How Not To Get Your Blog Hacked

I am going to break with seven years of precedent and indulge in a little bit of blog software wank.

Recently an exploit has surfaced in WordPress, a popular kind of blog software. If you run WordPress on a public server, an attacker can get full access to your site and do nasty things, up to and including deleting all your data. If you listen to the WordPress people, the answer to this is 'be extremely zealous about updating your software', which is the same as saying, devote half your life to learning and understanding WordPress administration.

If you listen to me, the answer is much simpler. Do not run this kind of software on a public server. Either host your blog with a competent centralized site (like LiveJournal or Blogger) that takes the burden of upgrading, backing up and patching off your hands, or use whatever personal publishing software you like (WordPress, Movable Type, and so on), but keep it on a local machine.

You can use a program like wget or curl to generate a flat HTML version of your website from this local version, and then upload these files to your public server to share them with the world. Now there is no way you can get hacked, because your server is just serving static files. As a bonus, you don't have to worry about your site ever going down because of database problems or excessive load. And as another bonus, you now have a remote backup of your blog.

If you want comments or other fanciness (why??), you might need a little more complicated setup than this. But the basic idea of keeping your administrative interface off the internet will save you endless angst as these exploits keep coming. WordPress has an especially terrible track record with security, but all these programs are just accidents waiting to happen.

If you have a blog setup that you think is insecure but don't know how to begin fixing it, feel free to email me and I will do my best to point you at an answer.