an abusive volunteer is holding our website hostage, boss says it’s unprofessional not to start an email with a greeting, and more

It’s five answers to five questions. Here we go…

1. An abusive volunteer is holding our website hostage

I am the first vice president of a nonprofit. We’re all volunteers, including our webmaster, Fergus. Fergus built our website some number of years back, in a computer language he invented and hasn’t finished developing. Because of this, he’s the only person that understands fully how the website functions, which includes the database for our treasurer. The security and continuity of this database is, obviously, critical, and there are many other parts to our website that would make our members very unhappy to not have access to.

Fergus is also an abusive bully. Straight up. From the way he’s treated the various people who have volunteered to help with the website over the years, to the way he interacts with people needing the website updated, the only thing we can figure is that he views the website as his personal fiefdom and anyone who wants to understand how it works is treated as a personal threat to his cherished status as webmaster. We have lost members due to his behavior. We have had conversations with him that, admittedly, might have been too gentle, but honestly, I don’t think he’s genuinely listening, nor does he care to listen. It’s like he’s already made up his mind – from his viewpoint, everyone else is lying about his behavior and he’s not the one that’s the problem. He’s basically untouchable and he knows it.

Fergus is a known problem, but we feel stuck between a rock and a hard place. No one will work with him and he keeps running off any volunteers. We can’t get anyone to volunteer to help us create a new website on a sustainable platform. (Even if Fergus was the most sainted saint to ever saint, he’s a single point of failure due to the language the website is in and his gatekeeping knowledge of certain parts of the website.) We could “fire” him from the position with no website or web team to replace him, but then our ability to function will revert back to pre-Internet days, which means our treasurer won’t be able to do her job. How do you manage a volunteer who is crucial but unmanageable?

You need to transition the website to a more accessible, out-of-the box platform ASAP (out-of-the-box so that anyone can learn to use it, rather than being dependent on the knowledge and whims of a single person).

If you’re thinking “but we can’t”: What would you do if Fergus was hit by a car/dropped off the grid/disappeared in a fit of pique tomorrow? You’ve convinced yourself the org is held hostage to him, but if he was suddenly no longer working with you for whatever reason, you’d presumably rally and find a solution. Whatever you’d do then, do it now. It might be an enormous pain, but you’re going to have to do it one day anyway … and since you’ll have to put up with unhappy members during that transition at that point, just get it done now and put an end to your Fergus nightmare.

You’ll be better off moving to a simpler platform that you can actually use, even one with fewer features, than being subject to his tyrannical whims; have someone replicate your content on WordPress or another simple platform any of you can learn and be done with him (truly, WordPress and similar platforms require almost no technical skills whatsoever if you just need basic features). If it means you lose some features you really need, you can almost certainly hire someone to replicate those if they’re essential; the price of doing that is a necessary cost of doing business in a situation like this. The price of letting all this live with Fergus as the sole gatekeeper is way too high.

And if Fergus stands in the way of this transition, you simply inform him you’re doing it and do it without him (just as you’d have to do if he disappeared tomorrow). If he’s willing to offer some assistance in the transition, great — but if he doesn’t, then you do it without him (again, just as you’d have to do if he disappeared tomorrow). And make sure whoever creates the new site knows the situation so they don’t inadvertently end up repeating it with the new one (like by letting Fergus “help” in a way that permits him to again hoard knowledge).

Read an update to this letter.

2. My boss said it’s unprofessional not to start an email with a greeting

I work from home. I opened my work email a few weeks ago to a note from my boss, who told me that the tone of “some” of my emails is not professional. She gave me an example of an email I had recently sent to a colleague and cc’d my boss for visibility. The body of the email started with “One more thing!” and then went into the details of what I needed. I had been conversing with the colleague on our internal messenger system and had taken the tone to my email with them. My boss said all emails need a proper intro greeting.

I was taken aback. While my communication style is friendly and open, in my 25 years of work, I have never been accused of being unprofessional in my emails, especially over the lack of a “proper” intro. In general, I always start my emails with “hello” or “good morning” and that person’s name.

While I will ensure I always include a greeting from now on, I am now paranoid about every email I send, for fear of becoming “unprofessional” in my boss’s eyes. If not saying “hi” in an email once is unprofessional, what else is not acceptable? A single emoji? An exclamation point? (You know women are often judged in emails to be “cold” or “terse” in emails, more so than men, which is a whole other problem in itself.) I could use your advice, and please tell me if I’m in the wrong here.

You’re not in the wrong. Your boss is being ridiculous. There are many, many cases where professional emails don’t need to open with a specific greeting. Sometimes that’s based on the relationship you have with the person, and sometimes it’s based on context (and in this case, it was based on both).

You’re right that now that your boss has decreed this, you should adhere to her preferences … but she’s not right about it, and it would be interesting to find out if she’s given similar feedback to your coworkers (especially the male ones).

3. How can I get out of rides from my boss?

I’d like your advice on how to get out being carpooled by my manager. We live in the same city and the office is almost an hour and a half away, in another city. The work contract is 100% remote with monthly team meetings. I have been carpooling with her since 2022 but now I am changing departments, and she is still offering me carpooling with her for these monthly meetings. I have always gotten the feeling that in a way she doesn’t like me and I have never felt totally comfortable with her, awkward feeling there, always. So I would really like to stop doing these rides. What should I do? What should I say when she offers me a ride?

“I’m going to drive myself from now on since I sometimes have stops to make on the way back. I’ll see you there!”

Alternately: “I’ve found I really enjoy using long drives to catch up on audiobooks so I’m going to drive myself from now on, but thank you for driving me in the past and I’ll look forward to seeing you there!”

Or: “I’ve found I can really use car time for thinking and planning, so I’ll drive myself going forward — but I really appreciate all the times you drove me.”

4. Could I be fired for giving my boss a nickname?

If I were to give my boss a nickname, nothing derogatory or hurtful, like calling someone named Bill “Billy the kid” or just “Billy,” can that get me fired?

Sure, if your manager tells you to stop and you don’t, they could fire you over that. Whether they actually would or not is a different question — but calling someone by a nickname they’ve asked you not to use is disrespectful and rude and you shouldn’t do it whether they have any power over you or not … and when it’s your boss, it’s insubordinate as well.

5. Am I legally entitled to severance pay?

I work for a small business that was purchased by a much larger company. We were just informed that the larger corporation will be dissolving our small company by the end of the month; they are encouraging us to apply for other jobs within the larger company, but if we’re not eligible or interested, we will be unemployed within three weeks. All of these job openings would require relocation, which is not feasible for many of us. We are required to work on-site through the end of the month, and they are considering this our severance period; that is, we will not receive additional payment beyond our required working period.

Is this legal? I’ve been laid off previously, and I at least received two weeks of severance pay after my last day at work. It just feels like we’re being screwed over, and I’m wondering if you have any advice on handling this situation.

If you’re in the U.S., your employer has 100 or more employees, and the layoff affects 50 employees or more, the WARN Act requires that you be given 60 days of notice or, in lieu of that, 60 days of pay. If the layoff affects fewer people than that, then no law requires them to offer severance — although companies usually do it during layoffs, partly because if they don’t, they’re far more likely to see additional employees jump ship while they can still do it on their own timeline and partly because it’s typical to have laid-off employees sign a general release of legal claims in order to receive the severance.

severance pay: who gets it and how it works

{ 583 comments… read them below }

  1. Happy meal with extra happy*

    Question four makes me think of the reverse situation at an old job where a manager thought he was being chummy and what not where he called everyone by nicknames (with or without their agreement) but he hated whenever anyone shortened his name to its very common nickname (think like Thomas to Tom).

    1. Chilipepper Attitude*

      I’m really curious what is behind question 4. Was it more, I want to be rude to boss by calling him a nickname that appears normal but I know he will hate and I don’t want to be fired? Or was it, I want to be more informal/social with my boss but I feel weird not using Mr last name? Or some situation where someone got fired and OP4 was checking on the legality?

      1. Seeking Second Childhood*

        With that specific example I could imagine an old-timer who resents having been passed over for promotion in favor of a “kid”.

      2. Armchair Analyst*

        I enjoy picturing a villainous boss, deep in the shadows, holding up a weapon of choice (a pen, a white board marker, reams of paperwork) and scowling one of either 2 choice lines that will be featured in the trailer: “I TOLD YOU NEVER TO CALL ME THAT AGAIN, JONESEY” or possibly “YOU’RE CALLING ME THAT FOR THE LAST TIME, JONESEY” with “YOU’RE FIRED!” said very dramatically after either of these.

        if it’s a different kind of movie, substitute “TODAY IS *YOUR* LAST DAY. PREPARE FOR TERMINATION.” instead of “you’re fired”

      3. The Cosmic Avenger*

        The situation that makes the most sense to me is that the LW and their boss have a good relationship and the nickname is fine with both of them, but a grandboss or other higher up manager heard it and tried to butt in and threaten the LW.

        Of course, as a regular reader I can also imagine someone just insisting on it after being told to stop, and claiming they shouldn’t be fired for being a jerk. The question really didn’t have enough information to judge.

        1. Someone Else's Boss*

          The second one was my thought. My name has a not uncommon nickname (think Meg for Margaret, people use it, but not the vast majority). Anytime someone uses it, I say, “I prefer Margaret.” At least half the time, the person digs in their heels and insists the nickname is normal for my name. I do the classing baffling look and say, “Yes, but I prefer Margaret.” It’s shocking how many people think they get to re-name me if they want.

          1. Name nonsense*

            I’m an Elizabeth. Most Elizabeths in my generation shorten it to Liz, but I use Eliza, which is more common among older generations. The number of times people have tried to make me be Liz instead is pretty baffling. Like, I am aware that Elizabeth has approximately 6000 derivations and any of them could be a valid nickname for an Elizabeth, but I am one specific person and I have one specific name, and it’s so weird to me when people insist my name is wrong.

            1. Captain Vegetable ( Crunch Crunch Crunch)*

              My friend’s name is Bethany and she goes by Beth. She had one person insist on calling her Elizabeth, which caused no end of confusion, because wtf?!?

              1. Calpurrnia*

                The “incorrect reverse-nickname”! Or the “Nicholas-name”, perhaps.

                This reminds me of someone I used to know named “Bobby” – that’s his 100% legal name on his birth certificate – and yet my uncle continually insisted on calling him “Robert”. We joked about how he should start calling my uncle (whose name is Carl) “Carlos” in return. Not sure if he ever did, but it was satisfying to imagine my uncle’s bafflement.

                1. whingedrinking*

                  I’ve had teachers like that. Drove me straight up the wall. One classmate protested that his name was genuinely Nick, not Nicholas, it was on his birth certificate and everything – and got nowhere. (Mercifully, although my legal name is technically a diminutive, it’s very regional and not a lot of people know that, so I dodged that bullet myself.)

                2. Maggie Perhaps*

                  My brother’s name is John, when we were kids adults who didn’t really know him (like church members when we went) would try to be formal with him and call him Jonathan. My brother wasn’t a fan, he’s always just been John (or Johnny to some close friends) and Jonathan isn’t his name! He or my mum would always correct it.

                3. Indigo a la mode*

                  I have a little hobby of affectionately giving people oulandish reverse-nicknames, like Nicktopher, Rickolas, and Jenjamin. :)

                4. John*

                  I worked with a guy who sometimes called me Jonathan. So I called him Alexanderathon.

                  It worked for us because we worked well together. I can see it getting tedious from people you don’t care for much.

            2. Yes, It's Elizabeth, All 9 Letters Please*

              I’m Elizabeth too, and I go by the full name! I was nicknamed “Liz” against my will in high school, and it took going to college to get out of it. If people shorten it I always say, “No, it’s Elizabeth”.
              I worked with a guy who kept call me Liz, so I started calling him a different version of his name and he quickly stopped.
              I will repeatedly correct people until they get it right – I don’t let anyone get away with changing it.
              Letter 4 irked me. Maybe it’s a mutual thing, but if not, NO!

              1. Hillia*

                And it’s always nice to share info with new people! I’ve had people give me a heads up…’Just so you know, Susan doesn’t like Sue, she prefers her full name’. I appreciate the info so I can avoid irritating Susan and keep things moving smoothly.

                1. metadata minion*

                  But why not just refer to Susan by the name she gives when you meet? If she prefers Sue but was just being formal in an interview or whatever, presumably she’ll tell you.

                  This might be me never really having learned the “rules” for nicknaming, but I profoundly don’t get why you’d call someone a nickname they haven’t asked you to call them, unless you’re *very* close friends.

                2. Zebra Trainer*

                  Yes, love it when people give you a heads up. And while I think most people act in good faith, there are some names that are almost always shortened, in my country, at least. For example, every Jessica I’ve ever met has gone by Jess. I would hopefully remember to ask but, yeah, there are some names I would automatically default to a short version.

                3. Llama Identity Thief*

                  @metadata minion, it’s 95% of the time not a conscious process. “Oh hey, every Susan I’ve ever met in my life also is fine responding to Sue, so this Susan is Sue” is the reasoning, but it isn’t even reasoned like that, it’s on an instinctual level.

                  And there are a lot of people out there who get HIGH-KEY offended when you critique something they did without thinking, of any kind. I wouldn’t be surprised if that was at least some percentage of the “digging-in-heels” we get over this

            3. TheseOldWings*

              Another Elizabeth here! I do go by Liz, but have had quite a few people just assume I went by Beth. It’s so strange that people just randomly pick a nickname and go with it!

              1. DD26*

                My cousin is an Elizabeth, who also goes by Liz. A teacher started calling her Beth, and my normally mild-mannered Aunt got MAD. Told the teacher ‘This child is a Liz, not a Beth’ and no truer words have ever been spoken :)

              2. The Formatting Queen*

                This is funny, because I’m an Elizabeth who goes by Beth, and so many people assume that my nickname is Liz. We can’t win!

            4. Anon For This*

              I have a mate whose name is Katy. Not Katherine, but legally, on her birth certificate, all of her official paperwork is “Katy”. She has had to deal with not just the regular misnaming, but ending up having issues with HR for her SSN/background chat not being correct when the error in fact was they put her name down as Katherine because they assumed SHE was in error when she filled out her forms with Katy.

            5. Bookbug71*

              I’m a Lisa, which does come from Elisabeth but not in my case. I’ve had people call me Elisabeth, and Melissa, and are suprised when I don’t answer. People, the name on my birth certificate is L-I-S-A. Nothing more and nothing less!

          2. Rex Libris*

            Same. My name is one with a very common nickname (much like Thomas to Tom.) I have never gone by the nickname in my life, and have actually had sufficient negative experience with a couple of “Toms” that I’m really not fond of it. There is no faster way to annoy me than by attempting to create a “connection” by repeatedly calling me Tom.

          3. Lab Boss*

            I truly don’t understand how someone could dig their heels in on that- at one point I used a common, non-diminutive nickname (think “Dan”) for a new colleague and he mildly said “hey, I actually go by Daniel” and I wanted to crawl in a hole and die of embarrassment for calling someone by the wrong name.

            1. Ace in the Hole*

              We’ve had minor issues at some places I worked when people had overlapping names, because it makes radio communication difficult. Normally this can be solved by using last names. In rare cases that also breaks down… a few actual examples (names modified for anonymity):

              – Three guys named Daniel on the same crew, one with the surname Daniels (yes, “Daniel Daniels”).
              – John Mason and Jon Manson working the same shift
              – Gabriel Rodriguez, Mark Rodriguez, Gabriel Walker, and Marc Walker all work together.

              Fortunately, most people are understanding when there’s an actual reason for nicknames. Especially since they’re involved in picking what their “radio name” will be.

          4. Chirpy*

            I have a short, uncommon name, which has a foreign spelling but all sounds in the pronunciation are common to English. The number of people who think they get to rename me, shorten my (short!) name, or tell me my name is spelled or pronounced wrong is absolutely baffling.

            1. goddessoftransitory*

              My last name is like that–only one syllable, but mispronounced a LOT. It astounds me how many people keep doing it after I correct them (it is not difficult to pronounce at all once you hear the vowel sound said aloud.) Like, I have had this name since my literal birth, I know how it’s supposed to sound!

          5. DD26*

            My son is Bradley. We have always called him Bradley, as its a family surname. He will flat out ignore someone if they call him Brad. I’m fine with it, every piece of paperwork I’ve ever submitted for school, doctor, etc has said Bradley, not Brad.

            (Side note, since he was born we found out Bradley is actually *not* a family surname and we’ve joked we need to change it to the actual surname. He refuses. ;) )

          6. FD*

            This really really bothers me, especially since in my experience I tend to mostly get it from older men (as a female presenting person).

          7. NotAnotherManager!*

            This is one of my pet peeves. Call people the name they introduce themselves by, regardless of your opinion of it. This is not rocket science.

            I have a longer first name, and I have lost count of the number of people who told my first name was “too long” and they were going to call me something shorter. Think insisting on calling Marianne just Mary. If I wanted to be called Mary, I’d have introduced myself as Mary.

            One of my children also uses a less common nickname for their full name, and, despite it literally being the first syllable of their full name, it is mind-blowing for a lot of people and also very commonly mispronounced. Using the Elizabeth example, they go by Eliza but get called Eleeza or Elzuh an awful lot, on top of the admonitions that Liz or Beth are the “right” nicknames for Elizabeth. (Imagine the mental gymnastics required to comprehend that my great aunt Elizabeth was called Betty and great aunt Margaret didn’t answer to anything but Peggy. Heads would explode.)

          8. I'm a Margaret*

            I’m a Margaret and, I’m often asked if I go by Margaret because there is an unwieldy plethora of nicknames, one of which is Daisy. Insert cute joke about my personality here. “Does anyone call you Maggie?” “Not twice,” I said. Not to disparage that nick name of course, it just literally does not go with me, my appearance, my demeanor, I don’t know it’s just not the right tone for me. No shade toward it, trust me.

            As you evolve over time at work if you develop a close relationship, a polite nickname in private might be ok, but in a work meeting, “Anna Banana (pants),” is probably not a good look. Someone tried to start calling me Blondie the Monday I walked in with platinum blonde hair, but I changed their mind.

            1. Maggie Perhaps*

              I’m a Margaret as well, and while I don’t feel super strongly towards Maggie (hence the username) it also doesn’t feel like me and if anyone other than a few select friends called me it I’d be not thrilled. Anyone calling me Marg gets quickly corrected with “that’s not my name.” Personally I’ve always just felt like a Margaret and 9/10 times a nickname will throw me through a loop.

              The nickname I do usually go by isn’t even one of the actual ones for the name!

          9. goddessoftransitory*

            For me, I have a pretty common name (like Margaret) and am quite used to people shortening it to “Meg.” However, there’s another diminutive that’s much more personal to me (think “Peggy” or “Maggie”) that I reserve for family members only.

            I don’t object at all to Meg, find Margaret a bit formal but it doesn’t bother me, but I will stop anybody who calls me Maggie/Peggy and say I prefer the other, period.

          1. MigraineMonth*

            Quick rule-of-thumb: Whenever the question is of the form “can I be fired for X?”, the answer is yes.

            Is it legal? In the US, almost always. Unless it is discriminatory on a protected characteristic (gender, race, nationality, etc), violates an employment or union contract, or violates a specific law (e.g. WARN), pretty much anything is legal.

            However, legal or not, you’ve still been fired.

            1. Observer*

              However, legal or not, you’ve still been fired

              Sometimes you can be reinstated. And sometimes pointing out the legal issues will stop the firing.

              But, yes, by and large, in the US it’s legal.

        2. Smithy*

          This also reminds of the conversations around pranks at the office and whether or not they’re ever ok. The reality often rests around sometimes yes, sometimes no – so be cautious because if the answer is a hard no, you may not have a lot of back-up legally.

          My guess is that this is a situation that has already resulted in some kind of disciplinary action and that feels unfair. But then, I used to work at an office where a group of colleagues would “prank” each other in the group when they’d go on vacation by decorating their cubicles in a teasing fashion. It’s something I know I could personally never do, because I’d either cross the line into just mean – or child’s birthday decorations. And that’s fine! So I didn’t do it. But that group clearly got it, got one another, etc.

      4. Falling Diphthong*

        This particular version sounded like rules lawyering to me–“I put my toe right up to the line, but not over the line, so you cannot fire me because there is nothing in the employee handbook about giving your boss a nickname.” Also went with Second Childhood’s first guess as to the why of the nickname–“It’s not like it’s derogatory! It’s just joshing fun! You can’t fire me for the second one!”

        1. Sloanicota*

          Yeah, including the example of “Billy the kid” suggests to me that OP wasn’t just forgetting not to shorten Jonathan to John.

        2. Lily Potter*

          Actually #4 reminded me of Annie (I think that’s the name) from a few weeks ago, who argued that reading email wasn’t technically in her job description.

        3. NeedRain47*

          It’s also ignoring the fact that calling someone “Billy” is in fact a diminutive, usually used for children, and it’s not a stretch for someone to think it’s derogatory.

        4. Csethiro Ceredin*

          Generally I think just don’t do anything you plan to defend with “it was just a joke,” especially at work.

          And call people what to want to be called, too.

        5. goddessoftransitory*

          Ugh, that kind of personality is like working perpetually in the back seat of a car with them going “I’m not touching yoooooou!” as they continually stick their arms and legs into your space.

      5. GentleTree*

        It may be behind the boss’s back. I have a co-worker that calls our executive by an innocent-sounding nickname, but doesn’t say it to his face and generally has a condescending tone about it. Think Davey instead of Dave. “Here comes Davey with an email,” etc. That’s the vibe I get from the Billy the Kid example.

      6. Pay No Attention To The Man Behind The Curtain*

        I thought something along your last sentence. I wonder if a work bestie or family member of the LW got fired for doing it, and they want to know if they have recourse to…IDK…get the boss in trouble or get their bestie rehired.

    2. Anne Elliot*

      Former U.S. president George W. Bush famously nicknamed almost everyone he dealt with, and they all had to pretend they liked it.

  2. Lime lehmer*

    1. In regards to Fergus.
    Don’t say a word to him.

    Take a screen shot of all your web pages (alt/print screen on your keyboard. save as pdfs so you don’t lose all your content.

    Have someone build a new site for you. You can contact local colleges for help.

    One question, who owns the domain?

    Good luck.

    1. London Lass*

      Agree on not saying anything to Fergus and backing up the content, but go beyond screenshots.

      I would copy-paste all content, and download where necessary. Particularly ensure that the Treasurer’s information and any other data is backed up, immediately. Get the Treasurer working on another platform or backing up regularly, so changes after that don’t get lost.

      Get a parallel new website created as soon as possible, without Fergus’s knowledge. Then have the conversation about needing to switch to a more sustainable platform. If he throws a fit about it, you then have your new site ready to go.

      You will also need a plan to communicate the new web address to your members, and to pre-empt any complaints that Fergus might take to them or your other stakeholders. If the membership’s personal data and contact details are maintained on the site, ensure you have those backed up in full, and a message ready to go out explaining the change.

      It might sound scary, but you can’t afford to not do this. Good luck!

      1. Carrie*

        Totally agreeing on doing this without telling Fergus. That’s the one part of Alison’s answer I disagree with: if Fergus volunteers to help, accept it. Fergus has shown he can’t be trusted, so he should be worked around.

        1. Thurley*

          I agree with this. I think Ferguson would only offer to help so he could protect “his” property and his power over you. You don’t need that.

          Also there are screenshot tools that will digitalize the text so it’s can be worked with it may be a terrible mess, but maybe you can work with it and save a little data entry.

          1. Common Taters on the Ax*

            I would do Microsoft Print to PDF rather than a screenshot. Also for data, Excel will scan PDFs to find tables and convert them to a spreadsheet (Data-Get Data-From File-From PDF).

            1. STAT!*

              Great info! I didn’t know that about Excel.

              I would suggest the OP does both the screenshotting, & the print to pdf. (Plus all the other excellent suggestions here.) In this situation, too much electronic info is barely enough.

              Also wondering how true it is that all your info really is inaccessible behind a Fergus-only wall. I wouldn’t be surprised if he has used normal industry programs for some things, eg the Treasurer’s information is actually stored in a SQL database. In that case, it should be easy to access once you get around Fergus. (How to do that? Maybe install a keystroke logger on his work computer to access his passwords?) Which segues into my next point: I agree with everyone saying to not involve Fergus at all. He will find some way to sabotage the process, & waste your time/ money.

              Finally, think about how to deal with Fergus causing you legal hassle. Who owns the software in the language he created? Who owns the data/ material created from using the language? If this is all written down somewhere, then great. Otherwise, this lack of clarity might be a way he causes you future aggravation.

        2. AnonInCanada*

          Agree 100%. If Fergus is holding the current website hostage, what would stop him from writing something in his proprietary script to sabotage the new one? Keep it away from Fergus, period. Also find the domain name registrar to your domain and change all usernames and passwords to keep Fergus out of it, if you can. If you can’t, you may need to transfer it to a new registrar. But do this sooner than later.

          1. Quill*

            Yeah, you do not give technical access to someone vindictive. You do not give technical access to someone you’re planning to work around, either! (The mere fact of “invented his own computer language” does not scream plays well with others to me… assuming this claim is true, given that no one else in the org has much tech background and Fergus’ behavior overall makes me think that it’s very possible he’s exaggerating his necessity to keep his position of power.)

            1. Rex Libris*

              I’m also wondering if “his own computer language” is just HTML5 or something, and he says that because he doesn’t want anyone else messing with it.

              1. Quill*

                Yeah, that’s a definite question. The fact that the organization 1) relied on a volunteer to make a website that is apparently more complicated than throwing a bunch of text and images and an email contact form on the internet, and 2) allowed them to do it in a “language they invented” tells me that Fergus knows nobody else in the org is tech savvy. I think he likes being king of the web castle and if he says that there’s any possibility anyone else would ever learn it, he knows he will eventually not have exclusive control.

              2. MigraineMonth*

                Yeah, I’m not saying it’s impossible to invent one’s own computer language, but that’s a heck of an undertaking for a website. I’m betting he just wrote some JavaScript libraries or something.

                Not that it matters. You’re almost certainly better off retaining the data but starting the website over from scratch. I don’t care how many cool widgets or animations you site has, your org will be in a better position with a bare-bones website and no Fergus

              3. Writer Claire*

                I had that same reaction. (Former web developer here.)

                The key things I would do are:
                * Capture all the screen shots (as others suggested)
                * Try to document the functionality of each page
                * And most critical, get a backup and design of the underlying database

            2. Roland*

              As a web programmer, that jumped out at me as well… Like, no he didn’t invent a new language and build a functional website with it lol. Doesn’t change Alison’s advice, something set up for a wide audience like wordpress is definitely the correct move. Fergus is almost certainly just trying to impress non-technical folks.

