Dodgy web designers

[w1z4rd]

I dont know many times we have lost hosting, because a web designer has lied to their client and said their website solution "only runs on their servers".. and then you find out its a wordpress or joomla website on a server managed by an amateur.

I dont mind losing the business, but I do mind when the designers seem to lie through their teeth to get the business. Generally its business that returns once the client finds out his being hoodwinked. Have any of you involved in hosting come across this?

 

[ozziej]

Yeah, a few of these, also had these dudes that when you try and transfer a domain, the either:

1. Ignore you. (for 3 months - yes, had this happen)
2. Tell you they can't do it.
3. Send you running around from pillar to post telling you that they don't control the domain someone else does, (like godaddy) then godaddy tell you , no we dont controll it, the other dudes do... Annnnd you end up back at the beginning.

 

[ITCynic]

@ ghoti

Although I agree with your comments, I presume you also take into account that some web designers insist on hosting their clients websites until the client pays in full for the website design.

I have read and heard of many instances where the client has taken possession of the website and failed to pay the designer for the work done.

The hosting provider does not care whether the website design is paid for or not, they get the hosting income and are able to disable the site if they are not paid.
It is the website designer who has all the risk and usually ends up getting shafted.

While not defending unscrupulous web designers, I can understand that some designers will diplomatically say that their sites only run on their servers as it could be an attempt to retain ownership of their intellectual property until they are properly reimbursed.

I allow my clients the opportunity to pay off their website development in installments and there is no way I am going to let my intellectual property and hard work slip through my fingers without being paid.
Once my clients have paid for their sites in full they are free to choose where to host their sites.

Just my perspective to your post.

 

[w1z4rd]

@ ghoti

Although I agree with your comments, I presume you also take into account that some web designers insist on hosting their clients websites until the client pays in full for the website design.

I have read and heard of many instances where the client has taken possession of the website and failed to pay the designer for the work done.

The hosting provider does not care whether the website design is paid for or not, they get the hosting income and are able to disable the site if they are not paid.
It is the website designer who has all the risk and usually ends up getting shafted.

While not defending unscrupulous web designers, I can understand that some designers will diplomatically say that their sites only run on their servers as it could be an attempt to retain ownership of their intellectual property until they are properly reimbursed.

I allow my clients the opportunity to pay off their website development in installments and there is no way I am going to let my intellectual property and hard work slip through my fingers without being paid.
Once my clients have paid for their sites in full they are free to choose where to host their sites.

Just my perspective to your post.

If payment is the reason why you are telling your client that you have to host on your server I dont have a problem with that. I do have a problem with all the lying. Ive never had a site moved away because the client was told they still need to pay for the website. The reason has almost always being because the client is told the web application will only run on the designers server, and almost every time bar none, the software would have run on our servers without anything added.

 

[ITCynic]

If payment is the reason why you are telling your client that you have to host on your server I don't have a problem with that. I do have a problem with all the lying. Ive never had a site moved away because the client was told they still need to pay for the website. The reason has almost always being because the client is told the web application will only run on the designers server, and almost every time bar none, the software would have run on our servers without anything added.

I agree with you 100%. I also have a problem with dishonesty to clients by others, I see it often in my business sphere, same as you.

Unfortunately how does one stop people from being dishonest and disreputable ?

 

[jpd]

You pay for what you get.

 

[GreGorGy]

I wanna know why local hosting providers lie to their clients too. They sell hosting at up to 5x overseas rates and then when I challenge them, they tell me that they don't want the phone ringing off the hook every time Seacomm goes down. They say local is faster. Blah blah blah.

I have hosted both here and there and I can tell you, Hostgator has been FAR more reliable than the two local operations I have previously used. And the speed difference? Negligible.

 

[bekdik]

Hmm, maybe the 'web designers' just don't know any better? Or maybe they have been taught using a particular interface and don't have the knowledge or understanding to extrapolate to another interface?

 

[noxibox]

I've never told someone it had to run on a particular hosting service, but I do arrange the hosting and domain registrations myself as a protective measure. In the case of a delinquent client that allows me to shut off their site and withhold their domain name if they don't pay.

