WordPress Sites Hacked Again; Hosted CMS the Answer?
During the past few days, there has been another batch of WordPress sites getting hacked, this time with malicious code that redirects visitors to the site to a fake virus scan page, which then tries to get the user to download an ‘anti-virus’ program that is, in fact, a virus. (See Widespread attacks continue against WordPress sites for details.)
This attack has modified every single PHP file on tens of thousands of WordPress blogs, creating a massive clean-up problem. The attack apparently affected some other PHP-based sites as well. (If you’re one of the victims, here are some instructions for cleaning up your site.)
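Because the attack above touched every PHP file in an install, the quickest way to scope the damage (and to confirm a clean-up is complete) is to compare the site against a hash manifest taken from a known-good copy. The following is an added example written for this post, not code from the original article or from WordPress; the manifest should be built from a fresh, trusted install and stored off the server, and the sample files it walks are constructed stand-ins, not real WordPress files.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=(".php",)):
    """Map each PHP file under root (path relative to root) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files whose content changed, files that appeared, and files that vanished."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed two-file 'install' (assumption: a stand-in for a real WordPress tree)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        files = {"index.php": "<?php echo 'home';", "wp-content/plugin.php": "<?php echo 'plugin';"}
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = build_manifest(root)  # the trusted snapshot
        # Stand in for the mass modification described above: every PHP file changes,
        # and one new PHP file appears in a content directory.
        for rel in files:
            with open(os.path.join(root, rel), "a") as f:
                f.write("\n// marker line appended for the demo")
        with open(os.path.join(root, "wp-content", "extra.php"), "w") as f:
            f.write("<?php")
        return compare_manifests(baseline, build_manifest(root))
```

Every path in "modified" and "added" needs to be restored from the trusted copy or removed; a second comparison that returns three empty lists is the check that no trace of the changed code remains.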
Previous attacks, which have affected sites as well-known as Robert Scoble’s blog and TechCrunch, typically added spam links to boost the SEO rankings of illicit sites. Once a hacker gains control, they can do whatever they want to your site.
The Nature of Web Security
Security on the web is a difficult challenge. The worldwide nature of the web means that attacks can come from everywhere, and a multitude of spam and malware scams presents ample opportunities for profit from being able to modify large numbers of web sites. It takes a diligent team and frequent updates to keep hackers at bay.
The WordPress team does an excellent job keeping up with the latest hacks and providing updated software. But if you host your own WordPress blog, then you are responsible for performing the update. And if your site is hacked, you are responsible for removing every last trace of hacked code.
There are several reasons why the WordPress situation is inherently difficult:
- Because there are millions of WordPress sites, WordPress makes a very attractive target.
- Because it is open-source, hackers have full access to all the internal details of how WordPress works.
- Each person who maintains a WordPress site is responsible for keeping their own code updated.
- Every WordPress plug-in provides a potential path for an attack, and many plug-ins are not updated frequently.
- If you’re using low-cost shared hosting, your site may be compromised through another site on the same server.
Other platforms built in PHP, such as Joomla! and Drupal, with hosting managed by site owners, face similar challenges.
A Hosted CMS is More Secure
Note that there has never, to our knowledge, been a security breach at WordPress.com, which is the hosted (or SaaS, software as a service) version of WordPress.
A hosted content management system, assuming it is well managed, is much more secure for a variety of reasons:
- The code that runs on the server is tightly controlled.
- Site owners have no direct file access; on a shared server, that access is often what allows a single compromise to affect many sites.
- There is a team of experts responsible for running the service, and it is their job (not yours) to stay on top of security patches.
- Since all sites share a single code installation, a single update immediately applies to all sites.
- If a hack does succeed, there’s a professional team in place to fix things up.
In addition, systems built with Ruby on Rails, such as Webvanta, have the benefit of the extensive security infrastructure that is built into Rails. This makes them inherently more secure than most PHP sites, as long as they are running on the latest version of the Ruby on Rails code.
What Business Are You In?
Are you in the web technology business? If not, we believe you’re better off using a hosted service, so someone else is responsible for maintaining your back-end software and security.
Webvanta was founded on the belief that hosted solutions are better for designers and for business owners, and that — unlike most other hosted content management systems — you don’t need to give up flexibility and power to use a SaaS CMS.