              1. Ampersand*

                Yep. Person who can’t be reigned in because they’re a volunteer and they’ve gone rogue? Makes sense. He invented his own language??! That’s new. Like is he coding in Klingon or what? It makes more sense that he’s more likely holding his website hostage by making everyone think he invented his own language.

                1. Former_Employee*

                  Thank you for “coding in Klingon”.

                  What’s next – sending notes in hieroglyphics?

          2. Paulina*

            Yes. Especially because this isn’t just the organization’s website — they’re running everything else through it too. Putting the financial database on the website so that the treasurer needs to access it that way is not just a website. Fergus has been allowed to take the entire organization hostage.

            Downloading all the data they need is job 1, then build a replacement for the operations that immediately need to be online. Find some money to hire someone to help if they have to. And don’t let Fergus near any of it ever again.

            1. Kyrielle*

              This. Also, having the financial database on the website/accessed via the website raises the question of whether hacking the website would also hack the financial database. Financial databases ideally belong on secured internal networks, accessible via the organization’s VPN if remote access is needed, rather than on the web. If it has to be on the web for some obscure reason, you want to be very very VERY sure that it’s got separate authentications and protections vs. what the website proper has, and ideally that the back-end files for it are encrypted.

              1. Observer*

                This. All of it.

                And it’s an additional reason to use standard tools.

                I’m also going to say that you guys need to find someone who can do a security assessment for you. If you can get someone to pay for it, fine. If not use organizational funds. This is not just “overhead”. It is core to your ability to continue functioning with the bare minimum of security.

              2. Seven hobbits are highly effective, people*

                If this is an all-volunteer org of the kind I’m familiar with, there probably isn’t an “internal network” to speak of or an organizational VPN.

                There are a *lot* of small non-profits that are nobody’s full time job, with a group of volunteers keeping everything from falling over. Treasurer may be an elected volunteer position, who is trying to deal with the org’s financials from their personal computer at home in a couple of hours here and there. Putting the financial info on a (hopefully secured) portion of the website would have been an accessible-to-others upgrade from the previous likely method, which (I’m guessing here, but I’m guessing from experience with this kind of org) was probably a spreadsheet on the treasurer’s PC, passed along from treasurer to treasurer each year after elections, and before that was probably a physical notebook of some kind.

                There is a real tension in this kind of org between keeping data secure and keeping data available if one person ghosts. There isn’t a perfect solution because orgs like this can’t afford the kind of infrastructure (and people to maintain it) to keep everything in a nicely-maintained (digital or physical) location with the kinds of tools, processes, and security features of a large corporation. Our org has a storage unit, a PO box, and a website, but no physical office space and no org-owned “internal network” beyond the website. We struggle to keep even that much maintained over the long haul, and people’s individual “rogue” backups have bailed us out several times over the many decades of the org’s existence. (These orgs are not the kind of “charity” non-profits you’re probably thinking of that solicit donations and spend them on providing services to non-members. These are more non-profit “clubs” of various kinds that put on some kind of events or performances and make enough money to hold their events by charging admission.)

                I’m also guessing that the “financial database” probably doesn’t contain anyone’s actual credit card info, because they probably use a third party payment processor (PayPal, Square, or similar) and don’t actually have that info themselves. They’re more likely to have a record of who paid for what when, linked to someone by name, email address and maybe mailing address. Not GREAT information to have hanging around on a badly-secured website, but nothing like what a larger org would be storing.

                (One of the strategies I’m trying to get my similarly volunteer-based org to embrace is to keep as little personal information about members as possible, because we can’t lose things in a data breach if we never had them in the first place. If you’re not trying to do complicated demographic marketing things (and we are not), you really don’t need to know a lot of personal information of the kind that would be a problem if stolen.)

                1. Observer*

                  They’re more likely to have a record of who paid for what when, linked to someone by name, email address and maybe mailing address.

                  That’s enough information to get the organization into major hot water.

                2. Ellie*

                  What’s the bet though that Fergus has no knowledge of security whatsoever and the whole thing is already ripe for a cyber attack? Take photos, copy the source code if you can, and take the whole thing to an independent professional to deal with, ASAP. Or one day it will blow up and take the whole company with it.

          3. Observer*

            Also find the domain name registrar to your domain and change all usernames and passwords to keep Fergus out of it, if you can.

            You generally can, although you may have to jump through some hoops.

          4. Ellie*

            Yep, the plan should be that Fergus doesn’t know what is happening until the new website goes up on Monday morning and he gets walked out of the building 10 minutes later.

            What psychopath invents their own language? And at work too! Fergus deserves no consideration. I bet the whole system is really simple anyway.

          1. DataSci*

            That claim is highly dubious. Someone who wrote their own language isn’t going to be working as a web developer. He may have done some customized CSS or something but more likely he’s straight up lying.

            1. Quill*

              He’s more a security risk because of the lying and exclusive access than because he has any technical know-how. If he lied about the language or his technical expertise years ago when he built the site, he’s likely already prepared to be belligerent in only moderately technical ways. For example, preemptively taking “his” site down by deleting page content, mass-emailing the donors an angry rant, that sort of thing. Maybe the org’s financial data is secure because he doesn’t have the technical know-how to do anything stereotypically movie-hacker, but LW is in for a fight to get rid of him regardless, and nobody’s very technical on their side. Cleaning up after him, even if there’s no security breach financially, is going to be a pain if it’s allowed to happen.

              1. MigraineMonth*

                I suspect @DataSci’s comment was referring Fergus’ claim he invented a language and wasn’t supposed to be a response to your comment.

            2. Observer*

              e may have done some customized CSS or something but more likely he’s straight up lying.

              That makes him a BIGGER risk, not a smaller one. Today any yo-yo who can do the most basic web stuff can do an enormous amount of damage if they choose. Malware as a service is a thing (bots for hire, crypo-jacking, etc.) and the costs are often low enough that someone with a grudge and a little bit of knowledge has a frightening ability to be hugely destructive.

            3. The Shenanigans*

              I mean what Quill said. He’s the single point of failure, and he’s vindictive. The amount of damage someone like that can do to an org is unreal.

          2. MigraineMonth*

            Agreed. First task is to revoke Fergus’ security clearance and back up the database.

        3. Artemesia*

          This. If Fergus ‘helps’ he is in a position to sabotage or control the new site and to maintain his roll of driving off volunteers. HE needs to be gone.

      2. Emmy Noether*

        Definitely back up as much as possible in every possible format before breathing a word to Fergus, and before starting work on the new site. There’s a good chance Fergus will sabotage the site if he gets wind of this.

        1. Betty*

          After the content is copied elsewhere, you’ll probably want to think about how to make sure the data, especially financial info and members’ personal information, is deleted from Fergus’s site. You probably don’t want him to continue having access to it.

          1. Emma*

            Yes. If you live in a place with data protection laws, brush up on them so you know what you can legally require Fergus to do, and what to do if he refuses.

            Also: I’d prioritise liberating the database first, if it’s business critical. In the worst case scenario someone may have to spend some boring hours manually copying information into the new database; don’t do anything to tip Fergus off until that’s done.

            1. Hannah Lee*

              Totally agree with these points.

              Get that database out of Fergus’ clutches as soon as possible, both so that the organization does not lose the data and so that he cannot sabotage it or delete it.

              Also be ready for emergency measures if his misuses any of the info … ie if he uses it to contact current donors with misinformation.

          2. MCMonkeyBean*

            I am confused about why the financial data is stored on the website at all??? I know it’s not enormously useful to harp on how unreasonable it is that they ever ended up with this setup in the first place, but moving forward I would imagine the best thing to do would be to set up an extremely basic website on an easy-to-access system like WordPress or Wix and keep any complicated things that other people would need to access like databases somewhere else entirely! Is there any reason the treasurer can’t just use Microsoft Access or Excel?

            1. MigraineMonth*

              I assumed the website was the front-end to view/add/update financial information that is actually stored in a database.

            2. Really?!*

              I don’t know where else to put this, but based on your comment.

              I once worked with Financial Analysts who did not know how to use Excel (let alone Access). How did I find out? I sent them file a list of names unalphabetized and other data associated with the names (mainly, so they could manipulate the data as they needed it). They asked that in the future I alphabetize the information before sending because they didn’t know how.

            3. She of Many Hats*

              They may have staff portals linked to the website especially if they use them to have remote access to organization servers. If you’re not tech savvy enough, it “feels” like the data from the servers is part of the website.

      3. Kayem*

        If they can access the computer or server it’s hosted on, then they really need to make a copy of the entire website and its backend database onto a separate computer or server (specifically, one where Fergus can’t muck with it or sabotage it). No matter how unique his code may or may not be, a skilled person can extract the data needed so the website can be recreated, whether in full or with diminished functionality.

        Though I wonder why they can’t get people to volunteer to make a new website? Is it because they’re expecting the person to work with Fergus? Because he’s made it pretty clear he won’t work with anyone. Or is it because it’s not the kind of work they can get done by volunteers? They may just have to accept that they need to hire outside help for the transition, even if post-transition maintenance can fall to other volunteers. The non-Fergus type of volunteers, of course.

        1. EngineeringFun*

          Yep chatGPT would be perfect to decipher this code. It’s got to be fairly similar to another language. They are all similar but different.

          1. Tea*

            Please don’t use chatGPT, especially if you’re handling sensitive data like the treasurer database. You’ll be giving all that data for the ML to use, without any way to take anything back.
            Besides, chatGPT is likely to interpret the code wrong. It’s a predictive generator, so any custom language would be a problem. And if you don’t have anyone skilled enough to check it, you may end up with something entirely unusable.

            1. Quill*

              Yeah, it works for “how do I code introductory function in Language?” because the answers are very predictable, scraped from across the web (and because usually you’re testing the code as you build it) but for data analysis? It is absolutely the wrong tool.

            2. coffee*

              Yeah, there’s that recent case with the lawyer who used ChatGP to write a legal brief and ChatGP just made up cases.

              1. STAT!*

                Thank you for that! Another thing I have not heard before! This is a VERY informative thread. Thanks everyone!

                While I’m here, I second everyone’s observations about the security of the Treasurer’s database being the most important thing (which indeed seems to be your perspective, OP!). If personal information is leaked from this, then depending on the jurisdiction, there may be more than reputational damage to deal with: there could also be legal headaches around breach of privacy.

          2. A Poster Has No Name*

            Yeah, you don’t need anyone or anything to decipher the code, just rebuild the thing. Keep any useful content, back up the database and start over.

            I can pretty much guarantee that a website written in “custom” code and maintained by one jerk is…not good and they can do better spinning up something on their own on a modern platform.

            1. MigraineMonth*

              If it’s been more than 2 years since it was created, I would recommend starting from scratch again even if it weren’t a nightmare of custom code. Web technologies have an extremely short half-life, and it’s easier to find a college student willing to create a site from scratch than a professional willing to wade into legacy code.

          3. Ally McBeal*

            OP said “the security and continuity of this database is, obviously, critical” … if there’s any private financial or otherwise sensitive information in the database, you MUST NOT use ChatGPT.

        2. Sloanicota*

          My guess is that it’s a more complicated website, since it’s apparently storing financial information. I have volunteered to make many easy out-of-the-box websites for nonprofits and small businesses just with Wix or WordPress, and it can take, like – an hour? particularly if you own the domain (if you’ve screwed up and let Fergus buy the domain on his own, that’s a bigger issue) – but you might need someone more experienced if you’ve got a customized site that does more complicated things. There are plugins for things like making reservations, offering subscriptions, sharing user comments, and hosting sales but perhaps this website does something unique.

        3. The Shenanigans*

          If nothing else, they can contract with a local college. My school had a list of companies willing to work around student schedules. Some local companies would also directly contact student clubs through the school with opportunities like this. Pay students the minimum wage, set up an internship, etc. This is exactly the kind of actual, real work experience college students need.

          1. Seven hobbits are highly effective, people*

            If this is an all-volunteer org, they may not be set up to properly hire employees and do things like pay into worker’s comp and issue W-2s. (My org has no employees – we pay a yearly retainer to our lawyer, but he’s not an employee, just outside counsel. Everyone else, including the person who files our taxes, is a volunteer.) They’d need to go with someone who already has a “fixing people’s websites” business of some kind who they could hire as a business instead unless they wanted to go through the hoops of getting payroll properly set up. (Plus, having the org’s only employee be an intern is a giant supervision mess.)

            As a non-profit they could, theoretically, offer an unpaid internship, but an org like the one I’m used to is also not a great place to learn professional norms and how the business world works so I’d hesitate to suggest they go that route. (Maybe a Boy Scout who needs an Eagle Scout project or a high school student who needs x number of volunteer hours to fulfill a requirement, but not something where the person doing it is supposed to be learning something about how workplaces function and getting experience for a future career.)

        4. Hosta*

          It would be sensible to make two copies of everything, one on a computer that isn’t connected to the internet and that Fergus can’t physically access. Just in case.

          1. Observer*


            It can sound paranoid, but it really, really is not. It is simple basic sense at this point.

        5. I Have RBF*


          I have knowledge of at least 15 computer languages, between macro, scripting and compiled languages, plus I am familiar with three generations of HTML. Someone like me could decipher a home built website given enough time and access. There are only so many ways to write conditional statements and loops, after all.

          Stuff in a database? Inform Fergus that regular backups to an outside location that the org chooses are required by auditors and insurance. Then get a DBA in there to extract the data into a new DB that is behind a VPN.

      4. Bagpuss*

        I agree with all of this including he part about not telling Fergus until after you have downloaded (or in a worst case scenario, screen-shotted) all of the essential information especially for the treasurer) That way, if Fergus is fine with it, you can then ask him to assist migrating information to the new site, if he isn’t you can get the new one up and running almost immediately and already have all the information needed, even if it requires some tedious data entry.

      5. Karo*

        It’s not infallible but the Way Back Machine ( is also a great resource. Plug in your specific URL and it’ll show every time your site has been crawled and what the page looked like at the time. You can get a sense of styling as well as all of the content from that date.

        1. WayBack tipster*

          Pro Tip: If you create an account with, you can request that they save specific pages. It is in your account under ‘My Web Archives’ and you can save a page today, check out the output now, and keep it around for when you need it. Don’t know if there is a limit, as I only do this rarely.

      6. Alton Brown's Evil Twin*


        The treasurer should also be going to your bank and requesting hardcopy dumps of the last 3 years of transactions, too. That will go a long way towards recreating their portion of the database.

        And don’t use your website for the treasurer’s job in the future. Quickbooks is cheap and will do everything you need.

        1. possibly the treasurer*

          Hi, I’m not 100% sure but I think I am the treasurer in #1. If so, I want to be clear that the database referred to does not contain detailed financial information beyond “so and so sent in a renewal payment on such and such a date.” All actual financial and accounting information lives with me (not in Quickbooks, but something like it). (And even Fergus agrees this is the way to go.)

          1. Properlike*

            Good news! Now transfer that data to off-the-shelf software so that others can easily take it over.

            Get all the financial data that Ferguson agrees is helpful, scrape up whatever else you can, and then announce a relaunching of the website once the domain is secured (either your original or a new one.)

          2. Chinookwind*

            I am president of a group like this and can attest to financial information on a central website probably being paid membership lists. I have dragged my group into a centralized email address (which also means e-transfers for membership fees for those who don’t have cheques) and storing a copy of our membership records on the cloud (think Dropbox) instead of on an Excel spreadsheet on one person’s computer which may lose access to if they die (which is what happened when I took over that list – that was a very awkward conversation with the widower).

            But, as electronically savvy as I am, I still insist that a hard copy list be written down somewhere so we can recreate it if the latest version has been corrupted. Is it a pain to have to look up if someone has paid in a notebook where it is entered chronologically and not alphabetically? Very much so. But it also means that the person in control of the electronic list can’t hold us hostage.

      7. Mockingjay*

        @Line lehmer: This is amazing advice, especially about building the new site secretly and pre-emptively backing up text and data.

      8. Observer*

        You will also need a plan to communicate the new web address to your members, and to pre-empt any complaints that Fergus might take to them or your other stakeholders. If the membership’s personal data and contact details are maintained on the site, ensure you have those backed up in full, and a message ready to go out explaining the change.

        It might sound scary, but you can’t afford to not do this. Good luck!

        This. X a million!

      9. Blackbeard*

        Yes to this, but don’t just do copy and paste. Run a web scraper to download ALL content of the website, and get a dump of the whole database; if you can’t get it as a file, print it on paper. That’ll be a pain in the ass to type it back, but at least you have your data.

        In the meantime, start building another website with this content. Definitely DO NOT ask Fergus for help, and don’t say anything to him!

        Another point: Fergus has probably made a website which is kind of a kludge, and for sure he hasn’t kept up with security recommendations and patches. This makes your site vulnerable to hackers. But you can use this to your advantage: consider having someone skilled hack the system, get access, and lock Fergus outside. No need to look for some hacker in the Dark Web; any junior professional with Infosec knowledge can fire up Metasploit and run a pentest against the server. That’s not illegal since you own the server.

        Based on what you wrote, looks like Fergus is the only person with some IT knowledge in your org, and he’s taking full advantage of it. Definitely bring aboard some computer professional and take back control.

      10. jojo*

        Programming falls under certain parameters so it can run. He is probably using cobalt or a prior computer language. Make two backups and hire a college kid to use one to decifer.. or find a retired computer geek. He only gets away with this bullying because he is the only programmer. Use another programmer against him.

      11. calonkat*

        Other people are also saying screenshot information, but London Lass has the better suggestion of copy-pasting the content into word or something. That way it can be redone in html much easier. I’d even suggest right clicking (windows) on the pages and saving them as full webpages if you have pictures and html only if you don’t. Or optionally, you can save the pictures themselves and “view source” and just copy the html. SOMEONE in your organization could take this on and have it done pretty quickly.

        You can look up the domain and see who is listed as the owner and probably get the provider (like godaddy) as well. If your organization is paying the bill (as you should be), you should be able to contact the company and have the access transferred immediately. If Fergus owns it outright and has been paying for it, then it’s probably his, but you once you’ve a new site, you can get all your logos and such removed from his.

        Websites are not magical, and he didn’t “write his own language” that’s somehow running on every browser perfectly. You can find a company to help you with all this or you obviously have had other volunteers who have a clue. It’s going to be painful for a while, but you all are in pain right now and there is a painfree existence out there.

    2. Goober*

      “One question, who owns the domain?”

      This is the tricky part, especially if it’s a public facing domain. (If it’s not, it’s just a matter of letting people know the new URL, and let Fergus play in his private sandbox forever, all by himself.)

      But there’s a process for recovering a domain name from a cybersquatter, especially if the non-profit is formally organized, i.e., registered as such. And make no mistake, the moment he does anything that he’s not supposed to with the web site (like deface it because you told him to take a hike), it’s cybersquatting . There are services that can facilitate this, and make it happen fairly quickly.

      As for the rest, I absolutely agree. Build the new site (or, better yet, hire a reputable service to do so in a standard package, like WordPress, so that nearly anyone can maintain it – they might even give you discounted rate if you’re a non-profit) without his knowledge.

      And for the record, he may claim he built it in a language only he knows, but it’s delivered in HTML, because that’s what web browsers know. Regardless of what’s in the back end. Any decent web scraping program can create a static copy of it, including pages that require a login (and again, there’s services that can help with that – probably including whoever you hire to build the replacement). That gives you *something* to put up while you straighten out the real replacement, if necessary, and should be able to recover the financial stuff.

      1. TechWorker*

        Yea to be honest I highly doubt that it is written in a *language* only Fergus knows – it might be absolutely terrible obfuscated code to the point no-one else can realistically know what it’s doing, but it’s vanishingly unlikely that he created a whole new language, even if that’s what he tells people…

        1. Timothy (TRiG)*

          Creating a custom CMS in a known language is more likely, but it’s certainly not impossible that he’s created his own language and interpreter/compiler. A surprisingly large number of people do, as a hobby.

          1. Lime green Pacer*

            Yup. My husband did that for fun & practice a few years ago. He also did it in the 1980s as a university computer science course for his degree in Comp Sci.

        2. Sandi*

          “it might be absolutely terrible obfuscated code to the point no-one else can realistically know what it’s doing”

          So… perl?

          I’m only joking, but my coworker loves perl yet can’t understand what his own code does.

          1. Sola Lingua Bona Lingua Mortua Est*

            I’m only joking, but my coworker loves perl yet can’t understand what his own code does.

            I wrote Perl off when the manual introduction I was given to learn it stated “only Perl can parse Perl.” Farewell, troubleshooting…

          2. I Have RBF*

            Okay, I gotta wade in here, as a long time Perl coder.

            Perl is a handy, powerful language for web stuff. Its regex libraries are extremely powerful. It’s also a very flexible language, and that’s where most people get tripped up. You see, it’s a great temptation to write very tight, cryptic code in Perl, without comments or anything. This is a very bad idea. What I do is write a bit more pedantic code, avoid shortcuts, and comment heavily anything that is ‘clever’ or non-obvious.

            If you don’t comment your own code, in most languages, you may not understand what you were doing when you come back to it six months later. With Perl, make it one month.

            Many older websites are written in Perl generated HTML with a MySQL backend. The other prominent language for web work is PHP, which is similar to Perl.

            But Fergus is being ridiculous.

        3. Sola Lingua Bona Lingua Mortua Est*

          [I]t might be absolutely terrible obfuscated code to the point no-one else can realistically know what it’s doing[.]

          From my professional experiences, it’s almost always this. “Engineered Job Security” is absolutely a thing, even if I’ve seen it hang its author more often than help them.

          On the bright side, my supervisor tells me he can hand such messes off to ChatGPT and get back something scrutable. I can’t vouch for it myself (Google Bard… not quite yet), but there are tools and professionals out there that can help even if it is that bad and the need is great enough.

          1. Paulina*

            Engineered Job Security is a thing. So is someone deciding to turn a system into their own private project, however. My guess is that there’s some custom stuff but not nearly as much as he likes to get people to think; the attitude is to protect the stuff he put together because he considers it his private project and achievement.

            1. Artemesia*

              I knew the organization I was consulting with had been had by their Fergus when I talked with him about cross training and he said ‘you can’t expect these admins to be able to understand boolean algebra (and in fact the rest of the staff had talked about how the data system was too complex for them to understand and only Fergus KNEW). I just looked him in the eye and said ‘you mean ‘and’ and ‘or’? I think they can handle that.’ Some of these guys built ridiculous but functional systems way back then and of course guard the gate. But there are so many web build softwares that are easy to use, that it is now not way back then.

          2. MigraineMonth*

            As a computer programmer, I am baffled that anyone has to go out of their way to make their code difficult to read.

            Most code is written like a stream-of-consciousness pre-rough-draft of an essay; it takes real discipline to always go back and restructure it into an intelligible essay with topic sentences and paragraph breaks, and to do that every time you need to make changes.

      2. Emmy Noether*

        Ah, I was also wondering if one can even write a website in anything other than html. I’m wondering though if there’s some sort of database (with donor info?) that is accessed via the site, and it’s the database, not the site itself, that uses Fergus’ special language.

        1. Kayem*

          It’s likely the database. I’ve seen some real bananas legacy coding that is running key systems in several organizations. Someone hired someone umpteen years ago and every new iteration of the website is still built on the same arcane backend.

          Though from the sounds of Fergus, I wouldn’t put it past him to go out of his way to obfuscate the system so people think it’s his special secret code sauce when it’s something more mundane.

          1. Other Alice*

            I’ve done some database archeology to understand and replicate some stored procedures that had been created twenty years ago and had been running daily and were mission critical, and nobody understood any more. It’s a pain in the ass. It can be done. The sooner you start, the sooner you get rid of Fergus.

            1. Seeking Second Childhood*

              Because one thing is sure, a custom system doesn’t get easier to understand by waiting. .. and it gets riskier every time there’s an OS update. (RIP the databases in Lotus Notes lost when there was no conversion funding with switch to Outlook)

        2. Peanut Hamper*

          Yeah, you can. This website for instance, is PHP based. PHP on the server generates HTML when a page request is made, and that HTML gets sent to your browser.

          So yep. Browsers only understand HTML. Servers can do pretty much anything, as long as they generate valid (or at least semi-valid) HTML.

        3. Roland*

          Well, the stuff people write to create a website is rarely plain html even for the simplest site. You’re almost certainly writing javascript or maybe php for the code running in users’ web browsers, and any language you can dream of for the server, which is where the website really lives, as it were. HTML describes what gets shown to the user, but there’s very little it can do beyond showing static content and simple forms. You have to use programming languages for that.

      3. Liisa*

        Yeah, agreed. I think what happened is probably Fergus *told* everyone that stuff is written in his own language that only he knows, relying on the fact that, to any sufficiently non-technical people, that will sound plausible and/or tech-jargony enough that nobody will question it. But realistically, while it is technically *possible* that Fergus wrote his own language and compiler, more likely than not he’s using an existing language – possible old or obscure or very poorly written, but still something that someone else could reasonably know.

        1. AmberFox*

          Yep. This. And even if somehow this guy wrote his own language… programming languages have rules. Even if you don’t know what the heck the language is, a decent programmer should be able to get in there and figure out enough basics to find where things are stored and go retrieve them.

          That said, if I had to guess? I would be willing to bet that either this guy is using something like functional programming that’s deliberately hard to read, or he’s convinced himself that when he adds these specific libraries he wrote to every program, it’s a Real Programming Language and not just, like, Java with bits added on. And he’s probably got the database saved as some weird format that can easily be renamed to a zip or csv and read that way.

          1. MigraineMonth*

            “JavaScript with bits added on” is a great description for Web Application Frameworks.

        2. Artemesia*

          This. My elderly mother was so buffaloed by her computer and talked about how when she had a problem her neighbor had come and ‘programmed it’ for her. Lots of people think it is all much more complicated than it is.

      4. The Cosmic Avenger*

        Yep, I remember back in the 90s when I first learned what a URI was, and how to build queries to get data that wasn’t otherwise available. But I doubt it’ll be that easy.

        I’m biased, and I know WordPress is easier for non-developers to administer than Drupal, but if they have a database they need to manage as part of the website, Drupal is the most flexible. But they might need to pay someone to script the data migration and set up the new site, as those aren’t things people are likely to just dabble in. I think their first step is to ask a decent web dev to simply look at the public website and evaluate the level of effort to scrape the data and set up a new site, that should only take a handful of hours, if that.

      5. Serapheena*

        I honestly think Fergus is just telling people it’s in a language he developed just to try to cement himself over as The Website Overlord even more.

