PSA: Intentionally Leaving Backdoors in Your Code Can Lead to Fines and Jail Time

via wordfence.com (original post)

In the cybersecurity field, we talk a lot about threat actors and vulnerable code, but what doesn’t get discussed enough is intentional vulnerabilities and becoming your own threat actor. Even when making decisions with the best of intentions, it is possible to work against your own best interests. One area where we see this is website developers trying to safeguard their work. It can be tempting to include code that gives the developer hidden access to the site files, also known as a backdoor, so that if the client chooses not to pay, the developer can remove their code or otherwise damage the site.

While implementing a backdoor may seem like a viable way to protect your investment of time and resources, it comes with potential ethical and legal problems, in addition to the security risk that a backdoor hardcoded into the website creates for everyone who uses it. There are always better options available, even if they are less convenient for the client and the developer. When developing a website, the developer should remember that their needs are just as important as the client’s. Addressing those needs up front, in the contract and the payment schedule, helps to prevent the situations that might otherwise lead a developer to implement a backdoor on the website.

One of the biggest reasons a web developer may be tempted to include a hardcoded backdoor is to ensure their work is not used without payment. A common practice among website developers is to require 50% of the development fee up front, with the remaining sum paid upon delivery of the completed project. Especially among freelance developers, it is not uncommon to begin development before the initial fee is paid, and even to hand over the final code before the final payment is received. The fear of a client not paying may lead a developer to believe that it is a good idea to hardcode a backdoor into the project, so that the developer can remove their code or take down the site entirely as a form of retaliation.