November 21st, 2008 • 1:27 pm
And now, for Betalogue’s literary moment of the week:
Subject: sorry admin **bibi-info**
Date: November 21, 2008 11:08:54 AST
To: [my email]
hi admin -pierre-
am bibi-info hacker algeria your friend
first , am very sorry for hacked your site or your blogs but am doing this from you for mor security .
your blog is very nice. good luck my friend admin
The Messenger superheroes have arrived! Download the Hero emoticons!
Yes, this is my “friend” the hacker, who has been persistently attacking my Betalogue web site for the past month. Incredible, but true.
If anything, it confirms a number of my suspicions, including the fact that this was not just a random attack by an automatic robot (although it might have started that way). There was obviously a very real live human being behind the attacks. (I don’t think they make robots that write like this yet.)
The timing of the e-mail is interesting. It comes less than a week after the last successful breach of Betalogue’s security barriers, discussed here. Following that last attack, I once again rebuilt things from scratch, with new passwords, but this time I used one additional layer of protection, which is to block access to the entire /wp-admin/ folder for any IP address outside the range of my own Internet service provider.
This, of course, means that I can no longer administer my blog from an access point other than my home office, but that’s not really a significant problem for me, because I very rarely need to administer it from outside my home office. If I ever need to, I can always update the .htaccess rules to temporarily allow access from another access point.
Does this e-mail from the hacker mean that this latest barrier is a good one and that the hacker has finally given up on trying to breach my security features? I hope so, even though I am not about to reply to this message to ask for confirmation. I guess that time will tell.
But if that’s the case, then I am afraid it confirms that there are inherent vulnerabilities in WordPress that cannot be entirely eliminated without denying access to the admin folder for all IP addresses except the current IP address of the administrator. It looks as if, even with hard-to-guess passwords and several other security precautions (detailed here) that are not included in the default WordPress configuration, a persistent hacker is still able to ultimately breach the barriers.
Did my hacker do it through a “brute-force” approach? I don’t know. It’s possible, since there was an interval of nearly two weeks between the last two successful attacks. Does denying IP access completely eliminate the risk of another brute-force breach? I don’t know. I hope so.
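For readers who want to reproduce the IP restriction described above, here is what the rule looks like in Apache's .htaccess syntax. This is an added example, not the actual file from this site: the range 198.51.100.0/24 is a placeholder from the RFC 5737 documentation space and stands in for whatever range your own ISP assigns you, and the 2.2-style directives are the ones current in 2008 (the 2.4 equivalent is shown in a comment). The second half answers the brute-force question from the paragraph above: a rule placed in /wp-admin/ only covers that directory, while the login form itself, wp-login.php, lives at the site root, so password guessing against it continues to reach WordPress unless the root .htaccess blocks it as well.

```apache
# ---- /wp-admin/.htaccess (added example, not the site's real file) ----
# Only the ISP range may reach the dashboard; everyone else gets a 403 from
# Apache before any PHP runs, so a guessed password never reaches WordPress.
# 198.51.100.0/24 is a placeholder; use the range your ISP actually assigns.
Order deny,allow
Deny from all
Allow from 198.51.100.0/24

# Apache 2.4 equivalent of the three lines above:
# <RequireAny>
#     Require ip 198.51.100.0/24
# </RequireAny>

# ---- site-root .htaccess (added example) ----
# The directory rule above does not reach wp-login.php, which sits at the
# site root. Without this stanza, repeated login attempts from any address
# still hit the WordPress login handler.
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 198.51.100.0/24
</Files>
```

To check the rules, request /wp-admin/ and /wp-login.php from a connection outside the range (a `curl -I` from another network is enough) and confirm Apache answers 403, then repeat from inside the range and confirm the normal 200 or redirect. Two caveats: if any theme or plugin calls /wp-admin/admin-ajax.php on behalf of anonymous visitors, that one file needs its own `<Files>` exemption inside /wp-admin/, and if a proxy or CDN ever sits in front of the server, every request will appear to come from the proxy's address and the restriction stops meaning anything until it is rewritten around the forwarded client address.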
All this still makes me think that I should probably consider ditching WordPress altogether. I don’t relish that prospect, because WordPress does have many positive aspects, and I don’t really fancy having to re-learn all the things that I have learnt about WordPress for a different system. But I might just have to. (If you have any recommendations about which system you feel would be the best in my situation, feel free to contact me using the “Contact the Author” link in the side bar.)
Out of curiosity, I also looked at the hosting services offered by WordPress.com, the “commercial” arm of the WordPress empire. I would want to keep the Betalogue.com domain name, obviously, so I would want the so-called “Premium Features.” But the feature list is far from clear, with all kinds of individually priced add-on options instead of one clear pricing solution.
And then of course there is the VIP hosting option. If the spike in traffic generated by my post on the Adobe CS4 installer becomes a regular occurrence, I just might be a “good candidate for VIP hosting,” at least according to WordPress.com.
The thing is, I am definitely not a good candidate for the VIP pricing, which “begins at $500/month per blog with a one-time setup fee of $600.” Yikes.
Anyway, it would be somewhat paradoxical if I ended up giving money to the WordPress.com organization precisely because of the flaws in their open source WordPress software. So I don’t think I could bring myself to do it anyway. What if my blog were hosted on their servers and got hacked just the same? What would be the experience dealing with their tech support service? I don’t think I want to find out.
Another issue that this latest development raises (i.e. the possibility that IP blocking for the admin folder might finally have successfully blocked the hacker, although I don’t want to jump the gun here) is whether I should try and restore some of the other features, namely the ability for Betalogue readers to post comments. I don’t think I am ready for this just yet. While I value my readers’ input and enjoy the conversations that it can generate, Betalogue remains first and foremost an outlet for me—and my readers always have the option to send their feedback privately by e-mail.
So, here we are. The hacker has spoken. I frankly don’t give a hoot about what his real motivations are/were. I just hope that this e-mail is a confirmation that the IP blocking is working, and that my blogging system is secure again for now, without requiring additional measures.
There is certainly no way that I am ever going to be grateful to him for having put me through this. Part of me wants to believe in the fundamental goodness of humanity, but it is quite obvious that the reality is that it’s “an ugly world out there,” and that even non-commercial ventures such as this blog are eminently vulnerable.
I suppose another option that I have is to try and find ways to monetize the traffic generated by Betalogue and to use that money to hire a service that would help me further secure the site. But I really do not like ads, which are probably the only viable option. Will I have to change my mind about this? We’ll see.