        1. Quill*

          This. I doubt, as an unpaid volunteer, he is preemptively keeping up with all browser updates to make sure the site stays usable. I’ve seen some wild, web-based database setups (Including one that had to emulate Internet Explorer from 2004 to run… that had been sold to the company I was working for in 2012. Explaining to my boss what a business necessity it was to get a new one when “they only bought it 8 years ago” was fun.) but if it’s still functional on all major browsers and mobile, Fergus is probably greatly exaggerating his unique additions.

          1. Chirpy*

            Yeah, my work used to use such an ancient database that it had to run off an early 2000s version of Windows and their thoughts were “it’s too old to hack”…. around 2017 they were told it had to be replaced asap if they didn’t want to have the whole system crash…

      6. Colette*

        Yeah, he didn’t invent HTML, and I’d be willing to bet the database is a standard database as well. Maybe he has something custom between them … but maybe that’s just what he said.

      7. ariel*

        Agree that the domain is important! Make sure the org owns it and can retain it (whatever passwords and billing needs to be taken care of). Also, databases shouldn’t live solely online under 1 person’s care, you’re right! I would recommend something like Wild Apricot, if your org can afford it. It’s expensive and sometimes a pain, but if you are managing members, it’s straightforward and the member info can be downloaded in spreadsheets if you want to move on from that company eventually.

    3. Tiger Snake*

      And this is why everyone needs a plan for offboarding off any IT system they get. Things get old, better options come out, and vendors can get mean when they think they have you in a choke hold.

    4. Dragon_Dreamer*

      And get backups of all the financial data! That’s why you should always keep hardcopies in addition to digital ones, of any data that is truly irreplaceable.

      1. Delta Delta*

        The part about the financial data all being in this website makes me deeply uncomfortable. May need also to open new bank accounts before it becomes public knowledge that there’s a new website.

    5. NerdyKris*

      I think it’s highly unlikely that Fergus has created a whole new language that’s indecipherable to anyone else. It doesn’t make any sense, and it’s far more likely that he’s just using normal Java or HTML with weird naming conventions to obscure it.

      I would bet good money that if you had an actual programmer with experience look at the site, they’d be able to figure it out without Fergus.

      1. Peanut Hamper*

        For clarity, that’s JavaScript, which is a client-side programming language specifically for the web. (Although it can be baked into a pdf file, as well.)

        Java (no ‘Script’) is something completely different.

        1. MigraineMonth*

          Java is a lovely object-oriented programming language with consistent internal logic that is easy to port across different operating systems (e.g. from Microsoft to Apple).

          JavaScript is an awful scripting language with only a superficial resemblance to Java. JavaScript was written in 10 days, it is riddled with odd behavior and traps, and it is the foundation of the entire internet. *sigh*

          1. Sola Lingua Bona Lingua Mortua Est*

            Yea, coming from C, that’s a generous description of Java.

            Java is very much “write once, debug forever” when it comes to platform independence.

      2. Drag0nfly*

        Yep, any random web dev wouldn’t even have to come to the company. I often just use Chrome’s developer tools (it’s an extension to their browser) to inspect the codes of various websites if I see something cool. Or sometimes to just fix annoying formatting, like those horrible sites where the text goes all the way across the screen instead of using a reasonable line length. Sometimes the line heights may be too tight, or the font too small, and I will just do an on-spot fix so I can comfortably read the info I came to the site to get.

        Any person familiar with basic web development (HTML & CSS, plus JavaScript) can at least look at the code, and in five minutes or less know that Fergus is full of crap.

      3. Observer*

        I would bet good money that if you had an actual programmer with experience look at the site, they’d be able to figure it out without Fergus.

        Not necessarily. All the comments about “write only language” are relevant here. The point is that some “standard” languages are extremely hard to decode for all sorts of reasons. When you add in someone who *wants* their code to be hard to understand and *maybe* one of two custom pieces, it may not really be feasible to figure out what he is doing.

        I also think that it doesn’t matter. The OP is better off just pulling the data and redoing teh site from scratch.

    6. LW1*

      I have no idea who owns our domain. Another commenter noted that that’s something our treasurer should know so I’ll be emailing them later. Someone else mentioned cyber squatting and “hope for the best, plan for the worst:” I am absolutely planning on things to not go well with Fergus. Going to keep that note in the back of my mind.

      1. StarTrek Nutcase*

        Good luck, and reality is it will never be easier to switch programs. Every delay only adds to the hassle: in labor and cost of doing so.

        I worked where a client database program was built 20+ yrs ago and all that info still needed accessed for additions, changes and reports. The guy who wrote it was gone after year 5. But bosses kept putting off switching to a commercial program which offered frequent updating because of whining by some users and the initial cost in $$ and labor. SO, now the contents were 3-4 times what it has been, so costs, especially labor, were be exponentially more. Sure enough the program just completely failed one day unexpectedly and it was a horrendous mess.

        So moral is do it now as soon as you possibly can. Yes there will be problems, hassles, and complaints – but less than another year from now.

      2. Libellulebelle*

        I was on a nonprofit board a few years ago that had recently transitioned to a new web platform. There are various prepackaged platforms that are pretty user-friendly and have some database functionality that may better meet your needs compared with a really basic one like WordPress. The one we used was called Wild Apricot, but I’m sure there are others.

        1. WantonSeedStitch*

          This! Wild Apricot is very common for nonprofits. I also used to use it as a member of a nonprofit board, and for someone like me with NO web design skills whatsoever, it was not difficult to use. Lots of functionality for stuff like membership management, too.

          1. Delores Van Cartier*

            I used wild apricot for a society of non-profit professionals. It was super easy to set up for membership management (accepting payments, reminders of when a membership was about to renew, meeting announcements, etc.). The website builder is pretty similar to any drag-and-drop builder.

            On a side note, this may also be an opportunity to review your organization’s policies around volunteers and your volunteer standards and responsibility agreement. Volunteers can always go rogue, but it is helpful when you can review expectations from the start, so if any issue arises, you’ll have something for backup.

            1. ariel*

              Such a good point about volunteer management. Opportunity for a board retreat and commitment to some new visions/goals…. like a database that’s accessible to all.

        2. CheerfulGinger*

          I volunteer with a similar type of all volunteer non-profit. We use StarChapter, very similar to Wild Apricot. No tech skills needed! There are solutions out there to solve this very problem.

      3. Pastor Petty Labelle*

        Also when you get the new website set up — and have control of the domain name — tell Fergus his services are no longer needed. He is a volunteer, you don’t have to keep letting him volunteer. But make sure you control that domain first.

      4. Two Dog Night*

        Regarding the treasurer: I’d say step 1 should be getting all their info into standard software packages–Quickbooks for financials, and a donor database to keep track of donations (if applicable). It’s going to cost some money, but not that much, and you really need to make sure all that is somewhere far away from Fergus. I hope you can somehow pull the existing data out of Fergus’s system without his help.

        I really wish I could help you with this… I’ve helped put together websites for non-profits, and I’ve served as treasurer for a couple, and I’m dying to get in there and figure it out. Good luck!

      5. Aphrodite*

        I am a non-tech person so I am staying out of most of this discussion but I wanted to point out that someone above mentioned that if the email system is controlled or managed or handled by Fergus, find another way to communicate. Maybe an off-site in-person meeting with the treasurer?

    7. rebelwithmouseyhair*

      Yes, and keep Fergus well out of it all. Alison suggests letting him help but I think he needs to be got rid of entirely. He’d have been sacked long ago if you’d been paid staff. He’s not only an information hoarder, he’s unpleasant. The people he drove off could have made great contributions!

    8. Seeking Second Childhood*

      OP1 If this seems like an overreaction consider:

      Can Fergus respond to a tax audit or other legally binding request for information?

      Has Fergus tested cybersecurity or might you be inadvertently displaying donor info to anyone who does a “view source code”?

      What happens if Fergus stops volunteering? Gets laid off from his day job & decides he should be hired for future maintenance? or bluntly dies?

      Fergus’s system gets hacked and your donor info is stolen.

      1. Seeking Second Childhood*

        oops, last paragraph fixed:

        If Fergus’s system gets hacked and your donor info is stolen, they may be unwilling to donate again ever.

      2. Properlike*

        All this. I was waiting for someone to ask.

        If you’re a registered nonprofit (I assume you are, since you sound like you have a board and a treasurer who needs access) then there are legal requirements for documentation of finances, of minutes, of… everything.

        A lack of those can do a lot of damage to your nonprofit. I hope you have insurance to protect your board in case donor information does get hacked… or simply because it’s a good idea!

        The point is, you should probably hire an attorney who works with nonprofits, to get you up to speed. That person can do an audit. Fergus may be a bully, but the attorney can outline the penalties for screwing around with financial data, cybersquatting, harassment, etc etc (if it should come to that – not up front, but later.) Even paying an accountant to audit would help officially bridge this problem, as they can tell you what you need to have and make formal requests to get it off the Fergus website. (Is it a website? Or is it a separate database?)

        If you’re chapter of a parent organization, then they can also help out, and in fact should have accountants and attorneys on retainer who do the work for chapters.

        Do not tell Fergus. If you have to lie to him, it’s “we’re professionalizing the board.” Externalize the requests. And then, the moment you have what you need, have that attorney send him a letter saying his services are no longer needed, the entire website needs to be deleted, penalties for not doing so are xyz.

        And never let one person hold your organization hostage ever again.

        1. Golden Raven*

          Amen to all that, especially to the last sentence!

          Make a promise to yourself and your organization to never again let any one person become so “important” that you feel you have no choice but to put up with his “abusive bully(ing)”. Remember Alison’s “hit by a bus” scenario; what happens if that person is incapacitated / leaves the organization – will your whole agency implode for lack of one person’s skills?

          Seriously, LW1: never again become so beholden to any one person that you feel that you MUST retain them, however outrageous their behavior. That way lies members and staff quitting in droves (and in disgust) because they’re tired of that person’s abusive bullying. And that goes double (at least!) for an organization relying on volunteers – they’re not even bound to their jobs by a paycheck. Learn from this experience and vow never to let this nightmare happen again.

      3. M*

        > What happens if Fergus stops volunteering? Gets laid off from his day job & decides he should be hired for future maintenance? or bluntly dies?

        To emphasise here – I volunteered with a non-profit for a number of years that had a Fergus, with the added problem that their Fergus was *lovely*. I say “added problem”, because it meant they had absolutely no urgency in fixing the fact that their website – which was central to the delivery of their programs, and needed to do several relatively complicated things – had been hacked together as a hobby project and had no backend documentation.

        Their Fergus graduated uni, got a full-time job, and closed out his volunteering. Two weeks later the website fell over, in the middle of a key period. They spent six months doing quite a lot of very high-intensity data entry tasks by a combination of email and manual entry while a professional rebuilt it from scratch because no-one except Fergus could work out what had gone wrong.

        Unique custom sites are for companies with teams of web developers on staff, not non-profits whose primary work isn’t web design. Get a suite of professional tools that it’s someone *else’s* job to debug, plugged into WordPress if they need to be web-accessible, set up ASAP. In your case, your Fergus is not lovely, and your treasurer is apparently reliant on a database he’s got complete possession of. Treat it as a crisis before it becomes one.

    9. Reality.Bites*

      I think that there’s a big chance Fergus has remote access and will sabotage things. I think someone needs to be brought in to remove his access and he needs to be “fired.” He needs to not be given any prior warning he no longer has this position.

      1. Pastor Petty Labelle*

        YES. Make sure that Fergus has NO access to the domain, the website or anything else. Have someone do this WHILE he is being told he is being let go. After the conversation is too late.

      2. Hosta*

        If there is any thought, no matter how passing, that Fergus might engage in some sabotage, the site might need to be built again from the ground up, just to make sure there’s not a back door he could use to get back in after he’s removed. I’d also be wary of keyloggers on any computer he’s had access to

        1. Observer*

          I agree with you completely – with one caveat. There is not “if”. Based on what the OP says, the idea of sabotage is one that they need to take seriously, not just in passing.

      1. Frank Doyle*

        Agreed. View Source and save the html (as much as is visible), don’t just screenshot the website.

        Hire someone who knows what they’re doing! Stop relying solely on volunteers. You can have volunteers keep it updated, but for this you need a professional.

        1. Jackalope*

          This is key! Given the circumstances you 100% need to pay someone who knows what they’re doing to fix this, even if you can’t keep paying them. At the very least you can have them come in and get everything straightened out, and then find someone who isn’t Fergus to keep it going after that. But you will need to pay someone to make sure you get the skills needed.

    10. Cat's Paw for Cats*

      Adding my voice to the Don’t Tell Fergus crowd. Arrange to have all the important information preserved in some way to protect it, then arrange a new platform and plan for moving the info over and only then inform Fergus. And when the dust settles, get rid of the toxic waste dump that is Fergus.

    11. Miette*

      I agree that doing this (or getting most of the way there) without Fergus is the way to go.

      And the domain ownership needs to be sorted asap, because Fergus can redirect it anywhere he wants whenever he wants and you will be screwed.

      As recommended upthread, copy-paste page content in addition to the screenshots (for the design), and also download whatever documents are posted (like PDFs) and images so you won’t have to recreate them later.

      1. M*

        A web developer will be able to grab the page source, and specific files like JavaScript and image assets using the dev tools (if they don’t have access to the backend, which would be easier).

        I really hope that OP gets in touch with a real developer. I want to see this monstrosity myself, tbh.

    12. SadieMae*

      Yes, this. Fergus seems super likely to just delete the current website in a fit of pique. And/or to do something like using a client database to send out a mass email that could damage the agency’s credibility and lose more clients.

      Get all the info off the site however you can, then lock Fergus out of the old site, *then* tell him. (If you aren’t sure you can lock him out – if you think he might have built a back door in for this very reason – just download the info, secretly set up the new site (with no access point for Fergus, obviously), then shut the old site down completely. Don’t tell Fergus until all these steps have been taken.)

      It’s tempting for reasonable people to go easy on a Fergus because we project onto him our own reasonable mindset. Like, “‘Of course he won’t ‘burn it all down,’ that would be crazy!” But Fergus has already shown himself to be unreasonable and even vindictive. We also often hesitate to take direct and strict action because we don’t want to hurt our Fergus’s feelings, but there again, it’s not unreasonable for you to take actions to improve and protect your own agency’s website – and Fergus, by making that impossible, is the one who’s making it weird.

    13. RagingADHD*

      Screenshots for formatting /design maybe. But any actual data that can be worked with (as the Treasurer does) can be exported or copied.

    14. Just an observer*

      LW1, it sounds like what he is doing is illegal. I would take steps, as others suggested, to start a new website without his knowledge. But also consult with an attorney in case he retaliates or tries to sabotage.

    15. Glad I don't work there*

      Some of this is mentioned here and there in these comments, but it should be clear:
      –Someone with computer and security experience needs to look at the system before taking major steps, but very soon. A professional consultant, perhaps a local college professor, etc., could help make a plan or do the actual work.
      –A computer system may comprise segments that are not web-related, for example external processing programs, IRS reports, and the like. These certainly could be created in any language, even those not integrated with HTML, etc. Incidentally, personal or highly modified languages are not that rare. Furthermore, someone like this is capable of putting jokers or “job security” into the code, such as “If Fergus has not signed-in in 30 days, start making Swiss cheese of the data.”
      –A lawyer needs to be consulted immediately. Perhaps if this rogue programmer knew of consequences such as arrest or even jail for creating damage or blocking business, he might not cause too much trouble, or use back doors and secret codes to “blow up” the system after he is gone.

    16. learnedthehardway*

      The Treasurer could also set up a parallel system – like QuickBooks or something like that – and transfer the information over for a couple of months. That way, they could get all the information out and into a useable format, without alerting Fergus.

      Then you get an external service provider to build and host a website for the organization. Screenshots can capture all the content.

      Personally, I wouldn’t tell Fergus that the website is being created by a service provider until you are well down the path and have all the website information captured. I also would not involve him in the process – he’s a bully, has held the organization hostage with his complete control of the existing website, he’s caused attrition in the organization – you don’t owe him the courtesy, and you should be getting him out of the organization entirely, and keeping him from taking any ownership/control of the new website. He WILL torpedo the process, if he is given a chance.

      1. TootsNYC*

        the treasurer’s information is going to be the hardest part.
        And any database containing donor info, etc.

        But also look into this: Where did the data in the database come from? Bank statement, etc.? Is that info available in its original form anywhere? (Bank statements probably will be)

        If it’s something like donor databases, get Fergus to generate some printouts for crosschecking, etc., and then you’ve got the info in hard-copy form.

        And ponder whether it would really be all that horrible if you lost the info that’s in there.

    17. Artemesia*

      I am an old lady and have my own travel blog web site. There are easily used web site building programs that anyone can use. For an organization web site you might want to hire it done and get something better BUT in the meantime, screen shot current site to capture the information and then create a new one using something like wordpress that includes the information you need and disseminate the link. Ask Fergus to take down his site or get advice on how to remove it as a rep of your organization.

      Don’t discuss it; just do it.

      I once consulted with an office that was similarly hostage to someone who had invented a cumbersome data management system and had everyone intimidated. It was surprisingly easy once he was gone to install a new system everyone could use.

    18. The Gollux, Not a Mere Device*

      Also, note that “who owns the domain?” and “who controls the domain?” may have different answers.

      I just saw an article about US military email messages being misdirected, because people were typing “$” instead of “$” .ml is the top-level domain for Mali.

      They had hired someone to run the domain for them, on a ten-year contract. So, for ten years “who owns the .ml domain?” was “Mali” but “who controls it?” was this guy in Europe. (Yes, one person.) He says he can’t get the US military to pay attention to the problem.

      That ten-year contract is now expiring and not being renewed, so the answer to “who controls the .ml domain?” is likely to be “someone in a government that is allied with Russia” even if Mali doesn’t decide it makes sense to ask a Russian company to handle it for them.

    19. M*

      Whatever language he is using, it is compiling to HTML and JavaScript like every other website, because that is what browsers understand. Personally, as a web developer myself, I wouldn’t bother with keeping any of it, it won’t be worth the effort to fix. But I would be able to salvage a significant amount if necessary.

      Liberate the database, you need your data. The rest I’m sure can be redone, and redoing it will probably improve it. I’d go the route of backups. Convince him that someone, maybe your accountant, wants a backup for legal reasons. Get that and then get him out of there, do not allow him to work with whoever comes in to fix things.

      1. TootsNYC*

        so if they got a backup, could they hand that backup to someone who could extract info, etc.?

    20. Elizabeth West*

      This, and make sure all the treasurer data is backed up somewhere Fergus can’t get to it.

    21. TootsNYC*

      the database is the tricky part, because that info is often not visible on the website itself.

      And it may well have important vendor information.

      the other pages are really not difficult to reproduce.
      But the contents of the database might be.

      1. TootsNYC*

        donor information, not vendor.

        Vendors are easily recreated from scratch; donor lists might not be.
        (though they might be found elsewhere, like in a file that was used to print labels, etc.)

    22. Ransomware Alert*

      Not sure if anyone else has flagged this, but there’s a 0% chance your proprietary-language website has adequate cybersecurity controls implemented. It would be one thing if it was just web pages, but why is your treasurer’s database involved in the website at all?? Get it off of there ASAP.

    23. Hillia*

      That’s what I was thinking. Make sure the domain registration is under your control and Fergus is not an administrator, as well as the actual website host company (unless it’s hosted on your own server). If there are financial or other records stored in the website, are there existing reports you could run that would give you all of your data in case Fergus deletes it all (and it’s a 99.99999% probability that he will)? If you at least have the data, you can either run a tedious project to manually enter it all into the new system, or if you have someone who understands data transfer, possibly convert the reports into a file that can be loaded all at once.

      Fergus will absolutely destroy everything he can as soon as he figures out what’s up, so you have to be way ahead of him.

    24. Thin Mints didn't make me thin*

      I use a program called SiteSucker to copy all the files for a site quickly.

      I am not a pro Web developer, but I build WordPress sites for freelance clients from time to time. I did one for my cousin’s HOA in two hours the other night. If all you want is a copy of an existing site, it should take very little time to set up.

      If Fergus owns the domain, you can set it up on a new domain quickly while you work with him to transfer ownership to the organization. If the organization owns the domain, you can just point the nameservers to a new site.

    25. Rainy*

      Yeah, this needs to be done without giving him warning, and run some kind of report with all the financial data. Will it suck to re-enter everything by hand? Yes, it will, but it will suck less than continuing to deal with Fergus.

      1. WestsideStory*

        What I’m not seeing in these comments – and what I’d like to suggest – is after screenshooting or otherwise collecting all the data on the website pages – is simply disable/turn off the website. Can the site “go down” for a week or two without damaging the organization’s operations?
        It’s true you need control of the domain to do this, but the benefit is stopping Fergus quickly, without having to build up a new site while fearfully wondering if he will get wind of it.
        I’ve run a few small sites for various entities and have done such a pause “for maintenance” when switching platforms. But I am curious how the obvious professionals commenting here might feel about taking a hard stop.

    26. OhNoYouDidn't*

      I was going to say the same thing. Also, download any pertinent info you might need to retain. For example, I think the OP said something about doner info? Download all that first. But for heaven’s sake, DON’T include him in the process or he may sabotage it.

    27. NotAnotherManager!*

      Rather than take screenshots (or in addition to), I would try to capture the content in a hypertext format. There are a few options for preservation that are more useful than pictures/full recoding:

      There is a tool called HTTP Track that will download full websites, though there can be limited ability to pull apps/code and Flash content (which hopefully no one has anymore).

      You can also use full versions of PDF creators like Acrobat Pro to capture websites and recurse through links/sub-pages in the advanced settings. You go to File > Create > From Webpage.

      As others have noted, has some options so that you can avoid full loss, if Fergus goes nuclear and takes you offline completely.

    28. SongbirdT*

      LW1, once you’ve done all of the above do a quick Google search for alternatives. For example…

      There are tools out there that were initially built for SALES teams, but work for tons of use cases without having to FORCE anything. They have a database and website building capabilities on the same platform, so you don’t have to mess with integrations – all friendly to non-developers. Some also offer free options for NON-PROFITs. You’ll probably have a lot of SUCCESS with those tools once you send Fergus PACKing.

      good luck!

    29. Anne Wentworth*

      Came here to say the same thing. DONT.TELL.FERGUS.

      LW#1 needs to _hire_ a company to build a replacement for the website and the database behind Fergus’s back AND figure out Fergus’s set-up without his knowledge. When and only when their data and resources have been safely duplicated/backed up/secured, domain access changed, and all of Fergus’s accounts deactivated, then you tell Fergus that his services are no longer needed.

    30. Love to WFH*

      Excellent question about who owns the domain! I’ve handed over my credit card info to a nonprofit to pay for the domain hosting, though the volunteer who did the transaction used a the non-profit’s email address.

  3. Past Lurker*

    I thought the question was if you can get fired the first time, like if you call your boss Jenny instead of Jennifer one time and they fire you for it.

    1. Kubble*

      You can get fired for calling your boss Jenny if she goes by Jenny. That’s at will employment.

      1. Well...*

        I think the answer here was less “is it legal” and more “is it okay.” I would say in many workplaces, firing someone for calling Jenny Jenny would be seen as pretty unprofessional.

        Not the case for calling Jennifer Jenny after she repeatedly asked you not to.

        I’d say doing it once would also fall into the category of an absurd but legal reason to fire someone. People sometimes try out shorter names because they think they heard someone else do it. I’ve been guilty of it before, and it can be an honest mistake.

        1. Observer*

          We’re doing a lot of speculating, so I don’t want to be too definitive. But the thing is that you can’t really say that someone is “shortening” Bill by using Billy. And going to “Billy the Kid”, which is the second example the OP gave is absolutely not about a shorter or easier way to say the name. So the question here is what is going on and why is the OP (or the person the OP is talking about) set on doing this?

          I could obviously be wrong, but this has a very strong feel of someone who is trying to feel out just how far up to the line of disrespect they can go to without getting into trouble and also someone with a history.

          If I’m right about that, then it wouldn’t actually be absurd.

    2. Buzzybeeworld*

      In the US in 49 out of 50 states (and sometimes in the 50th ) you can be fired for any reason or no reason (except for very specific exceptions like being fired because of membership in a protected class such as race, sex, religion, national origin).

      You absolutely can be fired the first time you call your boss a nickname. You can be fired the 100th time even without a warning. Your boss can tell you she loves you calling her that nickname and still fire you over it.

      1. Lab lady*

        Seconding this. There’s a good chance in the US that your boss can fire you for any reason or no reason at all.

        As a secondary issue…. its a dick move to try to rename someone. Call people what they ask to be called. This goes for your team, your colleagues, and your boss.

        1. Chocolate Teapot*

          There have questions about nicknames on here before. I remember one where a new employee had the same name as the person who was writing in and wanted to know if it was alright to ask the new employee to choose a nickname.

          1. Falling Diphthong*

            That was fascinating, given how many offices function fine with “Mike,” “New Mike,” “Accounting Mike,” “Mike by the Printer,” and “Mike Who Does Janet’s Old Job.”

              1. Gyne*

                I picture it as more like descriptors, like you wouldn’t call Mike Who Does Janet’s Old Job that directly, you’d call him Mike, but if your new colleague wanted to know where to send their receipts for the lunches they expensed while training, you’d tell them Accounting Mike.

                1. Oysters and Gender Freedoms*

                  Or, for that matter, if someone wanted to know who would shoe their horse, you’d tell them John Smith, while the guy who could fix their roof would be John Thatcher.

                2. TootsNYC*

                  we had two Kathy/Cathy’s on our yearbook staff. If you tried to describe them, you’d say “with glasses” (oops, both…), “long brown hair” (oops…). You could have said skinny/chubby, but that was rude, and no one would do that.

                  So we said, “the Cathy that brought the popcorn,” and then “popcorn Cathy,” and then just “Popcorn.” It evolved.

                  The other Kathy had a last name with an unusual syllable (Stubblefield, eg), so she became “Kathy Field,” and then just “Field.”

                3. Avery*

                  I went through something similar to TootsNYC in my high school literary magazine staff. Back before I transitioned and changed my name, I had a very common girl’s name, and it happened that there was another girl who was part of the literary magazine staff with the same first name. And the same initial for the last name. And we both had long-ish brown hair, and glasses…
                  We ended up being “deadname Junior” and “deadname Senior” because the other one was a couple years older than I was.

              2. Falling Diphthong*

                I think of it more akin to how our cell phones have recreated the early days of surnames. So in olden times you had Mike Smith, Mike Ford, and Mike Newhouse. Now we have Mike Painter, Mike Next Door, and Mike Softball.

                All of these people you call Mike to their face, and by the extended identifier when talking to other people or trying to find them in your cell phone contacts.

