Well This Is Embarrassing (I Got Hacked)
I suppose it happens to everyone eventually. My blog got hacked. :-/
So, three days ago, I woke up to an email from my host saying the following:
We have recently scanned one or more users on your DreamHost account for potential security threats. Unfortunately, we found some potential indications that your website(s) may be compromised.
We understand that this may not be the best news you can get. This notification is intended to help you through the process and serve as a starting point to assist you in getting your account cleaned and secured. While we won't be able to complete > these processes for you, if you have any questions about the items that follow please don't hesitate to reply to this email and we will be happy to clarify any points or offer any further guidance to help you through getting your account back to normal.
We have identified malicious content on your account, added by an outside entity, which may include malware such as backdoor shells, adware, botnet, and spammer scripts.
Looking at the logs, it looks like they were able to somehow get new PHP code into WordPress and use it as a SPAM relay. I don't know how they got it, but they littered my directories with PHP files that were doing who knows what.
A few things worth noting:
- Good job DreamHost! I am not sure that I ever would have noticed this on my own.
- They handled it really well, all of the trojaned scripts had their permissions changed to something harmless, and they didn't destroy my files.
- WordPress has lost all credibility from me. Throughout the years, I have routinely received notices that there was a new vulnerability or flaw discovered that I needed to upgrade. And I did every single time; even that wasn't enough. So I have concluded that the code base is just too complex to not have bugs.
- I decided to just roll my own simple blogging framework.
So here we have it, my new blogging framework has been deployed. It isn't quite nearly as complex as WordPress, but you know what... that's a good thing; there is less attack surface now. I write my entries in Markdown, I manually upload static content like images, and it just works
As a bonus, now the look of my blog is consistent with my main site. I'm sure I could have made a WordPress theme, but really, who has time for that!
I've chosen to use disqus to deal with comments with has some pros and cons.
Pro: I don't have to implement comments at all. No SPAM filtering, no database storage, no user management. Nothing. It's their problem :-)
Con: I have no meaningful way of importing the old comment threads. I have them, my old DB is intact. So I could statically render them, but I don't think it's worth the effort.
So here's hoping that my "simple, yet effective" blogging framework isn't riddled with security holes... I'm optimistic :-)