Run a Facebook page with other admins? You need to read this

Filed Under: Facebook, Featured, Malware, Social networks

Last year, we showed that it was easier than you might expect to hijack a Facebook page and lock out the original admin.

Here's a video I made at the time, where I showed just how page hijacking could occur.

(Enjoy this video? Check out more on the SophosLabs YouTube channel and subscribe if you like.)

Facebook page hijacking is an important issue, because so many companies and celebrities treat their Facebook page as a critical part of their marketing activity, with some brands having millions of fans.

Don't forget - a Facebook page which has been hijacked could be used to spread malicious links, spam or scams.. all in your brand's name!

The good news is that Facebook has now improved protection for Facebook page administrators. Rather than hand over the keys to the entire Facebook page (and effectively give them as much power as you, the original administrator) you can assign your fellow admin lower rights - which can prevent them removing you as an admin.

Facebook admin iconUnder the newly introduced system, page admins can be assigned specific roles: The most powerful role remains "Manager", but there is also "Content Creator", "Moderator", "Advertiser" and - at the bottom rank - "Insight Analyst".

Facebook page managers have the power to send messages, view insights and create posts and adverts. Crucially, they are also the only role which can access admin roles, and remove other administrators.

In the past, staff who simply wanted to access a Facebook page's admin panel to view statistics on how users were engaging with it, or running advertising campaigns, needed full admin rights - something which could be a disaster waiting to happen.

Facebook's Help Center describes the different roles for page administrators.

Admin roles on Facebook

It's great to see Facebook maturing its system in this way. If you're in charge of a Facebook page, and sharing access to the page with other people, you would be wise to check the roles used by your co-admins now - and adjust them as required.

Here's how you check who is an admin on a Facebook page that you administrate:

  • Open your Page's admin panel
  • Click Edit Page
  • From the left column menu, click Admin Roles
  • Type the names of other people you'd like to add in the open field
  • Click Manager below the name to choose what kind of admin you want to add
  • Click Save Changes

Giving a co-admin too much power may bite you in the bottom later, if their account is compromised or if they become mutinous and try to hijack control of the page from you.

If you're a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page - where more than 180,000 people regularly discuss the latest attacks.

, , , , ,

You might like

6 Responses to Run a Facebook page with other admins? You need to read this

  1. Sideshows Carnival · 1223 days ago

    I really like this idea. I've seen so many pages owners get the shaft from a rogue admin.

  2. Excellent post and thanks for the info GC!

  3. Mark · 1223 days ago

    I claim full credit for this new improvement over Page admins etc.

    I had a page with 19k followers, Ocean conservation theme. I was locked out in just this way by a jealous co-admin that I had brought on to the team to help. I was able to prove to facebook that I was the page creator and had the page closed down. My name was muck for a long time in the conservation World for that.

    Since that day, almost a year ago, I have sent untold number of communications to facebook requesting that implementation, I even sent a message to the big 'Z' so wondering if that landed.

    Maybe they were planning this all along but it's nice to dream! I welcome the change. I have since built my business page to almost 22k followers, Ocean sports, and as such welcome the option for designating specific admins with respective access to their role responsibilities.


  4. So what happens now when the sole superadmin dies or leaves?

  5. Mags · 1221 days ago

    What about Group pages? They can be hijacked too!

  6. John · 838 days ago


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley