Thousands Of WordPress Sites Hacked Recently
RubbitGuest
“One estimate suggests more than 1.5 million pages on blogs have been defaced.”
If you’re not on auto-update, check your adult sites. I had three WordPress installs that wouldn’t update via the dashboard update and upon closer inspection two of them had been hacked. They managed to change the latest blog post apparently without logging into the admin area.
DOCGuest
Sorry to hear that Rubbit.
I have to say though, I will never understand why people still use WordPress, knowing it’s one of the most hacked scripts on the net. I’ve never had one of my scripts hacked. Not one. And I ask my clients on a regular basis if they’re having any issues. Minor glitches here and there, which is usual, but never anything to do with hacking.
Anyway, just saying. I will never touch WordPress again with a 10 foot pole.
RubbitGuest
Getting off WordPress has been on my to-do list for a while now. But even when that’s done I’ll still have some WordPress sites. My Spanish language blog doesn’t really fit into what else I’m doing, and I’ve got some small mainstream blogs.
smartapeGuest
WordPress can be safe if set up properly, however, even that is difficult. We have recently started setting up WP to update via an FTP user so that folder and file permissions can be locked down so as not to allow the web server to write to the folders. Unfortunately, too many plugins and themes ignore that FTP setting and complain about folder permissions anyway so it still requires changing the permissions to update these plugins/themes. If you set them open to update, you need to lock them down after the updates. Hackers look for exploits in WP and then use those exploits (giant holes is more like it) to write backdoors to any open folders and they can only do it if a folder is writable by the web server. If folders are locked down so that the web server cannot write to them, then while you may still have an exploitable WP, they cannot write to any folders or files. Of course, if your WP is out of date, they may still be able to write to your WP database due to the exploit they may have found in an outdated version of WP.
This is because these plugins/themes were written by programmers that just look for wide open folder permissions instead of an FTP user. WP is not the only program out there. You’ll see many scripts etc where the instructions say to “set this folder to 777” or “set this file to 666” because they don’t want to deal with support questions and 777 is the most wide open permissions you can have.
We will update any WP upon request and have scripts that can backup the DB and update the WP site in about 2 minutes so it’s easy for us to do that for our customers.
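The lockdown described in the post above can be checked with a short audit of the site tree. This is an added example, not code from the thread; the function names, the `www-data` default and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list paths in a WordPress tree that the
# web server could write to. The web-server user name is an assumption; pass yours.

# audit_wp_perms DOCROOT [WEB_USER]
# Prints "<reason><TAB><path>" per finding; returns 1 if anything was found.
audit_wp_perms() {
    root=$1
    web_user=${2:-www-data}
    findings=$(
        # Anything with the "other" write bit set: the 777 / 666 case.
        find "$root" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'world-writable\t%s\n' {} \;
        # Paths owned by the web-server user that the owner may write.
        if id "$web_user" >/dev/null 2>&1; then
            find "$root" \( -type f -o -type d \) -user "$web_user" \
                -perm -0200 ! -perm -0002 \
                -exec printf 'owner-is-web-user\t%s\n' {} \;
        else
            echo "note: no user '$web_user' here; ownership check skipped" >&2
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not a real site): two loose paths, one locked file.
make_sample_tree() (
    umask 022
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/plugins"
    : > "$t/index.php";     chmod 444 "$t/index.php"
    : > "$t/wp-config.php"; chmod 666 "$t/wp-config.php"
    : > "$t/wp-content/plugins/ex.php"
    chmod 777 "$t/wp-content/uploads"
    printf '%s\n' "$t"
)

# Demo run: the current user stands in for the web-server user.
tree=$(make_sample_tree)
audit_wp_perms "$tree" "$(id -un)" || echo "tighten the paths listed above"
rm -rf "$tree"
```

Run it again after every plugin or theme update that needed permissions opened, so a folder left writable does not go unnoticed.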
RubbitGuest
“I will never understand why people still use WordPress”
What are the viable alternatives, something that is as easy to use as WP?
smartapeGuest
Your question is a good one. The answer? To be honest, relatively speaking, WP is probably the most robust and viable free blogging (pseudo-content management) script out there. So in that aspect, it actually is a good platform.
The main issue, as I see it, is that there are many coders involved in its development. Like any other workplace environment, when you have too many bosses, things go to hell. I was involved in some of the earlier development of WordPress – when there were a lot less developers involved. Going back to versions 1 and just before v2 was released. I still pump out the odd free plugin here and there. Whenever I have extra time.
While working on the project I saw that things would quickly fall apart as far as security and coding glitches are concerned. Every human being speaks differently than another. This holds true with coding languages as well. Mistakes are made, sometimes overlooked, and shit starts to happen. As time goes on, the pile gets bigger. Equate WP issues with Microsoft and you can probably see where I’m coming from.
Let’s not forget the fact that WP is the most popular and widely used blogging platform on the internet. Due to this, hackers target WP websites more frequently than most others. It’s a given.
Ok, as for alternatives. Your actual question.
Here are some of the free scripts I’ve worked with:
Drupal – I actually like it. Albeit, there are a lot of modules to mess with and it can be a bit confusing sometimes.
Joomla – I never could figure it out the way I wanted to. Installation isn’t as simple as WordPress or Drupal.
CMS Made Simple – I’ve picked it apart and it’s fairly well-written code-wise. It isn’t as powerful as most CMS’s though. But, you get what you pay for.
Paid scripts:
I haven’t used many, but I did buy a license for Movable Type at one time. I don’t know if Bjorn still uses it, but after seeing how it worked for him I gave it a try. It isn’t cheap, but is definitely a good CMS. That being said though, honestly, I can put together just as good a CMS for less than $1000. I do it regularly. Custom scripts, as well.
Other Alternatives:
Learn to code PHP or other web development languages – This is what I did. I got sick and tired of being hacked (WP and a few other cheap scripts I had been using) and after a while I realized I could code out scripts that fit my needs and ran much faster than the more well-known and used CMS’s on the market. Free or otherwise.
Hire a developer – Now of course this is a last resort and for those who have the extra resources to do so. Before I was adept at coding I hired a few myself. Usually I got whatever I wanted. I’m very picky though, so again, I learned what the code they gave me meant and went in and amended it to my liking.
Ways of making WP a bit more secure – This is a good alternative for those who are willing to learn a bit of PHP and don’t have a lot of extra money. I hope people don’t mind a plug to my site, but here’s a small (free and explained in a blog post) script for blocking all IPs except your own from accessing your administration login page. php-scripting.com/protect…-an-ip-blocker Together with a restriction file inside your admin directory, it can work great.
That script works quite well and while very sophisticated hackers and/or bots may be able to get past it, the chances are rather slim. It’s quite difficult for anyone or anything to access an IP address if theirs isn’t in the array list.
Now, this doesn’t make WP totally secure. Hackers know to go after directories using the ‘wp’ prefix. If one wanted to get more adventurous, re-coding and renaming the directories would add some extra security. That’s a huge job though. Probably not even worth the effort. However, you asked for alternatives.
Sorry for the long reply, but I do like to help people in this regard.
DreamerGuest
I remember when I first started blogging I used the old Blogs Organizer script (anyone remember that?). Then I dabbled in Joomla but eventually settled on WordPress which is what I use exclusively now. I know it’s not perfect but with Wordfence I feel a little safer. As I wrote in another post I think I’m just going to start blocking countries where most of the security threats come from.