                1. Quill*

                  My favorite is old friends who still have the first class I shared with them or their dorm room number in my contacts. No, Anne Jones Philosophy 101, Anne Smith Ourdorm 230, I definitely know the difference between you. Now, at least.

            1. Quill*

              I know of a person who was known, (though not to coworkers, to an extended family) as Human John.

              John the dog had been around longer, after all.

              1. AnonORama*

                LOL! My parents have two neighbors named Leroy — one’s a man, and one’s a golden retriever. They call them Leroy and Puppy Leroy, but same idea.

            2. whingedrinking*

              There was a time in my life where on a regular basis I was interacting with/referring to Actor Dan, Stage Manager Dan, Teacher Dan, Roommate Dan, High School Dan, and my favourite, Boss-Man Dan.
              I also know far too many Andrews. Some agree to go by “Drew”, but they pretty much all refuse to be Andy.

        2. Jade*

          It’s not OPs job to give nicknames. I can’t imagine doing this to my BOSS. What were they thinking? Trying to be funny ?

          1. wordswords*

            I mean, there are teams where I can imagine nicknaming my boss, with the right kind of informal rapport. (Or, well, someone doing so; I’m not much of a nickname-y person.) Obviously, if the boss didn’t like it or showed any signs of being even lukewarm on the nickname, I’d knock it off immediately.

            But I think it’s safe to say that if you have any kind of concern at all about being disciplined for it, let alone fired(!), it’s best to not push your luck by trying!

            1. Jackalope*

              Yup. I work with A boss (not currently MY boss but used to be) that gave me a spontaneous nickname, so I returned the favor. (Both nicknames are based on our real names, not just something random.) I’ve done that with other people before as well, although more commonly friends for obvious reasons. I never do it if someone is against the idea, and I try to be particularly scrupulous about using a version of their name that they want if it’s important to them. (I also try to ask first to see if the person is okay with it and don’t use a nickname if they are not.) But as someone who finds nicknames to be a way to show warm feelings and affection, and who has been around other people who also feel that way, I will continue using them with people who agree. (The supervisor that I mentioned previously is someone I’ve worked with for almost 10 years now, which is part of why I felt comfortable doing so. Also, as mentioned, said supervisor gives most people nicknames so has shown that they are okay with it.)

            2. NotAnotherManager!*

              Yes, we had a nickname for my prior boss that he was well-aware of and loved, but we had a good working rapport and also good sense on when it was appropriate to use it (i.e., not in business emails, formal meetings, or with customers). Had he ever said, hey, I don’t love being called that or anything approaching disapproval, we’d have knocked it right off.

              If there is any concern about discipline for using a nickname, then it’s probably a no-go.

        3. TootsNYC*

          Yeah, it can be a dick move to suddenly apply a nickname to someone.

          Nicknames indicate intimacy; your siblings, your friends–they’re the ones who give you nicknames.

          Applying a nickname to someone you’re not already quite close with is a dick move. It’s a dominance move, in many cases. In others, it’s an attempt to indicate intimacy, and it can be highly inappropriate or even manipulative.

          I would never try to force an intimate status on my boss by using a nickname, especially not a diminutive (adding the “-y” or something like ‘the Kid’). I have occasionally nicknamed my boss “Boss,” but not as a constant; just in a situation in which I wanted to enforce that I was cheerfully recognizing that they outranked me and I was going to firmly and enthusiastically follow their directions.

      2. ferrina*

        Yep. I had a boss try to fire me for an error that occurred in another department. Apparently I should have done that department’s job for them?

        HR stepped in and turned the situation into a lay-off. It impacted how easy it was for me to get unemployment payments- if you are fired for cause it may make you ineligible for unemployment.

    3. Heffalump*

      Some years ago there was a ballot initiative in Colorado that would have prohibited firing employees without just cause. What would constitute just cause was spelled out in the initiative. As a believer in fairness and a former Colorado resident, I was quite interested.

      As it happened, the sponsors of the initiative withdrew it shortly before the election–I forget the backstory. If it had remained on the ballot and passed, I would have been interested to see how it played out.

    4. Observer*

      I thought the question was if you can get fired the first time, like if you call your boss Jenny instead of Jennifer one time and they fire you for it.

      It seems to me that there is more to the story than the OP is telling us. But based on the language, it’s pretty clear that they KNOW that someone is likely to object. And they are also choosing a pair of nicknames that may not be “officially” derogatory, but they are definitely diminutives. So, yes, I think it would be ok, even a first time. Without knowing more, it’s hard to say if I would have a conversation first or not, but I can definitely see a lot of scenarios that fit in with what the letter says (and doesn’t say) that would make it an appropriate reaction.

  4. Buzzybeeworld*

    Advice to any reader who ever is in a position to approve software for your company: unless your company employs a large team of developers full-time you should never ever ever use a bespoke software program for critical operations. It always ends up broken and unsupported.

    1. Kyle S.*

      Relevant news from the tech world: Vox Media announced they were discontinuing their custom website software and switching to something off-the-shelf. Their original plan was to license the software to other news websites, but since that market never materialized they decided to cut their losses and pay another company for their experience.

    2. Not Australian*

      And even then… I worked for a large (county-wide) organisation that commissioned bespoke software for something which nowadays could be run from a cellphone: they were just that far ahead of the curve. Many years and many complex problems later, and with considerable wasted investment along the way, they ended up having to scrap it in favour of an out of the box solution.

    3. pcake*

      Buzzybeeworld* – you’re so right! We had custom scripts written a few times years back, and every time the programmers retired, disappeared or went into another line of work, leaving our server at risk of attack.

    4. Bit o' Brit*

      Even hyper-customised versions of out-of-the-box software should be avoided as much as possible. We recently transitioned away from one where the company that makes the software understood less about our implementation than we did and it made it impossible to upgrade to the SaaS version when they decided to stop supporting the self-hosted version.

      1. Susan Calvin*

        As someone who’s spent most of their career on the other side of that table; hard agree. I love doing customizations! But if you spend a 2 year project on it because you want it just so, and then come back 10 years later wanting an upgrade to our current release (because you want to move to our cloud, or even just for compatibility because your own server needs a security upgrade), you can neither be surprised that this will be another substantial project, nor that the look and feel* of the software has changed during the last decade!

        *obviously changing business critical functions is one thing, but I’ve had users have meltdowns over new fonts or icons, too

      2. Charlotte Lucas*

        Agreed! I wonder if my old job is still struggling with the Oracle database custom-built by an employee who left after 6 months & didn’t have documentation.

        1. Quill*

          Maybe this is because I don’t do programming, maybe it’s because I come from a science background, but I don’t make so much as a macro without leaving attached information for people on how to use it. (Literally in the same spreadsheet in the case of the macro – the point was to make running the numbers easier for everyone, after all!)

      3. Llama Llama*

        Seriously. I work for a giant company which utilizes a giant company for its software. It is so insanely customized and causes lots of headaches. We have teams of people to assist but I have had the same open issue for 2.5 years now that they are still trying to unwind (ie its not being ignored!).

    5. Kayem*

      I used to work in a law office where we relied on a particular bespoke system the state used to upload and input court data for all districts, counties, and municipalities. It’s awful. It was put into place in the early days of the internet and I’m pretty sure hasn’t been updated since. The state pays a fee of 60-80% of all local court fees collected to the company that installed it for continued use. Said company not only stopped developing the software ages ago, it’s long since been removed from any mention in any documentation of anything on their website. But they have no problem continuing to quietly take the fees.

      Partner and I joked about offering to make them a new site for only 20-40% of the local court fees.

      1. Pastor Petty Labelle*

        Better than Maryland, rather than sign on to PACER, they had the SAME COMPANY create a special program just for Maryland e-filing. It’s so bad it makes PACER look like a breeze to use.

        1. Kayem*

          Maryland’s is a breeze compared to ours. There’s no point in inputting dates because it can’t distinguish between filing date and the date of additional entries. It also can’t distinguish between people and other entities. And my favorite, all scanned documents have to be scanned upside down or (rotated) because the system automatically rotates everything 180 degrees.

      2. Coverage Associate*

        California paid a billion dollars for a study about creating a single e filing platform across 58 counties and learned only that it could pay over a billion dollars to make it happen.

    6. Timothy (TRiG)*

      I tend to agree.

      But then, I work for a small company that builds that out-of-the-box solution for a niche industry, so I would.

    7. Keymaster of Gozer*

      I currently support over 250 different applications at my firm – a lot of which were those ‘oh it’s a bespoke but it looks cool’ ones. Granted, some are from the 1990s.

      The rule for critical systems or systems that contain sensitive or personal information is: sturdy and backed up regularly.

    8. Seeking Second Childhood*

      Corollary: If IT suggests your custom report would be more efficiently formatted via export to an Excel file, believe them.

      Excel already programmed the setting to decimal-align your currency data!

    9. kiki*

      Yes!! And if you for some reason find that you do need a bespoke solution for something, remember that maintaining software needs time and budget– almost as much as building the software in the first place! I see so many companies spend their whole budget on building a program but then get caught off guard when there is maintenance work needed.

    10. Pastor Petty Labelle*

      I literally today just found out about the UK Post Office Scandal. Apparently the Post Office requested bespoke softward to handle transactions. It was a hot mess. It literally could not register transactions properly, so sub postmasters (you know the kindly people in the little village shop who also ran the post office?) were being accused of theft and other crimes because the books didn’t balance. Rather than admit the software was at fault, they had the sub postmasters charged with crimes.

      OP, you are dealing with donor information. You need it to be secure and reliable. Fergus needs to be gone.

    11. Deuce of Gears*

      This. They write bespoke code for critical ops at my husband’s work (my husband does some of it!)…but it’s a special case: it’s extremely specialized scientific research (LIGO – gravitational astrophysics/gravitational wave detection), they design the instruments and have to write their own code for them because there functionally IS no “WordPress” (mostly in Python IIRC), and it’s NSF-funded so that code is public (if you’re a USAn, it’s your tax dollars at work! but you don’t have to be USAn to access to the code/released data). So, uh, if for some reason you have a very large backyard and you are a gazillionaire and can build YOUR own gravity-wave-detection interferometer, you could have at it!

      1. La Triviata*

        At an old job, many years ago, the organization (a non-profit) had hired a programmer to create custom software for finance, membership, and the bookstore. The programmer (and, later, a partner) had decided that they would develop the software for selling to other organizations. Which would be fine, except after years and years of updates (which required staff to learn the updates) they had never completed it. I’m no longer with them, don’t have contact with them, so as far as I know, they’re still going through the constant updates.

    12. Frankie Mermaids*

      Speaking as someone who has spent 9 months rebuilding a bespoke site in WordPress because the old site is so old/turnover means no one can fix it/edit it/it’s completely un-securable and even our own server blocks it occasionally…. YUP. just YUP. take action NOW.

    13. Mill Miker*

      Even if you’re using something off-the-shelf, it’s so, so, worth it to have at least one developer who’s job is to do routine maintenance. Not content updates, not new features, just maintenance.

      Something like WordPress has updates all the time, and so do all the plugins, and sometimes those updates are super-critical security updates. If it’s been months since anything was last updated, you might have to get “caught up” before you can do the critical security stuff.

      Aside from that, it’s also good to have someone keeping an eye on disk usage, the server OS, etc. Software is not nearly as shelf-stable as everyone wants it to be.

      Having someone who can come in for even a few hours once a week to do routine maintenance can make a huge difference when it eventually comes time for bigger upgrades.

      1. Quill*

        Yeah, when it comes to tech – if you’re large enough to be handling payments through a website, you need to pay someone to be maintaining it.

    14. WestsideStory*

      Oh God yes. In-house legacy proprietary software has been the bane of my existence for two decades. For most commercial businesses, there seems absolutely no reason to re-invent what’s available off the shelf or is open source.

  5. Kyle S.*

    I’m curious about the backstory behind LW4’s question. Have they already been fired for calling their boss Billy the Kid in front of others?

    1. Myrin*

      I’m always wildly curious about questions asked in this format (like “If someone did” or “If I could”) – has it happened before? And if so, to the OP or to someone else? Do they think that’s a good or a bad thing? Are they planning on doing it and want input? Do they feel so strongly that they’re going to ignore the input either way? Is it something they encountered in a book or movie and were wondering about? Is it a completely hypothetical thought exercise?

    2. Captain dddd-cccc-ddWdd*

      I think it is just hypothetical, but I could also see it happening where they actually did call the boss Billy the Kid or whatever, then reflected on it later and got anxious about whether they could be fired for it.

    3. Bibliovore*

      I’m curious, too.

      Also, while the name may be just an example, “Billy the Kid” is not precisely a “nothing derogatory or hurtful” kind of work nickname. Beyond the obvious that calling your boss a kid isn’t great, and that not everyone wants to be called a diminutive form of their name, the original Billy the Kid was a criminal whose actions got him shot and killed.

      1. Lime green Pacer*

        Unless your boss‘s name is William Kidd, in which case it got old years ago. I met someone with this name and had to bite my tongue.

        1. Bibliovore*

          Oooh, yeah.

          I read an article long ago about people whose names tended to raise eyebrows. One was Donald Duck. He said his parents named him Donald on the premise that everyone would call him that regardless.

          1. Harried HR*

            I went to elementary school with a kid named William Head… as you can imagine the kid was teased mercilessly the last I heard he moved out of country and legally changed his name… What were his parents thinking !!! (SMH)

            1. AnonORama*

              Hey, for several years the president of Duke University was named Richard Brodhead. I bet he got tired of being called Dick, although he’s been a high-level university administrator for years, so it’s probably been a while since someone called him that to his face. Unless they blurted it out! (I went there, but never met him, which I’m glad about given my propensity to stick my foot in my mouth.)

          2. anononon*

            Years ago my old!job had a new starter called Irene Smellie, and through an unfortunate set of IT circumstances her email address was set up as I think it took about fifteen seconds for someone to go ‘oh hell no!’ and call the service desk to have it reset to something less offensive. It didn’t stop her nickname being ‘Stinker’ though… :(

            1. Cheese Victim*

              Yeah, I went to college with a Claudette Rappy. The school email addresses were first initial, last name. 4 years of that. :(

        2. Avery*

          Yep. I know someone named Tom Jones. He rolls with the jokes, but I can tell they got old decades ago.

    4. Earlk*

      I assumed it was someone newish to the workforce who wants to be more relaxed but has no idea what’s too relaxed yet.

      1. dogmom*

        Oh that’s too funny, I assumed it was someone older who thinks those darn Millennials are just too dang sensitive!

    5. Irish Teacher*

      Honestly, my initial guess was less charitable than most people’s. I was wondering if they disliked their boss and wanted to call him/her a nickname he/she disliked to wind them up and was asking if they could do that without the risk of repercussions.

      More charitably, maybe they just have a habit of shortening people’s names without thinking or they sort of think of him by a nickname (one of my students had a surname the same as the first name of a fictional character that he actually resembled both in looks and personality and I kept nearly using his surname by accident, so maybe the boss say is called Harold and has a scar on his forehead and the LW keeps thinking of him as Harry Potter) and they are afraid they’ll let it slip and are worried they’ll get in trouble if they do.

      1. rebelwithmouseyhair*

        Having always privately given toxic bosses nicknames that reflect their own special brand of toxicity, this was totally where my mind went.
        I was always very careful not to use them with any but the most trustworthy of colleagues.

        1. Rainbow*

          He wasn’t my boss (he seemed to think he was though), but I used to work with a guy who both wore very tight shirts with an unusual number of buttons undone, and had a name that sounded a bit like Bob Fossil (the Mighty Boosh character who also dresses that way and does dramatic/disturbing dancing). Obviously I constantly called him Bob Fossil in my head, and lived in fear of accidentally saying it out loud.

          1. Rainbow*

            Also he was a bit of an Old Guard barrier to me as a rare younger person getting a voice within the organization, so triple reason for “Fossil”.

  6. Seven hobbits are highly effective, people*

    LW #1: I’m ming some assumptions here about what kind of org you’re dealing with based on my own personal collection of all-volunteer-nonprofit-bees, but I suspect a lot of this is similar from org to org.

    First, figure out what information your treasurer actually needs, and get that preserved locally in some not-on-the-website form. This may be a tedious process of pulling information out of the database in a very annoying one-person-at-a-time way, but hopefully there’s some sort of report they can run so it’s not quite that bad.

    Second, make sure officers and the Board have some non-Fergus-controlled method of contact, assuming that you’re currently using an email list and email addresses run through Fergustown.

    Third, try to pull off any and all other important information from your existing site. You probably won’t able to get everything you want without access to the database directly (which I’m assuming runs through Fergus and Fergus only), but anything you can save and might want your should archive by saving it to a local machine. This is easiest with static pages and harder the more your website wants to be full of Javascript, database queries, and bees, but grab what you can. Good things to grab include which email addresses are on any given mailing list, your bylaws, and your membership list with whatever contact info you can have. You will want to send a bulk email to your members and anyone else likely to need to be in the loop about the exciting upcoming changes to your website, so grab that info if at all possible.

    Fourth, find out everything you can about your web hosting situation. Is Fergus self-hosting this thing on a machine in his closet? Are you paying a web host somewhere with org funds? Is Fergus paying for your hosting himself? Is the domain name registered as belonging to your org or to Fergus? (Don’t ask Fergus this – your treasurer should know if the org is paying for it and if so who they’re paying, although they might pay several years at a time so you may have to look at old budgets. Otherwise, you can look up who the domain is registered to, but it may be obfuscated depending on how it was registered.) If possible, get someone non-Fregus added to the hosting and domain accounts. Ideally, you would also make a full backup of the database and website at this point and before telling him.

    Also, if he runs your social media accounts you’ll want to see if there’s anything you can do to get control of them, back. I know nothing about that process, but find out what you can.

    Then, research and make a list of what specific outside tools you’re going to use if your website goes out in a blaze of drama. (Mailchimp is good for being able to send bulk email, I know there are WordPress plugins for members-only access to parts of a website if you need that, you may be able to get a Google for Nonprofits account for mail/docs/etc. but I also don’t know the details of how to sign up for that. Quickbooks may be able to do what your treasurer needs, depending on what that is.) You will probably have to spend some money on hosting/licensing costs for some of this stuff. Find out what tools other similar orgs use – I’ve had good luck emailing people I barely know at similar orgs in other regions and asking them what tool they use for [whatever]. When picking a tool, prioritize how easy it is to get your data back out of it again if you want to switch tools. Make a spreadsheet of tools, what you will use them for, what information you’ll need to get them stood up, and how much they will cost. Be ready to push go on all of this.

    Then, tell Fergus that it’s time for a change, and give him the choice of a graceful handoff or leaving in a huff that moment. (You do not have to spell that out, and can act as though *of course* he will want to help with the graceful handoff, but be clear in your mind that those are his choices.) If you want, you can pitch this as the first of many such moves in the org, that moving forward the goal is for no one person to be irreplaceable, and that in fact within the next decade every volunteer will be expected to take a one-year sabbatical to prevent burnout and make sure that multiple people can cover for each other. The website is your pilot project, and so it needs to transition to something that someone else can maintain for an entire year while he is on sabbatical by [date that is soon], starting by getting someone else authorized on your domain, web host, and socials if that’s him currently, and following with getting everything archived and then transitioned to other tools.

    Use the research you’ve already done if he starts saying that he doesn’t know of a tool that does [task], and if the database is at all reasonable and he is trying in good faith, he should be able to get it to spit out csv files that you’ll be able to import into your replacement systems. (Pretty much every outside tool will take csv files for import – research what your selected tools actually want and in what format.)

    (Tweak the sabbatical thing as needed to be plausible in your org culture, but our all-volunteer org got healthier when our “irreplaceable people” actually DID start taking an entire year at a time off. There are still some things that only one person knows well, but they are things that we also know someone else who knows it kind of badly and we can ask if the other person gets hit by a bus.)

    1. Captain dddd-cccc-ddWdd*

      Great advice, although I wonder if Fergus would see through the “making sure no one is a single point of failure and the website is our proving ground” approach.

      I’ve encountered many Fergus types who are quite ‘paranoid’ about security etc and would instantly question this.

      I say this because I infer that similar conversations have been had already about the website (e.g. a new field needs to be added to the database for twitter handle of a donor. “is there anything Sue can do to help with that?” – “NO!!! I’m the only one able to add a new field to the database because it’s really complex and blah blah blah technical mumbo jumbo”).

      The database is really the key part, all the other functionality can be built from scratch (most of it probably isn’t that complex – the org probably has a bunch of standard “user journeys” that exist already on thousands of sites). I wonder if OP knows whether Fergus has regular backups already. Getting hold of one of those backups for a pro to have a look at would be a good starting point. (you would think the ‘paranoid type would have triple redundant backups… but in my experience they are just as likely to say something arrogant like “this is bullet proof so why do we need them”!)

      1. MsM*

        If he sees through it, then he gets a “sorry you feel that way: we’d of course prefer your cooperation, but we’re moving forward with this regardless.” Like Seven Hobbits says, he can either take the graceful exit or try to follow through on his threats and find that’s already been prepared for, but the point is that he doesn’t get to call the shots any more.

    2. Agent Diane*

      On the socials side, most of the platforms have a method for recovering accounts if a grumpy employee has changed the password to lock the org out but it will depend if the accounts are registered with an org email. If Fergus has set them up, and set them to go to his personal email, you will need to change that.

      You can say you’ve realised there is a security risk to the org and that you are moving to a system where the password is changed every 12 months to reduce the risk of being hacked. This has the benefit of being good practise anyway!

      You can also use security as a reason to move the Treasurer’s database. As someone in Europe, I have to check any org mailing lists I run are GDPR compliant. So if you have even one European person on your mailing list, you can ask Fergus to help move the database to a GDPR compliant platform – and name the one you’ve researched.

      1. Emma*

        Regularly enforced password changes are considered poor security practise nowadays, though that shouldn’t stop LW using then tactically in this situation!

        1. It's My Birthday (almost)*

          I’m curious, why? My gov org requires us to change to LAN passwords every sixty days. It’s a pain.

          1. Slightly Less Evil Bunny*

            You’ve actually hit on the reason :-) It’s a pain, and such frequent changes can be hard to remember. So it increases the chances that people will write down their passwords. Which of course is a poor security practice.

            1. OrigCassandra*

              Or people respond with patterns, like incrementing a number at the end of a password — after all, why pick a strong password if you have to change it shortly? Password cracking software knows about people’s common patterns and will try them out before moving on to brute force.

              The guy who originally came up with formerly-standard-now-discredited password practices admitted in 2016 that he didn’t know what he was doing and basically made it all up. So yeah.

              1. Observer*

                Password cracking software knows about people’s common patterns and will try them out before moving on to brute force.

                But you can have strong passwords and use incrementing, especially if you are using a decent password manager. Also, incrementing works really well for situations where you’re worrying about a password database getting compromised. Given that this is one of the most common ways that people’s data gets stolen, even a single character change can be quite useful.

                It’s true that enforced password changes are not necessarily the best practice in all situations, but it turns out that the situation is more complex than a lot of the discussion would indicate.

                1. Emma*

                  If you’re using a password manager, you don’t need to increment, because you don’t need to know your password by heart. You can just generate a new list of 3-5 random words to use as a password each time you need to change it (e.g. because someone who uses the account has left the org, because you gave the password to IT so they could troubleshoot something etc)

          2. another Hero*

            in addition to what Slightly Less Evil Bunny said (you don’t want everyone’s passwords on post-its on the back of their monitors in an office anybody can just get into), it can encourage using simpler passwords because you have to remember a new one so often. lots of people become more likely at that point to use something more guessable rather than, say, coming up with a new way to remember a diceware pw every 60 days. plus, if your password is strong and uncompromised, changing it doesn’t add anything for security, really. if you lucked out enough to do it in between a data breach and finding out about (or anyone acting maliciously on) the data breach, awesome, but an enforced pw change once a year as suggested above has low odds of accomplishing that. so it decreased security in exchange for…not really increasing security. (you should of course change any pw that might have been compromised!)

        2. Observer*

          Regularly enforced password changes are considered poor security practise nowadays, though that shouldn’t stop LW using then tactically in this situation!

          Nope, not the case. There was a time when that was the thinking, but what I’m seeing now is a lot more nuanced. Because a lot depends on the specifics of the situation.

      2. Helewise*

        I haven’t had success getting socials to grant access to profiles like this, unfortunately. We had a situation in a volunteer-led nonprofit where our Fergus just completely disappeared and refused to answer any phone calls, emails, or requests of any kind and even with the .org email address, an active webpage, etc. the social platform declined our requests to return access to us. So unfortunately a Plan B for this might be necessary, too.

    3. Mornington Cresent*

      Further to point #4, one of the best tools for finding out your domain provider is the Whois Lookup tool- it’ll tell you who this is and roughly how long this has been the case. I’ve used this tool a lot at work to assist clients in launching their websites and it’s very useful!

    4. Dragon_Dreamer*

      And be prepared to have a forensic data recovery done if he’s built a timebomb into the system. Something that would implode everything if he was forced to leave. KrollOnTrack is who the government uses, and I’ve had good experiences getting private data back.

      If you watch Forensic Files, they even covered such a case. Season 8, episode 39, fired SysAdmin for Omega manufacturing sabotaged their systems are he was fired. Kroll recovered the data and found the suspect.

      1. Keymaster of Gozer*

        Very good advice – frankly any company/organisation that has critical data should know of a good data recovery service just in case. The first instinct of anyone caught in a lie is usually to delete the evidence.

    5. Little Sushi Roll*

      Wow, this is comprehensive and useful!
      Potentially dumb question, but maybe worth thinking about – is there a chance Fergus has confidential info at home from website back ups; if he were to leave the org in a huff (in the face of the website changes), would you be confident to trust he deleted them, or require another method here? (I’m assuming the database has personal details).

    6. Seeking Second Childhood*

      Another resource for capturing website is Acrobat Professional– it’s not perfect because page breaks match your defined printer’s page size, but it can crawl layers easily.

    7. teapot analyst*

      You also need to get a mailing list of everyone in your database ready offline now to send out announcements about the change. If everything goes well, it can be a bland ‘we are moving to this new platform’ kind of email. If everything goes badly, you will have everyone’s information to keep them updated on where they can find information.

      Anyone who is a current donor needs to have their information confirmed *now* with people who have not donated in more than a year at a lower priority for confirmation. Hopefully an annual donor list maintenance process is part of your ongoing work, if it’s not, now is the time you implement it.

    8. new year, new name*

      All this advice is great but I just want to say that I love the idea of requiring volunteer sabbaticals! I’m part of an all-volunteer nonprofit that’s surprisingly functional (it’s so non-toxic that it could practically qualify for the Safer Choice logo) but even that doesn’t prevent burnout. In addition to the other benefits, a sabbatical would give volunteers a graceful exit path if they want to quit but feel like they can’t – they can just not come back from their time away.

