While You Weren’t Looking: 3 Holy Crap WTF Scenarios That Will Wreck Your Website And Ruin Your Day

By October 19, 2012 February 1st, 2018 Website Design & Marketing

Once in a while little things go awry that make me go, “Well that was avoidable.” Some of those things are duh-moments, the kinds of mistakes and oversights that we know we shouldn’t have made. Others are things we learn the hard way because we were either uninformed or misinformed.

Some of those things cost us money, some time and some business. Here are a few real-life “Holy Crap WTF” moments that I’ve either experienced or my clients have experienced so you can avoid the same traps.

I’m sure there are more, so when you get to the bottom of this post be sure to share your lessons in the comments so we can help each other live and learn (not the hard way).

Holy Crap WTF Scenario #1: Expired Domain Names

This is one of the more common and unpleasant consequences of the set-it-and-forget-it approach. We register a domain name for our website, we build the website aaaand… life goes on.

Here’s how domain registration usually goes: someone grabs a credit card and logs onto a registrar like GoDaddy or Network Solutions. They register a domain name and click through a mind-boggling array of upsells. There are buttons and explanations and options everywhere. At some point, said person’s brain begins to melt and the checkout button looks more like a Dali painting on crack. Said person is just glad to get that whole befuddling process over with.

The process is soon forgotten. Along with login credentials. Along with expiration dates.

One of a few possible things happens next.

1. The domain is up for renewal. An email notification is sent. But the person has since gotten a new email address and never updated his registrar, so notifications go into the internet ether. The domain expires. The website goes down. Panic ensues.

2. The domain is up for renewal. An email notification is sent. The person thinks his hosting company/web developer/some other person in the company is responsible for “website stuff” and ignores it. The domain expires. The website goes down. Panic ensues.

3. The domain is set up for auto renewal. The credit card expires. An email notification is sent. See scenario one or two above. The domain expires. The website goes down. Panic ensues.

One way or another, an expired domain name is a bad thing. Best case scenario, your website goes down and you repent and renew, losing hours of business and revenue.

Worst case scenario, you lose the domain.

I’ve seen it happen.

A client once missed a renewal and about point-two seconds after the domain went back into the eligible pool, it was snatched up by someone else. It was a great domain name. For a competitor.

My client had to search for and purchase a completely different domain name which cost not only down time but the expense of updating every bit of marketing material with the new address, losing search ranking, links, bookmarks, and basically, ten years into the game, starting over.

Holy crap, WTF…

If you’re thinking for one single second that this isn’t likely to happen to you, you’re wrong. Even I’ve gotten busy and missed updating my credit card expiration date. It’s a tiny detail and you can prevent it from turning into a huge magilla by taking this simple precaution: pay attention to your domain name.

In this age of digital password managers and calendar popup reminders, there are 3 simple steps you can take to avoid this ever being you:

1. When you register your domain (or right now, if you’re repenting late), store your login credentials (that’s your username, password and registrar… you’d be surprised how many people don’t even know where their domain is registered) in a safe place.

2. Set a calendar reminder for yourself at two intervals: when your domain name is set for renewal, and when the credit card you used expires. Then in the event of either, you won’t be caught a day late.

3. Make sure the email address you have on file with the registrar is one that you use frequently. I know we’re all worried about privacy and spam but trust me, you don’t want to use some obscure Hotmail account that you check every two years for something this important. I promise you won’t see a single extra Viagra ad because you did this.

You can make this easier on yourself by setting your domain to auto-renew. As an extra precaution, it doesn’t hurt to check in with your registrar every so often – even if it’s only once or twice a year – just to be sure your contact info is up to date. Unless you’re a serial email changer, this should be sufficient.
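The reminders above can also be turned into a small check. This is an added example, not something from the original post: it reads the expiry date from WHOIS text and compares it with your own account notes. The WHOIS excerpt, account values and function names are constructed for illustration.

```python
import re
from datetime import date, datetime

# Constructed WHOIS excerpt and account notes; every value here is made up.
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2025-03-01T04:00:00Z
"""
ACCOUNT = {
    "auto_renew": True,
    "card_expires": date(2025, 1, 31),      # card on file with the registrar
    "contact_verified": date(2023, 6, 1),   # last time the contact email was checked
}

EXPIRY_RE = re.compile(
    r"^\s*(?:Registry Expiry Date|Registrar Registration Expiration Date):"
    r"\s*(\d{4}-\d{2}-\d{2})", re.M | re.I)

def parse_expiry(whois_text):
    """Return the domain expiry date found in WHOIS text."""
    m = EXPIRY_RE.search(whois_text)
    if not m:
        raise ValueError("no expiry field found; look it up at the registrar")
    return datetime.strptime(m.group(1), "%Y-%m-%d").date()

def renewal_risks(whois_text, account, today, warn_days=60, stale_days=365):
    """List the ways this domain could lapse, per the scenarios in the post."""
    expires = parse_expiry(whois_text)
    days_left = (expires - today).days
    risks = []
    if days_left < 0:
        risks.append("domain has expired")
    elif not account["auto_renew"] and days_left <= warn_days:
        risks.append(f"expires in {days_left} days and auto-renew is off")
    # Auto-renew only works if the card outlives the renewal date.
    if account["auto_renew"] and account["card_expires"] < expires:
        risks.append("card on file expires before the renewal date")
    # Renewal notices go to this address, so a stale one means silence.
    if (today - account["contact_verified"]).days > stale_days:
        risks.append("registrar contact email not checked in over a year")
    return risks

if __name__ == "__main__":
    for risk in renewal_risks(WHOIS_SAMPLE, ACCOUNT, date(2025, 1, 2)):
        print("WARNING:", risk)
```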

Remember: no domain, no website, no business. Wouldn’t you rather take a few minutes to protect yours?

Holy Crap WTF Scenario #2: Hacked Websites

Maybe the second most common WTF. Sometimes this happens because of a low-end hosting provider with insufficient security. Mostly it happens because of human error.

When it comes to hosting providers, you can’t control what they do or don’t do to protect your site. What you can do is choose a reputable hosting provider even if it means paying a bit more. If you’re running a legitimate money-making business there’s no excuse for using free hosting. Potato chip-eating bloggers in their mothers’ basements, ten year old kids and Nigerian spammers use free hosting.

Don’t cheap out on hosting when the only thing standing between you and a wrecked website is a few bucks a month.

One of the most common hacks I’ve seen is not really a hack in the technical sense. It’s just malicious guessing and it happens when Bored Teenager A meets Lazy Business Owner B’s website.

I’m talking about you, person with password 12345. I’m talking to you, person who uses the same password for every online account you own.

Did you know that if you have a WordPress site, access to your administrative portal (and hence to the entire guts of your site) is as far away as tacking /wp-admin onto the end of your domain name?

That’s right, you – you reading this right now – can reach the login screen of any WordPress admin on the planet simply by going to someone’s website that’s built on WordPress and adding that suffix.

Now, that’s not entirely accurate because there are some technical things you can do to hide your admin, but guess how many small businesses have a clue that the option even exists, let alone how to do it?

That means that the only thing standing between a malicious and/or bored “hacker” and the total destruction of your website is a good guess.

12345? Baseball? Password? Some combination of your kids’ and/or dog’s name and/or birthday… you know, all that information you display publicly and frequently on Facebook and Foursquare and Twitter?

I don’t need to tell you what someone can do to your site with access to your admin. And the single thing you can do to protect your site is in your hands: use a strong, unguessable password.

I stress this with my clients constantly. I set them up with random passwords and a long, scary speech about the perils of changing it. They nod soberly, and five minutes later they change it to “mydog”.

A few years ago, one of my clients called me up right around Halloween because their website had been replaced with a vampire graphic. In the grand scheme of things, not the most offensive thing that could’ve happened (I’ve seen people’s sites replaced with total porn) but the end result was the same: no website.

We restored the site with a long, scary speech about the perils of bad passwords, audited and changed all the account logins and a week later they called me up because their website had been replaced with a vampire graphic.

This doesn’t have to be you. Right now, I want you to change your admin password to something strong (that’s generally at least 8 characters and includes letters, numbers and symbols) and keep it in a safe place. And no, a safe place does not mean the notebook on your desk.

I know it can be a pain to log into an account when you can never remember the password, so use a trick like replacing key letters in a word with numbers (instead of “password”, try “pa22w0rd” – no, I don’t mean that literally! It’s just an example.)

Try an acronym – pick a sentence, song lyric, line of a poem or something memorable to you and use the first letter of each word. Combine that with some number replacements and you’re doing better than most.

Change your password at intervals – say every 3-6 months – and please, don’t use the same password for every single online account you own!
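A sketch of a check to run before setting an admin password, added here as an example and not taken from the original post: it applies the length and character rules above and also flags passwords that match a short common-password sample or contain personal details, including after undoing number-for-letter swaps. The word list, the swap table and the function name are assumptions for illustration.

```python
import string

# Small sample of widely used passwords, including the ones this post names.
# Assumption: a real check would load a much larger list of known-bad passwords.
COMMON = {"12345", "123456", "password", "baseball", "qwerty", "letmein", "mydog"}

# Undo common number-for-letter swaps (2 -> s follows the post's "pa22w0rd").
SWAPS = str.maketrans("0123457$@!", "olseastsai")
PADDING = string.digits + string.punctuation

def guessable_reasons(password, personal=()):
    """Return the reasons a password is easy to guess; empty list if none found.

    `personal` holds details visible on social media: names, pets, birth years.
    """
    reasons = []
    lowered = password.lower()
    unswapped = lowered.translate(SWAPS)
    # Strip trailing padding such as "123!" before undoing the swaps.
    trimmed = lowered.rstrip(PADDING).translate(SWAPS)

    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_letter and has_digit and has_symbol):
        reasons.append("missing letters, numbers or symbols")
    if COMMON & {lowered, unswapped, trimmed}:
        reasons.append("common password, even with number swaps")
    for detail in personal:
        d = detail.lower()
        if len(d) >= 3 and (d in lowered or d in unswapped):
            reasons.append(f"contains personal detail: {detail}")
    return reasons

if __name__ == "__main__":
    samples = [("12345", ()), ("pa22w0rd", ()), ("Rex2009!", ("Rex", "2009")),
               ("Tq7#vLp9!xWe", ("Rex", "2009"))]
    for pw, details in samples:
        print(pw, "->", guessable_reasons(pw, details) or "no obvious problems")
```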

And if you’re sitting there smug thinking you don’t have a WordPress site so you don’t need to worry about this… if you have any sort of admin, you do.

Most admins are a click away from your website home page because some lazy company thought its lazy employees would never find a stand-alone URL. I bet you could access a whole lot of admins on any platform without trying very hard. Just append /admin or /private to the end of a domain name and see what happens.

There are a lot of bored people in the world doing just that.

Holy Crap WTF Scenario #3: No Backups

Backups are like insurance. We never think we’ll need it… until the day something goes wrong.

Car insurance isn’t for the other 5,982 days that you drive and arrive safely. It’s for the one when you end up in a ditch.

And website data backups aren’t for all those days of smooth sailing (when you probably don’t even think of your website at all) but for the split second that a hard drive on a server fries or a bored teenager deletes your data and replaces it with a vampire graphic.

It’s also for when you log into your admin to fix a typo and your cat jumps on the keyboard and deletes the paragraph instead.

A lot of things can go wrong when it comes to websites. Hackers and bored teenagers not the least among them. Every day servers malfunction and administrators misfire on the keyboard. Sometimes security patches conflict with applications and plugins conflict with other plugins and things break. You can repent. Or you can prevent.

Do you know what I did once? I logged into a client’s site to make a change and accidentally deleted the entire home page.

Do you know what I didn’t have? I didn’t have a Holy Crap WTF moment because I had a backup and I restored it immediately. Oh yeah, my heart skipped a beat and a single gray hair popped out but within 60 seconds it was over. And that’s not even the worst thing I’ve done. Hey, I have a cat.

If you don’t have data backups for your website then you’re just taunting fate to throw a bad plugin your way.

If you’ve wisely chosen a good hosting provider then backups will be (or can be) part of your package. If you’ve cheaped out and someone guesses your admin password then have fun rebuilding your site. I seriously want you to imagine right now how you’d feel if you found out that years’ worth of blog posts, stacks of photos, all your content pages that you worked on so diligently until they were perfect – were just gone. Gone, completely, for good. No do-overs. That would probably suck. And the single thing you can do to protect your business and your site is in your hands: make sure you have backups.

Before you settle on a hosting provider, ask about their data backup policies. Find out how often your website is backed up. Once a month? Every day? On the hour? If it’s infrequent but you change your site often, it could be considerably out of date if you ever need to restore to a backup.

And find out what the retention schedule is. Do they keep backups for a week? A month? A year? If necessary, how far back could you go? When someone slaps a vampire onto your site and you don’t notice for a week, are your “good” backups already purged or can you go back far enough to a date when your site was ok?

A client once had a major HCWTF moment when they discovered that their admins had been uploading corrupted files. Some of their web data had been corrupted going back several months. If we’d purged their backups every month, the only thing we would have had as a “backup” would have been a corrupted site. Instead, we were able to go back nearly six months and restore to the last “good” point. I bet they have cats, too.
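The retention question above can be worked through with dates. This is an added example, not from the original post: it assumes a simple schedule (one backup every N days, each kept for a fixed number of days) and made-up dates, and finds the newest backup taken before the problem began.

```python
from datetime import date, timedelta

def retained_backups(today, every_days, keep_days):
    """Backup dates still on hand today, newest first.

    Assumes a simple schedule: one backup every `every_days` days,
    each purged once it is older than `keep_days` days.
    """
    oldest_kept = today - timedelta(days=keep_days)
    backups, day = [], today
    while day >= oldest_kept:
        backups.append(day)
        day -= timedelta(days=every_days)
    return backups

def restore_point(discovered, problem_started, every_days, keep_days):
    """Return (date of newest clean backup, days of changes lost), or None."""
    clean = [b for b in retained_backups(discovered, every_days, keep_days)
             if b < problem_started]   # taken before the damage began
    if not clean:
        return None                    # every backup on hand is already bad
    newest = max(clean)
    return newest, (discovered - newest).days

if __name__ == "__main__":
    found = date(2024, 10, 31)         # constructed dates for illustration
    # Defacement went unnoticed for a week, daily backups.
    print(restore_point(found, date(2024, 10, 24), every_days=1, keep_days=7))
    print(restore_point(found, date(2024, 10, 24), every_days=1, keep_days=30))
    # Corrupted uploads going back months, weekly backups.
    print(restore_point(found, date(2024, 5, 15), every_days=7, keep_days=30))
    print(restore_point(found, date(2024, 5, 15), every_days=7, keep_days=180))
```

A result of `None` means every backup still on hand was taken after the damage began, which is the situation the retention question is meant to catch.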

Unfortunately, if your hosting provider doesn’t have this service then the onus falls on you. If you’ve got a WordPress site then check out one of the myriad backup plugins and be sure that you can back up and restore your files and your database.

If you’ve got an HTML site then you may have the harder job of using FTP or a control panel to download, back up and store your site files. How you do this can depend on your hosting company so if they don’t provide backups then nag someone until they tell you how to do it yourself. And then do it. Often. Obsessively.

If you have a custom database or application then I strongly urge you to find a hosting provider that deals with backups so you don’t have to. Why give yourself the headache of being a tech expert on top of doing everything else you do to run your business? Sometimes it pays to leave these types of crucial and specialized details to people whose job it is to deal with these types of crucial and specialized details.

Just remember that it doesn’t take a major catastrophe to result in a major catastrophe. Sometimes all it takes is tapping the wrong key on your keyboard to lose valuable data.

I’ll repeat myself one last time for good measure: it doesn’t have to happen to you.

Sometimes all it takes is knowing what can go wrong so you can prevent it. Other times it takes acting on what you know. Now you know, so get busy preventing any of these things from happening to you!

Pop Quiz: The “Never Have A Holy Crap WTF Moment Again” Checklist

Answer these questions. For real. And if you can’t, then stop what you’re doing and find the answers. Fix them if they’re wrong! It’s that important.

Where is your domain registered?

What are your login credentials?

When does your domain expire?

What email address is the renewal notification going to?

Have you set up auto renewal and/or auto reminders?

Is your site admin password strong?

When was the last time you changed your password?

Has anyone besides you and your cat ever heard of your hosting provider?

Is your website being backed up?

How often?

For how long?

What would you do right now if you found out that your site was hacked or otherwise corrupted by an accidental tap of the delete key?

Got any other WTF moments to share? A cautionary tale for those of us who either don’t know any better – or do, but think we’re invincible? Please share!