Seth Godin wrote a post today about “managing urgencies.” In ContentRobot’s world, if a client site goes down, it’s our urgent responsibility to stop whatever we are doing to get their site fixed and back online.
Yesterday, a highly trafficked, highly customized blog-powered website was hacked. We tracked it down to a malicious script that has been making its way across the Internet and exploiting holes in older WordPress installs.
This talented fellow has made a short career of silently penetrating deep into the server, leaving sites with blank home pages, turning off critical plugins, and preventing posts from being written or saved.
Thank you, hacker, for diverting the energies of three companies from being able to do what they had planned for that day.
But one of the things Godin asked was: Do you have a plan? Determined to learn from this frustrating event, ContentRobot has developed a plan to combat hacks. This three-pronged approach encompasses:
- Keep WordPress updated to the latest software release as feasible.
- Be aware of what theme customizations / plugins might be affected.
- Lock down the install.
When sites are compromised, Automattic automatically recommends that you update your software to the latest version. This is because these days a lot of upgrades consist of security patches, not necessarily functionality enhancements.
Upgrading WordPress, in and of itself, is not always that difficult because we are religious with backups and have a robust development environment. What is challenging for us, however, is that we manage multiple sites, each with its own set of customizations.
We also don’t always like to jump to the newest version before all the bugs are sorted out. Therefore, migrating to the upcoming 2.5 release may not happen as quickly as moving from ver 2.3.2 to ver 2.3.3 did.
Theme Customizations / Plugins
Because most of our clients have different content features and needs, each theme is often fairly customized. As the WordPress core evolves, we need to be aware that a particular code chunk we relied on for one release may not be usable in the next.
One of the many reasons we embraced WordPress was the large and talented community of developers, who write creative plugins that allow us to implement many of the enhancements our clients need. But not everyone is going to be in a position to release an update to their plugins as new versions of WordPress are launched. (Even we can’t guarantee that our plugins are going to be 2.5 ready on Day One.)
When researching the possibilities of locking down WordPress installs, we were disappointed to learn that many approaches seem to work well only for a straightforward blog with one author (particularly the recommendations to add another password layer or to restrict administrative access to a particular IP range).
Because we often develop multi-author, multi-geographic blogs, we needed to dig further. Still, our plans were inspired by the work laid before us by those who have successfully locked down their blogs.
The Right Things Became Urgent
We are pleased that our fires are currently out and that the client was offline for only a few hours. While we can’t guarantee that a client site couldn’t get hacked, we are taking steps to tighten the reins so it isn’t so easy for hackers to unceremoniously make them inoperable.
Yes, Seth, we have a plan. We are no longer naïve enough to think that no one would want to touch our piece of the WordPress universe. And we are ready to manage and maintain the software needs of our clients as never before.