 

[ITCynic]

Hostgator has been FAR more reliable than the two local operations I have previously used. And the speed difference? Negligible.

Thumbs up on Hostgator, their live support is also great.

In the case of a delinquent client that allows me to shut off their site and withhold their domain name if they don't pay.

Exactly what I do.

 

[SilverNodashi]

Isn't it the client's choice where he hosts his website?

In our case we recommend to clients (for whom we do development) that we host their websites on our servers cause then we have full control over everything. Look at is from the designer's point of view. He / she needs a DB setup for the client, but the other host doesn't have, or doesn't allow the client access to, a control panel like cPanel / Plesk / etc and do everything by hand. Now the whole project is on hold til the DB is setup. Then there's some arbitrary permissions problem and the host needs to be contacted again to fix the problem.

3 days later, and a lot of hair pulling due to some weird error on the website, the designer figures out the server is missing a particular PHP plugin, or permissions is messed up on the /tmp folder, or something like that. Another 4 days go by while the host blames the developer (Joomla, as in your example) of not sticking to standards and the client is upset / furious cause the developer doesn't deliver on-time.


So, why do hosting companies lie so much then and make life for developers and their clients so difficult?




The bottom line is: there's always a crook out there trying to steal from someone who doesn't know how it all works.


P.S. We're a hosting company, by thy way, but do development as well and I don't really care where the client hosts his website but if his hosting company shunts us around then we insist on moving the hosting to our servers.

 

[murraybiscuit]

wiz, i understand your position, but from a web dev pov, i often have to deal with clients where their IT departments have draconian policies.

invariably it goes like this:

1. you have to use their servers because these are somehow more secure (this really means that some guys in global head office don't trust the guys in the third world with their brand. "yes, i know you built my website, but how do i know you didn't sabotage it?" )
2. their IT department isn't familiar with running a web server and certainly knows very little about anything which doesn't come from microsoft
3. you can't access their server because it's behind some dmz, and making an update to core files requires a non-web guy to fish around in the webroot.
4. their IT department is a bit cagey about firewalls and has never set up ftp or remote sql access before.
5. when their server goes down, they come running to you asking for the last version on your dev box because their backup didn't work
6. they have some complicated setup with patent attorneys, domain registration, overseas dns management
7. a bunch of directors on a golf course just spent a whole whack of money on some costly overkill hardware and software so you better darn well use it
8. because of the above point, they assume that shared hosting is really expensive and that they are saving lots of money by hosting in-house.
9. who knows what setup the internal IT department has in-house, how old their software is and how often they patch their software or upgrade the os.

in reality, dedicated hosting companies are cheap, have automated backups, very little downtime, redundancy strategies in place and full time support staff who have experience in web software and services.
instead of going through all the issues listed above, it's much easier to just say "it can only run on my server".
at least then as a developer you don't have to go back and forth asking for this and that to be debugged, installed and reconfigured.

 

[vangend]

wiz, i understand your position, but from a web dev pov, i often have to deal with clients where their IT departments have draconian policies.

invariably it goes like this:

1. you have to use their servers because these are somehow more secure (this really means that some guys in global head office don't trust the guys in the third world with their brand. "yes, i know you built my website, but how do i know you didn't sabotage it?" )
2. their IT department isn't familiar with running a web server and certainly knows very little about anything which doesn't come from microsoft
3. you can't access their server because it's behind some dmz, and making an update to core files requires a non-web guy to fish around in the webroot.
4. their IT department is a bit cagey about firewalls and has never set up ftp or remote sql access before.
5. when their server goes down, they come running to you asking for the last version on your dev box because their backup didn't work
6. they have some complicated setup with patent attorneys, domain registration, overseas dns management
7. a bunch of directors on a golf course just spent a whole whack of money on some costly overkill hardware and software so you better darn well use it
8. because of the above point, they assume that shared hosting is really expensive and that they are saving lots of money by hosting in-house.
9. who knows what setup the internal IT department has in-house, how old their software is and how often they patch their software or upgrade the os.

in reality, dedicated hosting companies are cheap, have automated backups, very little downtime, redundancy strategies in place and full time support staff who have experience in web software and services.
instead of going through all the issues listed above, it's much easier to just say "it can only run on my server".
at least then as a developer you don't have to go back and forth asking for this and that to be debugged, installed and reconfigured.

