rolling your own and getting pwned

It’s been a banner couple of weeks for exploits on the web. At the end of March it was reported that was exploited by a blind SQL injection. The results of that attack included the revelation that the dude at MySQL in charge of product development used a four digit number as the password for MySQL’s WordPress account. And these are the people who should know better. Speaking of WordPress, there was a very large DDoS attack against at the beginning of March. The speculation is that the attack originated in China and was politically motivated. On the heels of that, Matt Mullenweg reported on his blog a couple of days ago that Automattic’s servers had been exploited at root, and sensitive code liberated.

Those are high profile attacks, rooted in a variety of motivations. Beyond that, there are so many day-to-day exploits that occur. It’s very hard for the development communities of the tools we like to use to keep ahead of the exploiters. If the experts at places like Automattic and can get owned, what does it mean for the rest of us… who aren’t experts? At the beginning of this month, I discovered that my own wordpress installation had been exploited by some criminals running phishing schemes to get people’s bank info. It makes me feel sick to my stomach knowing that my server was inadvertently aiding in that kind of activity. How did it happen? As best I can tell, the site was exploited via a third party plugin that allowed image uploading. But, there are apparently many ways that a wordpress installation can get exploited. In my case, it seems the code was injected many months ago, and only recently turned on, as it were. This makes for a problematic situation in rebuilding from backups, many of which are themselves compromised. Furthermore, I learned from a computer forensics grad student who contacted me that her program at UAB identifies many thousands of sites a month that have been compromised for phishing.
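The image-upload vector described above is worth checking for directly: an uploads directory should hold nothing but images, and an image should never contain PHP. The scanner below is an added example (my code, not anything from the post or from WordPress) that walks an uploads tree and flags non-image files and image-named files whose leading bytes carry PHP markers; it runs against a constructed sample tree, and the same function can be pointed at each backup in turn to find the earliest snapshot in which an injected file appears.

```python
import os
import re
import tempfile

# File types an image-upload plugin should legitimately leave behind.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Markers that have no business inside an image file.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(")


def scan_uploads(root):
    """Walk an uploads tree and return sorted (relative_path, reason) pairs for
    files that look like injected code: anything that is not an image, and
    image-named files whose first 64 KiB contain PHP markers."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)
            if ext not in IMAGE_EXTENSIONS:
                findings.append((rel, "non-image file in uploads"))
            elif PHP_MARKERS.search(head):
                findings.append((rel, "PHP markers inside image file"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data, not a real site: one clean JPEG, one JPEG
    with PHP appended after the image header, and one stray .php file."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2011", "03")
    os.makedirs(month)
    jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 200
    with open(os.path.join(month, "clean.jpg"), "wb") as fh:
        fh.write(jpeg_header)
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(jpeg_header + b"<?php /* constructed marker */ echo 1; ?>")
    with open(os.path.join(month, "upload-handler.php"), "wb") as fh:
        fh.write(b"<?php echo 'constructed'; ?>")
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_tree()):
        print(f"{reason}: {rel}")
```

A clean tree returns an empty list; anything it reports deserves a look before that backup is trusted.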

So, what to do? We are very close to the end of the semester, and because I use these sites to run my classes, I’m faced with some long nights of rebuilding sites from scratch and the like. I love wordpress, and have loved using it in the classroom. But, now I’m wondering if it’s worth it. I won’t be moving back to Blackboard, that’s for sure. But, my university’s OIT will not provide support for professors to do anything on their servers except roll a very simple UNIX account, use Blackboard, or maybe get someone to make a Sharepoint application (groan).

In thinking about the situation over recent days, I’m wondering what I really need for myself and for my classes. Much of the functionality of wordpress comes at a price:

    1. Third party plugins are inherently less safe than core features.
    2. Core features aren’t necessarily enough to do some of the nifty things I like doing (see, for example, feedwordpress).
    3. Dynamic sites are resource intensive, and require much more RAM server side.
    4. It’s hard to imagine SQL ever being safe.
    5. I’m not sure how much my students really enjoy the spiffier side of things on my sites.
    6. As this twitter status states so clearly, PHP is essentially a domain specific language for remote exploits.

As a result of all of this, I’m considering ditching the entire enterprise of a server-side dynamic website. Given that much of the dynamism of web2.0 platforms like wordpress can now be accomplished using client-side JavaScript, and especially a few JavaScript plugins like disqus for comments or gmodules for linking to feeds or a calendar or the like, the option of moving back in time to static html pages is kind of attractive. The question is, “Can I accomplish with static html and JavaScript what I need to accomplish to run my courses?” To answer that, of course, I need to be clear on both what I *think* I need to accomplish, and what my students might really *want* me to accomplish.

A short list would include at least the following:

    1. An attractive, well designed layout for each class, where page appearance is thematically consistent, but not identical to my main site/page.
    2. The ability to distinguish between pages and posts.
    3. The ability to feed student posts onto the site in some manner or form.
    4. The ability to distribute readings, preferably with some password protection.
    5. The ability to show video from lectures or in support of lectures.
    6. The ability to show an updated calendar (something I don’t actually do right now, but would like to).
    7. A minimal need for distributing any of these services.

My instinct right now is to move to a dynamically-generated static content site, where the site would be generated on my own machine as a set of static html pages that would then be pushed via source control to a repository on the server. Flat files are fast, and the source control side of things is really attractive. There are a few different systems out there that offer this now, but they require the effort of importing my old site and making sure that url redirects and the like work. I’m looking into jekyll and hyde, which are ruby and python implementations respectively. There are a number of other options as well (nanoc, middleman, chisel, webgen, and aym-cms among many).

Another idea would be to run a wordpress install on localhost, produce static files from that using a tool like this one, use disqus for the comment system, and then use source control to push to the server.

Security issues are a real concern for the DIY professoriate. I’m wondering what others of you think.


Associate Professor of Early Latin America Department of History University of Tennessee-Knoxville

Posted in Digital History, Panic and Terror, Teaching
One comment on “rolling your own and getting pwned”
  1. […] In April I wrote about the experience of hosting one’s own course sites (using wordpress) and getting pwned. That experience put me on the trail of migrating my sites off of wordpress, and into a static site […]



Chad Black

I, your humble contributor, am Chad Black. You can also find me on the web here.