The Great WordPress Attack of 2009: My Thoughts
On Friday, reports began surfacing around the Internet that a new worm was attacking a large number of WordPress installations. It was soon determined that the worm exploits a cross-site scripting vulnerability that had already been patched in version 2.8.3; any site still running an earlier version can be attacked. Several high-profile sites have been affected, including TechCrunch, Andy Ihnatko's blog and Robert Scoble's blog. Power blogger John Gruber quickly seized the occasion and began slamming WordPress. Robert Scoble is another who began pointing blame. It is somewhat ironic that Scoble, an employee of the hosting powerhouse Rackspace, had not updated his installation and also did not have a good backup. Andy Ihnatko took the blame himself and wrote a good article on his effort to rebuild. This attack was PREVENTABLE! The vulnerability had been identified and a fix released, but it is up to the site owner to apply it.
What can we glean from these attacks?
WordPress.com-hosted blogs were not affected. For most people the service provided by WordPress.com is sufficient for their blogging needs. Others want more control and the ability to use custom themes and plugins, which is why many people choose to host WordPress on their own servers, but with extra flexibility comes extra responsibility. One of the greatest strengths of WordPress is the easy five-minute install; in my opinion this is also one of its weaknesses. Just about anyone can get it up and running, but many are not prepared to maintain it, and maintaining it means installing patches and updates and making backups.
Backups: Why do today what you can put off until tomorrow?
I personally make daily backups of files and the database and keep about one month's worth at any time. I should also define "backup": a backup should be geographically separated from the server from whence it came and periodically tested. DO NOT just trust the hosting companies that claim they make nightly backups; I have been burned twice by this claim. If you didn't make the backup, assume it does not exist! If you feel the responsibility of managing and testing backups is too much, then you should probably not be running your own install.
Updates: Not just a good idea, it’s the law!
The other key to successfully running your own WordPress blog is staying up to date. The automatic upgrade feature makes this incredibly easy. I normally test the update by restoring my backup to my local server. This allows me to test my backups and find any upgrade problems before they go into production. You can easily get a copy of your blog running on your desktop with tools such as WAMP or XAMPP on Windows or MAMP on Mac.
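Putting the backup and update sections together, here is what "back it up, keep it off the server, and test the restore" looks like as a script. This is an added example, not code from the original post or from WordPress itself; the paths, the WP_DB_CNF variable and the stand-in site it builds are assumptions for illustration. It writes a checksummed archive, adds the database dump when mysqldump is available, keeps a fixed number of archives, and can verify an archive the way a periodic restore test would:

```shell
#!/bin/sh
# Added example (not code from the original post): a small POSIX sh backup
# routine for a self-hosted WordPress install. Names and paths are assumptions.

# make_sample_site DIR
# Creates a tiny stand-in for a WordPress web root (constructed sample data,
# not a real install) so the routine can be exercised offline.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-content/plugins"
    printf "<?php define('DB_NAME', 'wordpress');\n" > "$1/wp-config.php"
    printf 'not really a jpeg\n' > "$1/wp-content/uploads/photo.jpg"
}

# backup_wordpress WP_DIR DEST_DIR
# Creates DEST_DIR/wordpress-<stamp>.tar.gz and prints its path.
# DEST_DIR should not be on the web server itself: a mounted remote volume,
# or follow this with rsync/scp to a different machine.
backup_wordpress() {
    wp_dir=$1
    mkdir -p "$2"
    dest=$(cd "$2" && pwd)          # absolute, so tar -C below cannot confuse it
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)

    # 1. Files: wp-config.php, themes, plugins and uploads all live under WP_DIR.
    tar -C "$(dirname "$wp_dir")" -cf "$work/files.tar" "$(basename "$wp_dir")"

    # 2. Database, if mysqldump is installed and WP_DB_CNF (hypothetical name)
    #    points at a MySQL client config holding user/password; that keeps the
    #    password out of the process list. Skipped otherwise, e.g. in a test.
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${WP_DB_CNF:-}" ]; then
        mysqldump --defaults-extra-file="$WP_DB_CNF" --single-transaction \
            "$WP_DB_NAME" > "$work/database.sql"
    fi

    # 3. Manifest: checksums let a later restore test prove the archive is intact.
    manifest_files="files.tar"
    if [ -f "$work/database.sql" ]; then manifest_files="$manifest_files database.sql"; fi
    (cd "$work" && sha256sum $manifest_files > MANIFEST.sha256)

    tar -C "$work" -czf "$dest/wordpress-$stamp.tar.gz" .
    rm -rf "$work"
    printf '%s\n' "$dest/wordpress-$stamp.tar.gz"
}

# rotate_backups DEST_DIR KEEP
# Deletes all but the newest KEEP archives. The timestamp in the file name
# sorts correctly, so this does not rely on mtimes that a copy may have reset.
rotate_backups() {
    dest=$1
    keep=$2
    ls -1 "$dest"/wordpress-*.tar.gz 2>/dev/null | sort -r | tail -n "+$((keep + 1))" |
    while read -r old; do
        rm -f "$old"
    done
}

# verify_backup ARCHIVE
# Returns 0 when the archive unpacks and every manifest checksum matches.
# This is the automated half of "periodically tested"; the other half is to
# untar files.tar into a local web root and load database.sql into a scratch
# database, which is also where upgrade problems show up first.
verify_backup() {
    archive=$1
    case $archive in /*) ;; *) archive=$PWD/$archive ;; esac
    scratch=$(mktemp -d)
    rc=1
    if tar -C "$scratch" -xzf "$archive" 2>/dev/null &&
       (cd "$scratch" && sha256sum -c --quiet MANIFEST.sha256); then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# Usage (daily, from cron on the web server, with DEST_DIR on a remote mount):
#   archive=$(backup_wordpress /var/www/wordpress /mnt/offsite/wp-backups)
#   verify_backup "$archive" && rotate_backups /mnt/offsite/wp-backups 30
```

Run the backup from cron, point the destination at a directory that is not on the web server (or follow it with rsync/scp to another machine), and run verify_backup on a randomly chosen archive every so often. A passing manifest check only proves the archive is intact; restoring it into a local WAMP, XAMPP or MAMP install is still the test that matters, and it doubles as the rehearsal for the next upgrade.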
Themes and Plugins
One of the excus…arguments that has been put forth for why an attacked blog was not up to date is problems with legacy themes and plugins. Ultimately no plugin or theme is so important that you should compromise your site's security for it. When I am deciding on a new plugin or theme, I evaluate several items.
- When was the plugin last updated? This one is easy. If the plugin hasn't been updated in 4 years, chances are you'll have problems upgrading later.
- How many updates have been made? Is the plugin developer actively keeping the code up to date? WordPress, like any good software platform, is constantly growing and changing. WordPress APIs get deprecated, and a good plugin developer will keep the plugin up to date.
- What does the code look like? This one is a little tricky. While I am not an expert PHP developer, I am a C# developer and I can stumble my way through PHP. I'm really looking for obvious signs that there may be problems.
- Is there an active forum? A forum allows other users to share solutions to problems even when a plugin’s development has slowed.
Running your own WordPress server is a fun and fulfilling activity; just remember that it is open to the Internet, so you have to take every precaution.