I’m sure you’ve probably heard the advice: Make sure your website software is up to date, and make sure you keep regular backups of all your files and database data. The reasons should be obvious and I should have known better!
I hate to say it but this week I let that obligation slip by just a few days longer than I should have, and as a result I’ve lost a minor side-project and had to stay up all night rebuilding it. The good news is that my current website build is a lot more stable, functional, and search-engine friendly than the out of date version I had been keeping alive through occasional tweaks and modifications. Sure, the template I hadusing was designed for the version that came out a dozen public releases ago, but I thought
it looked cool and I wanted to make it work, even if it meant cutting corners on security and missing out on functionality.
Well, I won’t make that mistake again.
Here’s what happened. A new version of Pligg was released about two weeks ago because some vulnerabilities were discovered. I got a nice notification from the people at Pligg and Dreamhost even updated their one click installer to facilitate easy upgrades to the newest secure version.
“Well, its not my top priority site. ”
“Well, I’m very busy with other projects and articles right now.”
“I’ll do that tomorrow or next week…”
Well it took two weeks for them to find my vulnerable website and they struck immediately. At first it was comments and links about bad neighborhood types of content and I casually dealt with it by manually removing the comments. I went to bed and didn’t think about it until later the next night…
When I looked again that next day, it was chaos. Hundreds new submissions and comments had been added to my site of originally just 50 pages. Almost every link was offensive to say the least, and had they been allowed to stay it would have certainly hurt my reputation with Google as a reference to quality resources in my niche.
The worst part was when I went to the tast of manually removing this spam/vandalism. As I clicked on the comment moderation button of my admin panel, I was actually redirected to an affiliate linked storefront!
To make a long story short and spare you the details of my resulting work-marathon, I’ll summarize by saying I had to delete everything associated with the website and re-build it from the ground-up with a new MySQL database, account name, passwords, and everything.
So now the site doesn’t look as good (the nice template is hopelessly beyond my ability to bring up to code) but at least I’ve got a solid & secure Pligg installation again.
Next time I won’t wait a two weeks to update my content management software when a security release is pushed – I learned my lesson the hard way this time.