

Ask HN: best security aware web hosting? (tired of malware scripts) - wslh

I have a couple of sites on Dreamhost and malware scripts are inserted in our many PHP scripts (i.e., Wordpress) very often. I am thinking of moving our sites to specialized places. For example, move our blogs to wordpress.com, where I assume they pay more attention to security.

I don't see the cost/benefit of putting human resources working on this.
======
cd34
Dreamhost runs setuid, which means that any exploit can overwrite any of your
files. Without looking at all of your files, merely installing a new version
of wordpress doesn't remove the exploits that they have uploaded in the
templates/, uploads/ and other directories.

Wordpress.com runs in WPMU mode with a limited sandbox, which makes those
exploits difficult to insert.

Since you're running 3.3.1, and there is only one known remote exploit in the
wild that was reported in early December that still remains unpatched, you're
probably fairly safe. I would suspect more of your problem is remote exploits
that have been installed over time that haven't been removed.

You'd probably be best finding a WordPress consultant to come in there for $50
and clean things up. Most hosting companies aren't equipped to handle securing
sites when you're paying $10/month for hosting. There are dedicated WordPress
hosting companies out there - including WordPress.com, but, short of keeping
WordPress updated, I don't know if they proactively look for security issues.

Cloudflare claims to block these types of requests, but, from what I've
witnessed, you need to start with a clean site.

------
gyardley
Assuming you kept your WordPress installation up-to-date, you probably ran
into trouble thanks to an insecure plugin or theme.

I recently ran into exactly the same exploit because I had a deactivated,
older version of the Thesis theme lying around in my themes folder, which
contained an old, insecure copy of TimThumb. Restoring to a pre-exploit backup
and then removing the offending, no-longer-needed theme seemed to do the
trick.

While WordPress.com offers better security than Dreamhost, they do this by
restricting your choice of plugins and themes - you'll be more secure there,
but you'll have less freedom. I suspect any place that lets you run with
arbitrary themes and plugins will have similar issues as Dreamhost.
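
Added example, not part of any comment in this thread: a read-only audit of a wp-content tree for files that a WordPress reinstall leaves in place, namely PHP under uploads/ and obfuscated eval calls in theme or plugin files. The directory layout, the pattern list and the sample files are assumptions constructed for this illustration.

```python
import os
import re
import tempfile

# Heuristic chosen for this example, not a complete signature set:
# eval() wrapped directly around a decoding function.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".php5")

def audit_wp_content(wp_content):
    """Return sorted (relative_path, reason) findings for a wp-content tree."""
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
            if not name.lower().endswith(PHP_EXT):
                continue
            # Media uploads should not contain executable PHP at all.
            if rel.startswith("uploads/"):
                findings.append((rel, "php-in-uploads"))
                continue
            with open(path, "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    findings.append((rel, "obfuscated-eval"))
    return sorted(findings)

def build_sample_tree(base):
    """Write a small constructed tree so the example runs offline."""
    files = {
        "uploads/2012/01/photo.jpg": b"\xff\xd8\xff\xe0 constructed bytes",
        "uploads/2012/01/cache.php": b"<?php /* constructed */ echo 1;",
        # Harmless constructed payload: decodes to "echo 1;".
        "themes/old-theme/footer.php":
            b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "themes/active/index.php": b"<?php get_header(); ?>",
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_wp_content(tmp):
            print(f"{reason:16} {rel}")
```

A finding is a prompt to compare the file against a known-good copy of the theme or plugin; a clean result from a pattern list this short does not show that a site is clean.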

------
tnorthcutt
Check out <http://wpengine.com> for WordPress-specific hosting.

I recommend them to clients and have been happy so far. I also have an
affiliate link if you want to use that:
<http://wpengine.com/?a_aid=4f551bd9653ab> (doesn't provide you with a
discount, unfortunately).

------
zoowar
You're the problem
[https://en.wikipedia.org/wiki/Secure_input_and_output_handli...](https://en.wikipedia.org/wiki/Secure_input_and_output_handling)

~~~
wslh
I assume that I have some responsibility but at the same time there are ways
to isolate issues on different sites.

