Something happened: the Perils of Self-Hosted Blogs

I was at a funeral on Labor Day here in the village and a few loyal readers of this blog asked me what knocked me offline for so many months.  I think the suspicion was I was suffering from writer’s block, but  the true explanation was a heavy hacking of my  server by some spammers who injected the domain with about 30,000 spam sites linking back to purveyors of porn, affiliate programs, diet plans, and content farms.

My old Internet Service Provider (who I won’t blame because it’s not their job to provide me with a hardened, secure site) had to disable the entire domain because I was on a shared server with other customers and they were seeing their sites slow down as the evil spam douche bags filled up all available space on Churbuck.com with their crap sites. I’d call the ISP, get tech support on the phone, ask them to turn it back on long enough for me to save 15 years’ worth of writing and migrate the entire database to WordPress.com.

Even as I cleared out the bad sites, patched the code, applied security measures, and did my best to defend the old blog, I could see the jerks injecting site after site even as I was logged in. Passwords were changed, everything short of hiring an expert was considered, but in the end I had to say goodbye to the platform that kept me happy for the past 18 years.

I self-hosted way back in the 1990s because I wanted to be more hands-on with web content management and server operations when I was running Forbes.com and Reel-Time, my old saltwater flyfishing site. Knowing the rudiments of HTML and web management were important skills for my career back then, and the experience helped me satisfy the nerd manqué in me. Self-hosting was never easy, especially in the early days of WordPress when the ability to automatically update the codebase wasn’t possible and I had to download patches and new versions myself, and update the blog myself. I initially was on Blogger — the blog platform acquired by Google. But Om Malik persuaded me to jump onto WordPress in 2001 and I was a fan from the very start. I got nailed by an xmlrpc hack in 2005 and lost the site for a while to some hacker, and many a time I shot myself in the foot with some rogue plug-in that required my friend Mark Cahill to swoop in and save the day.

The lesson I learned from this most recent series of hacks and frustrations is that security is a very real issue for any site owner, so much so that I can’t believe a layman such as myself can survive for very long without a managed hosting provider to provide a layer of security and oversight that a casual blogger just can’t bring to bear. The scuzzier elements of the Internet — the spammers and link farmers and affiliate marketing scum who prey on other sites to build link juice to their own money making schemes, the ransom artists, the script kiddies who prowl around looking for old unpatched sites and then infect them like some toenail fungus…. eventually they’re the ones that are going to crush the notion of the Open Web as independent creators like myself get fed up with swatting down their efforts to hijack our content and traffic so they can make a few pennies off their new get-rich-scheme.

The real shift is also in ISPs. The days of dumb rack hosting — where you get nothing more than “ping, power, and a plug” are done. Where I work, Acquia, the value to the customer comes from running their sites on a hardened platform that is monitored, managed, and patched by experts who can diagnose problems and fix them.  When I lost Forbes.com in the fall of 1999, the hosting provider was useless when it came to diagnosing the problems that were causing the site to flatline under an extraordinary spike in traffic. All their Network Operations Center personnel could do was confirm the server was powered on and connecting to the Internet. It took four days of a dead site and a lot of anxiety before someone was able to identify the problem came from too much stress on our ad servers.

When a seriously critical site — like a newspaper during a big news event — goes dark, it’s not just the site owner who suffers from the outage, it’s the audience who need the site to be available who also suffer. Failure on a web site is not just an inconvenience to a hobbyist blogger like myself; for big e-commerce operations, government agencies, news outlets — an outage can be disastrous.

But what about the casual user? Does the need for a simple platform even matter anymore when most people are content with a Facebook page, Instagram account, or a WordPress.com blog? I don’t need (nor care) to deal with SSH certificates, and make sure the version of PHP I’m running is up to date. It’s simply too far down in the fabled stack for a casual user to need to worry about. But if not knowing those things means some Ukrainian hacker can shut me down, then I’m either going to throw in the towel and join the loathed world of Facebook, or find a middle-ground solution. Hence I’m back in the saddle and blogging and not dicking around with FTP clients and cPanel anymore.

The solution was to leave my old service provider, move the domain name to Google so I could keep my churbuck.com email address, and then map the blog to WordPress.com — the service provided by WordPress’ corporate parent Automattic. Now I have two-factor authentication, protection from a security service called “VaultPress,” and a managed provider which will guarantee the latest versions are always in place and any security patches applied without me needing to take action.

Why am I not blogging with Drupal on the Acquia platform? That’s next. One step at a time. When one has 6000+ blog posts extending back to 2001, the first priority is to save that body of work and  only then consider something as dramatic as a new blog system. Stay tuned, this transition needed me to have a couple weeks off to get accomplished. A Drupal build will probably have to wait until the Christmas holidays.

I have worked with Drupal before, beginning back in 2005 when I was at IDG and needed to build a site for an advertiser at CIO.com. That was Drupal 5 — now Drupal is on a fresh new version, Drupal 8 — and I want to learn the latest.

 

Author: David Churbuck

Cape Codder with an itch to write
