Four Lessons to Learn from Snopes.com Being Taken Hostage

Last week Snopes.com launched a GoFundMe titled “SaveSnopes!”. They used the #SaveSnopes hashtag and everything so we know it’s official. The GoFundMe asks for $500,000 to “meet our basic operating expenses, the overwhelming bulk of which is the salaries of our staff.”

According to Snopes founder David Mikkelson, Proper Media (the company providing technical services and infrastructure for Snopes) began withholding advertising revenue from the Snopes staff earlier this year.

Even worse, they’ve locked down all of the hosting for Snopes. According to Mikkelson, their hands are completely tied. In his own words:

Our ability to modify the site is very limited. We can inject small snippets of code like buttons and banners via a WordPress plugin, but we do not have access to servers, our source code, or our database.

Don’t get caught in the Snopes trap

Since we started WP Site Care five years ago we’ve touted the importance of being a responsible website owner.

Content ownership and control are some of the main benefits of having a self-hosted WordPress site in the first place. You maintain ownership of all of your content, and you’re in control of the entire experience beginning to end.

Snopes.com is a top 2500 website in the world according to Alexa.com, and if their website can be taken hostage, it can certainly happen to little guys like us if we aren’t careful.

In this blog post I’m going to tell you exactly which technical things you should be worrying about, and the questions you should be asking of any service provider who you want to work with. Let’s get to it!

Own your domain name

Please brace yourselves for a moment. I’m going to be using ALL CAPS briefly:

NEVER USE A DOMAIN NAME THAT’S OWNED BY SOMEONE ELSE UNDER ANY CIRCUMSTANCES. IF YOUR WEBSITE MATTERS TO YOU, BUY YOUR OWN DOMAIN NAME, WITH YOUR CONTACT INFORMATION, AND YOUR OWN CREDIT CARD. DON’T LET YOUR ‘WEB GUY’ BUY YOUR DOMAIN NAME FOR YOU. DO NOT PROCEED UNTIL YOU’VE MADE THIS PURCHASE ON YOUR OWN. THEN STORE THE LOGIN INFORMATION IN A SECURE PLACE.

WIPES BROW

Your domain name is your online identity. Protect it with the same vigor you would your social security number or your bank account login.

This is one thing that the Snopes founder has done right. No matter how the rest of this ends, the worst case scenario is he’ll be able to start over with snopes.com as he still maintains full control according to this quote from a Proper Media exec:

“Mr. Mikkelson has absolute control of this domain name,” Mr. Kronenberger said. “He can move it within minutes.”

Never sign up for any service that doesn’t allow for you to transfer your domain somewhere else. We recommend purchasing your domain separate from any hosted service, and even separate from your web host. Go directly with a trusted domain name registrar like Namecheap, Hover, or GoDaddy to purchase your domain name.

Maintain control of your hosting account

Second, you need to keep your hosting account in your name. Three or more times per month we have conversations with prospective customers about how they need to own their hosting account. It’s tempting to piggyback on a friend’s or your developer’s account when starting out and funds are tight, but please don’t do it. It will almost always come back to bite you.

Even when there isn’t any malicious intent, things go wrong:

  • Your hands are tied without full account access – People sharing their hosting account almost never give access to their server. They want to protect themselves and you could “mess things up”. Don’t allow yourself to be used to subsidize their hosting fees. Without any kind of server access, you end up like Snopes, unable to make changes beyond content.
  • You can’t submit support requests to the web host – If you don’t own your hosting account you won’t be an authorized user. When things go wrong, you’ll have to go to the person you’re sharing the account with for support. This person will inevitably be on vacation when things are at their worst. Direct access to a team of trained support professionals is not something you want to forfeit.
  • You don’t know what else is on the server  – Sites get hacked on shared servers all the time because sites end up neglected and aren’t maintained. You may have saved a few bucks on hosting, but now you’re paying several hundred dollars for disaster cleanup. Not to mention the cost of all your mental anguish.

Especially important to remember in all of this is hosting on someone else’s account means you forfeit your freedom. Maintain control of your web hosting account and you can move wherever you want whenever you want to.

Know the team you’re working with

If you own your domain name and your hosting account, you’ve taken care of the ultra-critical pieces in responsible site ownership. That said, there’s a bunch more that can and should be done to make sure you don’t end up in a hostage situation.

At some point you’re going to hire outside help, and even with more hands on your website, there are still things you can do to protect yourself from a major fiasco.

Hiring a web team is like dating

You don’t need to swipe right to land your web team, but knowing who is behind the service and how they work is crucial. Look past that glowing profile and shiny website. Ask these questions before you sign a contract:

  1. Who will be working on my website? Get specifics on individuals who will be working on your website. What are their names and how are they qualified? You can even get extra sneaky and look those employees up on LinkedIn if you feel inclined.
  2. Will outside contractors be working on my website? Some companies intentionally only use contractors to get work done. It helps keep margins high and can be easier to grow in the early stages. The danger is that it creates an inconsistent experience for customers and damages the quality of service big time.
  3. How do you store my sensitive information? In certain scenarios sharing sensitive information has to happen. Any solid web team will be able to tell you their policy on sharing and storing sensitive information.
  4. Is the company insured? A roofer has to show they’re licensed and insured to work on your roof. Why should a web team be any different to work on your website? Web agencies should be able to show General Liability insurance at the very least, and ideally Errors & Omissions to cover major crises.

Finally, take one more step and do some searches on Google, Glassdoor, and social media about the company. You’ve all done this kind of stalking before. Now put it to good use for professional purposes!

Know how to “cut the cord”

If your relationship goes south with a provider, or you need to move to a new team with more capabilities, understand how that process works from the beginning.

No one wants to start the first date by asking what happens if there’s a breakup, but it’s a question you need to ask. It should be quick, painless, and simple to move to a new provider. Just like dating?

Here are some quick ways to protect yourself to avoid a website hostage situation.

Add users instead of sharing passwords

We love hosts like Pagely, Flywheel and WP Engine because they have fantastic user management. Rather than sending my new web team my username and password, I can simply add them as a user to my account. At Flywheel, I’m clearly designated as the account owner so if WP Site Care upsets me at any point, I can quickly remove them from my account.

Flywheel hosting dashboard

The same is true of WordPress itself. You should always maintain a separate login from everyone else. That way, if you need to remove access for any reason, you can simply log in to your WordPress dashboard and remove that user completely.

WordPress Dashboard

One problem with the screenshot above is that every user has Administrator access. There are very few scenarios where that would be considered a good practice. Never grant more access than what a user needs to perform their work. You, as the site owner, should always keep Administrator or Super Administrator (for WordPress multisite) access.
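One way to check a site against this rule, as an added example that is not from the original post: the script below audits the JSON that WP-CLI prints for `wp user list --fields=ID,user_login,roles --format=json` and suggests `wp user set-role` commands. The sample listing, the account names and the `needed` policy are constructed for illustration, and the script assumes multiple roles arrive as a comma-separated string.

```python
import json
import shlex

# WordPress built-in roles, least to most privileged.
ROLES = ["subscriber", "contributor", "author", "editor", "administrator"]

def rank(role):
    # Unknown (custom/plugin) roles sort highest so they always get reviewed.
    return ROLES.index(role) if role in ROLES else len(ROLES)

def audit(users_json, owner, needed):
    """Return (findings, fixes) for a WP-CLI user listing.

    owner  -- login of the site owner, who must keep administrator
    needed -- assumed policy: login -> highest role that account needs
    """
    findings, fixes, owner_is_admin = [], [], False
    for user in json.loads(users_json):
        login = user["user_login"]
        roles = [r.strip() for r in str(user.get("roles", "")).split(",") if r.strip()]
        top = max(roles, key=rank, default=None)
        if login == owner:
            owner_is_admin = "administrator" in roles
        elif login not in needed:
            # Accounts nobody can account for are the ones to remove first.
            findings.append(f"{login}: not in access policy, review or remove")
        elif top is not None and rank(top) > rank(needed[login]):
            findings.append(f"{login}: has {top}, needs {needed[login]}")
            fixes.append(f"wp user set-role {shlex.quote(login)} {needed[login]}")
    if not owner_is_admin:
        findings.append(f"{owner}: owner account lacks administrator")
    return findings, fixes

# Constructed sample: every hired account was handed Administrator.
SAMPLE = """[
  {"ID": 1, "user_login": "owner", "roles": "administrator"},
  {"ID": 2, "user_login": "agency-dev", "roles": "administrator"},
  {"ID": 3, "user_login": "writer", "roles": "administrator"},
  {"ID": 4, "user_login": "seo-contractor", "roles": "editor"}
]"""
POLICY = {"agency-dev": "editor", "writer": "author"}  # assumed policy

if __name__ == "__main__":
    found, cmds = audit(SAMPLE, "owner", POLICY)
    print("\n".join(found + cmds))
```
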

Investigate cancellation processes and policies

Beyond technical challenges, it sounds like Snopes is in a rough spot because of contractual confusion too. Either it wasn’t clear that Snopes could leave Proper Media at the end of their contract, or neither side really understood what termination of services should look like. So now they’re in what my grandma used to call “one mell of a hess.”

Again, talking about service cancellation early in a relationship isn’t fun, but it is smart. It protects everyone involved, and removing uncertainty early on frees up both sides to focus on the work to be done instead of everything on the periphery.

Talking about service termination is like writing a will. No one really wants to do it. But we understand that avoiding it completely leaves everyone in a much worse situation.

Like most things at WP Site Care we keep termination of services simple. We let customers cancel their service at any time and for any reason. We don’t see the logic in forcing someone to stay with us if they really don’t want to. It’s like breaking up with your significant other and then continuing to live together because both your names are on the apartment lease. It’s not a good setup for anyone.

You’re already smarter than Snopes

Snopes may be known around the globe for debunking fake news, but you’re already a step ahead of them when it comes to being a responsible website owner and protecting yourself.

Do you have any web hostage horror stories you want to share? We’ve heard dozens over the years and can definitely share if enough people are interested. Hit us up in the comments if you have a story to share, or want us to share some of ours.

2 Comments

  1. Charles

    Great post! I appreciate you for the effort you take to share your knowledge with people. I can find many things that are still unaware. Thanks for your time and knowledge. Great!!!

  2. Collins Agbonghama

    Can’t agree more with all you’ve stated Ryan. Every now and then, I still see small business owners allow their contracted web agency handle everything.

    There need to be sensitizations like this to bring the awareness of how dangerous this could be.