    9. Miette*

      Very good advice here. Also, the database access/copy request should come from the treasurer under the umbrella of needing to be transparent for auditing/tax or some similar purpose, which is not something he will have standing to argue against.

    10. Littorally*

      All of this — this is excellent advice, and very well detailed.

      The biggest thing that stands out to me is that the treasurer, assuming they’re someone with a reasonably professional-level understanding of financials, should be even more troubled by this situation than you seem to be (which is not to say you don’t sound troubled, but as a finance person the back of my head is SCREAMING).

      Money is the lifeblood of any org. Y’all are volunteers so it sounds like money vulnerability isn’t threatening to hit any of you in the checkbook, but your org still presumably has a mission to run, and that mission will be up the proverbial creek sans paddle if the money disappears, or if all the money records disappear. This is an existential crisis waiting to happen.

      Your treasurer should be working ASAP on whatever kind of backup record keeping they have the technical competence for. They may not be a programmer who can build their own personal database from scratch, but — something, anything. They need records that are under their direct control and do not need Fergus’ continued cooperation to manage. That might be an excel spreadsheet, hell, that might be an old-fashioned accounting logbook filled out in quill pen like you just pulled them bodily out of the American Revolution, it doesn’t matter. SOMETHING. If Fergus and your website disappear and the very next day auditors show up, your treasurer should have something to show them.

    11. WestsideStory*

      I like the sabbatical idea; at the nonprofit I volunteer at, we’ve been talking about how to grow our “bench” so critical roles at least have redundancy if not a formal succession path.

  7. The_artist_formerly_known_as_Anon-2*

    4, I had a boss that I got along extremely well with. We would engage in “male bonding ” things – one morning our director was in from out of town, and was horrified that we greeted each other that morning by thumbing our noses. We didn’t know she was looking.

    But we would NEVER disrespect each other.

    1. Cat Tree*

      Even if you’re not disrespecting each other, it’s unprofessional and it presumably excludes female employees from being included. Save your “male bonding” for outside of work, please.

      1. La Triviata*

        We had someone in my office who routinely gave people nicknames. She persisted in using them on every occasion even when asked not to. I’m convinced one person who reported to her quit specifically because of this (her nickname was something like “Gertrude” – an outdated and unattractive name that had nothing to do with her real name).

      2. I went to school with only 1 Jennifer*

        FFS, these are two individual people who have an existing relationship. The_artist isn’t saying that the boss thumbed noses at everyone, or at all and only men, they’re saying that the boss thumbed noses with THEM. (And fwiw, I wouldn’t call that a male bonding thing at all. I would call it a silly thing, and maybe something that people who worked at a Ren Faire would do.)

  8. Sprigatito*

    Question 2 made my eye start twitching, because it sounded exactly like my last boss. About three weeks after my team was moved under him, he called me and started lecturing me on how I was “rude” and “unprofessional” and it wasn’t until he’d been going for about twenty minutes that it came out that the entirety of his complaint was because I didn’t put some kind of greeting at the beginning of emails or chat messages.

    1. LifeBeforeCorona*

      I follow the lead of my manager. At my last job, everything was very informal and we used casual a group chat which I hated because I was constantly pinged on many useless texts. Now I use email and I follow the lead of my manager who begins with “Hey Corona” and ends with “thanks”. The grandboss gets a more formal “Good Day” because their emails are generally more serious and likely to be cc’d to others outside of our organization. But often they too can be casual if it’s a quick query or response.

      1. Agile Phalanges*

        Definitely. I mirror the sender I’m replying to, if any, or do what seems to be my boss’ preference if I’m initiating. I’ve had bosses that just start in on the email without a greeting, and a boss that always used “Dear ___.” If I’m initiating an email to an outside contact, I’ll usually split the difference with a “Good morning/afternoon, ____,” (if they can be reasonably expected to be in the same time zone) or just “Hello, ____.” I think “Dear” is a little too personal for work communications, myself, but am happy to use it if it seems to be the other person’s preference.

    2. rebelwithmouseyhair*

      Yeah, I was once berated for answering an email in which the client had written “what’s your phone number” without even a signature let alone a greeting, with our phone number. Sure I didn’t greet the guy, but I did take the trouble of copying the number into the body of the email rather than just saying “in my signature” as I would have done with a colleague or sub-contractor. He called me less than a minute after I sent that message, and we discussed his problem and he ended up sending me a whole load more work because he was impressed with my answers, so I really don’t think a lack of “Dear Client” was a problem. The boss was just looking for something, anything, to beat me with.

      1. Sloanicota*

        It seems to me that the boss didn’t understand that OP’s email was part of an ongoing conversation; if this was the first time she read it (or the first time she was cc-d in) she probably had a moment’s irritation at “one more thing!” as the opener, and being at sea about the topic more generally. I actually don’t think this is the known gender issue of women needing to seem warmer but not too emotional; it sounds like the boss is asking for a more formal standard. The boss is being silly here, as casual emails are typically fine and can build rapport, but OP should just make a note that the boss is a bit silly about this, and try to comply.

        1. Ama*

          It reminds me a bit of a former boss I had who insisted exclamation points in emails –for any reason –were unprofessional. I had to really work on never using them (I wasn’t even allowed to send out something that said “A reminder that we’re closed Monday for Memorial Day. Have a great long weekend!”)

          It was a huge culture shock when I moved to my current employer where the CEO uses not just exclamation points but emojis in emails all the time (never in a really formal official communication, obviously, but one of the things I do appreciate about her is that she understands that different types of emails can have different types of language).

    3. Angstrom*

      Context matters. The first email in a chain with a colleague? Greeting is appropriate. A dozen emails in? Not so much. “Was that 20 or 200?” “200” is fine.
      Emailing with someone outside the organization? Greeting is appropriate.
      Also, if you’re CCing several people, a greeting helps make it clear who is the primary recipient.
      These are differences most people can figure out. Must Use Formal Greeting All The Time is just not how people communicate, even in a “professional” environment.

      1. Totally Minnie*

        I had a boss who always felt insulted when somebody emailed her without a greeting, but in her case it felt like the LW from yesterday who was wondering if being called Ms. Lastname would make people treat her more respectfully. There were a lot of bigger problems in our office with top administrators not treating staff respectfully and the email thing was the thing my boss latched on to because it was an easier explanation than the tangled web of other disrespectful things.

    4. I'm Just Here For The Cats!!*

      I had something similar but it was because I didn’t chat with the senior reps when I called for help. I would say Hi Rachel do you know where I can find the document for llama groomers licensure? I’ve looked in the groomer files but I don’t see it.” Apparently, because I didn’t ask how their day was and chat with them it was a problem. Some of the Senior reps had talked to my boss about it. I guess being efficient and not wasting clients’ time was a problem for them.

      1. Caliente Papillon*

        Wow, I find it so amusing – in a sad way – when “higher ups” do this crap. They cannot exist without being kowtowed to. And the only people they can get to do this is people who have to out of fear for their jobs. It’s the difference between commanding respect and demanding respect. Pathetic

    5. The Shenanigans*

      The only person who put greetings in chat messages is my Grandmother who still think chat or text goes by regular letter rules. It’s so out of date it’s like insisting on horse and buggies over cars.

    6. Cheese Victim*

      That would send me running directly into the loving arms of Malicious Compliance and start writing greetings that are straight out of the 16th or 17th century: To the company’s most excellent and revered Boss-ship, from Anita in Accounting, second office from the left and most humble, greeting!

    7. There You Are*

      The boss that I still have nightmares about over a decade later once sent me a scathing email about how unprofessional I was when I congratulated an outside salesperson on a huge win (that I helped facilitate as an inside sales person).

      Two things to know: He and I had worked closely together for months, and it was a thing across the sales org to call someone a “rock star” when they closed a big deal.

      Many of the replies to the announcement about the big contract were along the lines of, “Way to go, rock star!” As in, there were 6 or 7 emails calling him a rock star. So I replied to the email chain and said, “Absolutely amazing job landing that, Sales Person! May I have your autograph?”

      And got chewed out via email and later in person for being so disrespectful. She never once checked with Sales Person if he felt disrespected (he didn’t; he replied 1:1 to me that I’d have to wait in line with the rest of his adoring fans to get his autograph). She just jumped straight to telling me how horrible I was for stepping out of line. [She was *displeased* that I wasn’t humble and obsequious, and that I *dared* to joke around with someone higher on the ladder than I was.]

  9. Aggretsuko*

    #2: this is one of the million things I get written up for. I have to start EVERY DAMN EMAIL with “Dear Name” and every one has to have some kind of signoff. Even if it’s just a continual conversation that has been going on for days and at this point they know who they are talking to, I get written up if I leave one “Dear Name” off, because IT’S SO OFFENSIVE.

    Meanwhile, everyone else can do “Hi X” and it’s fine.

    1. allathian*

      That sort of thing would get management in trouble here (Finland) for discriminatory behavior and workplace bullying, either everyone’s required to use a “professional” greeting, or everyone can use a more informal address. You can’t single one person out and require them to be more formal than the rest.

      But then, I’ve called my teachers by their first names, or in some cases by their nicknames (always at their request), since daycare, so the expected level of formality is different.

    2. AnonInCanada*

      Your boss is a jerk. Plain and simple. What a waste of time for both you and the recipient of the email to have to begin every email in an ongoing thread with a salutation and end it with a sign-off that your auto-appended signature can’t already do. The initial email, especially with a client: yes, begin with a salutation. Otherwise, there’s no need.

      Your boss is just finding some excuse to harass you into quitting, so they won’t have to pay severance. Maybe it’s time to dust off the resume and go job hunting. I wouldn’t want to work for a jerk like that!

  10. The_artist_formerly_known_as_Anon-2*

    #1 – all volunteers? Remember the old Yuban coffee ads from the 1960s – where John R. Arbuckle once said =


    Grab screenshots and hire someone to build a website for you – and document it.

    1. Timothy (TRiG)*

      I mean, definitely record the text, not just screenshots, so someone doesn’t have to type it all in again. Ideally, use something like HTTrack Website downloader, which will also store all the HTML and images in their original forms, not just in the low quality that a screenshot will preserve. It’ll also preserve image slideshows, etc.

    2. arjumand*

      Exactly what I wanted to say – literally everyone in your org could be a volunteer, but your website needs to be paid for.

      Do some fundraising. For example, AO3 is non-profit too, and mostly run by volunteers, except for anything to do with legal and the website itself, server space etc, so they have fundraising drives twice a year and you can donate at any time, with little gifts as perks to donors ( mugs, bags, stickers, etc).

      1. Zoe Karvounopsina*

        AO3 has no paid staff, and is currently in the middle of a series of crises, so maybe don’t use them as an example.

        1. Engineer*

          If you mean the DDOS attack, they got that straightened out faster than Twitter’s self-DDOS, and to prove arjumand’s point further, they’re paying for additonal security instead of just using the volunteers.

          1. Quill*

            Yeah, it was down for a day (ish. I think it may have been less than that, it just wasn’t up in the 6 hours I was paying attention.) Give it a few months and the incident becomes negligible. I remember fan sites and tiny forums. You never knew if it was down because the person who owned the domain had stopped paying for it, or if it was down because somebody was trying to put up a new page and failing, badly. Or if a sketchy banner ad was crashing it for you, specifically.

          2. Zoe Karvounopsina*

            No, it was the ongoing and substantiated concerns about volunteer abuse and racism, and the various ongoing issues with finance handling.

            1. Lellow*

              Yup, I was literally scrolling the comments to see if I was going to be the first person to make an “is this about the OTW?” crack

              1. Zoe Karvounopsina*

                OTW is very good in some ways, but in others it is an example of what not to do in non-profits…

      2. Zoe Karvounopsina*

        On second thoughts, that’s a really great example! AO3 suffers from a lack of paid staff, which causes a number of issues, some unique to them, some probably not (load bearing volunteers suffering burnout because they are doing all this work in addition to their paid jobs). Some things need to be paid, because you need them to be done professionally. This is one of them. Possibly so are other roles, perhaps take the chance to look at the whole organisation?

      3. rebelwithmouseyhair*

        Yes, I volunteer in an org with like 300+ volunteers and one paid treasurer, and we sub-contract the website. Certain volunteers in charge of publications and sales get to add articles and photos etc to the website, but everything else has to go through the professional webmaster.

        1. Keymaster of Gozer*

          I was the ‘IT Person’ for a tiny charity service once – rest of the place was volunteers but me and the accountant were paid and had contracts. Because what we were protecting against (data breach, financial fraud) would cost way more than what they paid us.

          1. Observer*

            Because what we were protecting against (data breach, financial fraud) would cost way more than what they paid us.


      4. Lexie*

        It may not be that simple though. I’m on the board of a very small all volunteer organization. To pay someone to build a website for us we would most likely have to pull money away from our mission. We already spend most of the year fundraising so it would take years of saving any small surplus we might have to scrape together enough to pay someone to develop a website. Which is why our only internet presence is Facebook and Givebutter.

        1. Observer*

          To pay someone to build a website for us we would most likely have to pull money away from our mission.

          If you are using your site for your mission, the making sure that it’s secure and usable is NOT “taking money away from your mission.” It’s direct investment in your mission.

          Now, based on your comment, it’s clear that your organization wouldn’t get any functional benefit from having a web sate outside of the presence you already have. So it makes a lot of sense to not pay someone. But it also makes sense to just not have a web site. Which means that for your organization, spending the money makes no sense.

          But that’s a different scenario than what is being discussed here. The OP’s organization is using their site to serve their members. So much so that they can’t be without a web site. If an organization’s web site is that important, then paying for a professional to make sure that it’s done right is no different than paying the hosting and domain registration fees.

    3. Sara without an H*

      Was coming here to say something similar. LW#1, I know your organization relies on volunteers, but you may have grown to the point where you need some actual hired help. Back when Fergus volunteered to build your database and other IT structure, I’m sure everybody thought that was awfully nice of him, without thinking through the implications for the future. Now, of course, you’re paying for that.

      Short version: There are some things that are actually cheaper if you pay for them.

  11. AnneMoliviaColemuff*

    I’m dying to know the context behind #4. Is this someone who got fired for non-consensual nicknames, or is it someone who is doing a lot of research before trialling a new nickname?

    1. The Prettiest Curse*

      My best guess is that it’s someone floating a trial balloon ahead of implementing a new nickname. Honestly, the answer to this is to have as many nicknames for people as you like – but those nicknames never, EVER leave the inside of your head, for ANY reason. And if you’re someone who occasionally lacks a filter between brain and mouth (or keyboard) – better to lay off the nicknames altogether.

      1. LifeBeforeCorona*

        I agree completely. I hate nicknames for myself and always respond with “That’s not my name.” However some people love them and see their usage as a sign of acceptance within thr group.

        1. Chilipepper Attitude*

          My name is one that does not really have a nickname/cannot be shortened and as I grew up I realized that I love not having a nickname. I also chose a name for our son that has no clear nickname.

          1. Irish Teacher*

            My name is one that has about a million and five nicknames (obviously an exaggeration), some of which I absolutely hate. I usually get called by my full name though. One of my colleagues has taken to using a short that isn’t even a known nickname, but I don’t mind that, both because it’s not a version I hate and because the way he does it is sort of affectionate.

            But in general, I use my full name. It’s one of those long ones and a very common name among people over 40 in my country so I guess a lot of people go by shorts because there are a lot of us. But I like the full thing and it’s annoying when people insist on shortening it. When I was a teen, it got shortened a lot, often because “it’s easier to spell the short.” It…isn’t really a hard name to spell.

          2. rebelwithmouseyhair*

            My parents had names that could be shortened in multiple ways and they both hated it, so my brother and I were given the shortest possible names. Friends added bits on for affectionate nicknaming purposes (like Sam became Sammy).

        2. The Prettiest Curse*

          I have a first name that has a lot of potentially unflattering rhymes, so nicknames tend to re-activate less-than-happy childhood memories for me. I know that others don’t have that association and (as you said) use them as a sign of affection etc. – but I wouldn’t use a nickname for anyone unless I was 100% certain it would be welcomed by that person.

        3. Paulina*

          I used to have an older colleague who used nicknames for many of my colleagues. It stuck out because he always used something that wasn’t the name or even nickname that the person answered to. It always felt a bit demeaning — like he was going to decide what he wanted to call people and couldn’t be bothered to pay attention to what they wanted, and in some cases was deliberately underscoring that by picking the wrong nickname. Not sure which of my name’s many nickname versions he used behind my back, but his approach definitely did not feel like one of acceptance. Especially with the nicknames he kept using even when it confused people.

          We never let him do introductions.

      2. Artemesia*

        I envisioned an old fart resentful that the ‘kid’ is now bossing him around wants to get away with calling the boss Billy the Kid. You don’t ‘nickname up’. and it is rude to nickname down as well. It is a well known bullying tactic. WBush used to do it to his subordinates and they all had to grin and bear it because he was the President (and before that the BOSS) but lots of them were unpleasant.

    2. Big Pig*

      Most nicknames are initially non-consensual if they happen organically. They are just usually not given to or by bosses and of course they should not be kept up if consent is not given.

      1. The Prettiest Curse*

        Yeah, given the power differentials involved, you don’t want to have to make your boss say “please stop calling me Butthead Bob, I don’t like it.” (Plus, there are definitely bosses out there who would find it less awkward to just fire someone than to have that particular conversation!)

  12. madhatter360*

    Not quite the same situation but I suspect something similar to letter 1 has happened at a local ice cream place. They have seasonal flavors, but the website still lists the spring menu and their Instagram (which they previously posted on at least weekly) seems to have been deleted.
    I assume whoever was in charge of the website and social media was let go/left and may not have shared how to do their job with anyone else.

    1. anononon*

      This is the risk of having a ‘single point of failure’ on things like social media and websites. There are so many ‘abandoned’ websites and Instagram accounts! Our local pub (which is still VERY much open and busy and serving food and drinks) hasn’t updated its website or social media for months (their Xmas menu is still on the website, their last posts on socials were about the party for New Year’s Eve). It’s such an important part of business these days and yet lots of companies (and charities) don’t prioritise it.

    2. The Shenanigans*

      Yeah fwiw to the OP whenever I see anything like that I assume the org or company is out of business or too disorganized to bother with. So this isn’t just about the website. It’s about making sure the org looks functional at all.

    3. Weaponized Pumpkin*

      It’s really common, unfortunately. They ask someone (employee / friend / intern) to set up a site or socials without any real understanding of what happens next. And, perhaps they’ve solved a lot of this by now, but early on social media had frustrating rules where accounts must be held by real people, and technically a person can’t have multiple accounts. This led to a lot of pages/groups being set up using the personal accounts of someone in the organization, and chaos ensues.

      1. Seven hobbits are highly effective, people*

        Yeah, I’m always amazed by how many social media type places don’t have an obvious workflow for organizational accounts rather than individual ones. Often the best you can do is sign up with an @org email address alias specific to the role, and then tell everyone not to enable 2FA so you can reset the password using that email address as the person behind it changes (or use an org-owned reassignable Google Voice number for SMS-based 2FA or something). Issues with this process are left as an exercise for the reader, who is now cringing.

  13. Thorton*

    for #1, you need to get a systems/network/security administrator to review ALL of your software systems and your tech. Since Fergus wrote the back end software, and it is still in development, you need to make sure it will not be security risk in the future. Make sure it does open back doors to other programs, gives Fergus administrator access to all software in the company, that once you have your new website, he cannot overwrite the new one with his exclusive programming language, and that his programming language does not leave your company vulnerable to cyber attacks. And use this to develop a set of Policies and Guidelines around your org’s IT. You can find many articles on best practices in the IT industry to help you. Creating those policies now will prevent a future Fergus situation.

    1. Peanut Hamper*

      As they are a non-profit, they may not be able to afford a person like this, but someone below mentioned Taproot, and they should look into this.

      I am definitely seconding having a good set of IT policies! They should be in writing, and volunteers should have to sign off on them.

      1. MsM*

        Also a good potential consulting project for a local university, with appropriate scoping and making sure the students document everything.

      2. Observer*

        They should definitely look into taproot, local colleges and any private entities (foundations and / or associations related to their mission.) But if they can’t get what they need this way, they are going to *have* to afford it, the same way they HAVE to afford the web hosting fees.

  14. Keymaster of Gozer*

    OP1: Encountered this more than once in my career. There’s always some self-professed ‘genius’ who wrote a system in a language ‘he invented’ and who refuses to let anyone see it.

    Invariably this means when an actual IT expert gets called in they find some hideously clunky Visual Basic/html mashup that has more holes than a pair of tights. If they really did invent a whole new language that was brilliant then Stack Overflow would go wild.

    You’ve got a major security problem here. Critical data relating to your business is not under your control and you have no way of knowing where it is actually going.

    I actually do wish to cause alarm here. This is a serious issue. I know hiring in an actual developer would be expensive but it’s going to be cheaper than the damage your current volunteer is doing.

    And if you can’t afford to migrate systems or get this guy away then return to Excel/paper/phone. As Alison says – if he walked out tomorrow you’d still have to find a solution.

    (I’ll eat my own hat if he actually did invent a totally new programming language)

    1. fanciestcat*

      Seconding this, I have a feeling Fergus treats everyone like a threat because he knows if someone skilled ever sees the backend he’s out as webmaster because it’s almost certainly a Frankenstein’s monster of a website.

      1. Keymaster of Gozer*

        Number of times I’ve heard ‘I wrote it all myself and it’s totally new and brilliant and never seen before and you won’t understand it’? Probably around 43

        Number of times the same system has the kind of code I’d do at 2am after 48 hours sleep deprivation? Probably around 43.

        It’s pretty much admitting that what he’s done won’t stand up to more than half a minute’s expert eyes before it reveals itself to be spaghetti code at best and My First Visual Basic at worst.

      2. ScruffyInternHerder*

        I think I’ve dealt with a Fergus, and he loathed me for no other reason than I knew just enough about computers that I had the audacity to question his BS. And it was indeed BS.

    2. The Prettiest Curse*

      My entire coding knowledge consists of HTML and a bit of CSS, and even I can tell that this dude probably didn’t invent a whole new programming language!

      1. Quill*

        And even though mine is “I can scrape together enough HTML to make a pretty blog page” and “I have opened the .txt of a couple of game mods to tweak values following a tutorial” I can tell that if it really was that unique overall there’s no way a single person is keeping up with all browsers and their updates for this to output an actually useable website.

    3. bamcheeks*

      I actually do wish to cause alarm here

      Yeah, same here! I know I’m GDPR-pilled and I formation governance is les strict in the US, but it’s not THAT lax. LW should absolutely be considering this an existential threat to the organisation, and if you do manage to get it sorted out, asking some very difficult questions about your overall governance and leadership about how you got into this situation in the first place.

      If this was a financial mess, it would be, “we’re in debt to roughly twice the organisation’s annual income, nobody knows how this happened” levels of badness.

      1. Keymaster of Gozer*

        There’s also quite a number of off the shelf financial tools and website packages that are quite cheap and pretty sturdy if you’re just running a small operation off them. They tend to have robust support too AND they’ll have clearly stated what they can or cannot do with your data.

        The guy who rocked up claiming a whole new programming way of life is the same ilk who run financial fraud – ‘hand everything over to me and don’t worry about it. No you can’t access it because reasons’

        And then when you find the company account drained and the new guy doesn’t return your calls then it’s a very serious conversation with the tax office.

    4. Peanut Hamper*

      Seconding all of this. There is no way that Fergus is on top of every security issue that comes up and is updating things to prevent issues.

      I have worked with people like Fergus before. I doubt very much that Fergus knows as much as he claims he does, which is why he’s bristly and doesn’t like to work with people. He really doesn’t want to admit to others how little he knows, and is worried that anybody that takes a peak at his source code will realize that. He is a major risk to your organization.

      I’m also seconding all the people who are saying that Fergus should be kept in the dark about this until a new website is up and running, and then to get rid of him ASAP. Don’t give him a chance to screw up the new website.

      1. rebelwithmouseyhair*

        yeah I think he should be kept completely in the dark about the new website, and retired. He’s been chasing people away, who knows what they might have been able to contribute!

      2. Captain dddd-cccc-ddWdd*

        It’s a huge risk. I don’t think it is too much of an exaggeration to say a data breach or similar could be an extinction level event for the organisation (reputational damage, fines, no one will donate in the future knowing that their information could get disclosed to whoever, etc).

      3. CommanderBanana*

        This is SO true. I worked with a Fergus at my last org who managed to get himself promoted to IT Deputy Director by bullying and sabotaging the rest of the department, so none of the other staff lasted very long.

        Aside from being a trash fire of a person, his actual technical skills were really lacking. We’d repeatedly be told something wasn’t possible with our database or site, then find out when we went to the developers that it was, he just didn’t know how to do it and wasn’t willing to either admit that or to try to find out. It was really apparent in meetings that he didn’t really know what he was talking about, but he was so abrasive and confrontational that most people weren’t willing to push.

    5. I'll eat my hat too..*

      Absolutely, also, this is one of the reasons “legacy” software doesn’t get put out to pasture.

      The volunteers who left…I am sure many realized the emperor had no clothes, but it wasn’t worth staying.

    6. CommanderBanana*

      Yes, and I don’t get the impression from the letter that the organization really grasps how disastrous this could be, since they’re still trying to find a volunteer to fix it.

      1. Keymaster of Gozer*

        It gave me shivers that’s for sure. I deal with operations security a lot and they’d go a very interesting shade of white if we had that kind of system within spitting distance of our networks.

    7. M*

      At most, I bet he wrote some kind of custom framework. Like, he thought he could do React but better. Or just as likely he’s so inexperienced that he had no idea what React was and thought he was doing something that hadn’t been done (better, and open source). I too would be shocked if it was an actual language.

      I used to work for a company that had their own custom closed-source framework. It was complete crap, and I still chuckle to myself occasionally at their idea of being able to charge people to use it.

    8. I went to school with only 1 Jennifer*

      I would make you a hat to eat. Maybe out of spaghetti noodles? (If you’re wheat-sensitive like I am, I’ll use some round rice noodles this really good Burmese place nearby uses.)

  15. pcake*

    LW1, you have only Fergus’ word for it that your site and databases are particularly secure, and unless he updates for every new piece of malware that can inject itself, which I can’t imagine a single person being able to keep up with, I’d suggest moving your site asap.

    Alison’s suggestion to screencap all your pages is good; having someone copy/paste all the text will make it quick and easy to move. Don’t give him a hint you’re moving to a new database and script – I’ve known several businesses who had angry webmasters pull their sites down.

