Client hacked into site and took over without paying

jay kay
(@jkember)

11 years, 9 months ago

Hi

Please help, I recently developed a site for somebody and got into a dispute over fees and didnt hear from them for a few weeks.

They wanted admin rights to the site that i designed and built for them but had only paid me to design and develop a basic site. So I refused to hand over back entry to the site until they paid me what they owed me.

I thought the site i’d developed was secure and my admin password was strong, however tonight i received an email saying they had taken over the site, thanking me sarcastically and basically laughing in my face.

I’m pretty new to wordpress but have no idea how they managed to hack the site? Obviously they had access to there hosting account, is it possible their hosting providers helped them in some way?

Could they have exported the full website and database, re-installed wordpress and then imported it back in changing the admin account and deleting me as the admin user.

As you can imagine I’m pretty upset and angry but more intrigued as to how they did it and want to know how i can prevent this from ever happening again. Reluctantly I wont be taking on work from any more dodgy characters but you never know who you end up doing work for.

Any designers/developers ever been in a similar situation? Any information of guidance would be much appreciated.

Thanks

JK

Viewing 10 replies - 1 through 10 (of 10 total)

doc4
(@doc4)

11 years, 9 months ago

jay kay,

Can you turn them into a collection agency? This is typically what we would do, though it does help to have something signed from the client such as a contract.

Did they still retain access to the website on a low level or did they have FTP access to the site? This could potentially be a point of entry.

If they had access to the database they could simply have changed the password from there as well and locked you out. WordPress has a quick tutorial on changing the password this way.

Clayton James
(@claytonjames)

11 years, 9 months ago

Obviously they had access to there hosting account,

Access to the hosting account = access to the database = less than 2 minutes to change the default administrator account password. No hacking involved.

You need to seek qualified legal representation to advise you on the proper course of action.

Thread Starter jay kay
(@jkember)

11 years, 9 months ago

Hi Doc4

Thank you so much for getting back to me, nice to know there is help out their.

No I probably wont be able to turn them in, as this was all done over a hand shake. I freelance evening and weekends and they had heard about me through a friend, they wanted to pay CIH as they didnt have a big budget and wanted a nice professional site to get them started as they were a start up company.

Lesson learnt really, but never thought for a minute they would have the balls or the brains to be able to pull this off.

I didnt give them any access at all, i thought about giving them a low level access, but they hadn’t paid me for a CMS site so stuck to my guns and didnt give them anything. I set up all their FTP and database when they gave me access to there hosting provider who is LCN.com…i tried to login to this once i received there nasty email but they were clever enough to have change there password. I guess all they needed to do was speak to someone with a bit of developer knowledge who could easily of got ftp details and access to the database….i’m really kicking myself as thinking about it this would be really easy to do…

Thread Starter jay kay
(@jkember)

11 years, 9 months ago

Thanks Clayton James for your response…

How would i prevent this from happening again…? Hopefully i wont be in this situation again as i wont be doing anymore web work on the cheap and allowing myself to be cheated in this way. But whats to say any customer/client could not just get someone to help them out and login into their own hosting account get access to the database and change the default account password…It’s not like i can deny them access to there own hosting account…

One thing to add, I had a back up account which they left but changed to a lower level access, I managed to login and out of spite, permanently delete all the images i’d created and pages…I’m guessing this will only be a short term retaliation as they will just be able to restore the site again? Hey they did it once, i’m sure they can do it again…

I’ve not responded to their email, and am thinking i probably wont give them the satisfaction of replying…at the end of the day they have got one up on me and there is probably nothing I can do about it apart from make it a lesson learnt.

fonglh
(@fonglh)

11 years, 9 months ago

I’m curious about one thing. If you were asked to design and develop a basic site, why would you develop a CMS site and then expect them to pay extra for it?

Clayton James
(@claytonjames)

11 years, 9 months ago

as this was all done over a hand shake. I freelance evening and weekends and they had heard about me through a friend, they wanted to pay CIH as they didnt have a big budget and wanted a nice professional site to get them started as they were a start up company.

I like to refer to that as the “friends and family” clause.

I had a back up account which they left but changed to a lower level access, I managed to login and out of spite, permanently delete all the images i’d created and pages…

It’s probably best to resist that type of thinking. It sucks to be in that position, but don’t stoop to their level. If you do, the only reputation that will really be damaged in the long run is yours. Just get smarter about the way you approach the same situations in the future, and you should still probably seek some qualified legal advice. This one seems like it’s turning into a write-off, but it’s worth checking into.

doc4
(@doc4)

11 years, 9 months ago

I have to agree with ClaytonJames on this one. It can be tempting to retaliate but it’s best to step back and think about the damage to your reputation. I would continue to send payment reminders and hope for the best on this one.

michael.mariart
(@michaelmariart)

11 years, 9 months ago

The best way to make sure that you don’t get stung by this again is to do your devleopment on your own web space, and only hwen they have signed off on the site and payment has been recieved, then transfer it ot their hosting account. It’s a bit more hassle, but you know that you have everything under your control until it’s time to finalise the deal.

Thread Starter jay kay
(@jkember)

11 years, 9 months ago

Thanks everyone for your guidance and advice on this…definitely a lesson learnt on my behalf. For one I wont be doing any little 3 page sites anymore, I’m going to only do CMS sites and have a minimum price for them. Plus from now on i’m going to build all the sites on my server until there 100% happy and want to go live and i’ve been paid in full, to prevent this from ever happening again.

In answer to your question Fongih, when i first sat down with the client they said they only had a small budget and wanted a 3 page site with the intention of upgrading to a cms site in around 6 months time. I very rarely build basic html and css sites anymore and thought it would be silly and a time wasting excercice to build them a site like this only to have to rebuild the whole thing again in wordpress 6 months down the line, I know for a fact they wouldnt of wanted to pay me the full additional amount to rebuid into a cms, so thought i’d save time and do it in wordpress from the start. When i first me them, they didnt know anything about web development, and after all how i build there site is entirely up to me as long as it does what they want and looks how they want it. Quite quickly after i finished the site, they emailed and asked for passwords and access to it as they wanted to change and update it, when i went back and told them they wouldnt be able to as they had not bought a cms package from me, even if i had built it in html and css, they wouldnt of been able to update it as they told me they new nothing about web development, the html language plus wouldnt of had any software like dreamweaver etc to update it, any updates would of had to come through me anyway. They started getting really funny at this point and all of sudden were really clued up to wordpress and new i’d build the site in wordpress…(i can only think they were getting help from a developer or someone who knows a bit about web development)…at this stage communications started to break down. I also did some print work for them and they started asking me for original artwork files so there printer could edit them…which made me chuckle (they simply have no idea how the design world works and expected to pay me next to nothing and have everything).

Like i said above i’ll be taking the proper precautions from now on, its all a learning curve for me. This one is definitley a lost cause, but to be honest in a way i’m kind of glad as these are not the type of clients i want to be working with.

Myonecall
(@myonecall)

11 years, 9 months ago

Having run my own business for 25 years, I can tell you this is a lesson we all learn… everything has a contract or written agreement. It will save you a ton of time and help with communication if there are issues.

Sorry you had to go through that! Even a agreement YOU write (It doesn’t have to be written by an attorney) is fine. It may not stand up in Court, but most of these would be small claims, where they would take it into consideration.’

I am not an attorney, and you should check with one, I am just relating my experience over the years.