WordPress developer stole my website files

Janet A Member Since: Nov 7, 2016
Finally, Claudia, you wrote something that is related to my issue. Yes, I SPECIFICALLY told him I had made a backup of my website before he started working on the site. And I also told him that I would be responsible for any syntax issues.

Therefore, I know his intent was malicious. He was upset because I did not give him FTP access. So, he decided to upload the plugin and steal my files anyway.

Andrei G Member Since: Nov 26, 2016
Janet, from what you are describing, my guess is he found your distrust offensive. He probably thought it's not worth it and brought your site down just for petty revenge (probably thinking you brought it on yourself). In this sense, his intent was clearly malicious.


Of course, there is a chance he left a backdoor on your website, giving him easy future access to it (so he could bring it down again). That's why you should have a security specialist take a look at your website ASAP.


However, my personal experience and gut tell me his "petty revenge" ended with bringing your website down. After all, what he did is a felony and he would be responsible for his actions, should you decide to take any legal action against him.


On another note, I personally believe everyone has good and bad in them. Over the years, I have tried to teach myself to bring up the good in others, not the worst. I really believe there were chances, had the communication between you been better, that he would have finished the job and you would have been satisfied with the result.


If nothing else, take this out of it: there is almost no point or use in distrusting a web developer once you give him some sort of access to your website. Unless you are an expert in web security and know how to block every channel and possible exploit, chances are he will outsmart you and find ways of taking control of it all. And when I say chances, I mean 99%. So why not give him the keys to the castle with a smile? I bet he will smile back and do a better job than you would have expected. He might even tighten your overall security where he finds flaws. I would definitely do it for a smile.

Janet A Member Since: Nov 7, 2016
Your post is inspirational. However, I disagree with you on just trusting any new developers. I have had very bad experiences. This is not the first. The first developer I hired for my first site on oDesk, when Upwork was oDesk, I gave him my cPanel access since I was naive. What he did was he removed my website files from my server because the review I gave him was not good enough for him. I posted that he didn't do quality work and that I had to tell him to do a ton of corrections. So, he said that UNLESS I gave him 5 star reviews, I would not get my website files back. oDesk was great and I was able to get my files back. So, since then I don't give cPanel or FTP access. I just need to add additional security. Giving admin access, I have learned that basically I give access to my files with the file manager plugin. I will specifically put this in the NDA I have freelancers sign that they agree not to upload this file manager plugin. Anyway, I will talk to security developers and maybe I can just give "user" access to my site instead of admin access.

Andrei G Member Since: Nov 26, 2016
I see your point and I understand your position.


Here are some technical details you might find interesting: 


In effect, if a web-developer wants to take control of your website, they do. In 90% of cases, if not more, methods and backdoors already exist. Particularly when your website's security relies on a username and a password. Believe me, you have no security whatsoever. The actual level of online security comes from a simple equation: the cost of getting in is higher than what would be gained. That's the golden rule of online security and of security in general.


The most common method of back-door-ing is placing a tiny amount of code, usually scattered in different parts of a website that, when called, would create (or download) a script that would provide access to the target and then delete itself. Needless to say, it is almost untraceable. The only way of doing it is by comparing corrupted files with clean ones. And this is roughly what most WP security plugins do.


From where I see it, your only chance of getting along with developers would be for you to change something in the way you make the selection. Pick the ones most likely to deliver work that would make you rate it 5 stars. That would clearly solve your problem. 


I assure you I am not trying to point fingers here. I'm trying to find solutions and means of control given the available resources.


I hope I have been helpful.
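
The comparison of live files against clean ones described in the post above, as an added example that is not part of the original thread: it hashes a known-clean copy of the site and the live copy, then reports modified, added and missing files. The directory layout and file contents are constructed sample data, and the function names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(clean_root, live_root):
    """Diff a live tree against a known-clean copy of the same release."""
    clean, live = manifest(clean_root), manifest(live_root)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }


def demo():
    """Constructed sample trees: a clean copy and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {
            "index.php": "<?php require 'wp-blog-header.php';\n",
            "wp-includes/load.php": "<?php // core loader\n",
            "wp-content/themes/shop/functions.php": "<?php // theme setup\n",
        }
        for root in (clean, live):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Changes on the live copy only: one edited file, one new file, one deleted file.
        (live / "wp-content/themes/shop/functions.php").write_text("<?php // theme setup\n// extra line\n")
        (live / "wp-content/uploads").mkdir(parents=True)
        (live / "wp-content/uploads/cache.php").write_text("<?php // unexpected\n")
        (live / "wp-includes/load.php").unlink()
        return compare(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The result is only as trustworthy as the clean copy, so the baseline should come from the pre-engagement backup or a fresh download of the same release, not from the server being checked.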

Janet A Member Since: Nov 7, 2016
Yes, I will install WP security plugin to do a scan. I already have Wordfence and after this, I will need to get Wordfence Premium and activate two-factor authentication. I need to clean my website files and clean any back door like you said. But I think his main motivation to steal my website files is so that he can use my site to sell what I sell since my site is an e-commerce site. So, basically, he stole my website files and my idea. I guess that is the risk a client takes when you hire on Upwork. But I thought he was honest because he had helped me with another project but with that project we had done Skype screen share so he didn't have a chance to steal any files from me.

Lola M Member Since: Mar 18, 2019
I know it's been a while since you posted but I am very interested in what happened at last. I have the same problem here: hired a developer, after I gave him access he didn't even answer my messages, and found out he had copied the entire site, even the database.


Goran V Moderator Member Since: Mar 24, 2017
Hi Lola,


I'm sorry to hear about the bad experience you've had with your freelancer. I can see that you have an open ticket for this and our team will assist you directly on your ticket as soon as possible. If you have any additional questions let me know, thank you.

Olga P Member Since: Apr 13, 2015
Hello Janet. Sorry to hear that. It's always a risk working with freelancers. I can suggest that in future you work with agencies (they're often more reliable) and sign an NDA with the contractor in which you can mention that he/she cannot use anything he/she gets from the project and not to share any information about it.

Janet A Member Since: Nov 7, 2016
Hi Olga,


I actually had him sign an NDA. But since he cancelled the contract even if he cancelled it for NO, the NDA may not be binding or maybe it is. However, he is in the Philippines and I am in the US. I am having Upwork review my fraud claim and I am requesting that at least his Upwork account be permanently deleted.


Actually, I learned how not to allow any other freelancer to upload any plugin when he works on my site thanks to a security WordPress developer that I spoke with. I wish I had known this before but of course nobody tells you this important information, especially contractors who want to have access to plugins to upload and steal files.


I don't like agencies because it is more time consuming to get things done and I like to deal directly with the contractor.

Jennifer D Member Since: Feb 15, 2016
1) Did the freelancer *actually communicate* to you that they were cancelling the contract so they wouldn't get a bad review? Or are you assuming?


2) Has the freelancer *actually done* anything with your website files? Do you *actually know* that their intent was to "steal" your site and your idea, and not just to make a backup before they started, which is normal practice? Or are you assuming?