How can I safely setup my website so a contractor can work on it without copying it?

I have a valuable high traffic website I have spent years of work on and need contractor's help to fix things. I can't allow the contractor to download my site contents, or mysql database, as it would be a huge risk of it being used against me, sold to a competitor, etc.

The 2 things I want to protect is:
1. FTP - that they access only the folder. I already know how to do this, but don't know how to restrict them from downloading everything.
2. MySQL - that they can be restricted from exporting, but can still use phpmyadmin to edit, optimize, etc.

The other thing I'll do is have them sign a Non disclosure / non-compete agreement.

What measures do you take to protect your website assets when being worked on by hired help?

 

That's a bit of a dilema and there's no easy way to do that. You can restrict FTP Access to certain folders and you can limit what tables they have access to by providing them the tables they need, but the very nature of doing some development work on a site usually means they need to have access to most of it.

Then it comes downs to your own skill levels. Do you know enough to integrate any changes/code into your web site yourself? Can you strip-out most of your data and given them a copy of the database that only contains a bare minimum amount of data that allows them to make the changes needed and to test it - can you then apply these changes to your live databases yourself? As with most sites, the real value is within the data owned, not the actual site code itself (whose functionality can be easily copied), so the database contents are usually what you need to protect the most.

Given how difficult it will be (impossible?) to prevent access to sensitive information, your only protection may be the legal route. That means having a water-tight non disclosure agreement in place, a non-negotiable copyright in place about who owns what, and the work done by a company/person who can be pursued in the first instance (no point employing a foreign developer as your chances of pursuing them will be nil). Then you'll need to choose a reputable company that isn't going to disappear and who has an excellent reputation..so no lone-developers, someone you met on the internet, or any corner cutting. That might end up costing you more because well-established competent companies don't work as cheaply lone developers.

I don't envy your position but at least you have the sense to recognize the potential problem and look for a solution BEFORE getting involved. Being aware of the danger is the first step in making sure you aren't ripped off. I hope someone else can come along and provide some additional practical advice for you.

 

Surely this is a common problem. I'm surprised there aren't more articles and people's comments on this. Anyone else?

 

There's no way to do it technically, like RonBrown said.

Make the contractor sign an NDA. Make sure he's vetted. Only use a contractor from a well-known, reputable firm.

 

As others have pointed out, there is no safe way to do it. An experienced admin/coder will always find a way to gain access if he wants to. Once you can upload and execute a PHP file to a system, you already have a level of access that is difficult to stop with even aggressive and fine-grained access control.

In my opinion, it is not worth your time. Do avoid cheap labor, and hire only from contractors or firms that have among their clients some big websites and companies, and that have been working with the same clients for the long term.

The NDA route recommended by RonBrown could be an idea, but if you hire people from obscure areas of the globe, your possibility of enforcing it in a cost-effective way are close to zero. Also, professionals with a good reputation might have higher fees when asked to sign a NDA.

 

What would prevent developers from making a nice lucrative business out of getting thousands of websites then? They just get hired by a company for a small job, they copy all their code and mysql data, then either put up their own competing website, or sell the code/data to someone else. Once they do this a few years, they'd have thousands of websites and priceless data, just from doing small developer jobs here and there. Is this what people do?

 

Never heard of anybody doing this; it would have come out, sooner or later. Anyhow, if your website has very sensitive data or very valuable data - like real-life information about your users - you absolutely must avoid hiring firms without a well-established reputation.

I have worked for 12 years with websites big and small and not once I have seen this happening or I have even thought about doing something like this. The fact is that the relationship with a client is one based on trust; why would you want to risk losing a client and go against the law?

I have difficulty thinking about website types that one would be able to clone without being found. Forum communities: that content is obviously unique to each forum, you cannot just copy it elsewhere; the user e-mails are useless, unless you consider spamming a legitimate way of doing business: these days, you can get very easily in jail if you spam the wrong people. Stealing an e-mail list is useless unless you are a criminal. Blogs: the content is copyright protected, once it has been published - posting it again on the web will give you a website with little or no value. And so on.

Anyhow, the core of the problem is always the same: if you have a valuable website, you cannot go around hiring the cheapest guy in town, because their motives might be not so clear.

 

I think the most valuable part of most websites is the data, not the html or code. I have mysql databases of entire books, huge list of contacts with emails/addresses, and other data which I consider valuable. When I have hired developers in the past, they said they exported everything onto their own computer for local work. I ask them to delete their local copy each time, but what are the odds they do?

There are mysql databases for sale on the web and there are many clone websites of health info, lyrics, this and that. I think some people do this. I'm just trying to figure out how to protect myself. I'm surprised MySQL permissions doesn't allow disabling the export button at minimum. So weird something so basic as that can't be blocked through priviledges. If I simply add 'Select' option to mysql user, then I think they can instantly export. Select is the bare minimum statement to do anything though. I wish they didn't program it that way. I'm surprised security of our mysql data from hired developers this is not a more common discussion.