On Sun, Feb 8, 2009 at 5:42 PM, Mike Meiser <[email protected]> wrote: > Sad to hear. :( > I'm assuming he was running wordpress? > > I've seen way to many wordpress blogs hacked. The problem is just maintence, > you have to keep wordpress constantly up to date to patch security holes. If > you don't it will inevitably get hacked. Same goes for all server side open > source.
You are being naive, Mike. It has nothing to do with the software being open or closed source. Maintenance is not a problem, it is what you have to do. Maintenance and backups. Make sure you backup your site every time you post a new episode of your show. Here's a good piece of information on how to make backups of your MySQL database via phpMyAdmin. http://www.siteground.com/tutorials/php-mysql/mysql_export.htm > Many times I've wanted to redo my blogger.com blog in wordpress, indeed > wordpress is simply better, but the truth is blogger.com is virtually hack > proof since there's absolutely no server side code running. It's all handled Oh, boy. Where do we begin? blogger.com does run server-side code. A weak password is platform-independent. Sftp does not prevent hackers from getting at your blog, because there are other ways. Passwords: sftp protects them in transit, but there are other ways of getting in, like dictionary attacks. A weak password will let the bad guys in no matter what tools you use. A colleague of mine had her Google account hacked a couple of weeks ago. The reason was a weak password. Google account are used to authenticate the users of Blogger. Here's another story of a password being hijacked using another method: http://www.davidairey.com/google-gmail-security-hijack/ Buffer overflows: will help the hackers get at a site without breaking in via FTP. Sometimes posting a carefully crafted piece of code in a comment form will be all that's required to pull the pants off your site's butt. XSS: can be used to hijack passwords/user information. SQL injection: a skilled hacker can delete your database without breaking into your account, if the code does not do extensive checks. All he/she has to do is send SQL commands to delete your database. They don't need to know the username/password, because the blogging software that communicates with the database behind your blog already knows both... the database trusts the software and deletes your data. It's beautifully simple if the blogging software doesn't clean the data it passes to the database. And let's not forget those nice Web 2.0/Java things and plug-ins. The more of that crap you put on your site, the higher the likelihood of someone finding a way to break into it. > by blogger.com and written to the server via sftp. I've really come to > appreciate this rock solid security and ZERO maintenance, and to be honest > it's the primary reason I simply recommend blogger over wordpress to anyone > who wants to self host on their own domain. The exception being if they're a > developer and already running code on their server, in which case they're > probably aware enough of the maintenance issues to run wordpress. > > Lately I've been doing a lot of work in the bike industry and it seems the > entire industry from shop owners, to racers to bike makers runs almost > exclusively on a blogspot hosted ecosystem. It simply works. I'm sorry Mike, but I wouldn't go to the bike industry for security advice. Using SFTP is good higene, but it is not a replacement for a vaccine. > P.S. a good auto-backup system or version control system for your blog is a > MUST if you run wordpress. A lot of hosting providers include this stock. Off-site backup is a better solution. If it means burning a DVD with a backup of your database and all files and taking it to a safe place, so be it. -- Jacek Artymiak http://devGuide.net Facebook: http://www.facebook.com/group.php?gid=50168432081 Twitter: http://twitter.com/devguide RSS Feed: http://feeds.feedburner.com/devguide-net Our latest book: Mastering OpenOffice.org Calc http://www.devguide.net/books/moooc1 vi(1) Tips: Essential vi/vim Editor Skills, 1st ed. http://www.devguide.net/books/vitips1 [ sent from my MacBook Wheel ]
