I”d say pointing the finger at WordPress is pointless. The only way WordPress can operate is by knowing what the db credentials are. Storing these in a clear (unencrypted) file is standard practice among almost all CMS. For a good reason: the alternative is storing them in an encrypted file, but then you’d have to decrypt that file, so you’d have to store the decryption credential somewhere…in clear text. Of course, this is an inherent security risk, but can be mitigated with good sysadmin and security practices. These take into account not only file permissions (who has access to read the file) but also database permissions.
Next, NetSol…they may be to blame only if they provided a script to install WordPress “automatically”, and this script installed file insecurely. We could also make a case that NetSol is to blame for allowing default upload file permissions (via ftp) to be world-readable, along with some other technical bits they may or may not have done right or wrong. I do not know enough about the Network Solutions network to be sure.
Last, but not least: you. It’s your blog, after all. And you decided that you don’t need a system administrator, after all. Your money was better spent getting a snazzier design than making your site secure. Plus you and your designer’s mad ftp skillz, along with the Network Solutions “easy as do-re-mi” hype…what could go wrong?
But that lowly, unappreciated systems talent is what distinguishes the men from the boys online: that is the difference between a website, and an enterprise-grade web _project_.
wordpress
Lots of talk lately about the Network Solutions / WordPress breach; Network Solutions so far doing a good job responding to the issue, and WordPress reiterating that their system is secure if installed securely. But who’s really to blame? You are!
The first criticism I heard is that WordPress should have stored database credentials in a secure file. The only way WordPress can operate is by knowing what the database credentials are. Storing these in a clear (unencrypted) file is standard practice among almost all CMS. And for good reason: the alternative is storing them in an encrypted file, but then you’d have to decrypt that file; so you’d have to store the decryption credential somewhere…in clear text. Of course, this is an inherent security risk, but can be mitigated with good sysadmin and security practices. These practices take into account not only file permissions (who has access to read the file) but also database permissions.
Next, Network Solutions: they may be to blame if they provided a script to install WordPress “automatically”, and this script installed sensitive files insecurely. We could also make a case that NetSol is to blame for allowing default upload file permissions (via ftp) to be world-readable, along with some other technical bits they may or may not have done right or wrong. I do not know enough about the Network Solutions network to be sure.
But it’s also time to face the music: It’s your blog, after all. You decided that you don’t need a system administrator. You decided money was better spent getting a snazzier design than making your site secure. You decided to opt for the cachet of a self-hosted blog instead of using the perfectly usable wordpress.com platform. Plus you and your designer have got mad ftp skillz…what could go wrong? Of course, Network Solutions, and every other $5 hosting company out there run a big marketing campaign to convince you that you can do it yourself; that really, nothing can go wrong; and I’ll wager in a few weeks this will go away and if anyone asks they’ll say it’s a one-off. So, really, you’re not to blame, right? It’s hard to keep a level mind with all the buzz and hype telling you how simple and easy everything is, how you can do it yourself, how even a monkey can do it.
But you know. You really always knew, didn’t you? Yeah, you did. There is no substitute for knowledge, and there are no shortcuts. I’ve been harping about the need for better systems architecture on this forum on and off. That lowly, unappreciated systems talent you decided to skimp on is what distinguishes the men from the boys online: that is one big difference between a pretty website, and an enterprise-grade web project.
Incidentally, web projects is what we do. So when you’re ready to graduate from just pretty pictures and skin-deep designs, give us a call.
Have you heard of the campaign to send 1 million shirts to Africa? Probably. And you might not think that it was a very savvy idea. I think it was brilliant.
