Comments on: Who’s Right? Network Solutions Or Matt

By: Wizwill

Wizwill — Wed, 21 Apr 2010 17:56:03 +0000

I’m a relative newcomer to the world of decent website building. I’ve been involved computers for a long time but mostly as a consultant dealing with speech recognition.

I just spent the last 2-1/2 days trying to get , first, a MySQL database set up and then installing WordPress on a new website that a painfully slow developer had been unable to complete.

What an education! Thank you folks for having enough detail in your replies to guide me in the right direction. Still don’t have WordPress implemented and probably won’t until I’ve dumped my Network Solutions shared hosting and found a local ISP who’s hosting setup conforms to the suggested security guidelines that the experts on this forum have outlined.

Thanks again and consider me the newbie who is being educated.

By: Amy

Amy — Sun, 18 Apr 2010 18:56:30 +0000

@Chris Olbekson -

The could call them “Canonical” hosts…

LOL

By: geomark

geomark — Sun, 18 Apr 2010 14:56:24 +0000

I had the unfortunate experience of using Network Solutions for hosting. It wasn’t my choice. I came into a project that was already underway. We had a Drupal site hosted there. It was terrible. The server would hang for hours at a time. Support was clueless, they would get around to the ticket around 20 hours after submission, usually just closed it without comment, some responses said there was something wrong with our Drupal install (finger pointing their best skill). This went on for more than a week. Moved the site to another host and never had downtime since. I demanded a refund and eventually got it.

In my experience Network Solutions is incompetent as a hosting service. I’m not surprised at they tried to blame this issue on WordPress.

By: Chris Olbekson

Chris Olbekson — Fri, 16 Apr 2010 20:33:41 +0000

@Martin -It could be a host or version issue. Because right before I made that comment I also did a fresh install with Fantastico Deluxe just to see the results. I also checked some other installs that were done with the same results. This is on a host with a good security record and SuExec configured.

By: CS Design

CS Design — Fri, 16 Apr 2010 16:16:37 +0000

@Dougal Campbell I was actually thinking more about the way that WordPress or Drupal allow permissions on directories, etc. For example, you cannot install or update modules remotely in Drupal as you can in WordPress — Drupal requires SSH or FTP access to do this. Certainly the problem of having to store the database credentials in plain text is universal (to a large extent, at least) and has a certain catch 22 aspect about it… There are some interesting solutions to this, as you and others have pointed out.

I had a terrible experience with a very large hosting company, that I feel it would be unethical to name, in which I got a new shared hosting account and after connecting via SSH (FTP did not do this) I was able to change dir’s lower and lower — I could get to the / of the server. Although I could not view most files and could not modify much outside of the shared_hosts directory (or w/e it was really called), I could still view the directories of nearly all of the websites on this server and could definitely modify users who has poor permissions on their directories. I was also able to view nearly all wp-config files, for example, and see their db info. I filed a complaint and was ignored multiple times. Eventually I demanded a refund — and I got it — but they seemed to completely ignore this huge vulnerability.

By: Martin

Martin — Fri, 16 Apr 2010 16:04:12 +0000

@Chris Olbekson - Fantastico Deluxe leaves the config file at 755

You sure about that? I did a auto-install with Fantastico Deluxe (latest version) just then and the wp-config.php was 644 like all other files. Maybe it depends on the hosting, or older install of Fantastico?

By: Chip Bennett

Chip Bennett — Thu, 15 Apr 2010 19:14:59 +0000

@Steven - All that security is going to do little good for anyone who has both nefarious intent and access inside the server, especially if that server is mis-configured (as with the Network Solutions hack). WordPress, out of the box, is pretty darn secure. There are other things that can be done to harden a WordPress install, but they are hard to build in or to automate during/after install, because they are things that are outside the control of the application. Other things (.htaccess rules that block web access to wp-config, wp- files and folders, etc.) could be implemented (e.g. in the same way that pretty permalink .htaccess rules are added), provided that servers are configured properly. Some things, though, just require an awareness and understanding that running one's own web server and web applications requires a certain level of knowledge and effort to safeguard against attacks.

By: Steven

Steven — Thu, 15 Apr 2010 16:11:55 +0000

WordPress needs to be more proactive. It’s a fine product but it’s obvious hackers are now targeting this platfom and some strict security is going to need to be implemented. Personally at this point I would pay a couple hundred dollars for a WordPress Software Package that included some kind of WordPress designed built in Firewall and Anti Virus and patch-update package. Open source is great but it does have a lot of disadvantages in some ways.

By: Chip Bennett

Chip Bennett — Thu, 15 Apr 2010 13:59:35 +0000

@Viper007Bond - It is certainly not the responsibility of WordPress, but it most definitely is to WordPress' advantage to do so. It would circumvent a lot of the initial, ignorant finger-pointing at WordPress - and the attendant hyperventilating in the press about alleged WordPress "security vulnerabilities".

By: donnacha | WordSkill

donnacha | WordSkill — Thu, 15 Apr 2010 03:50:56 +0000

@Chris Olbekson -

The could call them “Canonical” hosts…

LOL