WordPress + Network Solutions: who’s to blame? (you are!)
April 13th, 2010 by Mickey Panayiotakis
Lots of talk lately about the Network Solutions / WordPress breach; Network Solutions is so far doing a good job responding to the issue, and WordPress is reiterating that their system is secure if installed securely. But who’s really to blame? You are!
The first criticism I heard is that WordPress should have stored database credentials in a secure file. The only way WordPress can operate is by knowing what the database credentials are. Storing these in a clear (unencrypted) file is standard practice among almost all CMSes. And for good reason: the alternative is storing them in an encrypted file, but then you’d have to decrypt that file; so you’d have to store the decryption credential somewhere…in clear text. Of course, this is an inherent security risk, but it can be mitigated with good sysadmin and security practices. These practices take into account not only file permissions (who has access to read the file) but also database permissions.
Next, Network Solutions: they may be to blame if they provided a script to install WordPress “automatically”, and this script installed sensitive files insecurely. We could also make a case that NetSol is to blame for allowing default upload file permissions (via FTP) to be world-readable, along with some other technical bits they may or may not have done right or wrong. I do not know enough about the Network Solutions network to be sure.
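The file-permission half of that mitigation, and the world-readable upload default mentioned above, can be checked with a few lines of shell. This is an added example, not part of the original post: it assumes the credentials sit in WordPress's standard `wp-config.php`, and the function names and the demo tree are made up for illustration.

```shell
#!/bin/sh
# Added example: find WordPress config files that other accounts on a shared
# host can read or write, then restrict them.
# Assumption: database credentials are stored in wp-config.php.

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print every wp-config.php under $1 whose "other" bits allow read or write,
# one per line as "<octal mode> <path>". No output means nothing is exposed.
audit_configs() {
    find "$1" -type f -name 'wp-config.php' \( -perm -004 -o -perm -002 \) -print |
    while IFS= read -r f; do
        printf '%s %s\n' "$(file_mode "$f")" "$f"
    done
}

# Restrict one config file. Mode 600 fits hosts where PHP runs as the file's
# owner; pass 640 as $2 where the web server reads the file through its group.
lock_down() {
    chmod "${2:-600}" "$1"
}

# Constructed demo: a throwaway tree with one config left at an FTP-style 644.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/blog"
    printf "<?php define('DB_PASSWORD', 'constructed-sample');\n" \
        > "$root/blog/wp-config.php"
    chmod 644 "$root/blog/wp-config.php"
    echo "before:"; audit_configs "$root"
    lock_down "$root/blog/wp-config.php"
    echo "after:";  audit_configs "$root"
    rm -rf "$root"
}

demo
```

File mode only covers who can read the credentials; the database-permission side (what the account in that file is allowed to do) still has to be limited on the database server itself.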
But it’s also time to face the music: It’s your blog, after all. You decided that you don’t need a system administrator. You decided money was better spent getting a snazzier design than making your site secure. You decided to opt for the cachet of a self-hosted blog instead of using the perfectly usable wordpress.com platform. Plus you and your designer have got mad ftp skillz…what could go wrong? Of course, Network Solutions, and every other $5 hosting company out there, runs a big marketing campaign to convince you that you can do it yourself; that really, nothing can go wrong; and I’ll wager in a few weeks this will go away and if anyone asks they’ll say it’s a one-off. So, really, you’re not to blame, right? It’s hard to keep a level mind with all the buzz and hype telling you how simple and easy everything is, how you can do it yourself, how even a monkey can do it.
But you know. You really always knew, didn’t you? Yeah, you did. There is no substitute for knowledge, and there are no shortcuts. I’ve been harping about the need for better systems architecture on this forum on and off. That lowly, unappreciated systems talent you decided to skimp on is what distinguishes the men from the boys online: that is one big difference between a pretty website, and an enterprise-grade web project.
Incidentally, web projects is what we do. So when you’re ready to graduate from just pretty pictures and skin-deep designs, give us a call.

April 19th, 2010 at 7:22 am
Hey, You say to give you a call and I’d like to, but don’t see anywhere to do so… Please give me your info cuz I’m having an issue with my WP site as I chat!
Thanks,
Naz
May 31st, 2011 at 1:23 pm
[...] and administration until they have to. In April 2010, a number of WordPress sites being hosted by Network Solutions got “mass hacked,” learning first hand what cheap hosting delivers: cheap security. You can (should) read my thoughts [...]
September 8th, 2011 at 6:32 pm
Companies providing internally developed or integrated offerings are the ones responsible to make sure things work right? Security is definitely one of them. So if you create a web solution that is found to have security issues from the default set up, it’s the user’s fault. Right?
“Incidentally, web projects is what we do. So when you’re ready to graduate from just pretty pictures and skin-deep designs, give us a call.”
douche