Blog software security redux

Carrie's blog gets infected at the cPanel level, and we dump that hosting provider.

A screenshot of a cPanel / hosting provider dashboard, with some monitor banding.
Photo by Stephen Phillips - Hostreviews.co.uk / Unsplash

The same thing that happened to me with my old self-hosted MT install just happened to my wife's hosted cPanel/wordpress install, with someone trashing the stack for their own phishing.

It started innocently enough. Deluxe Hosting had bought out our previous provider. Their support staff got a complaint that their server (our server!) was dishing up phishing links. The staff did some cleanup on our behalf, and then suggested we run some steps to secure the cPanel and wordpress install.

But they didn't prevent the original security loophole - just reset some passwords - so the adversary was able to re-root the cPanel and/or wordpress install and destroy our login details over and over again.

I was able to sneak a cycle in where I reset the WP login, set up ssh in cPanel, and rsync'd down the files / generated a site export. Then I trashed the installed app folder so there wasn't any software there.

It's nice when the hosting provider can alert you to trouble, but security is hard. Hosting the application with the vendor itself is one way to make sure you're not playing catchup constantly. It's disappointing when this strategy falls over.

I plan to do the import and fixups soon*, but I'm disappointed again. It seems like blogging via nice software is just the worst for security for everyone; might as well go back to generating static files on the host and pushing them up.


* (Edit 2025) I did end up dumping everything, I don't remember how or when. Carrie's travel blog is on wordpress for now.