What If a Developer Hijacks My Website?

Nov 14, 2019 | Web Dev

You may have heard about cases where unscrupulous developers build, maintain, and control a website for a business, and then threaten their client for more and more money or else the website will be taken down. Unfortunately, this happens and makes the rest of us look bad. Some developers will build a website on their own server, deny the client access, and then demand more and more outrageous fees after the client has become fully dependent on the website.

If this has happened to you, the best course of action will be to have your site quickly rebuilt on a server (hosting provider) you control.

To prevent a web developer from being able to hijack your website, I’ve compiled the steps you should take so that you can lock down your site if needed.

To have your company’s new website built safely and securely by a contract or in-house developer, you’ll need to take steps to ensure this developer can’t wreak havoc in the future.

1. Open a hosting account in your name or the company’s name.

In order for you to have full control over your website, you must have full control over the server. Building a website must be done on a server that you manage. You can purchase a hosting account from several places. You’ll want to make sure your server has cPanel access – this will give you, as a website/server layman, an easy interface to work with in case you need to shut out a bad developer. I’ll explain that later on.

I always suggest having a website built with WordPress, and many hosting providers offer one-click WP installations through cPanel on the server package you choose. You can also purchase Managed WordPress Hosting through many companies. In the latter case, I suggest InMotion Hosting or WPEngine for web host packages. You can purchase shared hosting or a dedicated server. This is up to you.

As a side note, InMotion Hosting offers free SSL certificates, which are a necessity for all websites. And WPEngine offers a free CDN to make your site blazing fast. Both hosting providers have their perks! You can also talk to your developer about which hosting solutions they prefer. But make sure the hosting is in your name and that you have cPanel access.

2. The domain name should also be in your name

Your domain and website are business assets and should be in your name. To make sure no one can hijack your site, you/your company should be the only ones to register your domain. You can usually purchase a domain through the hosting provider at the time of set up.

3. Only provide delegate access

Never, under ANY circumstances, should you provide a developer with your sensitive login information (user name and password) to your hosting account or domain registration company. Ever. Instead, you will register your developer as an administrative user or delegate under your account. The developer will still have full control to build and manage your website, but now you have the ability to remove that user at will.

4. Have your site built using the WordPress codex

When you have your website built with WordPress, you will have another layer of control. Tell your developer to create a separate admin account for you with full administrative privileges within the WP backend of your new site. If they refuse: RED FLAG. Cut them off and find a new developer quickly. A new developer, with delegate access into your server, will be able to create a new administrative account in the backend of your new WP website.

You and your developer should have separate admin accounts within the backend of your website. And if you need to let your developer go, you can simply remove the developer as a user. You can also manage and review all administrative accounts and remove any that seem fishy. And with backend access, you have more control over your own website maintenance.
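One way to review administrator accounts straight from the database instead of the dashboard list, as an added example that is not part of the original post. WordPress keeps each user's roles in the usermeta table as a PHP-serialized value; the `wp_` table prefix, the function names, and the sample rows (standing in for an export of the users and usermeta tables) are assumptions made for illustration.

```python
import re

# WordPress stores roles in <prefix>usermeta under the meta_key
# "<prefix>capabilities" as a PHP-serialized array, for example
#   a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def roles_from_capabilities(meta_value):
    """Return the role names that are switched on in a capabilities value."""
    return set(ROLE_RE.findall(meta_value))

def unexpected_admins(users, usermeta, approved_logins, prefix="wp_"):
    """List administrator logins that are not on the owner's approved list.

    users:    (ID, user_login) rows from the users table
    usermeta: (user_id, meta_key, meta_value) rows from the usermeta table
    """
    login_by_id = dict(users)
    flagged = []
    for user_id, meta_key, meta_value in usermeta:
        if meta_key != prefix + "capabilities":
            continue
        if "administrator" in roles_from_capabilities(meta_value):
            # An admin role with no matching users row is worth a look too.
            login = login_by_id.get(user_id, f"<orphaned id {user_id}>")
            if login not in approved_logins:
                flagged.append(login)
    return sorted(flagged)

# Constructed sample rows, not taken from a real site.
USERS = [(1, "owner"), (2, "devjane"), (3, "editor_bob"), (4, "wp_support")]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "nickname", "support"),
]

if __name__ == "__main__":
    for login in unexpected_admins(USERS, USERMETA, approved_logins={"owner"}):
        print("administrator not on the approved list:", login)
```
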

What you should do if you need to lock out a threatening developer.

As long as you have full control over your website and domain as described above, you should be able to eliminate any threat made by an ex-employee or contract developer.

1. Remove this person’s admin account in the back-end of your website. Review all administrative accounts within the list of users, and also remove any that you do not recognize.

2. Remove the user in your hosting account and where you registered your domain if separate.

3. Change all admin user passwords in the backend of your website, your hosting provider, and where you registered your domain – just in case.

4. In your hosting account, navigate to your cPanel and look for the module called FTP connections. A developer often uses a separate FTP connection to upload large files.


Within this new page, scroll down until you find the section called FTP Accounts. There is usually only one FTP account, but you may have many.


Most likely, your website is not using an FTP account for posting and no account is needed. If you see an account with your developer’s name or alias, delete it. If you see multiple accounts, delete them as well. For any main FTP account, change the password and record your change somewhere. You may need to use it later. If your website does use FTP access and any functionality breaks, it will be a simple matter of setting the new password.

5. Change your database password. This will involve a few steps.

First, you want to make sure you are changing the password of the correct user. In your server cPanel, navigate to the File Manager.


Next, open the folder called public_html by clicking on it. This is where your website files are located. In some cases, your files may be in another folder inside this one, called wordpress or wp.


In this folder, you’ll find a file called wp-config.php. Click on the file to highlight it, and then click VIEW. This file will open and you’ll be able to see the code. What you’re looking for are the names of your database and user name.

[Screenshot: DB Name]

In this example, I have blacked out sensitive information. Next to DB_NAME is the name of your database. Write it down. Also note the DB_USER name. Close out of the view, and navigate back to the main page of your cPanel.

Back in cPanel, find the module called MySQL Databases. Not all cPanels look alike. You may have a separate module for MySQL Users.


Within the MySQL Databases module, scroll down to “Current Users”. If you have more than one website, you will likely have more than one user. Your website is a user. But if your developer knows the user name and database, your website is susceptible. Click on the user name you wrote down above, make sure it’s connected to the database you noted above, and change the password.

Note: Your website will go down. Don’t worry! I’ll have it back up in a jiff!

Change the password for the user and write the password down.

Finally, go back to the File Manager as directed above, open the public_html folder, and click on the wp-config.php file, this time clicking “EDIT” instead of VIEW.

Enter your new password within the single quotes next to DB_PASSWORD and click Save.


Voila! Your site is back up again.

You may also want to check for any other database users in the MySQL section that are connected to the same database. Change those passwords as well, making sure it’s the same database connection.

6. Call your hosting provider and ask them to notate your account. This happens often, and they understand when you need to make sure a certain person has absolutely no access to your website at all. Explain to your hosting provider that there is a person you are concerned about (give them the name) who may be trying to gain access. They will notate your account, and extra precaution will be taken if anyone tries to call in and feign your identity for access.
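The wp-config.php half of step 5 as a script, added here as an example and not part of the original post: it reads DB_NAME and DB_USER from the file's text and rewrites the active DB_PASSWORD line with a freshly generated password. The sample file contents and function names are made up for illustration, and the same password still has to be set for the database user in cPanel.

```python
import re
import secrets
import string

# define( 'NAME', 'value' ); at the start of a line, so commented-out copies are skipped.
DEFINE_RE = r"""^([ \t]*)define\(\s*(['"]){name}\2\s*,\s*(['"])((?:\\.|(?!\3).)*)\3\s*\)\s*;"""

def read_constant(config_text, name):
    """Return the value of a define() constant as written in the file, or None."""
    m = re.search(DEFINE_RE.format(name=re.escape(name)), config_text, flags=re.M)
    return m.group(4) if m else None

def php_single_quoted(value):
    """Quote a string for PHP: inside single quotes only \\ and ' need escaping."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def new_password(length=32):
    """Generate a random password from the OS's cryptographic random source."""
    alphabet = string.ascii_letters + string.digits + "!#%*+-_=?"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def set_db_password(config_text, password):
    """Return config_text with the single active DB_PASSWORD line rewritten."""
    line = "define( 'DB_PASSWORD', " + php_single_quoted(password) + " );"
    pattern = DEFINE_RE.format(name="DB_PASSWORD")
    # A function replacement keeps backslashes in the password literal.
    new_text, count = re.subn(pattern, lambda m: m.group(1) + line, config_text, flags=re.M)
    if count != 1:
        raise ValueError(f"expected exactly one active DB_PASSWORD line, found {count}")
    return new_text

# Constructed sample, not a real configuration file.
SAMPLE = """<?php
define( 'DB_NAME', 'example_wp' );
define( 'DB_USER', 'example_wpuser' );
// define( 'DB_PASSWORD', 'old-commented-out' );
define( 'DB_PASSWORD', 'old-password' );
define( 'DB_HOST', 'localhost' );
"""

if __name__ == "__main__":
    print("database:", read_constant(SAMPLE, "DB_NAME"))
    print("user:    ", read_constant(SAMPLE, "DB_USER"))
    print(set_db_password(SAMPLE, new_password()))
```
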

This should do it! But contact me if you need any help whatsoever.