    You could use WordPress – it’s easy, there are tons of free and inexpensive themes (designs), and there’s a zillion tutorials. Many hosting plans actually come with WP pre-installed. You could pay someone to move you to WP, then change the password. I would suggest keeping important databases perhaps not on your site – or at least not in the same database and script install for extra security.

    Best of luck to you!

    1. Susan*

      From around 1998 to 2007, I volunteered to create a lot of websites and even wrote my own content management system for them. I loved it – it gave me social recognition and I could try out many ideas I had. I was definitely no Fergus either. I always tried really hard to keep everyone happy. I was also willing to switch to off-the-shelf software (e.g. WordPress or a wiki engine) if that was what was requested. A few years later, I was again looking for an organization to do this for because I had moved to a new city and wanted to make friends. That turned out to be impossible. Either the organizations already had a Fergus who absolutely did not want me to compete for his position. Or they were only communicating through a platform like Facebook. I found that very annoying at first, but because of the many “Fergus” stories, I could unfortunately understand it.

    2. Captain dddd-cccc-ddWdd*

      I’d bet dollars to donuts that there’s at least one significant security hole in here, that would allow someone with know-how to get access to someone else’s information that is stored in the database. Fergus will insist that this is impossible because “each donor has a unique prime number as the link to their page, so no one will guess it” or some such thing.

    3. The Shenanigans*

      Yeah on security…has anyone asked him any security questions? Like, asked him what the current concerns are? Or tried to trip him up by asking if the fictitious SmoothieGo ransomware attack is a concern? B/c I’d bet a large amount of money he can’t tell you what ransomware even is, let alone protect the website from it.

    4. Don't Be Longsuffering*

      No, please don’t use a volunteer, for the security reasons listed above– such as back doors to other parts of your organization and the huge possibility of malware. Please hire professionals. If you can’t afford it, you need to go back to paper and pencil, as another commenter suggested.

  16. WoodswomanWrites*

    #1 – There is a wonderful foundation called Taproot that provides free technical advice to nonprofits by using professionals who volunteer to help. Unlike other foundations that provide grants, Taproot provides in-kind support that would otherwise be expensive to hire for. I know of an organization that greatly benefited from Taproot’s services.

    I’m putting the link to their website in a reply.

    1. WoodswomanWrites*

      Here’s Taproot’s website, They specifically mention that they can help with technology.

      Here’s their approach: “Nonprofit organizations don’t always have access to the… technology or planning resources they need to tackle the issues facing our communities. Organizations are understaffed, operating on a shoestring budget, and need support. Skilled volunteers can help.”

      Your post is reminding me of a volunteer that was involved in the agency I worked with years ago when technology was new. He was overstepping his role and annoyed when full-time managers rightly didn’t accept his ideas for how to do things. Before he departed, he deliberately scrambled the programming of our single kiosk for the public. Located in a rural area, it took a while for us to find someone to restore it.

    2. Look at all options*

      Also the big tech companies (Microsoft, Salesforce etc) offer discounts for nonprofits and often support to implement the products.

    3. Cat named Brian*

      Also Firespring has templates for non profits. Reasonably priced dependent on size.

  17. bamcheeks*

    I am — really confused by question 1. What kind of website has a database included/attached that the treasurer needs access to? This makes it sound like some kind of e-commerce site rather than a simple WordPress-able site. Either that or it has something incredibly simple like a form embedded in it, but Fergus has bamboozled you all with Technical Words.

    LW, you definitely need to cut Fergus out, but if you in fact DO have some kind of e-commerce site that your service depends on, or some kind of donation system or even somewhere where people enter personal details that need to be stored securely, consider whether the non-profit is actually viable run on volunteer labour. If you don’t have a paid technical person, you shouldn’t have anything more complicated than a simple WordPress site which is basically a notice board for your organisation. Even if you have forms or other functions on it, they should have separate access which are available to more than one person in your leadership team. And more than one of you should understand how this stuff works.

    If you definitely need something more complex than a simple notice board and can’t afford to pay someone to develop and manage it for you, you need at the very least to prioritise “get someone with basic tech knowledge/skills” on the board or as part of your leadership. Because Fergus should not ever have had the power to do this, and if your board doesn’t have the skills and knowledge to recognise that and say, hold on, no, this makes no sense and also sounds like terrible practice, it’s not fit for purpose.

    1. Peanut Hamper*

      I was confused by that, too. It’s possible that Fergus cobbled some online database for the treasurer to use, instead of going with actual accounting software like QuickBooks or PeachTree.

      Regardless, there are a lot of open source software solutions out there that LW should be looking into. This entire process should take a skilled person anywhere from a day to a week (at most) to accomplish.

    2. very anon for this*

      This, all of this.

      I did a double-take reading #1 because I’ve seen this exact scenario play out before. It was in a small, mission-driven nonprofit where everyone was a volunteer. What happened was: the abusive volunteer was informed she was being kicked out and responded by taking the external website and internal comms system hostage, sending leadership a literal ransom note for them. A member of leadership with tech expertise stepped up to retrieve access to the systems and succeeded, but was then pressured into becoming the new unpaid and overstretched tech person, because no one else knew the first thing about maintaining this stuff and it had kind of just been the first person’s pet project.

      Going forward, she repeatedly tried to warn the other leadership about the dangers of her being a single point of failure and the toll it was taking to be an unpaid on-call webmaster, but was never really taken seriously because she always gave 110% and managed to keep things running smoothly, inadvertently keeping them from having to face the actual level of precarity. Then she became the target of abuse and harassment by another member of leadership (yeah, this place had issues) and the fact that she was a single point of failure turned into a method of coercion by several others — “you can’t leave, we’d lose our entire online infrastructure, don’t you care about our mission?” — never mind that she’d been begging them to explore other options for over a year. When the harassment finally escalated to a traumatic level and she left abruptly, the organisation did collapse, and the remaining leadership’s final act was to publicly blame her for it.

      Sooooo…yeah. OP1, if you’re managing your website in-house, you really need to have more than one person (ideally several) who knows how to maintain it to whatever standard is necessary for your operations. If you want complicated custom stuff beyond most people’s abilities, to be maintained/developed with a professional degree of reliability, you need to pay someone — and I think it’s safest for that to be someone external, who is unaffected by and uninvested in your internal politics. In my example, both tech people were technically part of leadership, but the rest of leadership tended to pigeonhole them as “IT” and arrange things such that their tech workload displaced their other more generalised leadership responsibilities. So they could blame the tech person for all non-ideal situations pertaining to the website, while simultaneously preventing her from individually making any high-level organisational decisions (that only she had the expertise to make) in order to solve those problems. Tech infrastructure needs to remain in a kind of neutral territory, or else things can get very messed up.

    3. Keymaster of Gozer*

      Depends on the software – you can make anything website viewable if you really want to (though it’s not a good idea in some cases).

      You raise a good point though – if it’s e-commerce or has anything to do with taking/doing payments you NEED to have that secured. If it stores people’s personal details then it has to be locked down.

    4. WellRed*

      It’s also possible the LW isn’t clear on how the whole thing is set up or simply using the wrong language. Not everyone speaks tech.

      1. bamcheeks*

        Right, but that’s the problem. Whether it’s actually a database or simply a spreadsheet of member or donor data, or something else analogous, it’s being held online in a way that only Fergus has access to. There should be *somebody* on the board who recognises what a massive risk this is– you don’t have to have a person who can understand code or develop a database, but not having any idea of information governance is like trying to run an organisation without anyone who understands financial or fiduciary responsibilities.

        1. Keymaster of Gozer*

          To be honest you don’t need to know the extact technical specs – just a clear outline of exactly WHAT the website is handling (text only? video hosting? payment processing? client data lookup? etc) and how that data is stored and backed up.

          An IT analyst worth their salt will be able to make reasoned assumptions based upon that and viewing of the website and be able to advise the next steps.

          Short rule: If you have software handling key parts of the company operations then someone at the firm needs to know the name of it, what it handles, how to audit it and if it is backed up/has a failover.

          OP in this case is describing a situation where nobody except this ‘developer’ (he sounds more like a jackass to me) knows if the questions CAN be answered.

          Get a real techie in, don’t let your volunteer know and boot him out as soon as possible. Not only is a lousy tech, he sounds like he’s toxic as well.

    5. NonprofitsAreWeird*

      I put a longer top level response below, but sadly this isn’t uncommon for non-profits. There’s a whole industry around non-profit CRM systems to run the whole business (except HR) that tack on some website tools. If he’s highly customized one of the older/more obscure systems to generate a better website he could (possibly legitimately) think of it as his own creation.

    6. Granger Chase*

      I was part of a nonprofit fraternal organization in college, and our website had a section for members to pay their dues. Our Treasurer and President had access to the backend of this. It allowed people to pay online through credit or debit card, bank transfer, etc. instead of needing to bring in cash or a check to a meeting. It was a big reason we used the website we did.

    7. Saberise*

      Someone replied here that says they think they are the treasurer in question. They said the information is like who paid their membership and when. Which I guess would make sense if they can renew their membership via the website. All the actual accounting is done in something like Quicken.

      1. Observer*

        I saw that one. And the thing is that this is still waaaay too much information to actually STAY on the web site.

        And, this is their dues history. How on earth do you keep information that important on a site that only one person controls and which effectively has no security. There are sooooo many ways that this could go wrong. Especially if dues are a major source of the organizations revenue!

    1. Slow Gin Lizz*

      Yeah, it could be derogatory because someone doesn’t like being called “kid” or because Billy the Kid was not a particularly nice person, so when you call someone that you are essentially inferring that that person is also a thief and murderer.

      1. The Shenanigans*

        Oh I wouldn’t go that far. Most people, at least in America, think of Billy the Kidd and similar sorts of baddies as a sort of folk anti-hero. It’s like cops and robbers, not real history, and so usually meant playfully.

        That said, if someone tells someone else that their name is Xavier and they don’t want to be called anything else, then it’s rude to call him anything else except Xavier.

        So there’s no reason to try to find something derogatory in order to justify a no. Billy the Kidd (or whatever the real nickname is) could be – and likely is – just meant playfully. It doesn’t matter. The boss said that’s not his name, so don’t use it.

  18. Marzipan*

    #4, I’m noticing that your example of a non-derogatory nickname is perhaps not quite so neutral as you think it is. Obviously I recognise the reference but leaving that aside, appending ‘the kid’ to a name carries implications of youth which someone – especially a manager – could easily hear as critical (i.e. Bill is much too young to be a manager, lacks gravitas, or whatever).

    I assume that this was a made-up example and not the actual nickname you really wanted to ask about but I mention it as a suggestion that your perception of a nickname nobody could possibly consider objectionable may not be shared by everyone, and they nicknames in general are an area where it’s important to tread very lightly.

    1. amoeba*

      Apart from that – I’d imagine many Bills/Billys are very, very annoyed by being called Billy the Kid. If you have a name that has that kind of association, everybody will think they’re brilliant for discovering that great joke for the first time. Well, they’re not and it’s *most definitely* not the first time, more probably the 10000th.

      (And yes, I have a name like that and while I’m generally no averse to nicknames, being called “Alice in wonderland” has very definitely lost any charm somewhere in primary school.)

      1. LifeBeforeCorona*

        I’ve heard every possible mangling of my name and years later, they aren’t clever or funny, just really tired. I changed my favourite eyeglass style that I had for years because so many people thought they were making a clever Harry Potter reference.

      2. Red Reader the Adulting Fairy*

        Yuh huh. I’m Ginger. I once worked at an office with a Mary Ann. We both started actively avoiding each other on my second day because the jokes got that annoying that fast for both of us, and to this day I have zero tolerance for Gilligan’s Island jokes. (The show has been off the air for literal decades, when will people forget???)

      3. Constance Lloyd*

        I get so many Audrey Hepburn/Breakfast at Tiffany’s comments, I’m just thrilled when someone chooses Little Shop of Horrors instead.

      4. metadata minion*

        Yep. There was apparently a show in the 70s with at title featuring my (not rare, but not super-common either) last name, and the only reason I know this is that multiple teachers from elementary school through high school insisted on making jokes about it.

    2. Samwise*

      Not to mention that Billy the Kid was an infamous murderer. Even if Billy the Kid is made-up — give some thought to history with any nickname.

      1. Cherries Jubilee*

        … nah, nicknames and jokes in general work differently than that. No one who isn’t performatively oversensitive would be offended by the association with Billy the Kid just because he’s a historical killer. The cultural cachet isn’t 1:1 correlated like that.

        1. Cherries Jubilee*

          (The nonconsensual nickname issue still stands, though. If you’re annoying your boss, then yes you could get fired for it.)

        2. Katydid*

          A pacifist would have a perfectly good reason to object, without earning the pejorative label, “performatively oversensitive.” ;)

  19. Wherever the Orchestra?*

    To OP 1:

    Imagine that Fergus has been hit by the Lotto-Bus, and is no longer around to assist with the website.

    1)What would you need to do? (Other commentators have already give you much more in depth explanations of what you should do)

    2) Now, go do what you would after that Lotto-Bus hit – and don’t involve Fergus at all (like others I doubt that he would be helpful, but do believe he’d just be importing his fiefdom to a new platform. Also, who owns that domain/url?)

    3) Launch new platform while giving Fergus a grand sendoff, thanking him for his many years of service to the Org. (Get the board in agreement with this – honestly you do not need a bully IT guy hanging around). And yes, get him out as the new site launches so he can’t do damage to it.

    In all seriousness, Fergus is dead weight, and is costing you in brain drain every time he runs off a volunteer. He’s hurting your mission – set yourselves free. He may also be setting you up for legal/tax/financial issues with his Fiefdom hold over the website and all things that the Treasurer needs access to.

  20. Filicophyta*

    LW#1 I don’t know what country you are in, but if you are an officially recognized NGO or NPO, there are probably legal requirements around financial reporting which Fergus’ system might be breaking. The taxman will want info about donations and expenditures accessible.
    I agree with others above that most of the work should be done without him / before he knows, but govt regulations are a reason to give him if needed.

    1. Observer*

      Good point. If those donations are tax deductible, that’s another reason why that database is REALLY important.

  21. Kwebbel*

    OP2 – I know there are significant issues with doing so, but I just tried putting an informal email of mine into ChatGPT and asked it to create a formal email out of the text. The result was a very quick fix that I could use with an overly obsessive manager.

    I’m conscious that this just treats the symptoms rather than the source of the problem (and, again, that there may be restrictions on using ChatGPT in your office in this case, so you’d need to weigh this), but is it a potential solution that keeps you sane while giving the manager what she apparently wants?

    1. ecnaseener*

      That seems like overkill when the only thing the boss has asked for is “Hi Name” at the start. There are real downsides to abandoning LW’s natural writing style in favor of whatever chatgpt decides is “formal” – it’ll certainly require extra proofreading time, and it’ll probably come off as stilted or frosty.

      1. Boolie*

        I agree. (I am generally suspicious of AI in general, even knowing how prevalent it is in ways we might not even clock…but yeah, overkill in this case).

        Additionally I might consider a skip-level meeting to address the weird power play here.

    2. OrigCassandra*

      And if the email was about something confidential, Sam Altman and the rest of OpenAI now know about it. They retain prompts, possibly to use in further model training. Possibly for blackmail, who knows?

      This is a big REASON many organizations place restrictions on ChatGPT use. It’s not arbitrary interference. There are real risks here.

  22. Arthenonyma*

    NGL question 1 made me go OOH A CHALLENGE… I would absolutely take on the task of “steal the website out from under fergus and port the database to something standard”, for free, as a fun puzzle to solve! So maybe you need to find a volunteer who feels the same way :)

    1. Harper the Other One*

      LOL I am not a techy person but I know my first thought was “someone out there would find it fun to fix this!”

    2. Peanut Hamper*

      Same. I would seriously consider taking a week off from work to do this, if the nonprofit had a mission that I strongly supported. This would probably be the most enjoyable vacation I’ve had in a while.

      LW, there are people out there who would love this challenge.

    3. LW1*

      LW1 here…I’m not above accepting strangers as volunteers from the internet. Now I just need to figure out how to get you my contact info without sharing it to the world…!

      1. Keymaster of Gozer*

        My expertise is database management else I’d be well up for that. I doubt he’s got some good encryption so porting the whole load out to file would probably be easy if you got someone who knew what they were doing.

        The ‘the person with the only access to this system left and we need to migrate the data over to a new system’ is a line I guarantee IT professionals have heard more than once!

        1. MigraineMonth*

          Unfortunately, so is the line ‘the person with access to the system left five years ago, and they still have admin security on the database’.

      2. Arthenonyma*

        I’m genuinely interested, but I would need more detail before I could say whether it would be within my technical capabilities (I’m also disabled so I’d be cautious about overcommitting). At the very least though, I could have a look and tell you what I think needs to be done, so that it might be easier to find someone with the right skills. If you do want to get in touch with some of the people on this thread, I’d suggest creating a throwaway email account and giving that out!

      3. Sandi*

        If Alison has the time, she can forward any offers to you (she would have your email address).

      4. bamcheeks*

        I am sure everyone who reads AAM is a very fine and upstanding person, but you should probably do a bit more thinking about information security before you get another volunteer-designed website!

        1. Ask a Manager* Post author

          Agreed — and I don’t think I can comfortably connect people in a situation like this without actually knowing enough about the volunteer(s) to vouch for them. But there are volunteer orgs like Taproot that would be great to contact for help.

          1. Arthenonyma*

            Yes, I think I agree now actually – I was initially thinking of this in terms of needing someone to sit down and do the non-glamourous grunt work of copying all the website content somewhere, looking through the domain setup etc. I was reading “database” as something like the backend to a WordPress site, but if it’s actually more involved with personal data than that, 100% agree that LW1 needs to talk to a vetted professional first!

      5. ThisIsNotADuplicateComment*

        There’s been at least one instance where Alison has helped commenters get in touch with a letter writer so she may be able to help you (this was a few years back when the site was smaller so might not be feasible for her now). If she can’t you could also consider creating a burner email to post here and then give your real email out over that.

      6. Properlike*

        With all due respect, LW#1…. I think you’re not the best person to be this high-level in a nonprofit. A nonprofit is still a *business*, and you keep relying on the volunteer kindness of others, letting someone shadow-run your org for YEARS and drive off members, and now accepting help from strangers on the internet?

        Please, find a President who’s going to make protecting this nonprofit entity and its reputation PARAMOUNT over anyone’s feelings or convenience.

    4. learnedthehardway*

      I would disagree – they need an independent company to do this, not an individual tied to the organization in any way. A) it needs to be confidential at the outset, until the data is captured. B) they need to NOT put the org’s website into the hands of a single person again.

      1. Fieldpoppy*

        A lot of ink has been spilled on this topic but I’ll add my $0.02. I’ve been running an all-volunteer not for profit for 16 years. The specifics of our mission meant that our fundraising was extremely tied to being able to say that 97% of funds raised went directly to the mission. (The 3% was liability insurance because we had a sporting fundraiser, bank and credit card fees and filing our taxes). The folks here who are going straight to « have some paid positions » don’t get that this isn’t always commensurate with the community established to support it.

        All of that said I learned a long time ago that volunteers who suck the life out of any part of it are a huge liability. One of our core team got an accountant friend to help him set up our bookkeeping and the team member has maintained it. We use a third party donor platform to process donations (and issue tax receipts). And I taught myself to use square space in one afternoon. It’s really not difficult — I’m not a techy person but I feel good knowing that we have a simple site with tons of plug in functionality and I know what is what.

        My advice is to scrape what content you can from your existing site, teach yourself or a trusted colleague to set up WP or Squarespace, use a 3rd party platform for processing donations (eg Canada Helps) and cut Fergus loose. Who knows who you’ll attract if his toxic grip is gone. Good luck!

  23. Ink*

    #3-I’d avoid the audiobook excuse. Quiet contemplation, getting your thoughts in order, weekly call with your grandma maybe: sure. But if she’s pushy enough you feel like you “have” to go along with carpooling, she’s potentially pushy enough you will find yourself wanting to get out of a carpool AND a book club

    1. UKDancer*

      Yes any of these. I mean from what I can see the OP has never said she doesn’t want the ride and the other person probably thinks she’s doing a good thing by offering the ride. If OP doesn’t want the ride just make a polite excuse. The ride offeror might actually be happier not giving OP a ride but offering for politeness.

    2. Slow Gin Lizz*

      Yes, I agree. I think the best excuse really is that you have to run some errand on the way to or from the meeting, or that you plan to meet a friend for dinner on the way home or something like that. For people I haven’t wanted to carpool with to rehearsals I’ve had in the evenings after my day job I have used the excuse of “Oh, I’m not going to be leaving from home, I’m coming from the office and the timing is really tight” for people who live near me who wanted rides. (Timing is an awesome excuse to give with people you know really want to be early for rehearsals; they won’t risk being late or even just on time.) However, after reading AAM for years I finally stopped giving excuses at all and just said, “Oh, sorry, I can’t carpool this week,” and the people I didn’t want to give rides to stopped asking. So maybe a simple “Oh, thanks for the offer but it won’t work for me this month” repeated each time boss offers will work, OP, with the added bonus that perhaps boss will get the hint and stop offering.

    3. Artemesia*

      The ‘I need to make other stops along the way’ is the most solid. and if pushed, it is ‘well these things aren’t predictable and it isn’t convenient to be matching schedules with someone else and possibly inconveniencing them.’

  24. Timothy (TRiG)*

    #1 If you’re making a backup of the site before doing anything else, I would not rely on screenshots. These will not preserve stuff like image slideshows, are hard to work from, and are definitely not what your new developer wants to see. Instead, use HTTrack Website Downloader. It’s free software you can download and install on your computer, and it’ll give you a full backup of the site and its publicly visible content. It’s a static site, so contact/login forms won’t work, and it won’t contain anything that’s private, behind a login screen. But when you’re passing the data to a new developer, it’ll be in a format they can understand and work with.

    The other thing it’d be nice to get is a full database dump. I imagine that Fergus has a custom CMS in a known language (such as PHP or Python, most likely), but it’s not impossible that he’s actually created his own language: that is a hobby for some people. However, it’s vanishingly unlikely that he’s created his own database manager. That’s almost certainly an off-the-shelf solution such as MySQL, MSSQL, or possibly even Access. Whatever it is, if you can get a full dump of the database and a HTTrack backup, your new developer probably won’t even want to look at the existing code, so you don’t need it.

    (I’ve been in the position of the new developer in this situation more than once.)

    1. Peanut Hamper*

      Yes, I was coming to recommend HTTrack. It’s super easy to use, and it’s free.

      But hell, if you’ve got some savvy wiz kid sitting around, you can download an entire website from the command line using wget, which is baked into every Linux distro out there.

      1. kitryan*

        If they download the whole site/database is it also useful to do some screenshots of the live site to kind of show how it’s currently operating? Or maybe if there’s specific functionality that the current site has that is particularly custom that they really need, doing some screen recordings of how it works? Kind of providing a phenotype to go with the genotype of the downloaded site?
        In case there really is some super weird set up where how it’s supposed to output is unclear, to help the person or company that they end up working with – I don’t know too much about the topic but I am curious as to how tough it could be to sort out the site info from a downloaded copy.

        1. Peanut Hamper*

          You can’t really pull down anything with HTTrack or wget that you can’t get with a web browser. They’ll pull down images, html files, javascript and css files, and anything they find at the end of an internal link.

          So you could theoretically just toss those files onto a web server and have a functioning website.

          But if there is a database that people use to log into the website, these tools won’t be able to pull that down. But at least you could recreate your website content in a different content management system by just copying and pasting from these files, rather than retyping everything by hand.

        2. Timothy (TRiG)*

          HTTrack should be able to recreate a static copy of the current site. That is, it’ll preserve everything that doesn’t require server-side cleverness. (The HTTrack version will still have contact forms and login forms, but they won’t work, because they require data to be sent to the server and do something. A HTTrack copy of Ask a Manager would still have this comment box I’m typing into now, but it wouldn’t do anything when the submit button is hit.) Screenshots or screen recordings of anything publicly visible are probably not needed, but would do no harm. Screenshots of the non-public part of the site are probably more useful.

          1. kitryan*

            Thanks guys for the answers, I’m strictly a ‘makes my own website from templates’ person, so I only sort of get what’s ‘under the hood’ but I find it all interesting!

  25. Emotional Spock*

    LW 2 – Boss wants a greeting in emails? I’m all in when it comes to Malicious Compliance.
    Here are some I’d start with in future CC’d emails:
    G’Day Mates,
    ‘Ello Gov’nors,
    And lastly, the “full Smithers” – Hididley Ho, neighbor

    1. Peanut Hamper*

      I laughed, but most of these would probably result in a write up, knowing this boss.

      Interestingly though, “Ahoy” is what Alexander Graham Bell thought people should say when answering the phone. I regret that we didn’t go with that choice.

      1. MigraineMonth*

        I like that French uses a different word to say hello on the phone (“Allô!”). German uses the standard greeting, but a different way of saying goodbye (“until I hear you again” instead of “until I see you again”).

    2. Governmint Condition*

      I like the space alien standard of “Greetings.”

      BTW, I’m sure you meant Flanders, not Smithers.

    3. The Shenanigans*

      You can also go the historical route:

      How now,
      Good Morrow,
      Greetings unto,


      All of these are perfectly polite, just dated. So any write up goes to the ridiculous boss’s boss or HR.

    4. fhqwhgads*

      You mean “full Flanders”, no?

      Also I regularly receive work emails with greetings like G’day, Howdy, Hiya, and I did used to work with one person who consistently used Ahoy!

      But I don’t work with people as unreasonable as LW2’s boss.

  26. Kiitemso*

    I hope LW 1 gets the website back from Fergus and I hope they write an update on what happened and how they did it!

    1. LW1*

      LW1 here: I am addicted to the Updates posts so I will absolutely be sending in an update! Or two. However many it takes!

  27. antiqueight*

    I had this manager – she wrote me up for having a poor communication style because I didn’t always open and or close with the formal greeting/sign off. I ended up adding the sign off to my signature.
    So many things about that work place and that manager have left me with nervous ticks and twitches which are now out of place in my more accepting and.. I suppose normal.. environments.

  28. DJ Abbott*

    #1, don’t let Fergus help with the new website. He’s very likely to sabotage it, or try to create a repeat of the current situation. He sounds like someone who would do pretty much anything, so don’t let him near it.
    When it’s time for him to go, have security ready to remove him if necessary. Change all the locks, both physical and technical, so he can’t get back in.

  29. Needs Coffee*

    OP1 – lots of people have already addressed the technical aspects of the website themselves. But the part that’s got me extremely concerned for your organization is that someone *not* your treasurer is holding on to mission critical data, with apparently no backups. I am also making assumptions about things you didn’t say and have concerns about your membership and contact information lists.

