

How To Not Get Your Blog Hacked - baha_man
http://idlewords.com/2009/09/how_to_not_get_your_blog_hacked.htm

======
chaosprophet
_> If you listen to the WordPress people, the answer to this is 'be extremely
zealous about updating your software', which is the same as saying, devote
half your life to learning and understanding WordPress administration._

Apparently this person has not used a recent build of WordPress.

~~~
goodkarma
But they've got a point. Even if it takes "only 10 minutes" to upgrade, there
have been so many new versions and so many security issues that it gets kind
of old after a while. Especially if you have multiple sites all running it.

~~~
ionfish

      svn update

Not a complex command to run! I hear there are these things called cronjobs
too, so you don't even have to run it yourself. Just pick the latest stable
branch and svn switch when a new major version comes out.

~~~
goodkarma
That makes sense in theory, but our company has dozens of WordPress sites.
Once you have more than a few, managing software and plugin versions becomes
exponentially more challenging.

I'm in the process of upgrading all of them to 2.8.4 and installing the
necessary plugins and params in the config file so they can all be "auto
updated" in the future. I plan on having my VA manage them from there.

However sometimes strange things happen - for example, I auto upgraded one of
our sites the other day and the whole thing broke and only rendered a blank
page, so it's entirely possible my VA will break one or more sites even using
the auto upgrade functionality.

------
bcl
This advice is just silly. In other words throw out all of the advances of
using php, python, ruby, etc. server side because software has bugs. Or rely
on a centralized managed blog host that is also susceptible to bugs, except
that when they are exploited there they can affect many more people at once.

My advice? If you host your own web apps at least take the responsibility to
administer them. WordPress has made huge improvements in their update process.

My upgrade process is this:

* dump a copy of the database
* disable plugins
* copy the current public_html directory to a backup (just in case)
* untar new release over the top of the old
* run /wp-admin/upgrade.php
* re-enable plugins
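
The steps above as an added example script (not bcl's own, nor anything shipped with WordPress), covering the dump, backup and untar steps and adding a rollback for the blank-page case mentioned in the thread. It assumes a $SITE_ROOT/public_html layout, a release tarball with a top-level wordpress/ directory, and a WP_DUMP_CMD hook and DB_NAME variable that are my own inventions; plugin toggling and upgrade.php stay manual in wp-admin.

```shell
#!/bin/sh
# Added example: bcl's upgrade order as shell functions. Assumed layout:
# $site_root/public_html is the web root; the tarball unpacks to wordpress/.
# Plugins (steps 2 and 6) and /wp-admin/upgrade.php (step 5) stay manual.
set -eu

# Step 1: dump the database. WP_DUMP_CMD is an assumed hook (mysqldump by
# default). The dump lands beside public_html, not inside it, so the web
# server never serves it.
dump_database() {
    site_root=$1 stamp=$2
    sh -c "${WP_DUMP_CMD:-mysqldump --single-transaction $DB_NAME}" \
        > "$site_root/db-$stamp.sql"
    printf '%s\n' "$site_root/db-$stamp.sql"
}

# Step 3: copy the live tree aside before touching it; print the backup path.
backup_site() {
    site_root=$1 stamp=$2
    cp -a "$site_root/public_html" "$site_root/public_html.bak-$stamp"
    printf '%s\n' "$site_root/public_html.bak-$stamp"
}

# Step 4: untar the release over the old tree. Check first that the archive
# really is a WordPress release, since tar will spray anything into the web
# root. Files are overwritten, never deleted; wp-config.php and wp-content
# survive only because release tarballs do not ship them.
unpack_release() {
    site_root=$1 tarball=$2
    tar -tzf "$tarball" | grep -q '^wordpress/wp-settings\.php$' || return 1
    tar -xzf "$tarball" --strip-components=1 -C "$site_root/public_html"
}

# Rollback: swap the backup copy back in place of a broken tree.
restore_site() {
    site_root=$1 backup=$2
    rm -rf "$site_root/public_html"
    cp -a "$backup" "$site_root/public_html"
}

# Whole procedure, in order. Usage: sh upgrade.sh /srv/site wordpress.tar.gz
upgrade_site() {
    site_root=$1 tarball=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    dump_database "$site_root" "$stamp"
    backup_site "$site_root" "$stamp"
    unpack_release "$site_root" "$tarball"
}

if [ $# -eq 2 ]; then upgrade_site "$1" "$2"; fi
```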

~~~
idlewords
What great advances is this approach throwing out?

Most bloggers have a very simple use case: publish stuff that looks nice,
generates an RSS feed, and maybe allows a comment thread. Most bloggers are
not, and have no interest in becoming, sysadmins or DBAs.

My contention is that it is easy to set things up so you can blog with
whatever app you want without leaving your data at the mercy of the next
person to find an exploit.

------
AdamGibbins
A static version of your blog? That would be all well and good if it were not
for comments...

~~~
nirmal
I have a static blog and used to have Disqus for comments. I've since disabled
Disqus, no fault of theirs, I just decided that I didn't want comments.

~~~
unalone
So can you put Disqus up on HTML pages?

~~~
nirmal
Yep, Disqus can be added to a website by putting in a div that Disqus will fill
from a piece of JavaScript.

