Monday, October 15, 2012
Using Wordpress? According to Forbes, one out of every 6 websites on the Internet is powered by WordPress (nearly 60 million in all), with 100,000 more popping up each day, and Wordpress.com currently hosts over 56 million of those blogs. The odds are likely that you’re expecting the site hosting service to take care of your security issues. If so, the real odds aren’t in your favor.
I routinely upgrade companies who have outgrown Wordpress or have been hacked (to my preferred platform, ExpressionEngine, just so you’re aware of my biases). I really don’t like shifting platforms just because you’ve been hacked, but quite often people and companies take a view that “software is just a solution” without realising that no solution is ever permanent - everything needs to be minded and maintained. Because the promise was “a solution”, the promise seems to have been broken and it poisons any future relationship the software has with the customer. Chalk it up to managing expectations, but for many, many people the promise is often more important than the delivery.
So it’s amazing to discover how many sites don’t even make an effort to do the basics: tighten permissions, move and rename known resources, mask dangerous accounts. I do think we rely too much on hosting companies, and many of those 58 million affected by those Wordpress and GoDaddy outages might agree, but there are no two ways about it: you need to secure your Wordpress environment, so here are 10 steps to making your installation as secure as possible. (Admittedly the last step has 21 bullet points, but at least it’s thorough…) Let’s keep the script kiddies at bay.
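As an added illustration of the “tighten permissions” basic (example code written for this page, not part of the original post and not WordPress’s own tooling), here is a small Python audit that walks a WordPress tree and reports anything looser than the usual baseline, namely directories 0755, files 0644 and wp-config.php no wider than 0640, together with a function that applies that baseline. The tree it runs on is constructed in a temporary directory with deliberate mistakes; the baseline values are the common recommendation and an assumption of this example, not something the post itself prescribes.

```python
import os
import stat
import tempfile
from pathlib import Path

# Baseline assumed by this example (the usual WordPress hardening advice):
# directories 0755, ordinary files 0644, wp-config.php no wider than 0640.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MAX_MODE = 0o640


def _mode(path):
    """Permission bits only, ignoring file type bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root):
    """Walk a WordPress install and return sorted (relative_path, problem) tuples."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = Path(dirpath) / name
            m = _mode(p)
            rel = str(p.relative_to(root))
            if m & stat.S_IWOTH:
                findings.append((rel, "directory is world-writable"))
            elif m != DIR_MODE:
                findings.append((rel, f"directory mode {m:o} (expected {DIR_MODE:o})"))
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # judge the target where it lives, not the link
            m = _mode(p)
            rel = str(p.relative_to(root))
            if name == "wp-config.php":
                # Holds database credentials and salts: nobody outside owner/group may read it.
                if m & (stat.S_IROTH | stat.S_IWOTH):
                    findings.append((rel, "wp-config.php is readable or writable by others"))
                elif m & ~CONFIG_MAX_MODE:
                    findings.append((rel, f"wp-config.php mode {m:o} wider than {CONFIG_MAX_MODE:o}"))
            elif m & stat.S_IWOTH:
                findings.append((rel, "file is world-writable"))
            elif m & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((rel, f"file is executable ({m:o})"))
            elif m != FILE_MODE:
                findings.append((rel, f"file mode {m:o} (expected {FILE_MODE:o})"))
    return sorted(findings)


def apply_baseline(root):
    """Force every directory and file under root onto the baseline modes."""
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            (Path(dirpath) / name).chmod(DIR_MODE)
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            p.chmod(CONFIG_MAX_MODE if name == "wp-config.php" else FILE_MODE)
    return root


def build_sample_install():
    """Constructed, deliberately misconfigured WordPress-like tree in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    layout = {
        "index.php": 0o644,
        "wp-config.php": 0o644,  # mistake: world-readable credentials file
        "wp-content/uploads/2012/10/img.png": 0o644,
        "wp-content/themes/twentyeleven/style.css": 0o644,
        "wp-content/plugins/akismet/akismet.php": 0o644,
        "wp-includes/version.php": 0o644,
    }
    for rel, mode in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed placeholder\n")
        p.chmod(mode)
    for d in root.rglob("*"):
        if d.is_dir():
            d.chmod(DIR_MODE)
    (root / "wp-content" / "uploads").chmod(0o777)  # mistake: world-writable upload dir
    (root / "wp-content" / "plugins" / "akismet" / "akismet.php").chmod(0o755)  # mistake: executable PHP
    return root


if __name__ == "__main__":
    install = build_sample_install()
    for path, problem in audit_permissions(install):
        print(f"{path}: {problem}")
    apply_baseline(install)
    print("after apply_baseline:", audit_permissions(install) or "clean")
```

Run it against a real install by passing the document root to `audit_permissions`; the file owner and the web server user matter as much as the mode bits, so treat the report as a starting list rather than a verdict.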
Wednesday, March 07, 2012
My timing on my last post was excellent. Less than a week after I wrote about WordPress’s sloppy security, there’s news of a malware injector that invades WordPress sites and uses them to infect site visitors.
From The Verge:
A piece of malware that masquerades as antivirus software has been found on 200,000 web pages or almost 30,000 unique sites, says computer security group Websense. The exploit, which mostly affects sites built with WordPress, places a short piece of injected code at the bottom of a page…When a user loads the page, they’re redirected to a page in the .rr.nu top-level domain that mimics a Windows security scan, then asks them to download a malicious program to supposedly clear viruses from their computer. It’s a scam that’s been running in various forms for years, and Websense says it’s been tracking this particular threat for several months.
They’ve got some info on the header and such - if you use that system it’s worth looking at.
PS: We’re on Expression Engine. You’re safe.
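As an added example from the defender’s side (written for this page; not code from the original post, from Websense or from The Verge), here is a small Python checker for a rendered page: it reports script or iframe sources on hosts under rr.nu, inline scripts that reference such a host, and any script or iframe placed after the closing </html>, which is where the quoted report says the injected snippet lands. The two sample pages are constructed inline, their hostnames are placeholders, and the only indicator taken from the article is the rr.nu domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The one indicator taken from the quoted Websense/Verge report.
SUSPECT_DOMAINS = ("rr.nu",)


def _host_is_suspect(url):
    """True if the URL's host is a suspect domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


class _ResourceCollector(HTMLParser):
    """Record <script>/<iframe> src values and inline script bodies with line numbers."""

    def __init__(self):
        super().__init__()
        self.resources = []      # (tag, src, line)
        self.scripts = []        # (body, line)
        self._script_line = None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append((tag, src, self.getpos()[0]))
            if tag == "script":
                self._script_line = self.getpos()[0]

    def handle_data(self, data):
        if self._script_line is not None:
            self.scripts.append((data, self._script_line))

    def handle_endtag(self, tag):
        if tag == "script":
            self._script_line = None


_URL_RE = re.compile(r"(?:https?:)?//[^\s'\"<>]+")


def _after_closing_html(text):
    """Script/iframe tags after </html>: the placement the quoted report describes."""
    end = re.search(r"</html\s*>", text, re.IGNORECASE)
    if not end:
        return []
    out = []
    for m in re.finditer(r"<(script|iframe)\b", text[end.end():], re.IGNORECASE):
        line = text.count("\n", 0, end.end() + m.start()) + 1
        out.append((line, f"<{m.group(1).lower()}> appears after </html>"))
    return out


def scan_html(text):
    """Return (line, description) findings for one rendered page, ordered by line."""
    parser = _ResourceCollector()
    parser.feed(text)
    parser.close()
    findings = []
    for tag, src, line in parser.resources:
        if _host_is_suspect(src):
            findings.append((line, f"<{tag}> loads from {urlsplit(src).hostname}"))
    for body, line in parser.scripts:
        for m in _URL_RE.finditer(body):
            if _host_is_suspect(m.group(0)):
                findings.append((line, f"inline script references {urlsplit(m.group(0)).hostname}"))
    findings.extend(_after_closing_html(text))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample pages; the hostnames are placeholders, not real infrastructure.
CLEAN_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery.js"></script></head>
<body><p>Hello</p></body></html>
"""

INFECTED_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery.js"></script></head>
<body><p>Hello</p>
<iframe src="//fakeav.example.rr.nu/scan" width="1" height="1"></iframe>
</body></html>
<script>window.location='http://fakeav.example.rr.nu/download.php';</script>
"""


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(label, scan_html(page) or "no findings")
```

Feed it the HTML as a visitor receives it (fetch the page, do not read the theme files) because the injected snippet is usually emitted by a modified footer or plugin rather than sitting in a static file; if a page triggers, the theme’s footer.php and the plugin directory are the first places to look for the source.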
Friday, March 02, 2012
“For those who don’t quite understand the title; Automattic is the company behind the world’s favourite blogging engine – WordPress, and EllisLab are creators of fine products such as CodeIgniter – and, the commercial CMS ExpressionEngine. Now that you have the basics, the title will make sense later.” - from a blog post at By Bjorn about his business experience with WordPress. Which, for me, rang a lot of bells.
It appears some larger companies have been cold-called with promises to pull them into the WordPress network, and some EllisLab customers (ExpressionEngine and CodeIgniter clients) have been the recipients. Which makes Wordpress tempting…Sure - the software is free, but the corporate hosting costs and support contracts can be eye-watering. ExpressionEngine has a nominal up-front cost ($300 for a company license) and free support - the opposite of WP. But because WP appeals to the instinct of getting something for nothing, it’s gaining traction more quickly than any other CMS.
The big trick, it seems, is get the foot in the door, get the software on the customer’s iron and then “blog the hell out of it”. Then they’re hooked into a service system once they realize their business depends on it (and that they’ve outsourced their control). Seriously, “self-hosted starting at $15,000 a year” is never the price - it’s the starting point - and it’ll be far more expensive. Having worked for the #1 and #2 online newspapers in the Netherlands, I’ve experienced this “bait-and-switch” first hand, and I’ve seen many people lose their jobs because of presumed promises.
In a previous work life, in a now-defunct company (an arm of a publishing group that was once the de facto leader) we went through the same cycle. It was a classic example of a top-heavy corporate collapse…too many cooks, not enough ingredients…and for the most part fueled by the move to WordPress.
We used several products, all tuned to the project needs. We started migrating out of an existing, aging standard (if you want a hint, think 10 minus 4, separated) and started moving to a new, more flexible and powerful platform. We were redirected and railroaded into using WP via a political choice (i.e., it wasn’t a technical choice). Development, which required huge customization of the WP software, took months longer than expected. Of course the technical arm was blamed, because Corporate had been sold something else.
Corporate Project Managers decided to bring in external developers with specific experience in WP (hell, we only had 20+ people with decades of experience with PHP, SQL & Oracle, CodeIgniter, C++...how could we be trusted?) and the development time only got longer. Unified corporate services (like the portability of user accounts) became fragmented, developers were constantly being redirected by featuritis, and some websites were never finished. From WordPress came service outages that lasted days (we never had more than minutes in the past), constant security patches and updates, and a continual chase in which, if you cared to look up, it became obvious that for a business (which appreciates fixed costs) the path we took was more expensive than expected. But clearly it had to be the fault of the developers - management had been promised that WP was cheap and easy!
The Architects left, then the Development managers. Front-end teams were the first to feel the cut, then a bit later the back-end developers. Project websites closed or were sold off, their managers being fired first, then the teams migrated into corporate, then disposed of soon afterwards (except email marketing - luckily a 1998 skill set is still required). The site catalog was cut to 1/3 of its previous size (we did over-segment the market, but not by 2/3rds) and the crown jewels were sold off. In the end, the company management left, unable to steer their own course. The company was closed, remaining assets sold off and small chunks of the remaining sales groups were absorbed into the publishing parent.
And the sites? Those few that made it are hardly changed from pre-WP versions 2 years old. Most are gone - ah, but the programming mess remains! Here’s a nice trick - every site requires a separate account, and some of them have very interesting logic. Ever heard of a site where you couldn’t recover your password by sending an email? Yeah, me neither, but in these cases you needed your email and your handle - not your login name, your account handle - to recover the account. Let’s face it…that never happens, so old users just had to sign on as new users. If you’re a kid aged 9-16, what does abandoning an account mean? Nothing to the kids - but if you as a company can show constant growth in registrants, even if it doesn’t remotely match the page views, then you can tell your ad network you’re growing. There’s a word for that.
Yeah, I’ve been holding that in for a while now…
So to keep costs down, they grabbed free software, segmented development, hired externals to start building without clear, unified development goals (which only doubled costs), dropped or sold-off corporate assets, lost or abandoned market share and let the company collapse onto itself from the top-down.
I’m pretty sure that part wasn’t in the cold call.
Wednesday, December 28, 2011
Yep - I’ve been busy, hence no writing.
…not even sure this counts.
Wednesday, March 02, 2011
The most predictable way to make money on the stock market? Buy Apple stock the days before the event…
1) The press wildly inflates speculation on the new Apple (insert your favorite device here) - e.g., iPad with stereo speakers, card reader, dueling cameras, super hi-res screen…all kinds of stuff
b) Then the speculators and naysayers come out, along with odd bits of personal bad news - e.g., standard RAM, no card reader, Steve very sick, Jony Ive possibly leaving Apple. The stock takes a significant dip. Larger stock groups buy in.
iii) The products come out, the bad news is debunked, and generally the reception to the (product) is good. The stock jumps back up in a few days. Big groups sell out.
Cynical, repeatable profit.