You have some valid points, but also keep a few things in mind. I have worked for some large corporations and undestand how they think.
1) Some of the big corporate companies have better connectivity and redundancy than some of the local hosting companies.
2) Some of the local developers/hosting companies only have one or two servers but try to sell it as a huge data centre that they own.
3) Lots of web developers do not know the first thing about server security etc.
4) Most IT departments in big companies do not use microsoft.
5) With the complicated setup of domains with patent attorneys, domain registration etc. is to protect the business.


Some of those golf course deals can also benifit the developers, I know of one where the companies marketing department was responsible for the web development and the web dev companie sold them hosting plus a joomla site for about 250K on shared hosting. Maybe you should start playing golf, I have plenty free time to go help you make joomla deals on the golf course

 

[w1z4rd]

So today I had another lying developer take a client. The liar told the client that the site (a drupal site) can only be run on their servers and that they have "hundreds of thousands of drupal sites" on their servers. So now we are making a page warning clients about lying developers.

Included in this page will be information about how hackable common CMS`s are and how and why developers lie.

These people claim to "develop", but at best they are bad graphic designers chopping templates onto common CMS`s (if they were proper developers they would have their own systems and wouldnt rely on easily hackable common systems).

Ill be sure to include that my warning does not cover developers trying to protect their profits until the site is paid up (as suggested here). We are also emailing our clients this information to protect them from fraud. Im over the lies. If you cant do honest business you shouldnt be running a business.

 

[noxibox]

Regardless of whether common CMS software is easily hackable programmers should be building on those unless they have a very good reason for creating a custom product. And how does the client know this custom product is not just as, or even more, easily compromised?

 

[w1z4rd]

Regardless of whether common CMS software is easily hackable programmers should be building on those unless they have a very good reason for creating a custom product. And how does the client know this custom product is not just as, or even more, easily compromised?

I cant speak for other CMS`s, but we run constant tests against our CMSs with multiple tools in backtrack. (Nikto, Wikto, Acunetix WVS, W3AF, Wapiti, Retina Web Security Scanner, etc).

Also, most script kiddies search for common files of an exploitable CMS, this makes googling for their targets infinitely easier, to the point that they can automate the hacking.

If the developer is unable to tell if his CMS is easily hackable, he sounds dodgy. Generally its people who dont know how to develop (graphic artists) that are unable to test their systems. If you have a good host and a good team you should easily be able to see how hackable something is.Unfortunately, these people that steal business are generally bad designers with absolutely no hosting experience putting clients on oversold low quality shared hosting and wouldnt know how to scan a web application to test its security or trouble shoot sh*t.

Joomla, Drupal, Wordpress, E107, Php-Nuke sites get hacked ALL the time. Across our servers theres generally one a week. Never had one of our custom CMS`s hacked, and based on our WAF, it gets attempted often.

 

[koffiejunkie]

3) Lots of web developers do not know the first thing about server security etc.

Make that most... Most have no clue about web application security either.

Working for a big hosting co as a sysadmin, I get to see the brain damage that goes on behind the scenes. You'll be surprised at the mistakes made in even the most sensitive sites (for example internet banking).

 

[Logo]

@ghoti I will hazard a guess as to why your custom CMS's are never hacked.

First you get very few real hackers now-days. Mostly script kiddies who use the exact same tool in backtrack you use to test, they will use to run exploits against these known vulnerabilities.

Secondly I will guess that your custom CMS's do not host anything that will peak the interest of real hackers, so there is no need to spend time on figuring out the possible exploits. True hackers fall in to a couple of areas. Firstly for the bragging rights, bragging that you hacked a complete unknown system is nothing. Then for profit, a hacker hacking for profit will target large sites. These are just two reasons.

Lastly this is not a threat just a warning, be very careful about making claims such as our CMS has never been hacked. That is enough to get a real hacker interested and will be enough for him to spend time on it. There are very very few un-hackable systems out there.