Enterprise Admins! Secure Your Facebook Pages

Hey, Companies! (and individual Page admins as well…) Secure Your Facebook Pages.


Zoe Hoeltzel PhotosThere is an important detail about Facebook Pages Admin Settings that many Page admins are not aware of, and it represents an important security flaw that needs to be remedied. The creator of a Facebook Fan Page is permanently set as an admin for a Page, and there is no way to remove that profile’s admin settings. This post will provide best practices for Page Creation to avoid this problem in the future and recommendations for rectifying existing problems.


Permanent Admins:
When a new Facebook Fan Page is created, it must be created by a user who is currently signed in to their own Facebook account. That creator’s profile then becomes the first default Admin of the newly created page. This Creator Admin can add other users as admins, but there is one major difference between creators and other admins. Other admins can revoke admin privileges for any adminexcept the creator. Creator admins can revoke admin privileges for any admin except themselves.

Here’s the problem – most Pages that have been created up to this point were made before the existence of corporate social media strategies. This means that individuals from within business units or corporate teams created the Pages from their own personal Facebook profiles. If you are 100% certain that each of these Page creators will be with your organization forever, then there’s no problem. However, if there’s a chance that any of them may seek other opportunities elsewhere before either their brand or Facebook.com become obsolete, then you are creating a significant security flaw.

If these creators are permanent admins, and they leave your organization, they will still have irrevocable admin privileges to the Page – something no other admins will have. Worst-case scenario is that the creator revokes admin privileges for every admin except themselves.

Quick Caveat:
Yes, you can reclaim hijacked Facebook Pages like you can reclaim Pages infringing your trademarks, but how long has that taken you in the past? The point of this POV is to help you prevent the need to take that kind of action.

Essentially, this is the equivalent to giving creator admins the password to your brand’s Facebook Page for life, regardless of whether they continue to be your employee or not, and this is definitely not a security best practice.

Best Practices, Not Accusations:
We are not suggesting that your employees would actually do anything malicious, and indeed these creator admins should be congratulated and thanked more than anything because they were the thought leaders who pioneered your presence on these social platforms, in some cases well before the organization as a whole was prepared to move into the social media arena that is now considered so important to digital strategies.

However, it is your responsibility – legally in some cases – to protect your brand in an organized and secure fashion. By following these best practices you will not be removing these creators as admins – they will remain admins and retain all privileges that they currently have. All you are changing is which Facebook account will serve as the anchor account for your Pages, and unifying that responsibility under a single account that is owned by the organization rather than an individual. By communicating effectively and implementing this best practice across the organization so that all creators experience the change at the same time you can minimize the emotional response that some creators might have if they have invested lots of time and energy into their pages and feel as though this is a loss of control. The key is that it isn’t a loss of control – they retain full control, but your organization is implementing a security measure that has been mandated and cannot be ignored.

Using A Corporate Anchor Profile:
Your organization needs to create an individual profile – just like the personal profiles that people maintain on Facebook – under your brand name. This profile will not be used for engagement or interaction on Facebook. You will not need to build “friends” for this account. Its sole purpose is to serve as a central anchor for all of your organization’s Facebook Fan Pages. This account will not be used to post to any pages, and in fact it should be used as little as possible and reserved as a “master key” account that can be used to gain access to any page in case of emergency. By using this account as little as possible, and by providing its login information only to select team members, it can be kept as secure as possible.

In Case of Emergency:
If one of your admin’s account is hacked, providing access to one of your Pages, or if one of your Pages is accessed inappropriately by an admin in another way, the anchor account can be used to revoke the admin privileges of the offending admin profile. If the profile was hacked, it can be re-approved as an admin once its password has been reset and you are satisfied that it is secure.

If this organizational anchor profile is used to create new pages, it will be the creator admin for those pages. This means that even if another admin account on those pages is abused or hacked, it will not be able to revoke the permanent admin status of this anchor profile, and therefore will be unable to completely take over the Page.

What About Current Facebook Pages With the Wrong Anchor Profile:
For the Pages that have already been created, and that are currently anchored on employees’ personal profiles, you should reach out to your Facebook contacts and request back end help. Your Facebook contact might say that what you are asking for – to migrate “creator” status for each of your pages to a single new official corporate-owned individual profile (that you should already have created by this point so that you can provide its URL) – is not possible. This is the official party line, as viewable in their own help/support page:


We fully expect this policy to change at some point, but there is no sign as to when that might be. You should assume that it will take quite some time, and this is why we recommend moving forward with this request process.

If your Facebook contact says it is not possible, you should reply that in that case you would like to replicate the reclamation process that occurs when another party has created a page that infringes on your trademark. You would like to preserve all content, settings, URL structures, etc. for the existing page – no loss of anything is crucial – and reassign it to a new admin. If they say that you will lose all current admins, that’s OK. You can always request a list of all current admins for each Page and re-add each of those profiles after the change takes place.

This type of reclamation is definitely possible. It has been done numerous times, and you may have even requested it for some of your own pages.

Approaching your Facebook contact with all of your information gathered and organized, and asking for this to be done in bulk to all of your Pages at the same time is helpful – as opposed to asking them to make the changes one by one for your Pages over the course of weeks. The easier you make it for them, the harder it will be for them to say no, and the faster it will happen.


Creating a corporate-owned anchor profile that has permanent creator admin access to each of your Facebook pages is a proactive step toward securing your Facebook presence and protecting against compromised Pages. If you have any questions, please contact us at GSI and we will be happy to help you understand the importance of this change and the steps necessary for implementing it.

There are many other issues regarding safe and proper Facebook use, and new ones are cropping up all the time. Here are some other salient issues with Facebook to have on your radar.

Photo Credits: Zoe Hoeltzel Photo Blog

This post was originally published at The Faster Times

Leave a Reply

Your email address will not be published. Required fields are marked *