WordPress Hacked, Attackers Get Root Access
An anonymous reader writes "A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'"
the cloud (Score:5, Insightful)
and that's why I don't want everything in the cloud.
Re: (Score:2)
Why do you think keeping data on your own computers makes it more secure? Big break-ins make news, but that doesn't mean they are the most common.
Re:the cloud (Score:5, Insightful)
That's why the parent is right.
Re: (Score:2)
It doesn't follow that the impact on any one user is greater, though.
Re:the cloud (Score:4, Insightful)
But it makes it far more probable.
Re: (Score:3)
Ah, that's a good question. In theory, central servers will have better security than Joe Average will know how to install. In practice, N times as many users will make the target f(N) times as inviting (where f() depends on who is doing the evaluating). This means that it is f(N) times as likely to be attacked by a human but equally likely to be attacked by zombies, worms and maybe the occasional vampire, since those won't care about N or f().
If you are concerned about human crackers, then f(N) becomes the
Re: (Score:2)
The rewards for hacking thousands of sites in one go are much greater than the rewards of hacking a single user's site. For that reason, the big site will be the one facing the most attacks by the most sophisticated black hats.
Re: (Score:2)
So your solution to keeping websites from being hacked is to store the website at home on your desktop pc?
Re: (Score:2)
Which makes your home pc a cloud server...
Re: (Score:2)
And why is that argument not applicable to any cloud server (it will be local for someone)?
Re: (Score:2)
Isn't it obvious? Because the impact of hacking a server containing data from thousands of users is FAR greater than hacking a single desktop. That's why the parent is right.
The collective computing (and bargaining) power of several thousand computers is FAR greater than a single server, hence the proliferation of botnets.
This is why BOTH of you are right, and why the ONLY safe place for ANY of your personal information is wrapped nicely in strong crypto.
Re: (Score:2, Insightful)
Oblig. http://xkcd.com/538/
In short... It's more secure because nobody cares about his private data, and even if some hacker did care about his data specifically, whether or not it is on his own computer makes no difference.
On a large system, such as WordPress, each individual user's data is of insignificant value, but the whole of it may have some value.
It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.
Re: (Score:2)
It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.
It is more efficient to break 1 machine with 50,000 users than 50,000 machines with 1 user each.
Fixed it for ya. The number of users doesn't make it easier, it just makes the potential return on the effort more significant.
Re: (Score:2)
Why do you think keeping data on your own computers makes it more secure? Big break-ins make news, but that doesn't mean they are the most common.
The distinction here is if you maintain your own data on your own system, you're (probably) a small target. Aggregating a large number of small targets onto a single site makes that site a big target.
Re: (Score:2)
Yes, for human attackers (who are the biggest threat in data theft for the time being, but expect zombies to get better at it). An automatic attack can't tell if a.b.c.d has one user or a million, it's just an IP address that the code will scan and attack if it has the script for it.
Also, if the increase in security exceeds the increase in temptation, you're better off aggregating. Which means, however, that there's a practical limit to how far you should ever aggregate (since the practical limit on how sec
Re: (Score:2)
As for my act
Re: (Score:2)
I wouldn't say my machine is more secure than that of WordPress -- although, since theirs has been compromised and mine has not, I guess that's open for debate. One big difference is, I know what and where my vulnerabilities are, and I have my fingers in there daily so I'll know pretty quickly if and when someone breaks in. When hosting stuff on Other Peoples' Servers, you never really know for sure if they are secure, how secure they are, etc. Until you find out the hard way, of course.
Not to mention they have a myriad of processes so going through and exploiting just one of those through social engineering will probably net you something. On my system no-one else needs access to it, whereas 'cloud' businesses are built on many people having access to the system so naturally that's an easier social engineering target.
Re: (Score:2)
Well, I can pull the ethernet plug out whenever I want, for one thing.
Two of my busiest computers aren't even connected to the Internet except during rare occasions, during which most of my important storage is not exposed because I pulled those plugs, too.
I trust myself more than I do a bunch of people I don't know, "in the cloud". And if I screw up, I know who to blame.
