When choosing a web designer / developer, make sure that the contract you sign clearly states that they must release the master administrator username and password to you immediately upon request. These master accounts are notably utilized by CMS software such as WordPress and Drupal. It is normal for a professional developer to not release the “admin” account until the project is completed. This is to protect the developer from having to repair damage that the use of such privileges can create. It is NOT normal for a developer to refuse to give you the admin credentials after project completion. It is unethical and can possibly lead to your site being held for ransom.
One ransom strategy is to not allow anyone to make changes to the site, so that you will (or will continue to) pay for an expensive support contract. Another hijack strategy is to demand a one time payment in order to release the administrator access. If that’s not enough, your developer may disappear on you, leaving you without the necessary information to pass along to a new developer.
When you pay a developer to create a site for you, it is still YOUR site. It is valuable to you and/or your business. YOU should control the value of your site. It can be very expensive and time consuming to recover from a developer hijack. Now that you are aware of what can (an does) happen, let your developer know your expectations, and cut your risk of being hijacked dramatically.