When I get asked for help with an attack on a WordPress site, it’s often on the same few hosting providers. And when it’s not, it’s usually a small, local hosting provider. When I have spoken to the staff of one of these hosting providers about what seems to occur only in these few situations, they never take responsibility for having oddball server settings. And it’s not uncommon for them to actually blame their customers for using WordPress in the first place!
Some of the more popular hosting providers that seem to have had more trouble than others with WordPress malware attacks in the past two years (in my experience) are Network Solutions and IX Web Hosting. And in general, hosting providers that have a lot of issues with malware affecting WordPress sites either:
- Have screwy server settings that tempt developers to take risks with file permissions, or
- Have vulnerabilities that allow malware to sneak from one hosting account to another
As for some of the local, ma ‘n’ pa providers I’ve had problems with, I’m not going to hit them when they’re down by naming names. But let me just say this: Buying local isn’t necessarily a good idea when it comes to hosting. It’s often the worst thing you can do. You usually get crappy support, a high price, a non-standard product, and to make things even worse, you also often get a territorial ‘server guy’ who wants to blame any technical problems on the customer and not take responsibility for anything.
I can imagine being a hosting provider and not wanting to change how I do things just because a few of my customers want to run some weird PHP software they found somewhere. But WordPress is hardly obscure anymore. And although I could be wrong, it seems that the server settings required for a smooth, safe ride with WordPress are in line with “best practices” for hosting providers in general, since all the best and most popular hosting providers seem to run WordPress perfectly.
So in the ‘news,’ I guess on April 12th, 2010, someone (rshinsec) at Network Solutions announced that an attack on many of Network Solutions’ customers’ sites was actually caused by a “WordPress Vulnerability.” (The quote is actually from a WordPress.org page, because according to that page, Network Solutions has since edited the announcement.)
“Beginning last week a WordPress vulnerability has been the target of attacks on multiple WordPress websites on hosting platforms around the web. We have a blog post with additional details about the vulnerability and how to secure your WordPress site.”
In fact, it was not a WordPress problem at all. So in response to some of the inaccurate anti-WordPress blogosphere chatter caused by Network Solutions passing the buck like this, Matt Mullenweg, founder of WordPress, posted to the WordPress Development Blog, clearing some things up and putting it like this:
“Summary: A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.”
Thank you Matt! We the people that use and love WordPress need to stand up for ourselves and demand what we deserve. We are not a fringe community anymore. WordPress is mainstream software and any hosting provider that has issues with it needs to check themselves!
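The condition in Matt's summary, and the risky file permissions mentioned earlier, can be checked from inside your own hosting account. This is an added example, not code from WordPress or from this post's original text: a Python audit that flags any wp-config.php readable by "other" and anything world-writable, assuming classic Unix permission bits (no ACLs) and a directory tree you own.

```python
import os
import stat
import sys


def audit_wp_permissions(root):
    """Return sorted (path, octal mode, problem) tuples found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A world-writable directory lets any local account drop files in it.
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & stat.S_IWOTH:
            findings.append((dirpath, oct(mode), "directory is world-writable"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular files
            mode = stat.S_IMODE(st.st_mode)
            # The "other" read bit is what exposes database credentials
            # to every other account on the same box.
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append(
                    (path, oct(mode), "wp-config.php is readable by other accounts")
                )
            if mode & stat.S_IWOTH:
                findings.append((path, oct(mode), "file is world-writable"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/your/web/root
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, problem in audit_wp_permissions(root):
        print(f"{mode:>7}  {problem}: {path}")
```

Whether wp-config.php can be tightened all the way to owner-only depends on which user the host runs PHP as, so test the site after changing modes.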