    I am known as a pessimist and a negative Nelly about financial and PII in our all-volunteer organization, but your org may want to have a lawyer and a CPA on alert in case Fergus threatens/sabotages your data.

    Get your data out ASAP! And then please put security and backup procedures in place for the future.

    1. Keymaster of Gozer*

      From years of experience with these type of people I can guarantee he’s going to threaten to delete the whole thing the instant he catches wind that his game isn’t working any more.

      Screenshot everything first. And keep the files on a system HE doesn’t have access to. I get that OP may think some of us here are paranoid but we’re paranoid for a reason.

      1. DJ Abbott*

        I’m not a techie, but I’ve experienced people like Fergus. Yes, he will go there.
        It doesn’t hurt to be prepared, just in case. If preparations turn out not to be necessary, that’s ok.

    2. The Shenanigans*

      Agreed. It is simply not possible to be too cynical or suspicious when it comes to INFOSEC. Every single story that starts with “I never thought they would do that!” ends with “…but they did and it cost us dearly.”.

  30. Les*

    “I and the rest of the staff thought of a great nickname for you! We mostly use it when you’re not around, but since you like nicknames so much we could start using it to your face…unless you want to drop nicknaming altogether.”

  31. I should really pick a name*


    I don’t know what the financial state of the non-profit is, but if the situation is that critical, I think the organization should look at paying someone to set up a website as opposed to hunting for volunteers.

    1. Peanut Hamper*

      The thing of it is, though, with the solutions that are available out there now, you shouldn’t have to pay a professional to set something up.

      I can spin up a WordPress website from the command line in about five minutes. I can add admins and regular users in about another five, if there aren’t a ton of them. I can register a new domain name and if I choose a registrar close to my host’s physical location, DNS propagates in about 30 minutes.

      So all told, I can have it up and running in about an hour, and that includes time to make a cup of coffee.

      And all of that will be far more secure than anything Fergus has come up with.

      1. I should really pick a name*

        The main thing that makes me think “find a professional” is the reference to a database for the treasurer. That sounds like something you don’t want to take chances with.

        Additionally, they haven’t found any volunteers yet, so paying someone might be the only way to make it happen at all.

    2. MigraineMonth*

      If they shell out for an out-of-the-box website solution, I think they will have no trouble finding volunteers (or learning to do it themselves).

  32. Captain dddd-cccc-ddWdd*

    OP2 (greetings and sign offs in emails) – if it is just a preference of the boss you probably need to go along with it, but I wonder if it is symptomatic of the boss jumping to conclusions in other areas as well.

    1. Artemesia*

      he is decade out of date on email etiquette so I suspect he is full of bees in other ways too. Yes you have to do it because the boss requests it — but he is waving a red flag at you.

  33. Nopity Nope*

    LW1, lots of good advice already. There’s an org that matches virtual volunteers with non-profits, and website setup/management is a pretty common request. Look into catchafire dot org. You can request advice on the best out-of-the-box solution for your organization, help with initial setup and updates going forward.

    (For anyone else working in a non-profit or who is interested in volunteering, there are tons of other projects, including design, data analysis, interviewing, and much, much more.)

    Also, it seems unlikely that the treasurer’s database is actually part of the website per se, and more likely that it’s simply in a database accessed via the website. If that’s the case, there’s a good chance that the data can be exported to Excel or another program. Same with other components. If no one has the specs on the site, it might be useful to do some exploring to see if there are options to export or otherwise extract key data just in case Fergus goes nuclear.

    1. kiki*

      Yes, I was also going to call out that unless Fergus has done something incredibly wild or takes away access to the database, getting information from the current database into some other program should be very straightforward and would allow the treasurer to continue forward with their work, though there might be a learning curve with whatever new program or database software is used.

  34. Peanut Hamper*

    With regard to #2, it really depends on the context for me.

    If I am writing an email to somebody cold, about something for which they have no context (i.e., this is a completely new topic), then yes, I’ll include a greeting. It seems weird not to.

    But if it’s a follow-up to something we were just discussing recently, then I probably wouldn’t include a greeting. But my first paragraph would also reference that earlier context: “Also, Daryl is changing the TPS report covers we were talking about from blue to green” or “Heads-up on the Smith project: I gave you the wrong date. It should be the 16th and not the 15th.”

  35. Sloanicota*

    #5 – if you’re looking for someone to affirm that this sucks, it does. Your whole company is being laid off with, as you say, essentially no severance, just a few weeks of notice (which granted is still better than some scenarios, but probably doesn’t make you feel better). They are basically saying they don’t mind if you walk out today because you’re no longer necessary. I doubt you have legal recourse but you can certainly feel crappy about them, leave a crappy glassdoor review about the owner’s lack of loyalty, and take your favorite stapler with you on your last day. Meanwhile, job search.

    1. Peanut Hamper*

      They don’t mind if you walk out now because that would be a voluntary quit and you probably wouldn’t get unemployment in that case.

      And this is definitely a case of “no severance”. Severance is money you get after you stop working; it’s not the money you get for the work you do between being informed you are let go and that actual last day. The fact that the company is mis-using this word is very disturbing to me.

      1. Lady_Lessa*

        Yes, it does. Once I was laid off, but to get severance I had to sign a paper saying I was leaving voluntarily. By that time, I had been through enough layoffs to avoid that. I lawyered up, and got both the severance and release from my non-compete agreement.

        Unemployment grin. Because I was working in one state, but living in another, I had to file with the employer’s state. No problem, until the time I had to go in for an in-person check. That truly involved going to the main office (far side of the city) and signing in on a computer in their lobby. What a waste.

      2. I should really pick a name*

        In my experience, severance is in lieu of notice.

        Basically, instead of giving you X weeks notice of your layoff, they pay you for X weeks and your last day is today.

        1. Sloanicota*

          True, but I guess I’ve heard of plenty of people who were told same-day that they were being downsized/laid off/fired not-for-cause and not given another penny, usually because the business was going under*, so I’m trying to say the company’s only shred of courtesy here is that they’re giving OP a heads up and “letting” them work till the end of the month at their current salary. Still pretty crappy but they are probably telling themselves since they gave you the shot at another job they don’t owe severance. If I was OP I’d try to get a job at the other company just to stay employed longer, maybe plan to stay in a hotel or something while I job search and GTFO pronto.

          *I work in a sector with small organizations that rarely meet the 50 person standard; perhaps OP does not.

  36. NonprofitsAreWeird*

    For those of you questioning that a treasurer could need to use the website to do their job, non-profits are weird. I’m working for a non-profit now. It appears to be normal practice to treat your website as an offshoot of your CRM system that runs most/all administrative functions other than internal HR. When I started our website was horribly constrained in the weirdest ways because it was an afterthought on top of a database designed for member management added on when websites became a necessary thing and only grudgingly updated since. It’s billed as a plus because it’s assumed the main point of your website is to attract members and to handle donors.

    About a year ago we updated to a more modern, more feature-rich version of this. It’s got a lot more features but it still has weird idiosyncrasies and is designed to manage members and donors with the website as an offshoot, although they do provide the mechanisms to support a better website. Specific types of data (such as financial) can be sent to other systems but that’s a choice and needs to be configured or it remains local.

    I have no idea if this is the type of setup the OP has, but I suspect yes. Fergus may have customized a lot of stuff to get it to behave as desired and some of these systems are older and esoteric (like our original system). Migrating was not fun but it was doable.

    If so, the OP doesn’t just need a new website, they need to replace all of the underlying functions too. Good luck!

    1. Peanut Hamper*

      You mentioned this up above, and I appreciate the more detailed insight here. This is definitely not the way businesses operate, but is the normal for non-profits, I guess. Interesting!

    2. CommanderBanana*

      Really good point. I’ve worked almost exclusively for nonprofits (sob) and this has been true of several of the places I’ve worked. Also weird, grafted together systems or systems that have to be updated across several platforms because they aren’t dynamic.

    3. Sloanicota*

      True although ours also handles some of HR *LOLsob* (at least job postings and applications).

    4. Saberise*

      The treasurer posted above (well thinks they are). She said it was basically to see when people renewed the memberships, which is likely through the website. The actual accounting is through something like Quicken.

  37. The Dude Abides*

    Re: #4

    It depends entirely on the individual context/vibe within your office.

    I have a nameplate holder outside my office, and I have two nameplates that a report had made for me – one is “professional,” the other has a nickname, lists my title as “Department Boss Man,” and has a non-traditional color scheme. Most days I have the normal one, but 1-2 days a week I’ll switch to the “Boss Man.”

    Would this fly at most offices? No, and I acknowledge such. Within my current office, it is pretty on-brand with the vibe my boss is trying to cultivate. For context, I work in a satellite office of a state agency, and the office is not open to the public under any circumstances – even the contracted janitors have to pass background checks in order to work in my building.

  38. CommanderBanana*

    Hoo boy. I have been a volunteer at various organizations, both nonprofits and government agencies, for years and there are so many issues with this situation. Managing volunteers can be extremely challenging at the best of times, but having a volunteer be the single gatekeeper for a mission critical platform was such a terrible decision from the outset.

    You have got to transition to a new website as soon as you can, and you need to hire someone with the technical expertise to do it quickly, and try to salvage what information you can from the existing website. This is so way beyond what you should be expecting to be able to do with volunteer labor. IMHO, there is no way to “fix” this that involves Fergus or continuing to depend on a volunteer to do it.

    1. Sloanicota*

      If I’m understanding correctly, the organization is all-volunteer, which is a set-up I’ve seen work okay for certain missions with a certain board, but probably always prone to gaps in professionalism.

  39. LW1*

    LW1 here: omg so many amazing comments (and *squeee* Alison answered my email!), please please please keep the advice coming. I am so very thankful! A few observations seem to be common throughout the comments, so some more details: my background is history and political science. Thanks to friends and family, I know enough of the lingo the hip kids are using when it comes to websites, databases, programming…all that tech stuff…but otherwise my knowledge is, “Why, yes, those words are in English…” There is another board member that is a programmer so maybe I can get them to come reply to some of these more technical comments. I am, the board is, very much concerned that if Fergus finds out about all this, he’ll pack up his toys and go home – but as Alison and others have pointed out, that may happen anyway for a variety of reasons. We’ve been trying to do things without his knowledge (and please keep that in mind with the rest of my comments below) but I’m now thinking we need to bring it all out into the open and let the website fall where it may.

    A few years ago, we did try to create a web team to rebuild the website but, well, life happened, and ultimately, no new website was created. I’ve been wanting to restart the web team for a while now and this latest incident has spurred me back to action. However, we’re finding it extremely difficult to find people in our organization to participate. (There are 250 or so active members in our organization. We’re small but fun!) We’ve asked everyone we know with programming skills, but no one’s said yes and it’s not like I can tie them to a desk and make them build a website. I find it very frustrating that no one is happy with this situation, yet no one is willing to help.

    Our webmaster does work for one of the big tech companies, so to a certain point, I do trust him regarding security. However, I say again, I’m not a programmer so when it comes to security, backups, data privacy laws, I have to trust the word of him and others that security is up to standard, that we do have backups of our data, etc. Although, we do have members internationally so whoever brought up the European GDPR, thanks, I am now terrified and need to go research what in the heck that is :)

    I have mentioned in the past that it does seem like hiring someone to do the initial build is the best solution, but we don’t have gobs of money floating around and I have no idea how to find someone that would probably have to be paid at intern or “capstone project for senior in college” levels. And then would they even be skilled enough to deal with all the security stuff I don’t understand? That last question is best answered by someone else is our organization but again, no one is willing to help.

    To whomever mentioned HTTrack and Taproot, I am absolutely going to be looking into those this evening, along with WordPress. Thank you!

    And of course, I will absolutely be updating!

    1. Pescadero*

      “I have mentioned in the past that it does seem like hiring someone to do the initial build is the best solution”

      No… you need to hire someone (or subcontract it out) to be in charge of it forever. Not just the initial build.

      This is not a job you can depend on volunteers for, unless you want to be guaranteed of repeated failure.

        1. No Tribble At All*

          Yes, one of my friends is a small business owner and she contracts out her IT. She shockingly doesn’t have a website but has someone who can help her with IT/computer problems, proactively creating backups, data security, that sort of thing. She said she was skeptical at first but has found it very helpful. It is a service and it needs to be paid for.

      1. MigraineMonth*

        I think this depends on the complexity of the site and how much the org is willing to pay for an out-of-the-box solution. For example, I don’t think you need a programmer or an IT professional just to update WordPress every once in a while, but you would need to pay WordPress’ ongoing costs.

      2. Seven hobbits are highly effective, people*

        I disagree that hiring someone is the best way to go for this org. They can decide between hiring a person to run their custom web stuff, or offloading their various web things to companies that run those sorts of services and paying them. For a small org that lacks the infrastructure to train and supervise an IT team, offloading to external vendors that usually deal with small businesses or other non-profits in their niche is almost certainly a better choice.

        Like, I could hire a person who knows enough about mailing lists, keeping personal data secure, how to stay off spam lists, etc., to deal with all of our email communications, or I could pay Mailchimp a monthly fee to deal with it instead. I could hire someone who knows enough about database design and programming to make some sort of customized membership database, or I could license an existing product that already does that, because there are quite a few products in that space already and several of them are targeted at the small business level rather than large enterprises. I really recommend that an org like this see how many things they can outsource like that, because it’s much more sustainable to find a string of volunteers to post meeting minutes on a WordPress site, compose mailings to send through Mailchimp, or do the initial data-entry to add a new member to the membership site than it is to find someone to take over the weeds of a homegrown, complex website with all kinds of custom database nonsense.

        Sometimes there just isn’t an appropriate tool because your use-case is too niche and non-commercial in nature, but at this point my particular org is down to only ONE custom database with legacy code system and we’ve managed to find commercial replacements for the rest of them. (That one is really niche, and really is worth it for us to maintain at this point because it saves a lot of volunteer-hours over every other tool we’ve found, but it’s definitely something where I check every few years to see if there’s a solid tool with a similar feature-set as either an actively-maintained open source project or as a commercial tool. Also, ours is not run by an information-hoarder, it’s just old and full of the kind of legacy code where it’s hard for a new person to get started so most new people tend to nope out once they see the codebase, plus the original coder has not released it any place with version control so updates from him have to be integrated into things from our fork through more…old-school means (we have version-control on our fork, but that only helps so much). I know I will eventually be dumb enough to get involved with the actual code, but I’ve been avoiding it as best I can so far.)

        1. Seven hobbits are highly effective, people*

          Also, when you’re looking for a jack-of-all-trades person who will take a low salary to be your only paid IT person (probably part time), overseen by a Board of non-technical volunteers, there is a non-zero chance that you have just hired a brand-new Fergus and will now be paying for the privilege.

    2. OrigCassandra*

      It may make sense, when you talk to some of your techier volunteers, to split this problem in two or even three:

      * ditching Fergus and getting the website on a sustainable platform, a one-time project
      * documenting the new platform for others’ use
      * handling ongoing maintenance and updates

      I personally wouldn’t want to do all three of those… but I’d volunteer for one of them! Maybe even two.

    3. Keymaster of Gozer*

      I know you say that that you have so many people and they are all volunteers and you can’t affrod to pay a professional to sort this but –

      – if you want to continue you going to have to. Now there are many IT professionals who’ll negioate a reduced rate for non-profits IF the job is clear and outlined well (we need more than ‘just sort this and we might need changes. Know clearly what you want to end up with – what functionality does it have? What data needs to be stored and where? etc).

      It’s like hiring someone to do the financials for the company – yes technically you might be able to get away with someone just volunteering their time but the risks are enormous. Sorry but this is going to cost money to fix.

      (And the GDPR thing – well, let’s just say if this site containts any personal data about staff in europe or the UK you *really* need to get a professional in. The fines are large)

    4. Dog and cat fosterer*

      I have volunteered with so many animal rescue nonprofits where IT and financial work was done by an unpaid volunteer, so I don’t agree with the commenters who say that every nonprofit has to hire someone otherwise it will be a disaster. One rescue recently completely updated the look of their website and a couple volunteers did everything. These volunteers used the previous content, it was maybe 20-40 pages total, and they created a couple new application forms instead of downloading and filling out a PDF file. In their case no maintenance is needed because all data is kept offline and almost every rescue uses social media (Facebook) to share adoptable animals.

      It is a very different situation when there is a database with financial info because that results in security issues, but the idea that nonprofits all have to pay for IT expertise for their websites is at odds with the many, many, many small nonprofits and charities that can’t afford it and find another way.

      1. doreen*

        I tend to think that what happens here is that people have a very specific view of what a non-profit is and why one would have a website and also how much money they have. I’m not talking about whether they can afford to pay a professional , but I’ve been the treasurer for organizations that rarely have as much as $1000 in the bank and it’s not going to be a disaster just because I’m not a professional. ( if it’s going to be a disaster, it’s going to be because I ,specifically, am not competent)

    5. Marionberry*

      Good luck LW1. And fwiw, as someone who works at a cash-strapped nonprofit, you need to prioritize acquiring the necessary funds to fix this. Perhaps you can pitch it to a couple of your most loyal donors. You’ve tried to fix it in-house, it’s a precarious situation, and getting the money to get it done needs to be your top priority.

    6. Quandong*

      Hi LW1,

      thank you for explaining a bit more!

      From the outside you seem to be *severely* underestimating the trouble your org is in. There should be alarm bells ringing in your ears!

      Please take seriously the advice from posters about privacy and information security.

      Honestly this looks like a debacle which could end the org and result in legal action against the board, including you.

      This is not the time to ask for volunteers!! You need to pay professionals for legal advice and IT right away. Undoubtedly this goes against the culture of your org but you must take these measures.

      Good luck!

    7. Observer*

      Our webmaster does work for one of the big tech companies, so to a certain point, I do trust him regarding security.

      Nope. Firstly, you don’t really know what he does and it’s quite possible that he doesn’t know all that much about security.

      Secondly, even if he *knows* that doesn’t mean that he is actually doing everything that he needs to be. Keep in mind that he is contravening one of the most basic rules of security and survivability by insisting on being the single point of failure. That’s Business Continuity 101! Using a language that he created but hasn’t finished is only slightly less problematic from a professional and security point of view. (That’s assuming that this is what he actually did. If he’s lying, well….)

      On top of that, the guy is not trustworthy, so there is that. He could be doing all the right things other than holding your site and data hostage, but if he decides to blow it all up, that’s not going to help you since you have no access to any of it.

      Although, we do have members internationally so whoever brought up the European GDPR, thanks, I am now terrified and need to go research what in the heck that is :)

      GDPR is the data privacy law of the EU. And yes, if you breach it and that is found out, you’re probably going out of business.

  40. Telephone Sanitizer, Third Class*

    He’s not a manager, but there’s a guy in my office who’s been the recipient of a lot of goofy nicknames. He’s not a fan of it but doesn’t complain, but imo it’s starting to get a bit annoying.

  41. OhNo!*

    OP1: Re-read what you posted, “The security and continuity of this database is, obviously, critical, and there are many other parts to our website that would make our members very unhappy to not have access to.”

    Regarding Fergus, no one can speak to him and find out what he’s about, what does he want, accolades, money, what? The first mistake was having him use his own code to create the website, and the next was to let him run amok with it. Find a trusted web programmer to help you figure out the best way to backup all the data and then put it into a format that is more widely used. I sincerely hope Fergus had to sign some kind confidentiality agreement so if he does use the data in some nefarious way there will be legal ramifications.

    If I was a donor to your organization and got wind of this, I would be very concerned.

  42. Falling Diphthong*

    OP1, I want to pull out this line, though it’s not the crux of your problem.

    We have had conversations with him that, admittedly, might have been too gentle, but honestly, I don’t think he’s genuinely listening.

    I think Fergus is deeply devoted to being difficult. But for more normal people and circumstances, sometimes being over gentle makes the recurring complaint into background noise. “Mmm, mmm hmm. I hear you saying that you do not like it when I give people nicknames. Uh huh–Wait! You said I’m going to be on a PIP, or fired, if I don’t cut it out?! Why didn’t you tell me this was a problem!”

    And many offices do have the recurring Complaint About The Commute, or Complaint About How We Used To Have Bagels On Thursdays, and no one is expected to do anything but hmm and nod and agree that it sure is like that. It can be easy to lump a recurring gentle complaint in with Why The New Copy Machine Is Worse.

  43. Alex*

    Making a simple website is not that hard. Anyone can learn in a few days.

    Make a list of “We must have X on our website for our business to function” features. If nothing on that list exceeds text, images, or forms, you can definitely have someone learn to do it fairly easily.

    If it does exceed that, you may need to hire someone, but literally thousands of people can do this for you, and you may even be able to find someone who values your mission who would give you a discount.

    1. M*

      Not getting a professional to do professional work is how they got into this mess in the first place. Highly do not recommend.

  44. Essess*

    For the website, if that website contains data that belongs to the organization, then you really should speak to a lawyer to prepare for any legal needs to order the db access and records to be handed over to the organization, and also prepare any warnings about destruction/sabotage of data. That data does not belong to Fergus, it belongs to the organization so there are legal repercussions to Fergus if he denies access or destroys the data.

    First start by letting Fergus know that you want a backup of the data for audit and security purposes. Once you have the actual db data, then the rest can be recreated by any web developer. If he tries to refuse, that’s when you bring out the prepared documents declaring the rights of the organization for access their their own data.

  45. Marzipan Shepherdess*

    LW1: Many people have offered excellent suggestions about what to do with your agency’s website preparatory to booting out Fergus and replacing him (and his personal computer language -WTH?!). However, there’s another aspect to this that LW1 emphasized – and it has nothing to do with technology.

    Fergus is so toxic that LW1’s agency has lost members (again, WTH?!) and no one wants to work with him. Getting him out of there should be Priority One, right up there with finding someone to take over running the website! One “abusive bully” can poison an entire small agency, and Fergus is doing that right now. LW1, please heed the suggestions offered here and recognize that getting this man out of your agency is crucial to its continued success. Reputations can spread like wildfire today, and you DON’T want Fergus to be known as representative of your entire agency.

    1. CommanderBanana*

      Right? I have seen this happen with small nonprofits in my years in the nonprofit world, and this is a great way to ensure that your nonprofit is crippled or eventually ceases to exist except as a letterhead.

      1. I Have RBF*

        IME, the smaller the non-profit, the bigger the egos. The most f’ed up non-profits that I’ve worked with have been tiny little fiefdoms with more politics than community impact.

        Yes, managing volunteers is hard. I’ve done it, including having to fire a volunteer because they were causing friction with several others who were doing us a big favor for free. But you have to hold everyone to certain levels of professionalism, or else the whole thing devolves into pettiness, arguments and egos.

        The moment a volunteer is more invested in their ego than the mission is the time to cut them loose.

    2. Falling Diphthong*

      One of the sadder sociological truths I’ve encountered is that one great person doesn’t impact the group as much as one horrible person. (Picture each armed with an axe.)

    3. Liane*

      LW 1:
      There is an epic saga* in the archives about a rogue museum volunteer who was doing everything from holding part of the collection hostage in his home to running off a salaried staffer. I t doesn’t involve IT but I strongly suggest reading those posts. They might be give you and your board an idea of the magnitude of grief your org is in for if you don’t get control of your website/database and sever ties with Fergus. (I will go searching & will reply with link if I find it.

      * = 2 or 3 update letters

  46. El l*

    Alison is absolutely right about the “hit by a bus” rubric – and that’s a basic best-practice for computer systems learned from endless horror stories.

    And a just-as big second one is: Don’t ever leave financial controls in the hands of a software* developer! Because that’s effectively what you’re doing here. Namely, if you don’t understand the treasurer’s database, you have no way of verifying he has not built a back door to hide or move money. Google as examples “FTX”, “Jerome Kerviel”, or “Kweku Adoboli” if you want to see examples of people using system knowledge to hide embezzlement and fraud.

    This is an organizational-survival level problem. You need to fire him ASAP, and spend money to buy 2 pieces of off-the-shelf software to handle your financial controls and your website. He should never have been in control of the website, let alone financial plumbing. Need to rectify that now before something worse than his bad attitude happens.

    *Or even someone very proficient in IT and similar systems

  47. Quill*

    LW 1: This stood out to me. “Fergus built our website some number of years back, in a computer language he invented and hasn’t finished developing.”

    In addition to transferring your website, you also need a written policy that you will not be working with untested tech in future. I’m honestly surprised that the site functions on multiple browsers if Fergus isn’t using anything standard enough that they will interact with it. Especially if it was designed “some years ago.” If Fergus’ claim resembles reality the basic functionality of the site on all platforms – multiple browsers, multiple browsers’ mobile apps – needs to be verified.

    There’s also the strong possibility that Fergus is lying about inventing a whole computer language to puff up his qualifications. Either way, you need to make a website that more than one person can upkeep, and this is important – do not tell Fergus until it’s already live, so he has less time to interfere. (Ideally this is when you also tell him you won’t need him and his behavior anymore at the organization, and make sure he gives up control of the site he built.)

    1. Alex*

      Yeah I had this thought too–really? He made up a language? Hm…..I’m calling some bs right there. Sure, you can make up computer languages. My computer science 101 course had concept questions based on a language that they made up, to avoid anyone cheating! BUT….that doesn’t meant that you can just throw that up on a server and anyone with your standard Mac or PC can type in www. fergussucks .com and use your site.

      Has Fergus just SAID this, knowing that no one else has enough tech knowledge to call him out on it? That would be diabolical and we definitely need an update!

  48. RagingADHD*

    #4. Don’t call people out of their name.

    Their name is whatever they tell you their name is.

    It isn’t complicated. It’s a very simple corollary of Wheaton’s Law, which is just as applicable IRL as online. It is completely legal to fire people for violating Wheaton’s Law at work, and IMO it should be done far more often.

  49. The Shenanigans*

    Ugh the ridiculous greeting boss makes me crazy. I’d be super tempted to use super casual greetings like what up dawg and yo yo bossman, etc. Or write [boss decreed greeting here] then continue on.

    What I’d actually do is use historical or over the top formal greetings for fun (if the office culture was up for it) eg greetings unto [name]. Or I’d just go for bare minimum like “Hi -” with no name or anything and just sign off “- bye.”

    If anyone said it looked weird or I didn’t need to use a greeting I’d say plainly [boss full name] ordered it done, take it up with them.

  50. Lemondrops*

    #2 – if the email was between you and your co-worker, how did your boss know about it? Is the bigger question to be asking here really why your boss is seeing every email (which Alison has addressed in the past)?

