

Ask HN: Do you charge to fix a clients site when it gets hacked - joubee

Hi everyone

I'm a web developer. Two of my clients, that I made sites for, got hacked this week. I spent two days fixing the intrusion and providing support to the clients.

If this has happened to you in the past, do you charge clients for this service?

The clients know this isn't my fault and are grateful to me for fixing the problem, but I could have been doing other work during this time and don't know whether to bill.
======
bigiain
If you haven't discussed it up front with them, you're going to have to tread
carefully.

We offer, as part of the handover when we deliver a site, a "support contract"
which includes a few hours of phone support per month as well as software
security updates. It's made clear in this offer that if you're not on our
support contract, any time doing that is chargeable at our regular rates.

What you need to do is make sure you and your clients are both aware of all
the different responsibilities in keeping a website up (from the network
connectivity and hosting hardware, through the OS, OS applications, web app
dependencies to the web application software). In many cases the "web
developer" has no control over some of those responsibilities (particularly if
the customer is organizing the web hosting), and everybody needs to be aware
of who to call, who's responsible for fixing problems at each layer, and
how the cost of that responsibility is going to be borne. In my experience,
everything between the OS install and the web app software
(Wordpress/Drupal/custom written app) is often overlooked - who's responsible
for keeping apache/MySQL/nginx/memcached/sendmail/named up to date? Customers
in general don't even know they're using those things.
Race-to-the-bottom-price hosting companies aren't going to be proactive about
protecting your $4.95/month hosting account. Unless you've raised these issues
with your clients beforehand, you're relying purely on their goodwill towards
you to get paid for any time you spend fixing problems you never knew you
signed up to accept responsibility for…

~~~
joubee
Yes, I should have included what happens when a site is compromised in the
terms. As the developer, not the host, this just didn't occur to me. I provide
a 90 warranty, but generally this only requires a small amount of hours as
major problems are usually picked up in testing.

tyvm - great comments

------
chris_dcosta
You need to define this in your terms of service. The problem from a client's
perspective could be that there is a weakness in the security of the site,
which you the developer are responsible for creating, and therefore are
responsible for securing. The technicalities of what happened or who is
responsible (host or developer) may not be an argument you can win.

For example it could be that a simple form was the entry point because you did
not put in place any SQL injection prevention steps.

Any developer worth their salt would point to this being a developer's error.
Any host with experience might also point to the developer, and they'd be
right.

My question to you is "can you figure out what was hacked, and how?" and if
you can, then plug the leak quick and pray they don't take you to court over
it.

~~~
joubee
tyvm for feedback. What country are you writing from? Is court action
commonplace when a site is compromised in your country?

I'm guessing you are from the US?

------
joubee
As the topic of SQL injection has come up... what are your thoughts on:

MySQL vs MySQLi vs PDO MySQL

Also I grabbed this checklist online. Does anyone have anything to add?

1. Use dynamic SQL if and only if there is no other alternative

2. Escape user input always

3. Always assume magic quotes is off

4. Install security updates and patches regularly

5. Remove all the dead SQL or other code that you don't use

6. Never display the system-defined error message for SQL errors

7. Store database credentials in a separate file

8. Use the principle of least privilege

9. Disable shells

10. Use SQL injection hack tools to check vulnerabilities
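As an added illustration of the checklist above (not code from the thread or any of the posters), here is the same lookup written the unsafe way and with a PDO prepared statement, plus the error handling items 6 and 7 call for. It assumes PHP with the pdo_sqlite driver so it runs offline; against MySQL only the DSN changes, the pattern is identical with PDO MySQL or MySQLi prepared statements.

```php
<?php
// Added example: unsafe string-built query beside a PDO prepared statement.
// Uses an in-memory SQLite database so it runs stand-alone (assumption: pdo_sqlite).
declare(strict_types=1);

// In production the DSN and credentials come from a file outside the web root
// (checklist item 7); the in-memory DSN is hard-coded here only to be self-contained.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // driver errors become exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepares where supported
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the untrusted value becomes part of the SQL text itself.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username, role FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is bound as a parameter, so it can only ever be compared as data
// and cannot alter the structure of the query (checklist items 1 and 2 in practice).
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input containing a quote and a tautology, the classic test case
// for why the two functions behave differently.
$input = "x' OR '1'='1";

try {
    // The unsafe version matches every row; the safe version matches none,
    // because no user is literally named "x' OR '1'='1".
    printf("unsafe: %d rows\n", count(findUserUnsafe($pdo, $input)));
    printf("safe:   %d rows\n", count(findUserSafe($pdo, $input)));
} catch (PDOException $e) {
    // Checklist item 6: keep the driver's message in the server log only and
    // show the user a generic message, never the raw SQL error.
    error_log($e->getMessage());
    echo "A database error occurred.\n";
}
```

Run it with `php example.php`; the row counts printed for the two functions show the difference directly.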

------
newman314
You should change the title to be of "Ask HN:" format.

My $0.02 is that if you charge your clients as part of an overall hosting
solution, then you either have a rate card or a monthly rate that covers
issues such as this.

Else, it's outside of your usual work, then it would be reasonable to bill for
your time.

~~~
joubee
I'm not the host. Just the developer. The host is shrugging it off as 'just
one of those things', which it may well be, and has billed for restoring dbs
etc.

I think you're right - I'm not sure how to broach the subject with the client
though. tyvm for your $0.02 :)

~~~
newman314
Well, in that case, you might want to chalk it up to lesson learnt this time.

However, you might want to use this as an opening point for discussion with
your client should something similar happen in the future. It is your
responsibility to set expectations, but if the client merely expects you to
work for free, I would say then you know what you need to do...

