Monday, September 07, 2009

How To Not Get Your Blog Hacked

Maciej Cegłowski:

Recently an exploit has surfaced in WordPress, a popular kind of blog software. If you run WordPress on a public server, an attacker can get full access to your site and do nasty things, up to and including deleting all your data. If you listen to the WordPress people, the answer to this is 'be extremely zealous about updating your software', which is the same as saying, devote half your life to learning and understanding WordPress administration.

If you listen to me, the answer is much simpler. Do not run this kind of software on a public server. Either host your blog with a competent centralized site (like LiveJournal or Blogger) that takes the burden of upgrading, backing up and patching off your hands, or use whatever personal publishing software you like (WordPress, Movable Type, and so on), but keep it on a local machine.

You can use a program like wget or curl to generate a flat HTML version of your website from this local version, and then upload these files to your public server to share them with the world. Now there is no way you can get hacked, because your server is just serving static files. As a bonus, you don't have to worry about your site ever going down because of database problems or excessive load. And as another bonus, you now have a remote backup of your blog.

No comments: