I’ve worked in the digital marketing agency as a web/app developer for over a decade and I can tell you that every single agency I’ve worked for (and with) has a problem that’s been growing and that Generative Artificial Intelligence (G-AI) is going to make it worse.
Slow Self-Destruction
Over the years, our technology has become awesome. From desktop computers to tiny little smartphones in our pockets, people have been spoiled with expecting (and receiving) very pretty websites. Behind the scenes at digital agencies in particular, it’s always been the designer that works with the client to design something beautiful. In most cases, this designer was very good at design, but did not have any technical background. In a lot of cases, they also didn’t have a lot of UX skills either, since many of these designers pivoted from print design to digital design. They went from creating a story from a single, static page (like a billboard, magazine, pamphlet, etc.) to having to create an interactive story that included user interaction. I’ll tell you it’s a completely different skillset so it will have a learning curve for anyone making the evolution. Let me be clear, I am not blaming designers for what I’m about to say next—they are just as much of a victim to this trend as the developers are.
Beautiful websites were the demand from our B2B clients. When project managers created timelines, the design phase would take nearly 3x as long as the development phase. If the design phase took longer than expected, deadlines did not shift. Instead, it just forced the developers to develop quickly. A lot of the time, the phrase “just make it work,” was used to make a website good enough. So long as the finished product looked like what the designer made in Illustrator or Figma and all the buttons did what they were supposed to, nothing else mattered to the client, to the project manager, to the designer, to literally anyone else.
Tangent: At the first digital design agency I worked at, I was given an Addy Award [an award given at the annual American Advertising Awards competition hosted by the American Advertising Federation (AAF)] to take home because the website I worked on won the Gold Addy in its category. The only reason why they gave me the award and allowed me to walk up on that stage to receive it was because the designer nonchalantly said how they already had so many. I bet you they don’t even remember saying it but the memory of their face and those words are burned into my mind—it’s a reminder of how much power they held and I didn’t—a reminder of how much their role and their contributions were valued by the company and mine were not. I didn’t even want to think what the pay difference was.
If I’m being honest, this process killed me inside little by little. It meant writing code to “Band-Aid” something instead of actually fixing it. It meant adding yet another CSS file to overwrite styles because you didn’t have the time to parse through what already existed to actually change it. Websites became bloated because code and assets were always being added onto instead of modified. Site performance wasn’t even considered until Google made it a factor for ranking higher in search engine results. Security vulnerabilities were being unknowingly created because we didn’t have the time to go back and review for them. Despite being on a team of developers, I rarely ever saw anyone else’s code because our job was just to output a designer’s vision as fast as possible, not consider the quality of the code itself.
The Nail in your Coffin
With the introduction of G-AI as a product for businesses skip the web developer (and the meager wage associated with us) to generate their own website’s code, this is only going to amplify the self-destruction of businesses that use it.
Why? Well, can you guess what code trained these Large Language Models (LLM) that the G-AI is using to build your website?
You got it. It’s the shoddy work of undervalued and underpaid web developers that was written to “just make it work.” So yeah, you saved some money, but… did you? What is going to happen next? What’s the problem since you got your beautiful website without having to pay a web dev? Let me tell you.
The Consequences
You are going to get hacked and you’ll spend hundreds, if not thousands, of dollars trying to clean it.
Your site’s performance is going to bloat which will mean your search engine rankings are going to drop which affects your bottom line since conversions will drop too.
Users are going to bounce because your site won’t load in 2 seconds or less on their phone which, again, will affect your bottom line since that’s a lost potential lead or conversion.
You thought G-AI was the solution since things like this might’ve already happened with the web devs you were paying but didn’t value. Sorry, but the joke’s on you. We saw it coming but had no power to stop it because you never valued our expertise.
AI Can’t Innovate; Humans Can
I recently worked with a client to clean their website riddled with malware, the backdoor-dropper kind. Neither Wordfence’s paid plan nor Sucuri found these files. Not even WP Engine found them in their “malware cleanup” service until I handed them a list of files I deleted and said they could verify their malicious contents/code in the backup.
So how did I find them? Well, I know WordPress’ file structure quite intimately and I know what files are supposed to be there and what files aren’t. I saw some files with unexpected names and/or file extensions and opened them up in my IDE and guess what! They were mostly shell scripts with comments written in Russian.
This is the part where I used G-AI: I copied the code from the file (CTRL + A, CTRL + C), pasted it (CTRL + V) into my platform of choice and asked in the prompt what does this code do? Here’s what it said:
⚠️ Caution: This is a highly suspicious and potentially malicious script.
On the surface, it claims to be a “System Update Configuration” from the “Linux Foundation,” but its behavior is classic obfuscated malware.
Here is a breakdown of what the file actually does:
1. The Encoded Payload (
jeqOdYZA)The large block of gibberish text is a Base64-encoded, Gzip-compressed binary blob. This is a common technique used to hide the true intent of a script from simple text scanners or casual observation.
2. The Execution Mechanism (
vFTvCPfunction)The function at the bottom performs three steps in a “pipeline”:
base64 -d: It decodes the gibberish into raw binary data.gunzip: It decompresses that data (which is a compressed script).bash -s -- "$@": It feeds the resulting decompressed script directly into a new Bash shell to execute it immediately in memory.3. Why is this dangerous?
- Impersonation: The header uses “Linux Foundation” and “System Update” to trick you into giving it root/sudo privileges.
- Evasion: By using
2>/dev/null, the script hides all error messages. If the decompression or execution fails, you won’t see any warnings on your screen.- In-Memory Execution: The script never saves the “real” code to a file on your disk; it runs it straight from memory, making it harder for basic antivirus software to catch.
What is inside the payload?
I decoded the string for you. The hidden script is designed to:
- Check for Root Privileges: It verifies if it’s being run with
sudo.- Information Gathering: It collects system info (OS version, CPU, IP address).
- Persistence/Backdoor: In many versions of this specific “template,” it attempts to download a secondary payload or add a line to your
~/.bashrcorcrontabto maintain access to your machine.Recommendation
Do not run this script. * If you have already run it, assume the system is compromised.
- Check your outgoing network connections and look for unfamiliar processes.
- Check your
~/.ssh/authorized_keysfor any keys you didn’t add yourself.Would you like me to help you check your system for signs of a breach or explain how to safely analyze suspicious scripts in the future?
Even though I’m a pretty awesome Senior Web Developer and WordPress expert, finding the 30+ files in their source code did not require that level of expertise—but it did require eyes and a human brain.
So What Now?
Stop killing your business and start valuing your human web developers. I’m sure you’ve heard the phrase, “AI won’t replace people, people using AI will replace people,” and that’s true. G-AI won’t replace us web devs, but the PM’s and designers that prompt G-AI to generate websites will gain that workload instead. These non-tech people are, as I said earlier, are aiming for something to “just make it work,” so once they get a generated result that does that, their job is done. Unfortunately, your newly generated code is likely to:
- introduce security vulnerabilities (a good dev will sanitize and escape output)
- not be flexible enough to handle multiple scenarios (a good dev will always validate input before manipulation)
- not include error handling (a good dev will set up some kind of notice or alert if went wrong instead of crashing with a white screen of death)
- timeout on production when handling large datasets or high-volume traffic (a good dev knows how to perform a load test and why it should be performed)
- use deprecated functions (a good dev will use current best practices to “future-proof” their code)
- use unnecessary libraries (a good dev will consider if loading a full library is worth the amount of functionality they’re looking for to avoid decreased performance)
- use code snippets from the “Accepted” answer on Stack Overflow instead of the one with the highest votes (a good dev can differentiate which answer is better for their current needs regardless of what the question-asker chose X number of years ago)
You know, things us programmers think about without being prompted 🤷
Looking to hire an Experienced Web Developer?
Consider me. I offer a few different types of site audits to help your website be the best it could, because it’s your digital storefront after all.
| Accessibility Audit (aka SEO audit) | Accessibility shouldn’t be an afterthought. I review websites and web applications for how accessible they are for both humans and machines. For humans, I look to follow guidelines set by the A11Y Project and compliant with the Americans with Disabilities Act (ADA). For machines, I look at standards set by Web Content Accessibility Guidelines (WCAG), World Wide Web Consortium (W3C), and that metadata and content are optimized for search engine consumption (SEO). |
| Performance Audit (aka UX audit) | With this audit, I check every page to make sure it loads within a reasonable amount of time both on a mobile device and a desktop experience. I also go through each and every UX process your website or web application has for its users such as a product checkout experience or password reset to identify any “pain points” that would lead someone to abandon the process. It shouldn’t be hard for them to give you money! |
| Safety Audit (aka Privacy Audit) | Human safety and privacy is an important value of mine, so this audit checks that the website or web application meets current standards for internet safety, data privacy, and technical safeguards regarding any legal regulations that you may be required to comply with such as the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), and/or General Data Protection Regulation (GDPR). |
| Vulnerability Audit (aka Security Audit) | I check that the website or web application is clean of malware and other unwanted data as well as having reasonable security measures in place against bots, hackers, and preventing online content from being scraped for unauthorized use in training Large Language Models (LLM) and other generative AI. |
If the audit reveals areas of improvement, I’m happy to give you a 10% discount off my hourly rate to implement the solutions.
