I’ve parted with my developer on bad terms. What now?

An all too common story that stirs up fears in the worst way. The relationship between you and your developer has soured, and you want to preserve the health of your digital assets.

The question becomes, how do you as a novice protect yourself from an expert? Although most developers simply move on, it is best practice to assume ill will and act accordingly.

Your best bet is to immediately find a new and trusted resource, so you have firepower on your side. Second, you want a basic understanding of how hacking works and of basic website security protocol. An understanding of how websites are created, and therefore where they are vulnerable, helps tremendously. Lastly, a fallback copy of all digital assets is always a good resource.

Get a big mean bodyguard or two

Let’s face it; the average citizen does not stand a chance against a professional developer intending harm.  Although you can go it alone, you will be best served by finding a new and trusted resource to guide you through the process of re-securing your digital assets.

Ask for references and make sure they have experience with security breaches. Many developers practice poor security protocol and you really want the best of the best in these uncomfortable situations.  When in doubt, go overboard.

I’d take the “walk softly and carry a big stick” approach. Don’t threaten or taunt the previous developer. Part ways as amicably as possible, knowing you have your “A Team” waiting in the wings. This is when shelling out for a true security expert will likely make you feel better and cost you less in the long run.

A good steward will not simply reset the passwords himself or herself. This would be in many ways a false pretense. Instead, ask that they guide you through the steps so that you can reset the passwords. Be sure to choose Complicated, Long and Unique passwords (CLU), and store them securely.

If you do not have a lawyer on staff, I would recruit one. It never hurts to bring a legal force into the mix. Understanding the proper way to legally march forward may well save you heartache and money. A strongly worded notice from a lawyer will likely cause the average developer to think twice about acting rashly to harm your digital assets.

Think like a hacker

A topic of its own, web security really comes down to good protocol. You want strong passwords, and multiple layers of defense. Consider that the most common way a hacker gains access to anything is that they were given the credentials.

Discuss with your new resource all the digital assets you have and how they might become compromised. Remember that securing your website means you will need to secure everything digital. Email, social media accounts, servers and so on; anything with a password is a potential entry point for harm.

Understand the machine so that you can protect it

Most modern websites are made up of two main parts: the code and the database.

  • The code is the many files that most consumers picture developers creating. The code communicates with the database in order to render a website.
  • The database typically contains all of the “content” of your website. The database is generally the most valuable and vast part, and can be the most vulnerable.

We need to protect all the parts. I would work quickly, moving down the list with practiced precision.

  • Highest level protection
    • Reset the passwords to your hosting accounts. If your domain is hosted separately from the content, reset both account passwords.
    • Reset your cPanel password. cPanel is the master hub and must be protected with great care.
    • Reset passwords to email
  • Protect the code / files
    • Delete old FTP accounts and reset active FTP account passwords.
    • Go above and beyond – change the IP address of your website.
  • Protect your database
    • Delete old users and reset current user passwords for any admin panels / areas
      • I would also move the location of the login page. One cannot hack what one cannot find.
    • Reset the database user password
      • Go above and beyond: delete your old database user and add a new one.
      • Any changes to database users will need to be updated in your CMS (content management system) configuration for it to continue working.
    • Change your database prefixes
      • The database prefix goes before the name of each table. Here again, one cannot harm what one cannot find. By changing the prefix you effectively move the target on a hacker.
  • Protect other assets
    • Reset passwords to any auxiliary resources such as social media accounts – Facebook, Twitter, Google Plus, Yelp, LinkedIn etc.
  • Check for back doors
    • A truly nefarious developer will build in a back door. Few developers do this on purpose, but some do so accidentally through poor development standards. Have that new security expert sweep your server for malware and other back doors.
    • Buy an insurance plan in the form of SiteLock. SiteLock is a fantastic anti-malware service that will give you tremendous peace of mind.
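
One way to support the back-door sweep is to compare the live site against a copy you trust (a clean backup or a fresh download of your CMS) and review every file that was added or changed. The following is an added example, not part of the original article; the folder name uploads, the list of script extensions and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumptions (not from the article): the user-upload folder is named
# "uploads", and these are the extensions the server would execute.
UPLOAD_DIRS = {"uploads"}
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl")

def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def sweep(trusted_root, live_root):
    """Compare the live site with a trusted copy and list what needs review."""
    base, live = manifest(trusted_root), manifest(live_root)
    return {
        "added": sorted(live.keys() - base.keys()),
        "changed": sorted(p for p in base.keys() & live.keys()
                          if base[p] != live[p]),
        "missing": sorted(base.keys() - live.keys()),
        # Executable scripts have no business in a user-upload folder.
        "scripts_in_uploads": sorted(
            p for p in live if p.lower().endswith(SCRIPT_EXT)
            and UPLOAD_DIRS & set(p.split("/")[:-1])),
    }

def build_sample(parent):
    """Constructed sample: a trusted copy and a live tree that has drifted."""
    trusted = {"index.php": "<?php // home", "login.php": "<?php // login",
               "uploads/logo.png": "PNG"}
    live = dict(trusted, **{"login.php": "<?php // edited",
                            "uploads/thumb.php": "<?php // unknown"})
    for tree, files in (("trusted", trusted), ("live", live)):
        for rel, body in files.items():
            path = Path(parent, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return Path(parent, "trusted"), Path(parent, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in sweep(*build_sample(tmp)).items():
            print(kind, paths)
```

Every path the report lists is something for your security expert to open and explain; an empty report means the live files match the trusted copy byte for byte.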

Always have a plan B

You should keep 3 copies of all digital assets, and store them in separate secure places. If you are using WordPress, BackupBuddy is my preferred method of creating a complete and reliable backup of your entire website. There are other options as well.

Regardless of what you use to back up and secure copies of your digital assets, you need to know how they work. What good is a backup copy if you do not know how to use it?

It may sound silly, but I am often delivered a “backup” that is all but useless. There are countless backup options and they may or may not be useful. Many people take it on faith that “X” service will provide a good working backup. Unless we test the backup, we are rolling the dice on whether the backup does what we think it will.
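
Testing a backup can start with a few automated checks, shown here as an added example that is not from the original article: the archive opens, every file in it reads back intact, it holds both the code and a database dump, and all stored copies are identical. It assumes a PHP site backed up as a single zip with a .sql dump inside; the file names and sample data are constructed.

```python
import hashlib
import io
import zipfile

def check_backup(data):
    """Return a list of problems found in one backup; empty means it passed."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["archive does not open"]
    with archive:
        bad = archive.testzip()      # re-reads every member and checks its CRC
        if bad is not None:
            return ["corrupt member: " + bad]
        names = archive.namelist()
        problems = []
        # A site is code plus database, so the backup must hold both.
        if not any(n.endswith(".php") for n in names):
            problems.append("no site code found")
        dumps = [n for n in names if n.endswith(".sql")]
        if not dumps:
            problems.append("no database dump found")
        for n in dumps:
            sql = archive.read(n).decode("utf-8", "replace").upper()
            if "CREATE TABLE" not in sql:
                problems.append(n + ": dump has no table definitions")
    return problems

def copies_match(copies):
    """True when every stored copy (name -> bytes) has the same SHA-256."""
    return len({hashlib.sha256(c).hexdigest() for c in copies.values()}) == 1

def make_backup(dump_sql):
    """Constructed sample: an in-memory zip; dump_sql=None omits the dump."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("site/index.php", "<?php // home page")
        if dump_sql is not None:
            zf.writestr("db/site.sql", dump_sql)
    return buf.getvalue()

if __name__ == "__main__":
    good = make_backup("CREATE TABLE posts (id INT);")
    print(check_backup(good))
    print(check_backup(make_backup(None)))
    print(check_backup(make_backup("")))
    print(check_backup(good[: len(good) // 2]))
    print(copies_match({"office": good, "cloud": good, "usb": good[:-1]}))
```

Passing these checks does not replace a full restore drill; it only catches the backups that could never be restored.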

Prior to a security breach, practice the process of re-creating your digital assets. Run security breach fire drills. At least every 90 days, run the process of cycling out new passwords and completely restoring your digital assets. Just like any other kind of emergency, a well-rehearsed plan will pay enormous dividends when, not if, we need to use it.

Stay calm, stay safe

No matter how poorly a relationship ended, it is most often the case that a disgruntled developer will do little but sulk and complain to their friends. Despite what we all may like to think, most developers do not have the skills to truly harm a digital asset if the simplest protocols are followed to ensure good security.

Contributed by Scott Starkweather, VP of Technology, Colorado AMA Board of Directors. Questions? Contact Scott at somecodeiwrote.com.