
When backend access is legitimate
There is a real case for deeper access, and it is worth stating clearly so this does not read as if access is always suspect. Once you have the audit and decide to have the fixes implemented, editing the site obviously requires the ability to edit the site.
The difference is that implementation is a separate step, under a separate agreement, with a separate and scoped level of access, granted only for the work being done and removed afterward. That is the opposite of handing over admin up front as a condition of starting. Implementation may require write access; the audit never does. Keeping those two things apart is what keeps you in control.
The bottom line
An audit reads, it does not write. The honest version needs your URL, a Restricted user in Search Console, and optionally a Viewer in GA4. Everything beyond that is either convenience for the provider or a sign you are being sold something larger than a diagnosis. Grant the read-only roles, keep the keys, and remove access when the work is done.
The fixed-price SEO audit works exactly this way: read-only Search Console access (or your exports), a technical and on-page review of your site and search data, and a prioritized fix list you own. One report at a flat PHP 2,500, no retainer, no admin login, no ranking promises. Get in touch to start.