i was listening to the replay of the teleconference hosted by WPSecurityLock (with special guests from GoDaddy) in light of the recent wave of website hacks that affected hundreds of sites not once, but twice. it was actually when they were talking to a customer (one who had been hit twice) that a concern was raised in my mind. the exchange went something like this:
a GoDaddy representative was on the line talking about ways to protect your site against attack, emphasizing the importance of keeping your software (be it WordPress, Joomla!, or whatever) updated. — note: for the record, this seems like a lame cop-out. yes, it’s great to keep your software updated, but when the attack is indiscriminately affecting php files — whether they belong to a known open source software or are completely custom-coded — i don’t see how this has any relevance on the situation at hand. it should be noted that neither GoDaddy nor WPSecurityLock have been able to identify how intruders were able to access users’ sites and change the file permissions which allowed them to inject malicious code into the php files. software version doesn’t really have any bearing whatsoever on that. —
after he said his piece, Regina from WPSecurityLock spoke with a customer who suffered in the first wave of attacks — actually the first client that they (WPSecurityLock) fixed, and then fixed again when the second wave hit. she started talking about how, after the second intrusion, she noticed that all the files were left completely open in terms of file permissions (i.e. 777) and that she didn’t think he would have installed it that way. he expressed gratitude for having them on his team because he admitted that he had absolutely no idea what she was talking about.
and that’s the problem isn’t it?
GoDaddy and other web hosts are saying you are responsible for your files. you should know what goes into a WordPress installation so you can identify anything weird that’s not part of it. you are expected to be familiar with FTP and changing file permissions. but i think that most people hear “file permissions” and it’s like you’re suddenly speaking like the teachers in Charlie Brown: wah wah, wah-wah wah-wah wah.
you need to speak to the lowest common denominator here. if you’re going to provide 1-click installations for any software at all, you have to make sure that when your auto-installer does its’ job it’s not leaving customers open to attack. because no one that’s going to use a 1-click installer is going to know anything about FTP or chmod, that’s why they used the installer. and even some people clever enough to know their way around FTP and WordPress’ patented 5-minute install might not know the proper file permissions for their site and just use 777 because it works. we are lazy. we use the same single password for everything we do online. we can’t be expected by our service providers to be educated on proper security practices and safety procedures. that’s what the geeks with the smelly t-shirts and glasses that make them look bug-eyed are for (although i wrote about some ways to help make your website more secure on arcane palette on tuesday). no, it shouldn’t be the webhost’s responsibility to wipe their customers’ butt for them when it comes to securing their site, but neither do i think it’s fair that hosts honestly expect otherwise. especially if one infected site on a server can spread to any or all the other sites hosted on the same shared server which seems like it was the case for both GoDaddy and Network Solutions.
it would be great if everyone remembered to change permissions on their files after installing software like WordPress. it would be great if everyone knew and used the special extra security tricks WPSecurityLock mentions on the call, on their blog and in their free e-book. but, i’m looking at you guys here, webhosts: the files may belong to your customers but they’re on your servers. they, apparently, affect all the other sites on your servers (or have the potential to, anyway). and you can point the finger everywhere except yourself as much as you like — you can say it’s the customer’s responsibility to keep proper permissions, you can say that old software has known exploits that can be used by hackers and that upgrading your software can even leave artifacts behind from older versions (so that, even if you are upgrading your software, you still aren’t safe) — but none of those things are going to make you any friends. none of those things are going to make you into the good guy. you know what is going to make you the good guy? thinking for your customers. taking care of the situation before it becomes a situation. taking the role of assigning and/or correcting the file and directory permissions on a website out of the customer’s hands and taking responsibility for that yourself. surely, by now, webhosts, you’ve figured out that people aren’t going to do something just because they’re told to do it. surely you don’t really expect people to walk away from these widespread hacks and say “gee, i guess i should be more careful next time.” unless that’s really part of the plan: give the user the responsibility, then when the shit hits the fan you can say “well, it wasn’t really our fault, but we can have one of our security analysts fix it for you for $150.”
wait. nevermind. i see the business model now.