WordPress hole – number of big blogs hit – original post September 6, 2009

Well, it looks like anything running a WordPress version older than 2.8.4 got itself busted up if it was a searched target. That’s not overly huge news. The latest version, 2.8.4, has been out for a while (since August 12, 2009, according to the WP blog over here).

Not news until one of the “big names” on the blogger lists decides to blame WordPress for him being quite careless about his blog. Honestly I think at this point you’ve got to take Robert Scoble’s musings with a larger grain of salt. Perhaps it’s “Do as I say, not as I do.” I don’t read the guy regularly as he gained notoriety as a blogger from within Microsoft, and since he’s left, he seems more like a CNet blowhard, more inflammatory adjectives than substance. Probably why his post is getting so much attention. Yes, even from me. I’m making a bigger point than him needing to blame software for his poor system administration practices.

Scoble is a writer. First and foremost. The guy’s knowledge and experience probably land him in a lot of advisory and strategic roles at Rackspace, but basically, his core value since he was an evangelist in the Redmond juggernaut is writing. Blogging. It’s his bread and butter.

Not keeping his software even remotely up to date (2.7.x) and having no backup says he really doesn’t value his work or his paycheque. That’s up there with a software developer not backing up his code, and not having version control, or any other historic copy or archive of many thousands of hours of work.

Robert Scoble is building an online social community or some such thing at Rackspace. He is now an evangelist for the cloud, and for online web properties and public participation (Web 2.0 if you still tolerate that moniker) systems. The example he sets is that it’s not important to protect the data. It’s all good. Software is perfect. Happy days and butterflies flitting through the pastures. And now he’s probably done a nice bit of damage to his own properties and to online computing. At least he’s serving as an example.

There’s no shortage of WP advice on securing, backing up and protecting your blog. JCS Hosting has it all set up nicely, and you can add WordPress plugins very easily. (Yes, I’m less masochistic than Scoble on this. I’ve done sysadmin many times before, and I know that to do it right, you had better be adding value. Managing a single or a few WordPress blogs is *not* adding value. Leave it to the experts.) The system at JCS notifies me via email as soon as any of the software is out of date, letting me know I should update it ASAP.

I was getting the emails on 2.8.4 for a few weeks before I bothered clicking a single link (after backing the content up) to update the software. It’s hard to get easier than that unless you have a sysadmin doing it for you. Seems Robert Scoble had neither, as he’s his own sysadmin, and he wasn’t doing his job.

Software has bugs. Even with the excellent internal practices and courses Microsoft has in their campus classrooms, and even with all the research and people digging in looking for flaws, there’s always a few more it seems. Thinking WordPress was secure was pure naivety on Scoble’s part, and he most definitely should know better.

These blogs of mine are not core properties. But I do care about my time, and if I ever get enough readers to start leaving comments, I will value those all the more (those that Akismet doesn’t kill off first, of course 😉 ). Each post, mine or others’, equates to time. One of our most precious resources. They are worthy of protection, and respect. The more people involved in your blog, the more value is being contributed and accrued, to say nothing of the content’s value to others.

There’s a plugin for WordPress that will email you a backup of either the content (postings and comments) or the whole database regularly from the site. Automatic staged backups. Add in a personal backup for your laptop or desktop (and with all the automated solutions, there’s no excuse not to have one of those either, at least onsite, if not offsite automated) and you have solidly protected your property and the value it represents. You are caring about the readers and posters’ time committed to your site.
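The two habits the post keeps coming back to, knowing when your install has fallen behind the patched release and taking automatic, staged backups of the database, can be automated in a few lines. The script below is an added example written for this page; it is not the post’s own setup, not JCS Hosting’s notification system, and not any WordPress backup plugin. It reads the installed version from the standard `wp-includes/version.php`, compares it against 2.8.4, pulls the database credentials from `wp-config.php`, runs `mysqldump`, and keeps only the newest N dumps. The `backup()` function name, the `wp-YYYYmmdd-HHMMSS.sql` file naming, and the sample file contents are all assumptions constructed for the demonstration.

```python
"""Added example (not from the original post): check whether a WordPress
install is older than the patched release and take a rotated database backup.
The sample version.php and wp-config.php contents below are constructed."""
import datetime
import os
import re
import subprocess
import sys

PATCHED_VERSION = "2.8.4"  # the release the post says everyone should be on

# Constructed sample file contents, shaped like the real WordPress files.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.7.1';\n"
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wp_blog');\n"
    "define('DB_USER', 'wp_user');\n"
    "define('DB_PASSWORD', 'example-only');\n"
    "define('DB_HOST', 'localhost');\n"
)


def parse_version(text):
    """Return the $wp_version value from wp-includes/version.php, or None."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", text)
    return m.group(1) if m else None


def version_tuple(v):
    """'2.8.4' -> (2, 8, 4); a suffix such as '-beta1' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def is_outdated(installed, minimum=PATCHED_VERSION):
    """True when the installed version is older than the patched release."""
    return version_tuple(installed) < version_tuple(minimum)


def parse_db_config(text):
    """Pull the DB_* defines out of wp-config.php."""
    cfg = {}
    for key in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"):
        pattern = r"define\(\s*['\"]%s['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)" % key
        m = re.search(pattern, text)
        if m:
            cfg[key] = m.group(1)
    return cfg


def dump_command(cfg, outfile):
    """Build the mysqldump argv. The password is deliberately NOT in argv
    (it is passed via the MYSQL_PWD environment variable in backup()) so it
    does not show up in the process list."""
    return ["mysqldump", "--single-transaction",
            "-h", cfg["DB_HOST"], "-u", cfg["DB_USER"],
            cfg["DB_NAME"], "-r", outfile]


def rotate(existing, keep):
    """Given wp-YYYYmmdd-HHMMSS.sql names, return the ones to delete so that
    only the newest `keep` remain (the timestamped names sort chronologically)."""
    ordered = sorted(existing)
    return ordered[:max(0, len(ordered) - keep)]


def backup(wp_root, backup_dir, keep=7):
    """Warn if the install is outdated, dump the database, prune old dumps."""
    with open(os.path.join(wp_root, "wp-includes", "version.php")) as f:
        installed = parse_version(f.read())
    if installed is None or is_outdated(installed):
        print("WARNING: WordPress %s is older than %s; update after this backup"
              % (installed, PATCHED_VERSION))
    with open(os.path.join(wp_root, "wp-config.php")) as f:
        cfg = parse_db_config(f.read())
    os.makedirs(backup_dir, exist_ok=True)
    stamp = datetime.datetime.now().strftime("%Y%m%d-%H%M%S")
    outfile = os.path.join(backup_dir, "wp-%s.sql" % stamp)
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    subprocess.run(dump_command(cfg, outfile), env=env, check=True)
    dumps = [n for n in os.listdir(backup_dir)
             if n.startswith("wp-") and n.endswith(".sql")]
    for old in rotate(dumps, keep):
        os.remove(os.path.join(backup_dir, old))
    return outfile


if __name__ == "__main__":
    # Usage: python wp_backup.py /path/to/wordpress /path/to/backups
    print(backup(sys.argv[1], sys.argv[2]))
```

Run it from cron (daily is plenty for a personal blog) and copy the backup directory somewhere off the server; a dump sitting next to the install disappears with the install when the host is compromised, which is the scenario the post is about.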

Robert Scoble, and many, many others are probably doing a much better job now (RS notes he’s doing backups and locked it down), but the point is you need to consider the value of what you create as you’re creating it, not after somebody takes and puts graffiti all over it. Balance the risk. More value should equal bigger protection. Try and come up with the post you would write explaining how you lost all the posts your users contributed to your site due to negligence on your part and you should have a very clear idea of just how valuable it is and how much protection it requires.
