Recent posts on news sites and famous blogs are starting to question the safety of WordPress.
The first thing that struck me about these posts was this quote from Robert Scoble:
“A few weeks ago some hackers broke into my blog here (this was before 2.8.4 was released). At first I thought they just left some porn sites in a couple of blog entries. So we upgraded WordPress (I was on 2.7x back then). Deleted a fake admin account. Deleted the porn sites. And thought we had solved the problem. We didn’t.”
I will be reading more of his articles shortly, but my first thought was “This is a tech blogger????”. First of all, he was still on 2.7.x a couple of weeks ago. Doesn’t he read the security notes? Doesn’t he know the importance of updating software, especially internet-facing software?
Have a look here: http://codex.wordpress.org/WordPress_Versions. The last version of the 2.7.x series was 2.7.1, released on 10th Feb 2009. It was superseded by 2.8.0 on June 10th, almost 3 months ago, and he still had not upgraded? Ok, I know the unspoken rule about not upgrading to a version X.0 release. But after 2 months and 4 updates, come on. There were enough reports and reviews around to know that it was safe to do this. It’s not even hard work: the automated update feature takes all the work out of it and is not even onerous.
Ok, the above point to one side. No backups? This is a commercial site? No backups? I have to ask again: no backups? Bearing in mind he had just been hacked a few weeks ago, I would have created a backup immediately, checked for software updates, deleted the old version off the server completely, reinstalled the latest version from scratch, and then restored articles and comments.
Don’t they have any additional security in place, such as ModSecurity? That might have prevented the hacks.
I am sorry, Mr Scoble, but the fault here lies totally with you and was totally under your control to prevent. Blaming WordPress for your failure to update in a timely manner and to keep up with updates is disingenuous. How many people on the hosted version of WordPress at http://www.wordpress.com were hit, exactly?
Ok, I was starting to rant there. I apologise to Mr Scoble for singling him out on this issue, but he is known as a Tech “Evangelist”, which is a word certain to get my back up. He also works for the company that offers “Fanatical Support”. He painted a target not only on his chest but on his back with that combination.
Will my WordPress install get hacked? I hope not, but I don’t count on it. I therefore install additional security measures, and I keep regular backups not just of this software but of everything on the server. I am on the security mailing lists for every bit of software I use and for the operating system I use. I estimate it costs me less than 20 minutes a month to do this, but the hours it saves in the long run are beyond value to me. I do this even though this site is just a bit of fun for me and generates no income, either directly or indirectly. I am not even sure that it is read, to be honest.
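The recovery steps above (back up first, check the installed version, reinstall from scratch) and the regular backups just mentioned, as an added example script that is not from this post or from the WordPress project. It assumes the install directory is passed as the first argument, that the database credentials are the define() lines in wp-config.php, and that mysqldump, if present, can reach that database; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): snapshot a WordPress install and flag an
# outdated core before cleanup. Assumptions: install dir is $1, DB credentials are
# the define() lines in wp-config.php, and mysqldump (if present) can reach the DB.
set -eu

# Print the core version recorded in wp-includes/version.php ($wp_version = '2.7.1';).
wp_installed_version() {
    sed -n "s/^[$]wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Print the value of define('NAME', 'value'); from wp-config.php (NAME is $2).
wp_config_value() {
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1/wp-config.php"
}

# Succeed when dotted version $1 is older than $2 (2.7.1 is older than 2.8.4).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Archive the files and dump the database into $2; print the archive path.
# The DB password goes in a 0600 defaults file rather than on the command line.
backup_wp() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$2"
    tar -czf "$2/wp-files-$stamp.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
    if command -v mysqldump >/dev/null 2>&1; then
        cnf=$(mktemp) && chmod 600 "$cnf"
        printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
            "$(wp_config_value "$1" DB_HOST)" "$(wp_config_value "$1" DB_USER)" \
            "$(wp_config_value "$1" DB_PASSWORD)" > "$cnf"
        mysqldump --defaults-extra-file="$cnf" --single-transaction \
            "$(wp_config_value "$1" DB_NAME)" | gzip > "$2/wp-db-$stamp.sql.gz"
        rm -f "$cnf"
    fi
    echo "$2/wp-files-$stamp.tar.gz"
}

# Usage: wp-snapshot.sh /var/www/blog /var/backups/wp 2.8.4 (paths are placeholders)
if [ $# -eq 3 ]; then
    archive=$(backup_wp "$1" "$2")
    installed=$(wp_installed_version "$1")
    if version_lt "$installed" "$3"; then
        echo "WordPress $installed is older than $3; backup at $archive. Reinstall the current core from a fresh download, then restore content." >&2
        exit 2
    fi
    echo "WordPress $installed is current; backup at $archive"
fi
```

Run it from cron for the regular snapshot, and run it once more by hand before touching a compromised install so the evidence is preserved before anything is deleted.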
Again, my apologies to Robert Scoble for singling him out; you have my sympathies for the damage this has caused you, and I hope you get it resolved quickly.