    1. Eldritch Office Worker*

      “She gave me an example of an email I had recently sent to a colleague and cc’d my boss for visibility

  51. Lauren*

    Hire an intern to copy and paste every piece of content on the site to another place. You could also hire a college student who has experience in web design, but needs a portfolio. It is a lower cost for you because they normally would not get first jobs without showing past work.

    There are scrapers for meta data like Screaming Frog for a small cost or free if site is under 500 pages. There are scrapers for all content visible to users too for a cost. After that switch hosting with Fergus’ help, then hire someone else to port the content more seamlessly into WordPress or something. The platform needs to be switched, but protect yourself by saving the content at least before he destroys it as Wayback Machine only saves so much. Save what you can before telling him.

  52. Thurley*

    OP1: Act fast! People like Fergus are very protective of their power and are often extra sensitive to changes in the wind. I’d assume he’s already on high alert from you writing this letter. (think body language and how you treat him vs any technical spying, but don’t rule that out) Your mannerisms have changed in the process of deciding to act instead of suffer.

    I recommend a summer “executive planning retreat” as soon as possible to get this done in a day or two. Call it a planning retreat, but this should be a “doing” retreat. Make fast decisions and make them happen that day. Reach out to organizations similar to yours and talk to their tech person. See if one of them is available to get even just the structure set up so you can enter information as you get it. Be sure they understand they can’t reach out to Fergus out of professional courtesy. Also look to high school and college students for data entry and other technical help. They’re much more tech savvy, faster typists, and are often looking for volunteer opportunities for college applications and degree requirements.

    Your database and financial information is your first priority. The rest can be recreated. I’ve learned from experience not to trust “home grown” accounting “software”. You want quickbooks or some sort of official equivalent designed by accountants not programmers. Even professional financial software can be manipulated by someone who knows what they’re doing. Again, I’m not implying malice or theft, just people being lazy or expedient, or making the data show what they think it should. It might be worth having an audit done to make sure your financials are solid. You can also reach out to your local branch of the United Way (our United Way has a volunteer group to evaluate grant applications) and VITA tax office to find financially savvy volunteers for this piece.

    How much money can you throw at this problem? Both to make Fergus go away and to create your system going forward? Is there a donor you can reach out to for some quick funding? You absolutely can do this on the cheap, but as the saying goes: you can have fast, cheap, and good…but not all at once. Fast and good are the priorities I’d choose. Also, would Fergus go more quietly with a cash gratuity for all his years of service?

    Fergus is being abusive both financially and mentally. Expect him to break what he can on the way out. Expect him to hold things hostage. Fortunately this is nothing new to the technical people who volunteer and work with small businesses and non-profits. They’ll know how to deal with lost or hijacked access to accounts and services or they’ll know someone who does. And those services have done this before as well and will have procedures for reclaiming access. He doesn’t have as much power as you think he has. I’d also be willing to bet his “language” isn’t so special or mysterious. It’s probably based off of something else and he may only have his own library of tools and calls it a language to make him seem more important and powerful. Plus, his stuff has to work with the internet so it has to follow certain rules.

    This recovery and recreation process seems scary and overwhelming to you, but to other people this is very doable and fun. I’d love a project like this. But be sure going forward that no one person holds all the access to mission critical tools and information.

    1. I Have RBF*

      But be sure going forward that no one person holds all the access to mission critical tools and information.

      This is critical. I’ve worked in volunteer orgs where I’ve been The IT Person. I always kept things in a state where I could hand them off, and indeed tried to spread the info around to avoid the bus problem. Because I didn’t want to be obligated for the rest of my life. The smaller the org, the more mercurial the politics were. More than once I’ve been asked to turn stuff over so that “my nephew who needs work experience can do it”, or some such. It was annoying, but nepotism in small orgs doesn’t slow down to even a jog, much less a crawl. As long as it was being done, it was fine, although sometimes it felt like I was being replaced with a person that had no clue. I still did a diligent handover, because I always kept that stuff ready in case I needed to quit for my health, job search or vacation. I learned long ago that being a single point of failure or the “only person who can do X” actually sucks.

      If someone is building an empire, even an empire of one, they need to get cut off at the knees. Any personal issue that they have (illness, accident, lotto win, angry snit, etc) can be disastrous to your org. It’s fine to have volunteers in those positions, as long as they understand that they have to have backups/seconds/fully capable assistants, etc.

  53. J!*

    LW #1 if you’re a union affiliate (just a guess, since you talk about 1st vice president and treasurer) definitely check with your international to see if they have any resources they can share with you! There may be a staffer who could help support a transition, or even a free out-of-the-box solution they can offer.

    (Same goes if you’re not a union and part of a national group of other nonprofits like yours. Even if it’s a loose network, they may have more ways to help than you realize.)

  54. Everything Bagel*

    LW2, I agree with Allison’s advice for you, but wanted to add that something I do when I convert from an IM conversation to an email is start by writing, “Per our IM conversation,” or “Further to our IM conversation…” because it helps me understand the conversation if need to refer to it sometime later. It makes more sense to me and possibly others that it’s being extended from a separate conversation and there’s not something missing from the email, which could be confusing. Otherwise, yeah, your boss is being silly with requiring a greeting, unless she would consider what I suggested as a greeting. I do.

  55. El l*

    You rarely see companies design their own financial databases, and there’s a reason for that. There’s a long history of people with software knowledge who are able to hide transactions and steal money because they know how to hide it in the system or the code. They have the ability to cover their tracks.

    You need an industry-standard financial software, or you leave yourself vulnerable to fraud and embezzlement from Fergus. Even if he’s trustworthy, that is not best practice, and if you undergo audits I would be shocked if the auditors didn’t point that out.

    He needs to go ASAP, and there needs to be a willingness to buy off-the-shelf financial software that can be understood by multiple people. (And then you need to address the website)

  56. Mark This Confidential And Leave It Laying Around*

    Re: Fergus the gate-keeping webmaster? DON’T tell him you are migrating to a more useable platform (wordpress, Squarespace, Wix, the list is long and accessible). Just get started. Your treasurer can screenshot/download what she needs to start building TODAY and begin migrating critical information right away. Only assign migration to people you trust to maintain a cone of silence on this. Assume he will find out eventually. Then delete his email address from your system and fire him. He’s a computer virus in human form.

  57. I should really pick a name*


    Why would you want to give someone a nickname if you even have to ask yourself whether it could get you fired?

    That strongly implies that you have some sense that they don’t want a nickname, or they don’t want that particular nickname.

  58. skadhu*

    Lots of people have already gotten into the details of what you need to do, but… You have two issues to deal with. One is your problem with Fergus and one is your problem with organizational attitudes toward paying for services.

    As others have said, there are lots of ways to access and recreate a website, and a professional will know exactly how to do it. Fergus could certainly sabotage the existing site, but he cannot actually hold it hostage in the way he’s telling you that he can.

    Hire a professional to do the basic tasks of getting a new domain name and host and create a new website using a common platform like WordPress and a template that is as simple as possible given your requirements. Much of any backend CMS can also be set up using bog-standard software. A lot of software is free if you only want to do simple things; if your needs are more complex you may need to pay for it. But a pro can advise you as to what will work best for you (and it may be that you don’t actually need your website to do really complex stuff even if Fergus said you did).

    In your position, you can’t afford not to hire a pro to get you out of this mess.

    Ultimately you can have them create a website that any non-expert can fairly easily update and add to. Once that is done and a volunteer is trained, you can stop paying the expert if you really need to, but you need to think about that carefully, because backend management is more work than you may think it is.

    And that means looking at your second problem going forward. A lot of small nonprofits try to get everything done by volunteers because they want to save the money to fund the actual services they provide. This is ideal—but the ideal is not always practical when it comes to technical stuff. Note that a cost-benefit analysis of whether to hire or only use pros, if the analysis is done by non-experts, can easily miss a lot of hidden costs because non-experts don’t know the entirety of what is involved.

    And of course there’s the question of security, especially if you are dealing with member databases and/or financial info: do your non-expert volunteers know how to ensure that data is protected? Are you in compliance with privacy legislation? Making sure things are set up by a pro can prevent a lot of headaches down the road.

    I’m on the board of a nonprofit currently dealing with this exact problem. A lot of tasks (such as creating and managing a website or database or communications generally) have gotten more technical over the years, because what we can do in those areas has gotten more complex (which works to our benefit!). Though we want and need to have volunteers handle as much as possible, we’re realizing that there are some things that are much more efficiently and competently and securely done by professionals—and that if we don’t hire professionals those tasks won’t get done at all, and that will impede our “real” work.

    My advice (all of which has been said by others) is to hire a professional to get you out of the mess and set you up for success in the future. You can ask a pro to set up a system that can be at least partially run by volunteers going forward, but you need someone who is an expert to do at least that part of it. And you need to look closely at the actual pros and cons of contracting for ongoing services from professionals.

    And do NOT tell Fergus this is happening until it is complete.

  59. Observer*

    #1 – Hostage Website.

    Allison is right, but she wasn’t strong enough. What is going on puts your organization in jeopardy. You are also putting your Board and possibly some of the top level decision makers in legal jeopardy. I know that this sounds hyperbolic, but “database for our treasurer” says that you’re dealing with fiscal data that almost certainly includes things like credit card data, bank information and / or payment information for vendors and consultants – some of whom may individuals, so you’ve personally identifiable information PII in the mix. All of the membership features mean that you are probably holding sensitive membership data there, too. And again, the rules and regulations about this stuff can be really tough. And keep in mind that even if all you have is name, date of birth (dob) / birthday and age, and telephone # / Address, you are holding what is considered legally protected PII. Depending on what you are doing and where you are located, there could be a whole additional layer of regulations involved.

    Try to get a volunteer to redo the site from scratch with no help or input from Fergus. But if you can’t *pay for it* You don’t really have any choice in the matter. Insisting n volunteers in this case is like insisting that you’re not going to pay your rent or utilities and you’re not going to pay for supplies. How are you paying for hosting right now? Pay for the consultant on the same basis as you pay for that.

    Depending on the regulations you are almost certainly violating, you may be better of shutting down if you can’t pull off a rewrite. But even if your not facing that level of risk, the damage to you if people realize what is going on is severe. And if you have a data breach – or Fergus decides to weaponize his access to your data even more, that could easily shut you down. And in that case, the odds of someone coming after you are high, even if they cannot point to a specific law you broke.

    Alison’s advice to look at WordPress is excellent. There are tons of very solid add ons, so you should be able to do whatever you need to, one way or another. I would also look at SquareSpace for hosting, as they have a lot of features to help with the “back end” stuff. I’d still use WordPress, and code as much as you can in WordPress because that gives you a lot of flexibility. But SquareSpace (or a similar service) can help you get the more back end stuff up much more easily and quickly. And if you ever need to move, you’ll still have your data and most of the web site.

  60. astonished nerd*

    A website in his own unfinished language? WTF? That’s one hell of a power move.

    I would see if you can convince him to export the database as a csv file or something. Maybe claim you want to back up all his hard work. Or someone else is interested in how it works and wants to see a summary. Then you can reconstruct the database from that

    1. CeeCee*

      Fergus from #1 may be one of those folks who obscured the work to “protect” their work. Definitely power move. It’s not good, but I’ve heard it done in many places.

  61. Audiophile*

    I am the first vice president of a nonprofit. We’re all volunteers, including our webmaster, Fergus.

    Everyone’s a volunteer? That can’t be right.

    Regardless, no one should be the sole keeper of any task. It’s just too risky.

    1. Orange You Glad*

      Why can’t that be right? I work with plenty of all-volunteer organizations.

    2. Seven hobbits are highly effective, people*

      There are many, many small non-profits that work this way. Some of them have been around for decades. Think less “run like a business, but doesn’t make a profit at it” and more “overgrown bowling league” here. (I can think of several niche performance groups on the ren faire circuit that are organized this way, as well as fan-run conventions and other similar things. It wouldn’t surprise me if the actual faires are also run that way, come to think of it.)

      However, the further away you get from “12 person barbershop group needs someone checking their email address regularly to see which festival applications were accepted, and if any of them are paid this year, and I guess the website should have a link to our YouTube channel with performance clips and also a contact us form” and into “actual business is transacted on our website” your needs scale accordingly.

  62. Rick Tq*

    OP1, you might have someone Fergus trusts explain just how much legal trouble he would be in if he did anything to impede the organization moving their website to a new platform. He might be the webmaster now, but that doesn’t give him any special ownership, he is doing work for hire.

    The first thing you need to do is contact your domain registrar and have it moved under organization control instead of Fergus (which it may be now)..

  63. Immortal for a limited time*

    LW #1 – is the bully volunteer merely the only one who *understands* the database? Or does he actually have possession of the only copy of your organization’s data on a server or cloud storage or hard drive (or whatever) that he owns and controls? If it’s the latter, that was really not smart of the organization, but still, the data does not belong to him and you might be able to force him to securely transfer it back to you by hiring an attorney. If the organization has ownership of / access to the actual data behind the website, then doing what Alison suggested is what the org should have done yesterday. Take him out of the equation. “I’ll build you a website using an obscure language that nobody but I can know about or understand”? Um, no. The red flags are so large they have enveloped all the common sense that should be required to run a nonprofit.

  64. Snooks*

    Assume that Fergus is a genius and don’t underestimate how malicious he could be. Hire a top- notch expert (no interns,volunteers, etc) to sort this out. It will be cheaper in the long run. Before you start moving or copying data, consider that Fergus may be monitoring activity on the system and attack.

  65. FD*

    Fergus is a problem, but I also think you don’t realize how potentially bad this situation is.

    It sounds to me like you’ve got a single service running both your front end, the part that number see, and your back end, your database and other customer information.

    What exactly does that mean?

    Do you store full credit card information by chance?

    What about bank account and routing information for your entity or others?

    Do you have information about minors, such as full names, addresses, or contact information?

    Do you store any social security numbers?

    Right now, I would be less worried about Fergus denying you access to the website then I would about Fergus having access to the information that he does, and what will happen if it’s not properly secured.

    I’ll be honest, if you’re not only an all volunteer organization, but you’re not paying anybody to manage your website or for a CRM, I’m suspicious that the situation probably isn’t salvageable and that what you should really be doing is thinking about shutting down because the funding clearly isn’t there.

    I understand there may be a knee jerk reaction to that if you serve vulnerable populations, but what exactly happens if the personal information with those vulnerable people gets out there, especially if you serve populations who could be significantly harmed by their information being leaked? (For example, if you serve trans people and your client database gets leaked, potentially outing people.) You might be better off finding a partner organization that will help out your clients.

    If you want to keep existing, you really should have your website and your CRM as separate entities. The CRM can handle things like securing client information. If you need some of it to be publicly searchable, find a CRM that has a compatible plugin with whatever you use for your website. Squarespace is very good for simple websites with relatively simple integrations, WordPress will handle more complicated integrations.

    With Squarespace, you’re probably talking a few hundred dollars a year. If you need to do an integration with WordPress you might need to hire a professional, which will run multiple thousands of dollars. If it’s a pretty simple integration, you might be able to do it yourself, and then you’re down to just paying hosting costs and domain costs which are going to be few hundred dollars a year.

    1. SB*

      “With Squarespace, you’re probably talking a few hundred dollars a year. If you need to do an integration with WordPress you might need to hire a professional, which will run multiple thousands of dollars. If it’s a pretty simple integration, you might be able to do it yourself, and then you’re down to just paying hosting costs and domain costs which are going to be few hundred dollars a year.”

      And there is probably someone out there who would be willing to donate the money to achieve this if they let a few of the right people know what they need.

      Bloody well thought out & written reply BTW.

  66. Anne Shirley*

    In addition to not telling Fergus, I would even go a step further and not divulge how you dealt with the situation. Use vague wording such as “The matter has been dealt with.”

    Don’t give Fergus any ammunition for a hissy fit about “HIS work,” not that he has any grounds for one. His contribution (even if he really did invent the code) is the volunteer equivalent of a work-for-hire. Plus you do not want to get into an endless back-and-forth with this guy about how you’re making a huge mistake and are not equipped to create a new site without him. This is not a negotiation.

    Make sure there is at least one other volunteer present when you “fire” him. Safety in numbers, witnesses, etc. Fergus is not going to go quietly.

  67. Dedicated1776*

    If you have to ask if you can call someone by a nickname, you aren’t close enough to call them by a nickname. This is true at work and personally.

    1. Jackalope*

      I mean… doesn’t that go against the whole gaining consent part? Part of my experience as someone who like giving – and receiving – nicknames is making sure the person is okay with it before using it. It usually means there’s a certain level of comfort with them beforehand, but I try to give them veto powers before calling them something else.

  68. Orange You Glad*

    LW 1 – I’m going through a similar scenario right now with the nonprofit I volunteer with except we reached the “hit by a bus” stage with our Fergus and he withdrew from all obligations with our organization very abruptly. We are now in the panicked stage of picking up all the pieces of what he was gatekeeping and trying to understand what he was doing.

    As a group, you need to take a stand against Fergus. Do what Allison and others have said and start rebuilding your website on a new platform. Transition any systems Fergus has been managing. I’m assuming if the website database is tied to your Treasurer’s activities, it probably relates to donations or issuing grants/funds. The Treasurer should be managing that system going forward with your website person just managing the integration with the website. But you all need to be united on this front since you will get pushback from Fergus and any of his supporters.

    In a way, you are lucky Fergus is only holding the website hostage – that can be changed. My Fergus was also our Treasurer and had his hands in all kinds of systems and relationships. We found a lot of activities that shouldn’t have been done or should have been someone else’s responsibility all along. We also had a registration system he completely built/coded himself that no one could understand so we are starting fresh with an out-of-the-box solution this year and moving on.

    1. June*

      Very doubtful. I know the person who’d be in the Fergus role and I don’t believe he’d do that. Also, it’s not written in a language he made up. Ruby on Rails has its issues, but that’s not one of them.

      1. Zoe Karvounopsina*

        I keep wondering if one day someone’s going to write in about AO3, but their biggest problems would probably be too identifiable.

  69. Coverage Associate*

    Re #1: additional advice from a non techie who has been in a similar position, only our website people got dementia (the techie) and died (less techy, but had all institutional knowledge).

    For small organizations, I really encourage that bills come in paper form. We lost our website briefly and a couple members because no one paid the web hosting bill because it went to emails associated with the unavailable people. Had a paper bill come, it would have been seen and dealt with. (Organization leadership using personal emails for organization business is another issue, but I know it costs about $7/person to fix, plus someone to manage the emails.)

    We also had accounting on bespoke software. It took a CPA to sort it out, and our accounting still will never satisfy a CPA or pass an audit. It could have been very expensive if the family of one of the deceased members hadn’t wrapped the CPA’s time sorting out the organization’s finances into her time sorting out the individual’s finances and paid for all of it.

    The solution going forward for the accounting was a quickbooks subscription, which I think is $70/month for what we need. There are non profit bookkeeping for dummies books that assume you are using software like quickbooks and may be available from the public library.

    You still have issues with both not sharing passwords but still sharing necessary information in case of sudden illness, etc.

    For the website in general, we pay a professional about $1000/year to make small changes and easy regular posts. The original website was $10000 maybe? Again, paid a professional.

    1. I Have RBF*

      Hosting: I know a hosting company that used to have free hosting for non-profits, not sure about now. They offer WordPress sites, with WP support and unlimited email for $20/month. There are probably several out there.

      Finance: Most accounting software for non-profits has a monthly cost. IIRC, QuickBooks for NonProfits or Aplos are the primary ones. Figure $70 – $150/month.

      Password/Access: A tricky thing to handle, but insist that all role-based passwords are backed up in your office safe, or some other method to recover access if a volunteer disappears. Ideally, multiple people have root level access to recover things.

    2. Orange You Glad*

      Also, if paper invoicing doesn’t work (I know it wouldn’t for my org) I recommend shared email addresses for things like billing and communicating with outside contractors. We have some set up so when our QuickBooks subscription is due, the contact email actually goes to 5 of us. This helps with visibility, transparency, and accountability. We also used these general emails when signing up for master accounts on the systems we use so if one person drops out, we can still recover the password and get access.

  70. Ollie*

    Make a list of all the functions the website does. Pick one that is most important and find a way to replace it perhaps with an out of the box system like Quickbooks for the treasurer stuff. Do double entry for a while to make sure everything is coming out equal. Then pick the next most important. Or, if you can get a look at the code have a consultant take a look at it. I find it hard to believe that Fergus has created his own language. More likely he is using something obscure or outdated.

  71. IveGot99ProblemsAndYoure12thOnTheChecklist*

    re: Fergus
    If cost and skills are a concern for replatforming your website, try searching for your local Hackerthon. LOTS of communities have 24 ‘thons where developers band together to do pro bono work. Local web dev bootcamps may also be a resource. Bootcampers are always looking for solid work to add to their portfolios, and non-traditional students going through these programs tend to bring a lot ancillary experience and knowledge to the table that you might benefit from on ways you’ll certainly never experience being held hostage

  72. BobX Flashbacks*

    LW1’s Fergus situation really reminds me of a classic post on thedailywtf, “We Use BobX” – a web developer claims to have invented the programming language underpinning an organisation’s webservers, but a new developer’s curiosity reveals that BobX is just obfuscated PHP (a language in common use throughout the Internet).

    I wonder if Fergus is also a reader of thedailywtf & was inspired by Bob (despite the fact that Bob is very clearly the villain of the piece)? It seems really unlikely that he’s actually developed his own language from scratch…

    The article’s a good read (although perhaps moreso for developers)!

    As others have suggested, crawling the website in question & right click > View Page Source are likely to be useful tools for exfiltrating as much as you can without Fergus noticing.

  73. SB*

    LW4 – can we please have a thread on the stupid nick names we have given to managers & collegues over the years & the reason for these nick names? I need a laugh!!!!

  74. Bruce*

    The question about nick-names for managers and how they may react to perceived disrespect reminds me of a story: in the early 90s I was hired into a small group at a big company… I found out that the manager was considered a “maverick” and our project was his chance to prove himself. Part of his schtick was he’d programmed his workstation to play a sound clip when he got emails, depending on who it came from. Most were clips from The Simpsons… For some people it would be Bart uttering a rude word, for others it would be neutral or friendly. For his boss, it would be Homer saying “Gee… Bart”. He went on vacation and left his workstation on, for the whole week I was hearing and “Gee, Bart” sounding from his office. Shortly later he moved on, apparently his maverickyness had worn out the welcome, and we got a much saner manager who didn’t have his work station mocking the grand-boss. To be clear, we were doing a good job with the resources we had and we’d had some success, but after a year I’d seen how bad things were overall and I made that the shortest time I’ve ever spent in one place.

  75. Hillary*

    #1 – get your financials – print them, download into a spreadsheet, screen shot, download into a plain text format, all of the above and any other way you can. Get your reports – audit reports especially, agenda reports, agendas and minutes, annual reports. Get your domain names – does this volunteer have control of your domain names? your email addresses? Those can do a lot of damage, so get them under your control if at all possible. If not, set up new ones and be ready to do a full court press and point “we have moved to…” immediately. Also grab the domains of anything related to your organization now.
    I would do this all before I even approached your volunteer about moving products or sharing responsibilities. If it goes haywire, you at least have critical info to retype into a new software if you have to. If you are ready with a massive “point to new website” campaign the damage he can do with a domain he controls can be dampened down a little bit.
    You can and should also point out – cybersecurity (is this homemade software up to snuff for dealing with a hacker/infohostage situation?) Board liability (do you have Board insurance if you lose all your financials, don’t pass an audit, and a donor sues you?) All good reasons to act, but I would button up my info as best as I could before I did just in case you create further chaos. Then, down the road, Board policy about redundancy, selection of software and platforms, security, and insurance.

  76. judyjudyjudy*

    Just to add to the nickname thing, even if the nickname you have in mind is not offensive, some people at work like to use their full name as part of their work persona — Margaret at work, Molly at home, for example. In particular, I’ve known a few women who do this, perhaps in an effort to emphasize “I’m a working professional, not a child.” So there might be a gender dynamic here.

    I know it’s been said 1000 times already, but for any person, if you try to give them a nickname and they ask to be called something else, please respect that request.

    1. Rick Tq*

      Continuing to address your manager by the nickname you made up for them after being told to stop and address them by their real name looks a lot like insubordination to me.

      Do it enough times and it isn’t a joke but a serious discipline issue, enough I think the offender should be terminated. Defying directions from managers can get someone killed if they ignore safety warnings.

  77. Wintermute*

    Way late to the party to add for the website situation– Fergus’ system is NOT good and is a disaster waiting to happen, potentially a very expensive one. it may look impressive but it’s a house of cards waiting to come down at any moment in ways that may not be survivable (e.g. if you end up being sued or lose all your data).

    Internet security is hard, even people using best-in-class solutions get things wrong and leave vulnerabilities. When people “roll their own” ESPECIALLY if they’re doing so from top to bottom (“full stack” as they say in the industry) they often don’t even know enough to know when they are making a huge mistake.

    Is the backend secure? Does he sanitize input properly to avoid injection attacks? Would he even know enough to know if he had? Do his password stores have vulnerabilities common among those who are going on their own know-best like unsalted password hashes or shared salts? Does he even know what that means or does he think “salted hash” is something you get at an all-night diner? Can you munge the URL string to give yourself access to secured data or elevate your access level or privileges? can you perform a URL-field buffer overrun?

    What about the site front-end? Does he use insecure methods of hiding input fields from unprivileged users like simply not having the CSS sheet or HTML display them, leaving you vulnerable to anyone who can right-click “inspect element” or to use of the chrome console to directly access page elements? Are things that should not be cached stored in cache or data loaded into memory that is sensitive even when not required?

    Beyond that there’s things like, is his custom tech stack poorly performant, leading you to lose google page rank needlessly? Are you vulnerable to a catastrophic data loss because the database has failure points and can’t be backed up by off-the-shelf disaster recovery software?

  78. Sandra*

    to the writer with the monster volunteer website developer- have you considered finding a younger volunteer that could white hat hack into the existing site and gather all the information you need?

  79. Nanny Ogg In Training*

    Letter1 was eerily similar to the situation my own group found itself in. Our Fergus kept all the web development and updating to himself, while sulking and tantruming when asked to do his job. Eventually he threw HIMSELF under a bus when some of the members, sick of his obsessive gatekeeping, set up a social media account without his permission! After much screaming and ranting, he took his toys and stomped off (he owned the domain and the server).
    So, what happened was: one of our members taught himself to code and built us a whole new website. It’s not perfect (credit where it’s due, Fergus was a good developer) but it works well enough and we can update it without having to placate a ranting man-child.
    This may not be appropriate for LW1’s organisation, but it proves that work-arounds do exist, and can even work quite well!

Comments are closed.