Novelr Hacked; Back Up Now

Just a couple of quick announcements:

1) Novelr was compromised for most of today and part of yesterday. Those of you using Google Chrome (or a browser with a Google search bar installed) would’ve likely seen a warning screen telling you to STAY CALM AND WALK AWAY. If you didn’t, and you visited Novelr in the past day or so, I must say that I’m sorry about this, and I recommend that you run a virus scan on your computer, just in case.

(You probably won’t need to if you’re on Mac or Linux, since this kind of drive-by payload generally targets Windows, but I suppose I don’t need to tell you that.)

2) I’ve hardened security on Novelr’s WordPress installation. If you see something funny over the next couple of days, do feel free to drop me an email. For those of you out there with WordPress installations of your own, I’d recommend you install this, this and this plugin, and follow some of the guidelines in this document.

2a) I’ve been running WordPress for close to five years now, and must admit that I’m very annoyed with a day spent hunting down exploits. Annoyed enough to consider switching to a static site generator like Jekyll … though I’ll probably have to put that off until I have more time.

3) I’ve implemented Disqus comments. As some of you probably know, the last week or so saw some pretty rabid discussion in the commenting section of Novelr. The Disqus system allows you to flag comments you find particularly nasty, and it allows me to collapse comment threads I have no interest in reading. My thanks to L. Lee Lowe, Jim Zoetewey, and Chris Poirier for helping out with some of the more ridiculous commenters.
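Items 2 and 2a above describe the clean-up only in outline. What follows is an added example, not Novelr’s own code or any plugin mentioned on the page: a small audit script that walks a WordPress tree and flags the three things a day of exploit-hunting usually turns up, namely PHP dropped under wp-content/uploads, obfuscated eval()-style payloads appended to PHP files, and core files whose hash no longer matches a known-good copy. The signature list is a heuristic assumption, and the sample site it scans is constructed in a temporary directory purely for demonstration.

```python
"""Audit a WordPress tree for common signs of compromise.

Added example, not Novelr's code. The sample site below is constructed
for demonstration and the signature list is a heuristic assumption.
"""
import hashlib
import pathlib
import re
import tempfile

# Heuristic signatures for injected PHP (assumption: common backdoor idioms,
# a starting point rather than a complete list).
SUSPICIOUS_PHP = [
    # eval() over an obfuscated payload: eval(base64_decode(...)), eval(gzinflate(...))
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    # preg_replace with the /e modifier executes the replacement as PHP
    re.compile(rb"preg_replace\s*\([^,]*/e['\"]"),
    # calling whatever function name the request supplies: $_POST['f']($_POST['a'])
    re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\("),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5"}


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_wordpress(root, core_manifest=None):
    """Return sorted (relative_path, reason) findings for a WordPress install.

    core_manifest maps relative path -> sha256 of a known-good copy
    (assumption: kept from a clean download of the same WordPress version).
    """
    root = pathlib.Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        # 1. Executable PHP under uploads/ is never legitimate; that tree holds media.
        if rel.startswith("wp-content/uploads/") and suffix in PHP_SUFFIXES:
            findings.append((rel, "php file inside wp-content/uploads"))
        # 2. Obfuscated eval-style payloads anywhere in PHP source.
        if suffix in PHP_SUFFIXES:
            data = path.read_bytes()
            for pattern in SUSPICIOUS_PHP:
                if pattern.search(data):
                    findings.append((rel, "suspicious code: " + pattern.pattern.decode()))
                    break
        # 3. Core files that no longer match the known-good manifest.
        if core_manifest and rel in core_manifest and sha256_of(path) != core_manifest[rel]:
            findings.append((rel, "core file differs from known-good manifest"))
    return sorted(findings)


def build_sample_site():
    """Construct a tiny fake WordPress tree in a temp dir (all content made up).

    Returns (root, manifest); the manifest hashes the clean wp-includes files
    before one of them is tampered with, as a real manifest would.
    """
    root = pathlib.Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean = {
        "wp-includes/version.php": b"<?php\n$wp_version = '3.0.5';\n",
        "wp-includes/load.php": b"<?php\nfunction wp_check_php_mysql_versions() { }\n",
        "wp-content/themes/twentyten/footer.php": b"<?php wp_footer(); ?>\n</body></html>\n",
        "wp-content/uploads/2011/02/image.jpg": b"\xff\xd8\xff\xe0 not really a jpeg\n",
    }
    for rel, data in clean.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    manifest = {rel: sha256_of(root / rel) for rel in clean if rel.startswith("wp-includes/")}

    # Simulated compromise: a dropped shell, an appended theme payload, an edited core file.
    (root / "wp-content/uploads/2011/02/cache.php").write_bytes(
        b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n")
    (root / "wp-content/themes/twentyten/footer.php").write_bytes(
        clean["wp-content/themes/twentyten/footer.php"]
        + b"<?php eval(gzinflate(base64_decode('eNpLTS0uUQ=='))); ?>\n")
    (root / "wp-includes/load.php").write_bytes(
        clean["wp-includes/load.php"]
        + b"if (isset($_POST['x'])) { $_POST['x']($_POST['y']); }\n")
    return str(root), manifest


if __name__ == "__main__":
    site, manifest = build_sample_site()
    for rel, reason in audit_wordpress(site, manifest):
        print(f"{rel}: {reason}")
```

Run it against a real install by calling audit_wordpress() on the document root with a manifest built from a fresh download of the same version; the uploads and eval checks work without a manifest, but the hash check is what catches a quietly edited core file that carries no obvious signature.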

The best way to complain is to build things. Let’s do that, and carry on.

Category: Meta
  • http://www.facebook.com/clemenstation Chris Clemens

    What a strange sort of site for a takeover. Did you write something mean about 4chan scriptkiddies in one of your stories?

  • http://elijames.org Eli James

    I suspect it’s one of a few possibilities:

    1) My host got hacked, and multiple accounts were compromised.

    2) A random hacker bot found a vulnerability and launched his script.

    3) Some guy saw that Novelr’s been getting a lot of traffic recently, and ran some tests to determine if there was a WordPress hole, and got in.

    Random WordPress installations getting hacked aren’t rare, to be honest.

  • http://twitter.com/gnorb Norbert Cartagena

    Sorry to hear about your site being hacked. A while back I had a cross scripting vulnerability in WordPress exploited, so I know the feeling. Thanks for the links you offered for security. I’m going through them now.

  • http://elijames.org Eli James

    There’s also this video, worth watching in its entirety: http://wordpress.tv/2010/01/23/brad-williams-security-boston10/

    I’m perplexed as to why WordPress seems so … flimsy. :/

  • http://shiftinglight.com/ julian

    Ouch! I seem to be one of the only people still using Movable Type – I do feel safer with it. Interesting post about how WordPress became so pre-eminent here: http://www.majordojo.com/2011/02/how-did-wordpress-win.php

  • http://twitter.com/zoetewey zoetewey

    It’s interesting to me that that article doesn’t include my reason for switching to WordPress. MovableType had a plugin to prevent comment spam. Initially it was quite good, but then the developer behind the plugin got hired by MT to work there full time. And they put him on more than just the comment spam plugin.

    The plugin didn’t get updated as often after that. I found myself personally deleting 10-20 comments a day, and considered quitting blogging. Then a friend suggested WordPress. Their anti-spam plugin worked, and I’ve barely had to think about it since. I’m sure MT’s gotten better since then, but I don’t feel compelled to check.

    All CMSs have their security flaws. WordPress does too. The key point is to keep up to date, and not assume that you’re invulnerable.

  • http://indieaisle.com/ Ovi Demetrian Jr

    “The best way to complain is to build things.” Awesome.

  • http://elijames.org Eli James

    Thanks.