Developers, don’t be burglars


When I was a kid I walked into my house, went upstairs and saw a mess. I mean, the whole house was turned upside down. Initially I thought maybe my mom was cleaning. But she wasn't home.

Turned out, we'd been robbed.

I remember how it rocked our entire family – from losing valuable possessions to making it hard for my brother to go upstairs until the lights were on.

For years all I wanted was to find the burglars and put them in jail!

Developers, don't be burglars

Now, you may think I'm going to write about how much developers charge customers with a caution not to rob them. But I'm not going to do that, because most of the time I find that developers don't charge enough.

No, I want to talk to developers about something that I think doesn't get talked about much.

I'm talking about when developers are actually committing crimes. Even without knowing it.

Digital Trespassing

My friend Jon brought this up in a recent Facebook dialogue where people were talking about logging into a site and fixing things.

Let me walk you thru a very common scenario.

  • You help a client work on their website.
  • To do that, you get credentials to log in and make changes.
  • Then you finish the work, get paid (or not), and move on.

Here's where it gets tricky. If you keep that login/password and ever log in – even just to help them – without their explicit permission, you are digitally trespassing.

Jon says it best:

It's really no different than if you were hired to fix the bathtub and given keys to someone's house to accomplish that. Then you go in and, noticing their kitchen sink is dripping, you decide to replace it.

Well you just vandalized their kitchen. 

Turns out that sink was deliberately left dripping to water some very expensive plants and now you need to replace the plants too.

Most of us have credentials for sites we worked on a while ago. I know I use an FTP client that saves those credentials – long after I've finished the job.

But recently I've started deleting the accounts immediately after I help someone – forcing them to actively create me a new account when they want me back in.

This ensures that I'm not even a potential candidate to blame if later something happens to their site – because my account is gone. I'm not on the list of suspects even.

Practical Tips

It may feel like extra time that you don't want to waste, but I recommend the following tips when working on other people's sites and servers.

  1. Ask them to create WordPress user accounts for you.
  2. If you are an admin, and finish your work, change your user level to subscriber.
  3. Then ask them to delete your account, if the work is all done.
  4. Explain to them that if you need to go back in later, you'll work out a quote, and they can then add you back in (upon approval).
  5. Do the same for SFTP user accounts.
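
For steps 2 and 3, here is an added example (not from the original post) that turns a WP-CLI user listing into the demote-then-delete commands, reassigning the departing account's content to the site owner so that deleting the account does not delete posts written under it. The logins and IDs in the sample are constructed, and the parser assumes one role per user.

```shell
#!/bin/sh
# Added example: plan the demote/delete commands for a finished contractor account.
# Input is CSV from: wp user list --fields=ID,user_login,roles --format=csv
# Nothing here calls wp; it prints a plan for the site owner to review and run.
# Assumption: each user has a single role (multi-role rows are quoted CSV).

# Constructed sample listing, not taken from a real site.
SAMPLE_USERS='ID,user_login,roles
1,siteowner,administrator
7,contractor_dev,administrator
9,editor_amy,editor'

# offboard_plan <contractor_login> <owner_login>   (CSV on stdin)
offboard_plan() {
    awk -F, -v dev="$1" -v owner="$2" '
        NR == 1     { next }                          # skip the CSV header
        $2 == dev   { dev_id = $1; dev_role = $3 }
        $2 == owner { owner_id = $1; owner_role = $3 }
        END {
            if (dev_id == "") {
                print "error: contractor account not found" > "/dev/stderr"
                exit 2
            }
            # The owner must remain an administrator or the site is locked out.
            if (dev == owner || owner_role != "administrator") {
                print "error: owner must be a different administrator" > "/dev/stderr"
                exit 3
            }
            # Step 2: drop privileges as soon as the work is finished.
            if (dev_role != "subscriber")
                print "wp user set-role " dev_id " subscriber"
            # Step 3: delete the account, handing its content to the owner.
            print "wp user delete " dev_id " --reassign=" owner_id " --yes"
        }'
}

# Dry run against the constructed listing.
printf '%s\n' "$SAMPLE_USERS" | offboard_plan contractor_dev siteowner
```
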

They never did find the burglars who hit houses on our block four or five times. But because I know the feeling of having my world turned inside out without my approval, I know I never want to do that to anyone else.

Be proactive. Always have permission for everything you do. And remove yourself from the list of potential suspects by not having an active (but unused) account on someone else's site.

Be a developer. Not a burglar.