Wordpress plus Dreamhost = hacked Wordpress blog

[almostwitty]

I host my main blog on Dreamhost, using Wordpress. This may have been a fatal mistake.

A while ago, someone emailed me to kindly point out that my site had somehow been hacked, and spam links injected into my HTML code. It wouldn’t appear on the site to human eyes, but it’s all there in the HTML code and picked up by Google et. al.

I changed all my passwords (Dreamhost, Wordpress, FTP), removed the hacked code and thought the problem was over.

Oh no. It’s just come back. Only this time, I can’t figure out where the code is. And since I changed all the passwords to begin with, it means that either Dreamhost or Wordpress has become seriously compromised. Although naturally my Google-fu is failing me and I can’t figure out where the problem’s come from. Although this post gives one indication.

Now I’m debating whether to carry on with this blog or move to yet another blogging platform like LiveJournal or something… bah… Or I could give up. It’s been six years, after all…

Originally published at almost witty. You can comment here or there.

Comments

[hellmutt.livejournal.com]

Oh eff.

I have Dreamwidth invites if you want one. It's a new LJ clone just getting off the ground.

A friend of mine also swears by Tabulas, which has some crossposting functionality.

But to be honest, I personally wouldn't go back to using LJ or similar as my main blog. I like my WordPress. I use LJXP to crosspost, as you do, and there's a new extension in the works that will cross-post to several LiveJournal-running services at once.

My personal site is with UnitedHosting's UK service. I can't praise their support highly enough - I've always had instantaneous response from knowledgeable humans to even my low-priority tickets. They're not the cheapest out there, and on their hosted plan they don't let you mess around with involved stuff like making and installing Perl modules (but will do it for you if you ask). Their uptime is very good. Their support fora are full of savvy users and UH's support staff are often seen on there too.

[anivair.livejournal.com]

Happens to me a lot. It's never because of wordpress (which is easy to update via the Dreamhost panel) but because of something else on my site like html forms or something. Since i got rid of all that, my site is more secure (fingers crossed).

However, I recently set up a Drupal blog on my site and i love it and it's way less hackable. If you want to look into that, I'll send you info. It's pretty and customizable and I dig it.

[kiri-l.livejournal.com]

What is wrong with just using LJ? (ok admitted I never got the hang of wordpress - at least I think it was wordpress. too much hand coding every time I wanted to do something.. hours and hours of code just to make a post? nah. I've got a life to life thanks)

and "How to detects them?" Dear Wordpress.. how about starting with an understanding of English.. this may greatly help your skills at coding and detecting hacks. That aside this was detected nearly a year ago (28 May by the byline) a year ago and they haven't figured out a solution? Bad programmers.

Color me very unimpressed.