Ask HN: Do you charge to fix a clients site when it gets hacked
9 points by joubee 5188 days ago
Hi everyone

I'm a web developer. Two of my clients, that I made sites for, got hacked this week. I spent two days fixing the intrusion and doing support to the clients.

If this has happened to you in the past do you charge clients for this service?

The clients know this isn't my fault and are grateful to me fixing the problem but I could have been doing other work during this time but don't know whether to bill.

4 comments

If you haven't discussed it up front with them, you're going to have to tread carefully.

We offer, as part of the handover when we deliver a site, a "support contract" which includes a few hours of phone support per month as well as software security updates. It's made clear in this offer that if you're not on our support contract, any time doing that is chargeable at our regular rates.

What you need to do is make sure you and your clients are both aware of all the different responsibilities in keeping a website up (from the network connectivity and hosting hardware, through the OS, OS applications, web app dependencies to the web application software). In many cases the "web developer" has no control over some of those responsibilities (particularly if the customer is organizing the web hosting), and everybody needs to be aware of who to call, who's responsible for fixing problems at each layer, and how the cost of that responsibility is going to be borne. In my experience, everything between the OS install and the web app software (Wordpress/Drupal/custom written app) is often overlooked - who's responsible for keeping apache/MySQL/nginx/memcached/sendmail/named up to date? Customers in general don't even know they're using those things. Race-to-the-bottom-price hosting companies aren't going to be proactive about protecting your $4.95/month hosting account. Unless you've raised these issues with your clients beforehand, you're relying purely on their goodwill towards you to get paid for any time you spend fixing problems you never knew you signed up to accept responsibility for…

Yes, I should have included what happens when a site is compromised in the terms. As the developer, not the host, this just didn't occur to me. I provide a 90 warranty but generally this only requires a small number of hours as major problems are usually picked up in testing.

tyvm - great comments

You need to define this in your terms of service. The problem from a client's perspective could be that there is a weakness in the security of the site, which you the developer are responsible for creating, and therefore are responsible for securing. The technicalities of what happened or who is responsible (host or developer) may not be an argument you can win.

For example it could be that a simple form was the entry point because you did not put in place any SQL injection prevention steps.

Any developer worth their salt would point to this being a developer's error. Any host with experience might also point to the developer, and they'd be right.

My question to you is "can you figure out what was hacked, and how?" and if you can, then plug the leak quick and pray they don't take you to court over it.

tyvm for feedback. What country are you writing from? Is court action commonplace when a site is compromised in your country?

I'm guessing you are from the US?

As the topic of SQL injection has come up... what are your thoughts on:

MySQL vs MySQLi vs PDO MySQL

Also I grabbed this checklist online. Does anyone have anything to add?

1. Use dynamic SQL if and only if there is no other alternative
2. Escape user input always
3. Always assume magic quotes is off
4. Install security updates and patches regularly
5. Remove all the dead SQL or other code that you don't use
6. Never display the system-defined error message for SQL errors
7. Store database credentials in a separate file
8. Use the principle of least privilege
9. Disable shells
10. Use SQL injection hack tools to check for vulnerabilities
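As an added illustration of checklist items 1, 2 and 6 (this is example code, not code posted by anyone in the thread), here is a query built from the request string beside the PDO prepared-statement form the comment asks about, wrapped in a handler that logs the driver error instead of showing it. It assumes an in-memory SQLite database so it runs without a server; with a MySQL DSN the prepared-statement code is unchanged.

```php
<?php
// Added example, not from the thread: checklist items 1, 2 and 6 with PDO.
// Assumes an in-memory SQLite database so the script runs offline. For MySQL only the
// DSN changes (e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4'); there, also set
// PDO::ATTR_EMULATE_PREPARES to false so the server, not the client, binds the values.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; the second name contains a single quote on purpose.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// VULNERABLE (items 1 and 2 violated): the request value is spliced into the SQL text,
// so whatever it contains is handed to the SQL parser as part of the statement.
function findUserVulnerable(PDO $pdo, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement sends the SQL and the value separately. The value can
// never alter the statement's structure, and no manual escaping is required.
function findUserSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Item 6: never echo the driver's message to the visitor. It reveals table names and
// the shape of the query; log it server-side and return a generic message instead.
function lookup(PDO $pdo, string $name, callable $finder): string {
    try {
        return count($finder($pdo, $name)) . ' user(s) found';
    } catch (PDOException $e) {
        error_log('lookup failed: ' . $e->getMessage()); // server log only
        return 'A database error occurred.';              // what the visitor sees
    }
}

// A legitimate name with a quote is enough to show the difference: the dynamic query
// is broken by the quote (and would leak the driver error without item 6), while the
// prepared statement returns the right row.
$input = "O'Brien";
echo 'vulnerable: ', lookup($pdo, $input, 'findUserVulnerable'), "\n"; // A database error occurred.
echo 'safe:       ', lookup($pdo, $input, 'findUserSafe'), "\n";       // 1 user(s) found
```

Item 8 applies on top of this: the account in the DSN should only have SELECT/INSERT/UPDATE rights on the application's own tables, so a query that does get through cannot read or alter anything else.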

You should change the title to be of "Ask HN:" format.

My $0.02 is that if you charge your clients as part of an overall hosting solution, then you either have a rate card or a monthly rate that covers issues such as this.

Else, if it's outside of your usual work, then it would be reasonable to bill for your time.

I'm not the host, just the developer. The host is shrugging it off as 'just one of those things', which it may well be, and they have billed for restoring dbs etc.

I think you're right - I'm not sure how to broach the subject with the client though. tyvm for your $0.02 :)

Well, in that case, you might want to chalk it up to lesson learnt this time.

However, you might want to use this as an opening point for discussion with your client should something similar happen in the future. It is your responsibility to set expectations, but if the client merely expects you to work for free, I would say then you know what you need to do...