The Downside of WordPress: PHP and Crackers

I just had a very interesting discussion with my husband, Tom Vilot, who used to host Contentious on his server.

Last December he started having some mysterious problems with his server. Random files (including most of my stored e-mail) were disappearing. Because of this, I moved Contentious to a new host, and also started using Gmail for my primary e-mail access and storage.

This weekend, as he worked to sort out a difficult upgrade to WordPress on my new host, he figured out what went so awry in December.

In a nutshell, WordPress made his server vulnerable to an attack by a cracker.

I won’t attempt to explain all the geeky details, but here’s the basic issue. My blogging software, WordPress, is based on a popular scripting language called PHP – which, although powerful and useful, is also prone to many security flaws.

WordPress was the only PHP-based program running on my husband’s server, and he had installed it only to support this weblog. A sleazeball cracker broke into my husband’s server via my weblog and proceeded to install some sneaky programs and copy and delete files.

I mention this because, if you are running WordPress on your own server (or if a friend is hosting it for you rather than a regular web host) please mention to them that there are significant security risks associated with supporting PHP on your server.

If you don’t want to put at risk people who supply you with server space, then the best idea is to move your blog to a web host and let them worry about security. But do make sure they’re backing up all your blog files daily.

…Tom adds: Note that the PHP exploit which permits a cracker to install nasty little programs like these does not limit exploitation of the directories where your weblog is hosted. It potentially exposes the entire server if directory and file permissions are not set correctly. Thus, if your home directory is readable by “world,” your e-mail and private files in there are readable and may be deleted by the cracker.
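The permissions problem Tom describes (a home directory readable by “world,” so that anything running as an unrelated account, such as a compromised web application, can read or delete the private files in it) can be audited and tightened with a few shell commands. The following script is an added example, not code from the original post or from WordPress; the directory layout in the usage line is an assumption.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a home directory for
# entries that are readable by "other" (world), and remove that access.
# The path in the usage line below is an assumption.

# Print every file or directory under $1 that grants read access to "other".
# "Other" is the class that every unrelated local account falls into,
# including the account a compromised web application runs as.
list_world_readable() {
    find "$1" -perm -o=r -print
}

# Print the number of such entries ("0" means nothing is exposed).
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# Remove all "other" permissions (read, write, execute/search) recursively.
# Applied to a home directory, this denies every unrelated account, not only
# the web server's, any access to the e-mail and private files kept there.
harden_home() {
    chmod -R o-rwx "$1"
}

# Exit status 0 when nothing under $1 is world-readable, 1 otherwise.
check_home() {
    [ "$(count_world_readable "$1")" -eq 0 ]
}

# Usage when run directly (assumed path):  sh audit_home.sh /home/alice
if [ $# -gt 0 ]; then
    if check_home "$1"; then
        echo "ok: nothing under $1 is world-readable"
    else
        echo "world-readable entries under $1:"
        list_world_readable "$1"
    fi
fi
```

Note that `harden_home` removes world access from everything beneath the directory it is given. If the weblog itself lives under that home directory, the web server account will no longer be able to serve it, so keep web content in its own directory (owned by, or group-shared with, the web server user) rather than inside the directory that holds your mail and private files.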

I use the term “cracker” because the word “hacker” rightfully refers to “a person who enjoys exploring the details of computers and how to stretch their capabilities.” It was, unfortunately, hijacked by the media to mean “Unauthorized user who attempts to or gains access to an information system.”
