(W)hacked Again

Getting hacked has become tiresome, and as part of my strategy to avoid stress, I’m moving my site. You won’t see any big changes, other than the WordPress Theme of the blog, which I’ll probably change from time to time anyway, just to keep it fresh.

The world has changed a lot since the cowboy Internet days when I started doing all this. One of the biggest changes is that all the stuff I needed to code, myself, is now done by others.

I wrote the Treehenge site from the ground up. All the PHP scripts. The databases. The HTML and the JavaScript for buttons. E-mail forwarders that are both hack- and spam-resistant. No one really needs to do that any more, and I no longer enjoy it. So I’m simplifying.

As it turns out, in the process of making this shift, I found the hole the hackers were crawling through, and — though it pains me deeply to admit to such a rookie mistake — it was entirely my fault.

Back in the day, the way you maintained websites was through FTP, and I used it heavily. It was only later that I became conversant with scp and rsync, which are more secure and easier to script with. My FTP use fell into gradual neglect. At some point, I developed the strange idea that I had already shut down all my FTP portals — but, in point of fact, I had not. The passwords I was using were (probably) fine by 2005 standards, but in the shark-infested, hacker-polluted world of 2016 — well, my site was wide open. I’m surprised they didn’t do more damage.
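The lesson of that paragraph is that "I think I turned FTP off" is not the same as checking. Here is an added example (not code from the original post) of the check I would run on a Linux host: it parses the output of `ss -tlnp` and flags listening services such as FTP that carry credentials in the clear and are reachable beyond loopback. The sample `ss` output embedded below is constructed for illustration; the port-to-service table is an assumption you can extend.

```python
"""Audit a host's listening TCP sockets for legacy plaintext services.

Added example, not code from the original post. It parses the output
format of `ss -tlnp` (Linux iproute2) and flags services such as FTP that
the operator may believe are already shut down. SAMPLE_SS_OUTPUT is a
constructed sample; audit_live_host() runs the same check on the real host.
"""
import re
import subprocess

# Well-known ports for protocols that send credentials in the clear
# (assumed table; extend it for your environment).
PLAINTEXT_SERVICES = {
    21: "ftp",
    23: "telnet",
    110: "pop3",
    143: "imap",
}

# Constructed sample of `ss -tlnp` output: sshd on all interfaces, an
# apparently forgotten vsftpd instance, and a loopback-only MySQL listener.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=944,fd=4))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1203,fd=21))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# One LISTEN row: state, queues, local addr:port, peer, optional process field.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(.*))?$")
# Pull the first process name out of users:(("name",pid=N,fd=M)).
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Return a list of (local_address, port, process_name) per LISTEN line."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or non-LISTEN line
        addr, port = m.group(1), int(m.group(2))
        pm = PROC_RE.search(m.group(3) or "")
        proc = pm.group(1) if pm else "?"
        listeners.append((addr, port, proc))
    return listeners


def is_loopback(addr):
    """True for listeners bound only to the local host."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def find_plaintext_listeners(output):
    """Return findings for plaintext services reachable beyond loopback."""
    findings = []
    for addr, port, proc in parse_ss(output):
        if port in PLAINTEXT_SERVICES and not is_loopback(addr):
            findings.append({
                "service": PLAINTEXT_SERVICES[port],
                "port": port,
                "address": addr,
                "process": proc,
            })
    return findings


def audit_live_host():
    """Run `ss -tlnp` on this machine and audit the real listener list."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True,
                         text=True, check=True).stdout
    return find_plaintext_listeners(out)


if __name__ == "__main__":
    for f in find_plaintext_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['service']} still listening on "
              f"{f['address']}:{f['port']} ({f['process']})")
```

On the constructed sample this reports the forgotten vsftpd on 0.0.0.0:21 and nothing else; the loopback-only database is deliberately ignored, since the concern here is what the Internet can reach. Running `audit_live_host()` instead of the sample turns the author's assumption into a fact you can re-check after every change.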

So, having closed the swinging-wide-on-its-hinges back door, I could have continued to use my site. I decided to move it, anyway.

You see, there is WordPress, and there is WordPress.

WordPress.org is the code I was previously using: the non-commercial, open-source version of WordPress that hosting providers like BlueHost install. The core WordPress.org code is extremely limited, and the way you supercharge it is to add plug-ins, which are also open source. Every plug-in is a potential security hole, because plug-ins are often put together by rookie coders, or even by people working for hacking organizations, and there’s no way to know which without reading the code yourself. Every plug-in risks hacking.

The WordPress.com (commercial) site also uses WordPress.org code, but the difference is that they have chosen all of the plug-ins for you. It’s not the most complete set of plug-ins, and there are some things it just can’t do. But here’s the overriding advantage: WordPress.com has vetted all of these plug-ins for security, and they have a development staff to detect, find, and fix holes. They have to, because if someone hacks my WordPress.com site, they can hack any WordPress.com site.

It’s just less overall stress for me.

One change you’ll notice is that the music page now links to SoundCloud, which is where I will be hosting my music. This turned out to be an unexpected blessing. Since I started posting music to SoundCloud earlier this week, I’ve already picked up fifty-three listens, and twenty-one in the last twenty-four hours. I was lucky to get twenty-one listens in six months, before. Yay!
