Ask HN: Do you charge to fix a clients site when it gets hacked
Hi everyone
I'm a web developer. Two of my clients, that I made sites for, got hacked this week. I spent two days fixing the intrusion and doing support to the clients.
If this has happened to you in the past do you charge clients for this service?
The clients know this isn't my fault and are grateful to me fixing the problem but I could have been doing other work during this time but don't know whether to bill.
8 comments
[ 3.1 ms ] story [ 35.1 ms ] threadWe offer, as part of the handover when we deliver a site, a "support contract" which includes a few hours of phone support per month as well as software security updates. It's made clear in this offer that if your not on our support contract, any time doing that is chargeable at our regular rates.
What you need to do is make sure you and your clients are both aware of all the different responsibilities in keeping a website up (from the network connectivity and hosting hardware, through the OS, OS applications, web app dependancies to the web application software), in many cases the "web developer" has no control over some of those responsibilities (particularly if the customer is organizing the web hosting), and everybody needs to be aware of who to call, and who's responsible for fixing problems at each layer, and how the cost of that responsibility is going to be borne. In my experience, everything between the OS install and the web app software (Wordpress/Drupal/custom written app) is often overlooked - who's responsible for keeping apache/MySQL/nginx/memcached/sendmail/named up to date? Customers in general don't even know they're using those things. Race-to-the-bottom-price hosting companies aren't going to be proactive about protecting your $4.95/month hosting account. Unless you've raised these issues with your clients beforehand, your relying purely on their goodwill towards you to get paid for any time you spend fixing problems you never knew you signed up to accept responsibility for…
tyvm - great comments
My $0.02 is that if you charge your clients as part of an overall hosting solution, then you either have a rate card or a monthly rate that covers issues such as this.
Else, it's outside of your usual work, then it would be reasonable to bill for your time.
I think you're right - I not sure how to broach the subject with the client though. tyvm for your $0.02 :)
However, you might want to use this as a opening point for discussion with your client should something similar happen in the future. It is your responsibility to set expectations but if the client merely expects you to work for free, I would say then you know what you need to do...
For example it could be that a simple form was the entry point because you did not put in place any SQL injection prevention steps.
Any developer worth their salt would point to this being a developer's error. Any host with experience might also point to the developer, and they'd be right.
My question to you is "can you figure out what was hacked, and how?" and if you can, then plug the leak quick and pray they don't take you to court over it.
I'm guessing you are from the US?
MySQL vs MySQLi vs PDO MySQL
Also I grabbed this checklist online. Does anyone have anything to add?
1. Use dynamic SQL if and only if there is no other alternative
2. Escape user input always
3. Always assume magic quotes is off
4. Install security updates and patches regularly
5. Remove all the dead SQL's or other codes that you don't use
6. Never display the system defined error message for SQL errors
7. Store database credentials in a separate file
8. Use the principle of least privilege
9. Disable shells
10. Use SQL injection Hack tools to check vulnerabilities