
Thread: Webhosting Companies And Security Related Attacks

  1. #231
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,997

    Quote (originally posted by Nick):
    "Trainwreck still going on. Anyone successfully fixed his own installation?

    It seems like Woorkup.com is using WordPress 3.0. I sincerely hope it was upgraded after the attack, because otherwise it would mean that WordPress 3.0's not secure too."

    I'm not sure how many times this point has to be made clear:

    WordPress is not at fault. No inherent WordPress security flaw is being exploited.

    The exploit involves either file-level access to the server or acquiring specific accounts' FTP credentials. WordPress is merely being targeted by those exploiting the server, due to WordPress' popularity/wide install base.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  2. #232
    Nick is offline Hello World
    Join Date
    Apr 2010
    Posts
    15

    My bad. I've been misunderstood with the phrase "it would mean that WordPress 3.0's not secure too".

    Let's try with the bullet points.

    1. WordPress is secure (given you set it up the right way, hardening your installation)
    2. With an FTP password, one is able to read the config, edit files and eventually access the database
    3. WordPress gets targeted because it's popular (take that Habari!)
    4. WordPress 3.0 may be targeted too because of its similarities with the previous version (no substantial business logic changes there, things work like they used to)
    5. We've got no culpable subject. Hosting providers, coders, angry wives... nothing.


    Am I missing something?

  3. #233
    andrea_r is offline WordPress Rockstar
    Join Date
    Jan 2009
    Location
    Eastern Canada
    Posts
    1,325

    Quote: "We've got no culpable subject. Hosting providers, coders, angry wives... nothing."

    Actually we do. (I just didn't save all the links.)

    In some cases, FTP passwords were lifted.
    On one host, it was suggested an outdated version of phpMyAdmin was to blame (and given it was all in the DBs themselves on this host...)
    On another, the boxes weren't secured. If I got in to one person's account, I had access to the box.

    So, it's not that no one knows, it's more that there's no big huge blog post stating "this is the reason". And if there was, that doesn't draw headlines like "OMGBBQ WORDPRESS IS AT FAULT!" ;)

  4. #234
    C3MDigital is offline Hello World
    Join Date
    Mar 2010
    Location
    Houston, TX
    Posts
    45

    Quote (originally posted by andrea_r):
    "OMGBBQ WORDPRESS IS AT FAULT!" ;)
    It's like everyone is blaming the WORDPRESS BBQ because they got food poisoning when it is really the restaurant who served the BBQ's fault because they let it sit out all night marinating in a big bucket of raw chicken. Of course the restaurant is trying to blame the BBQ provider to cover up their shoddy BBQ food safety practices.

    Ever notice how much easier it is to understand things when you put them in a BBQ perspective?

  5. #235
    Nick is offline Hello World
    Join Date
    Apr 2010
    Posts
    15

    Let's put aside the blaming and the BBQ thing. WordPress is secure. Fine.

    There's not a single, unique failure point. Multiple causes on multiple hosts.

    Now let's focus on fixing the issues and preventing it from happening again.

    Fixing is a mess because apparently we're not talking about a single hack. Giving out the FTP password could mean being infected with all sorts of things.
    Leaving the whole box unsecured caused a similar mess too.

    Same goes with preventing this stuff from happening again. It seems impossible as long as there's this sort of unreliability from the host providers. And we're talking about quite big players.

    Is a VPS (given it's on a secure box/configuration/network) a viable answer? Does it even make sense?

  6. #236
    C3MDigital is offline Hello World
    Join Date
    Mar 2010
    Location
    Houston, TX
    Posts
    45

    Quote (originally posted by Nick):
    "Same goes with preventing this stuff from happening again. It seems impossible as long as there's this sort of unreliability from the host providers. And we're talking about quite big players."

    I am completely baffled by the latest Rackspace Cloud issues.

    Quote: "Is a VPS (given it's on a secure box/configuration/network) a viable answer? Does it even make sense?"

    I think a VPS is probably your best bet, and given that the cost is not much more than a shared or reseller account, it makes a lot of sense. You will still have to know how to properly secure your VPS and protect your passwords by only using SSH and FTPS. Unless you are paying for a managed VPS, you will be responsible for configuring Apache, PHP and MySQL, mod_security, suPHP, etc.

  7. #237
    Nick is offline Hello World
    Join Date
    Apr 2010
    Posts
    15

    I'm on EC2 + rackspace cloud servers. No problems for me. Luckily enough the only blog I'm hosting with (mt)gs has not been hacked (yet).
    Let's see how this evolves (mainly interested in new cases and how the hosting providers react).

  8. #238
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,359

    Sorry to hear that after 24 pages of this thread, you're still dealing with issues. Keep us updated on what you decide to do and what happens.

  9. #239
    Nick is offline Hello World
    Join Date
    Apr 2010
    Posts
    15

    Quote (originally posted by Jeffro):
    "Sorry to hear that after 24 pages of this thread, you're still dealing with issues. Keep us updated on what you decide to do and what happens."

    Not (yet) dealing with issues.
    Since Woorkup's been hacked I just got my attention level raised once again. Wanted to check the whole situation and have some clarifications. I'm going VPS all the way and trying to lock down all of my systems. I'll surely keep you updated.
    Thanks all.

  10. #240
    hakre is offline Here For The Peanuts
    Join Date
    Jun 2010
    Posts
    129

    BTW this discussion is about the software version 2.9.2.
    hakre on wordpress (clicking this every three minutes helps to keep the cache fresh - thanks)
