How to hire a web developer without getting hacked

My business got hijacked after I hired a web developer from hell, and I didn’t even see it coming.  

       You hired a web developer that did it all. They registered the domain name, set up hosting, built the website, and set up email for you and your company. You worked together and picked the best domain. It was the exact name of your business. (i.e. your business dot com). This would usually be considered good news but don’t celebrate just yet. 

At some point, you learn that the web developer you hired registered the domain in his name, and not yours. 

You ask the web developer why they registered the domain name in their name. They tell you it was because it was easier to do, fast and affordable. After all, domain registration is “First come first served,” and if no one owns the domain, it is best to grab it up as quickly as possible. What the web developer does not tell you is that putting the domain name in his name also gave them leverage over the entire relationship. This power grab happened before you even hired the web developer, and the web project hadn’t even started.  

How did Hiring a Web Developer get this complicated? 

Here’s what happened next. You paid the developer several thousand dollars, and they started the job. Unfortunately, you didn’t have a detailed scope of work, and now you can’t agree on anything. The web developer is doing a terrible job. You just wanted to say goodbye and start over. But now you realize it’s not that easy to start over because the domain is not in your name. Your developer won’t give the domain name up until the job is done and you make the final payment. 

Now the web developer has full control over your domain and your website and you have not completed the project with them. 

Yes, the lousy web developer has total control over everything; the domain, email, hosting, and your website. You also learn that it is next to impossible to get ownership over a domain name registered in someone else’s name. You may have no proof that the web developer registered the domain for you. Since it was only a small amount of money, the web developer may or may not have even included it in his proposal and contract with you.  

You failed to create an escape hatch in your web developers contract that will go into effect when the relationship with your web developer turns sour. 

This situation is common for small business owners because they don’t have the resources to hire an attorney to review the web design contract. If a web developer hijacked your domain name, the only option you might have now is to get a new domain and start from scratch. What a mess!

Eight steps that can prevent a web developer from getting control over your domain name, email, and website. 

1) If you are working with a web developer to select a domain name, ask them to add your name, email, and contact information as the owner and registrar.  

Typically, a web developer will might register it in their name and then put the domain in your name after you have paid them for it. If this happens, you should immediately make the domain name a separate transaction. Pay the web developer for the domain name straight away. Then you should quickly make sure they list you as the owner. 

2) Verify that you are the owner of the domain and not the developer.

You can verify that you own the domain by looking at the domain’s ownership in the public record with almost any domain registrar. ( Except when someone uses private registration, then you can never find out)  

Use this WhoIs search tool to look up the ownership of a domain. Type the domain name you want to look up in the search bar and hit enter. The results will show you the public record of the person or company that owns the domain.    You can also visit GoDaddy.com or networksolutions.com or any domain registrar. Click on the Whois link at the bottom of the page. If you don’t see the results then the domain name might be registered with a private filter on the name of the owner.

3) Transfer the domain name to an account that only you control.

To put the domain name in an account that you control, you will need to open an account with a registrar like Go Daddy, Register.com, or Network Solutions. Once you have an account, you need to set up a domain name transfer.  

Furthermore, you won’t want to trust the web developer or anyone else with the responsibility of renewing your domain. If you do, you might end up waking up one day and seeing you no longer own your domain name. Losing your domain name will impact more than your website; you will no longer have your company email address. Yikes, that’s not good! 

4) Register the domain before you contact a web developer

You can avoid having to go through the trouble of having the domain name transferred if you get the domain name by yourself. After all, if the domain name is the name of your company, you won’t have someone else owning the domain if the relationship turns sour. Therefore be sure to get full ownership, regardless of how the project with your web developer turns out.  

5) If this article is over your head, get a person you can trust to help manage your Domain Name and Domain Name Server (DNS) 

DNS records are the keys to your online security. They control your email, website, and digital security. We recommend keeping your domain name servers (DNS) records with the domain registrar if possible. Don’t transfer your domain or management of your DNS records to your hosting company.  

6) Once you have ownership over your domain name, you will want to set up website hosting, not the web developer.  

After you set up hosting, you can give your web developer enough access to do the job and no more. Some website hosting companies provide the ability to assign web developer guest access. This feature lets website owners’ assign limited access to a web developer or IT company. This feature allows business owners the ability to maintain ownership and control. As a result, you can have your web developers help you without giving them ownership of your account and the domain name. 

7) Set up your domain name, email, and website hosting with separate companies. 

Sometimes the web developer will get full access to all the email accounts without needing a user name and password. With ownership access to your domain, a web developer can read your email and impersonate every employee in your company. Therefore hosting your email on the same server as your website, may give your web developer too much access.

8) Don’t email your user name and password to anyone, call them on the phone with the password. 

I wish I had a dollar for each time a new customer emailed me the login credentials to their Go Daddy account. The superuser credentials control everything at Go Daddy. Since Go Daddy provides one-stop shopping for domain registration, hosting, and security, they make it easy to do everything with one account. An unethical person with access can do anything they wanted.    

If website technology and security if outside of your comfort zone, get help from someone you can trust.   

It is common for a business owner to be unfamiliar with website security. However, you will need to provide credentials for a web developer to work on your website. Unfortunately, web developers typically get more access then they need, and this can be a problem if you hire the wrong web developer. 

If you are having problems with a web developer, our consultants are here to help. No job is too small for our team if you already hired a developer and want a company to manage the relationship we can do that also. Contact us to schedule a free consultation.

Here is a real story about business owners that got their domain hijacked.

If you liked this article you may want to read this story about Jenna and Robert Lazar, owners of Epoch Trading Company, an Asbury Park business. They hired an overseas web developer online to work on their website almost destroyed their business. The developer redirected domain traffic to a porn site. The couple claim he stole their domain name and faked ownership of the site so digital companies couldn’t give it back to them.