I think I now understand how Windows partisans feel when people like me get all smug about how viruses just seem to like that particular operating system.
Because I’m in a similar sitch at the moment with WordPress. As you may have heard, all hell broke loose this weekend as a worm had its way with WordPress installations that were neither updated to the latest version nor hardened. All of my sites fared well, but not everyone was so lucky, from uber-blogger Robert Scoble to countless tiny sites scattered across the net.
Andy Ihnatko has an informative and, well, entertaining wrap-up of what it took for him to get back to normal.
John Gruber casts a much more gimlet-eyed look at the whole mess, saying, finally, that WP is not for absentee admins. I’m with him on that.
As with OS X updates, I’m very bullish on WP updates, especially of the security-enhancement variety, as 2.8.3 and 2.8.4 were. I also believe that, if you really, really care about the sites you build (or, especially, build for people who hand you a paycheck on a regular basis), you should go even further in ensuring security by:
- Nuking the “admin” named account as your second order of business, after creating a new admin-level account with a non-obvious name.
- Requiring long, difficult passwords from all users above “contributor” level.
- Renaming your database tables from the standard wp_ prefix.
- Putting server-level access rules in front of your admin dashboard.
- Backing up your databases regularly. There’s even a simple plugin that will do that for you at a set interval.
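As an added example (not configuration from the post), here is what “server-level access rules in front of your admin dashboard” can look like on Apache 2.4 with mod_authz_core and mod_auth_basic: the 203.0.113.0/24 range and the htpasswd path are placeholders, and it assumes AllowOverride permits AuthConfig and Limit in .htaccess files.

```apache
# Added example, not from the original post. Two .htaccess files:
# the first lives in the site root, the second in wp-admin/.
# 203.0.113.0/24 and /var/www/private/.htpasswd are placeholders;
# create the password file with htpasswd before enabling this.

# ---- site root .htaccess ----
# Gate the login page itself. A request from the trusted network is let
# through without a prompt; anyone else must pass HTTP Basic auth before
# WordPress' own login form (the worm's entry point) is ever served.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/www/private/.htpasswd
    <RequireAny>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAny>
</Files>

# ---- wp-admin/.htaccess ----
# Same rule for the whole dashboard directory.
AuthType Basic
AuthName "Restricted"
AuthUserFile /var/www/private/.htpasswd
<RequireAny>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAny>

# Caveat: themes and plugins call admin-ajax.php for anonymous visitors,
# so it must stay reachable or parts of the public site stop working.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Apache 2.4 evaluates the ip rule before authentication, so trusted visitors never see a password prompt; this RequireAny block is the 2.4 replacement for the older “Satisfy Any” pattern.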
Is all of this worth what you get from a self-hosted WordPress site? I still say yes, but if you’re not willing to take the minimal steps to guarantee the security of your site, then you will probably be happier in the long run with a hosted wordpress.com site or any of the many alternatives out there.
Deb says: September 6, 2009 at 4:18 pm
Interesting article Tim, it goes to show that if you don’t keep software (and I am not just talking about WordPress) updated, there are people out there who will take advantage of that. What is the world coming to? (I ask myself)
Derek Dorian says: September 10, 2009 at 6:21 am
Almost every known blog using the bugged version went down on the same day 🙂
Mike B. Fisher says: September 13, 2009 at 1:19 pm
Good points. It’s easy to take security for granted especially if you do keep on top of the upgrades. But hardening other aspects like the database name and account names is sensible too. I think I’d better go do that right now 🙂