Update on the site hacking

It turned out to be the config file that was being trashed.
This is a major hole in WordPress security, because it never gets
changed in an update.

There turned out to be two problems — the one that almost
certainly led to the hack was that the config file was world-readable,
which shouldn’t have happened, and if it did, an update should have
fixed it.

Googling about the problem also led to reading about the secret
keys that should be included in your config file, but weren’t
in mine because I’ve been automatically upgrading since before
that feature was implemented.

Both of these problems seem to me to be design flaws in the
WordPress system. I am investigating Drupal as an alternative, but
it’s unlikely to become the site’s underlying technology for at
least a few months. I’m still interested in hearing about
people’s experiences moving a WordPress site to something else.
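For anyone who wants to check their own install for the two problems described above, here is a small shell script. It is an added example, not code from the original post or from WordPress itself: it checks whether wp-config.php is readable by "others", checks that the eight WordPress security keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their _SALT counterparts, which are WordPress's own names) are defined and not still set to the install-time placeholder, and tightens the permissions. The file paths and the sample configs are constructed inside the script so it runs stand-alone; on a real server you would point the functions at the live wp-config.php instead.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for a WordPress
# wp-config.php matching the two problems above, plus the fix for the
# first one. WP_KEYS lists WordPress's own eight security keys/salts;
# the file paths and sample contents are constructed for this script.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Exit 0 if the file is NOT world-readable: the "others" read bit is
# column 8 of `ls -ld` (-rw-r--r-- has an r there, -rw-r----- does not).
config_not_world_readable() {
    o_read=$(ls -ld "$1" | cut -c8)
    [ "$o_read" != "r" ]
}

# Exit 0 if every key/salt is defined and not left at the placeholder
# that a hand-written or very old config still carries.
config_has_all_keys() {
    for name in $WP_KEYS; do
        grep -E "define\([[:space:]]*'$name'[[:space:]]*," "$1" \
            | grep -vq "put your unique phrase here" || return 1
    done
    return 0
}

# Owner read/write, group read, nothing for others. The web server user
# must own the file or be in its group for WordPress to keep working.
fix_config_perms() {
    chmod 0640 "$1"
}

# --- constructed samples ---------------------------------------------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# A config upgraded in place for years: world-readable, keys never filled in.
OLD_CONFIG="$WORKDIR/wp-config-old.php"
cat > "$OLD_CONFIG" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
EOF
chmod 0644 "$OLD_CONFIG"

# A config with all eight keys set (values constructed here; a real install
# pastes the output of https://api.wordpress.org/secret-key/1.1/salt/).
NEW_CONFIG="$WORKDIR/wp-config-new.php"
{
    echo '<?php'
    for name in $WP_KEYS; do
        echo "define('$name', 'example-$name-7f3a9c');"
    done
} > "$NEW_CONFIG"
chmod 0640 "$NEW_CONFIG"

for f in "$OLD_CONFIG" "$NEW_CONFIG"; do
    if config_not_world_readable "$f"; then perms=ok; else perms=WORLD-READABLE; fi
    if config_has_all_keys "$f"; then keys=ok; else keys=MISSING; fi
    echo "$(basename "$f"): permissions=$perms secret-keys=$keys"
done
```

Note that fixing the permissions is only half of the first problem: the file has to stay readable by the user the web server runs as, which on shared hosting may mean group ownership rather than 0600. Adding the missing keys invalidates every existing login cookie, which after a compromise is exactly what you want.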
