I don’t mean to single out WordPress… but for all the joy of these free open source applications we have — there’s a distinct element of “pain in the ass” that accompanies it.
For some background, MacRumors.com was started with an open source version of Slashcode called PHPSlash. It lacked a few features, but it was easy enough to install and free. MacRumors ran on PHPSlash for probably a year or so… until one day, we got hacked. So, I took the site down, changed all my passwords, and looked into the problem. I hadn’t kept my version of PHPSlash up to date, and there was some known exploit that someone had used to get into the site.
The problem was that there were known exploits in every version… and it was like holding up a sign to anyone out there saying “Please Hack Me”. Sure, I could have kept up with every single update… but I have other things I want to do with my day than upgrade server software regularly and hope things don’t break.
So, my decision that night was to rewrite MacRumors’ front end on my own. Do I write perfect PHP code devoid of exploits? Of course not… but I don’t care what people say, there is some degree of security through obscurity. So, the initial rewrite took that weekend, and I’ve built on it ever since. Now, this isn’t necessarily the best time-saving technique, but it worked for me at the time.
Not long after, I started looking for forum software to use as a comment system for the site, since I didn’t want to reinvent that wheel. I started with PhpBB. I had heard good things about it, and I even installed it. Of course, I ran across a strange installation error. I asked around on the PhpBB forums, and searched for help… in the end I got versions of “what do you expect, it’s free” answers.
As a result, I decided I wanted to pay someone to take some responsibility for their software. In the end, I settled on vBulletin — a decision I’ve been happy with. For whatever reason, their security updates are far less frequent, and yet the software has seemed quite secure over the years.
So, that brings us to today. On November 18th, someone hacked this blog and inserted hidden spam links into the template and a couple of stories. Based on my research, I think it was a non-shell exploit. I swept my directories to make sure there were no residual scripts left behind. I did have a couple of plug-ins and was using an old theme (lowstream) which had not been updated to the latest WordPress.
So I wiped my install and have gone 100% default (and latest) for now. I don’t have the time to customize another theme, and I certainly don’t have time to track down any more hacks.