On Sun, Feb 8, 2009 at 5:42 PM, Mike Meiser
<[email protected]> wrote:
> Sad to hear. :(
> I'm assuming he was running wordpress?
>
> I've seen way to many wordpress blogs hacked. The problem is just maintence,
> you have to keep wordpress constantly up to date to patch security holes. If
> you don't it will inevitably get hacked. Same goes for all server side open
> source.

You are being naive, Mike. It has nothing to do with the software
being open or closed source.

Maintenance is not a problem, it is what you have to do.

Maintenance and backups. Make sure you backup your site every time you
post a new episode of your show. Here's a good piece of information on
how to make backups of your MySQL database via phpMyAdmin.

http://www.siteground.com/tutorials/php-mysql/mysql_export.htm

> Many times I've wanted to redo my blogger.com blog in wordpress, indeed
> wordpress is simply better, but the truth is blogger.com is virtually hack
> proof since there's absolutely no server side code running. It's all handled

Oh, boy. Where do we begin?

blogger.com does run server-side code. A weak password is
platform-independent. Sftp does not prevent hackers from getting at
your blog, because there are other ways.

Passwords: sftp protects them in transit, but there are other ways of
getting in, like dictionary attacks. A weak password will let the bad
guys in no matter what tools you use. A colleague of mine had her
Google account hacked a couple of weeks ago. The reason was a weak
password. Google account are used to authenticate the users of
Blogger. Here's another story of a password being hijacked using
another method:

http://www.davidairey.com/google-gmail-security-hijack/

Buffer overflows: will help the hackers get at a site without breaking
in via FTP. Sometimes posting a carefully crafted piece of code in a
comment form will be all that's required to pull the pants off your
site's butt.

XSS: can be used to hijack passwords/user information.

SQL injection: a skilled hacker can delete your database without
breaking into your account, if the code does not do extensive checks.
All he/she has to do is send SQL commands to delete your database.
They don't need to know the username/password, because the blogging
software that communicates with the database behind your blog already
knows both... the database trusts the software and deletes your data.
It's beautifully simple if the blogging software doesn't clean the
data it passes to the database.

And let's not forget those nice Web 2.0/Java things and plug-ins. The
more of that crap you put on your site, the higher the likelihood of
someone finding a way to break into it.

> by blogger.com and written to the server via sftp. I've really come to
> appreciate this rock solid security and ZERO maintenance, and to be honest
> it's the primary reason I simply recommend blogger over wordpress to anyone
> who wants to self host on their own domain. The exception being if they're a
> developer and already running code on their server, in which case they're
> probably aware enough of the maintenance issues to run wordpress.
>
> Lately I've been doing a lot of work in the bike industry and it seems the
> entire industry from shop owners, to racers to bike makers runs almost
> exclusively on a blogspot hosted ecosystem. It simply works.

I'm sorry Mike, but I wouldn't go to the bike industry for security advice.

Using SFTP is good higene, but it is not a replacement for a vaccine.

> P.S. a good auto-backup system or version control system for your blog is a
> MUST if you run wordpress. A lot of hosting providers include this stock.

Off-site backup is a better solution. If it means burning a DVD with a
backup of your database and all files and taking it to a safe place,
so be it.

-- 
Jacek Artymiak
http://devGuide.net
Facebook:
http://www.facebook.com/group.php?gid=50168432081
Twitter:
http://twitter.com/devguide
RSS Feed: http://feeds.feedburner.com/devguide-net
Our latest book:
Mastering OpenOffice.org Calc
http://www.devguide.net/books/moooc1
vi(1) Tips: Essential vi/vim Editor Skills, 1st ed.
http://www.devguide.net/books/vitips1

[ sent from my MacBook Wheel ]

Reply via email to