Monday, December 5, 2011

Being Hacked Sucks

Tags: hacking, wordpress

So starting today, all Squirrelinabox websites that were previously using Wordpress and being hosted at Dreamhost are now moved to my own dedicated server using a custom-built content management system that I built from the ground up. Why? Because being hacked sucks.

Those that follow any of my blogs, such as Office Humor Blog and Falling Skies Fansite, have probably noticed a lack of posts during the last few months. While some of that is because I've been incredibly busy working on new projects (namely some Windows Phone 7 apps), a big reason I've stopped posting is because pretty much all my blogs that were using Wordpress were being consistently hacked. For quite some time, the hackers were dropping hidden web pages and HTML links that were likely an attempt to leverage my websites' "link juice" to try and improve their rankings. Even worse, most of those pages and links were for things like porn, viagra, illegal software, etc., which likely hurt my site's rankings in search engines for the keywords they were designed for.

For a while I did what I could to keep logging in and removing the pages and the links about once a week. Since I had almost a dozen different sites, this process took quite a while. The breaking point came when the hackers (probably different ones) decided that secretly hiding pages and links wasn't good enough, as they started taking down the sites completely and replacing them with web pages that explained that the sites were hacked and gone.

How were my sites being hacked? I'm not sure entirely. I basically had two issues, one being Wordpress and the other being Dreamhost. First off, let me say that I love Wordpress. It's a fantastic piece of software that lets you get your sites up and running incredibly fast while also allowing for significant customization. The problem is, with it being so incredibly popular, it also attracts quite a few hackers. The Wordpress team seems to be constantly pushing out updates, many of them being security patches, and while I definitely should have stayed on top of those updates better, the truth is, having nearly a dozen sites that need to be updated each time makes it quite a lengthy process for me. As such, my sites were likely vulnerable due to not being constantly up-to-date on the latest versions of Wordpress.

The second issue was that my blogs were all hosted on a shared server at Dreamhost. Because they were on a shared server, this meant I had very little control over the server itself. It also meant that other users with their own sites and potential vulnerabilities also resided on the same server. While I'm sure Dreamhost does its best to make it so users can't "infect" each other's sites, there is no way of knowing since I don't have full control of the server myself.

Since either of those two pieces to the puzzle could have been the way the hackers were able to attack my sites, I decided that it was best for me to get rid of both of them. Ditching Dreamhost was simple since I've already been hosting all of my non-Wordpress sites on a dedicated server for years. Ditching Wordpress was a bit more difficult since I had to either find a new third-party CMS or build one myself. Because I wanted full control over everything, I decided to just build a Wordpress replacement myself. This took some time, but I finally finished it (along with a conversion process to convert my old Wordpress sites to the new system). Certain features aren't quite fully implemented yet, but everything should be solid enough for me to start posting again regularly on my sites.

