Why I’ve been M.I.A.

This site has been quiet as I burned the midnight oil, along with new colleague Kiel McLaughlin to launch the new Johns Hopkins University web site.

I think it looks pretty good, but then, I’m biased.

Six weeks from start to finish, so there are still (many) rough edges to polish, but we wanted to get this live in time for the Inauguration of our new university president this past weekend.

WordPress blowed up real good

explosion

I think I now understand how Windows partisans feel when people like me get all smug about how viruses just seem to like that particular operating system.

Because I’m in a similar sitch at the moment with WordPress. As you may have heard, all hell broke loose this weekend as a worm had its way with WordPress installations that were neither updated to the latest version nor hardened. All of my sites fared well, but not everyone was so lucky, from uber-blogger Robert Scoble to countless tiny sites scattered across the net.

Andy Inhatko has an informative and, well, entertaining wrap-up of what it took for him to get back to normal.

John Gruber casts a much more gimlety-eye at the whole mess, saying, finally, that WP is not for absentee-admins. I’m with him on that.

As with OS X updates, I’m very bullish on WP updates, especially of the security-enhancement variety, as 2.8.3 and 2.8.4 were. I also believe that, if you really, really care about the sites you build (or, especially, build for people who hand you a paycheck on a regular basis), you should go even further in ensuring security by:

  • Nuking the “admin” named account as your second order of business, after creating a new admin-level account with a non-obvious name.
  • Requiring long, difficult passwords from all users above “contributor” level.
  • Renaming your database tables from the standard wp_
  • Putting server-level access rules in front of your admin dashboard.
  • Backing up your databases regularly. There’s even a simple plugin that will do that for you at a set interval.

Is all of this worth what you get from a self-hosted WordPress site? I still say yes, but if you’re not willing to take the minimal steps to guarantee the security of your site, then you will probably be happier in the long run with a hosted wordpress.com site or any of the many alternatives out there.

Is wonderful to have your web!

Apologies to the few legitimate commenters, but I had to turn on moderation. It seems this site has picked up a few new friends who really, really want to introduce you to the inexpensive pharmaceutical products they have to offer.

For some reason, Akismet is not working here in the same way it works beautifully on other WP sites I manage. Must investigate when I have the time. Until then, it’s moderation for the lot of you!