Last night I moved the Blog Bash, The Bitch Girls, PAGunRights and soon to be Countertop’s blog off of Dreamhost and onto my server. I am unimpressed by Dreamhost’s lack of concern about a security breach on one of their systems. They were unable to help me track down how the hackers got in, because they only keep logs going back five days, and the attackers dumped their shell kit in there a week and a half ago. Was it a weakness in WordPress? One of the plugins? A PHP weakness? An Apache vulnerability? I’ll never know.
Dreamhost only charges like ten dollars a month, which means if they have to spend a few hours to help you with a security problem or a technical problem, they aren’t making any money off you. Bad incentives. One reason I’ve been self-hosted from the beginning is that I have total control over my server and security environment. I can make sure everything is set up securely, that the versions are all current, that mod-security is running on Apache, and that my logs go back a month instead of five days.
Quality hosting is expensive, and if you want an environment that’s difficult for hackers, you either have to do it yourself, or pay good money for someone who knows what they are doing to do it for you.
It probably was either WordPress or PHP. Apache is locked down pretty tight normally, but WordPress had SO many CVEs issued last year it wouldn’t surprise me if Dreamhost was a little slow on fixing them.
That would be my guess too, but without logs, it’s just a guess.
If you check out the National Vulnerability Database, do a search and type in “wordpress”, you’ll laugh. Even harder with “Quicktime”. There’s so many advisories on those two it ceases to be even real.
In fact it’s been said that “Quicktime” doesn’t mean how quickly it will play a video, but how quickly an attacker will find an exploit and use it.
Wow, DH keeps logs for only 5 days? Have you looked into Servage? I use them (but not for blogging) and they keep logs a lot longer. Email them; they have good service and don’t get owned all the time.
*I do not work for Servage and certainly not DH or WordPress.
I just talked to a friend and he uses Squarespace. They seem pretty nice.
Good luck with your hacking issues.
Most of the vulnerabilities in WordPress these days are coming from plugins. I think they’ve done a pretty good job with WordPress 2.7. I worry about some of the plugins I’m hosting on these sites, but I think with the mod_security setup, I should be pretty good.
I haven’t been let down by AYK Solutions yet. Their main tech guy, or was when I was using them, was a very nice fellow who knew what he was doing and was happy to do it. It’s also not ungodly expensive, but their larger packages can get a bit more expensive. Shared hosting is cheap, and reseller is alright. It’s renting full servers that can get expensive, though they did have a deal for a server at $89 a month with lots of monitoring and security hardening.
I help run a rather large video game site with a few dedicated servers, and the last time we disabled the file size cap on logs, our disk was full in a matter of hours. If one is hosting a bunch of sites with varying levels of traffic, it probably makes sense to set the time limit to a few days.
We get attacked by Russians from time to time as well, so I know how much it sucks.
*Ahem.* That would be “hordes”, not “hoards”.
Ooops… fixed. Hoards is a verb isn’t it? :)
Heh. Yeah, it is. That’s what a lot of us are doing with ammo in anticipation of the Blightworker’s attacks. “Horde”, of course, is a great number, usually of an advancing or raiding enemy.