Re: (Score:2)
Because SUCK is not a rigid requirement of my own computers, handed down by some PHB without regard for what the poor bastard engineer guys think about it. I don't have any conflicts where I need to put other parties' interests above the user (me).
For example, I don't ever even think about going to extra trouble to make my computers less secure, in order to make them "CALEA compliant." I don't ever even think about implementing a de
Re: (Score:1)
Or stored on anything connected to the net at all? Do you really think most people's personal computing equipment (including - maybe especially - their smart phones) is more secure than a cloud service?
If I were betting on which, as a class of internet connected storage - cloud services, or personal hardware - is more secure, I'd bet on cloud services.
why rob banks? (Score:2, Insightful)
that's where the money is.
say you are a black hat: are you gonna go after Amazon cloud services or ME as an individual at home?
individuals are gonna get hit one at a time... the cloud is a really big juicy target
security through fifty-leven different systems & methods for each record.. kinda security through obfuscation.
my method will be different from my neighbor
if we are both on amazon cloud-- you only gotta get in once.
Re: (Score:3)
security through fifty-leven different systems & methods for each record.. kinda security through obfuscation. my method will be different from my neighbor
Though in the terms of most consumers all that means is your key is under the mat, his is in the plant pot. I keep mine in a hornet's nest but leave the back door open in case I can't get past the hornets.
Re: (Score:2)
Let's expand on your analogy a little.
Someone gaining root access has the potential to access ALL information. Therefore someone breaking into a bank could take everything.
So the modified analogy would go like this:
If a thief could take everything from the place he breaks into would he break into my apartment, or into a bank?
I'm going to guess he'll break into the bank.
So.. to wrap it up, as I see it the robber would much rather make off with 10,000 people's assets than 1 person's. Which makes the bank a muc
Re: (Score:2)
heh, You make me wish there was a "really bad analogy" moderation option. XD
Re: (Score:2)
Break into Joe Luser's home PC, and you get his porn collection, the e-mail addresses in his address book, and *maybe* the user names and passwords to get into his financial accounts. Repeat for a sufficiently large number of home PCs and you might have something of value...if you don't get caught first.
Break into facebook/wordpress/$RANDOM_CLOUD_SERVICE and you get that informat
Re: (Score:2)
> But even if it is harder to break into a cloud service, the reward:effort ratio is much, MUCH higher for the cloud service.
That's a darn good point.
Re: (Score:1)
This isn't an exploit for Wordpress itself, it's the Wordpress.com site getting hacked. This headline seems to be more attention-grabbing than it should be.
Re:the cloud (Score:5, Informative)
wordpress.COM is a hosting service which offers WordPress blog setups out-of-the-box.
wordpress.ORG is where the software itself is published.
Re: (Score:2)
You're just taking the wrong approach. It's called "cloud" because of all the smoke marketing guys are blowing up the asses of investors.
Re: (Score:2)
You keep using that word. I do not think it means what you think it means.
The citation was given as the wordpress.org website
Re: (Score:2)
Care to point out how "the cloud" is involved in this case?
Clearly the security admin's head was in the clouds ... I mean, where else could it have been? ;-)
Re: (Score:2)
I know a place where no one's lost,
I know a place where no one cries,
Crying at all is not allowed,
Not in my castle on a cloud.
Re:the cloud (Score:5, Insightful)
I never said I didn't want "anything" in the cloud. In fact the word I used was "everything". I also placed that word in italics to emphasize that I meant some things I would rather maintain on my own machines, but not all things.
One of us has rather poor reading skills. That may be the one that is "moronic".
Furthermore, you have no idea what I do or where most of it takes place. To assert that you do is, well, rather short sighted. One might almost be inclined to say moronic.
And to decide that the security of one's data is properly handled should be a matter of luck. There has to be a good word for that view, let me think on it a bit and I'm sure it will come to me.
Oh, and if being called moronic makes you feel bothered at all, I'd recommend keeping that in mind when you throw the word at others. I'm no rocket scientist but that kind of slur really isn't called for.
Re: (Score:3)
I stand by my description.
To look at "cloud" in any way that's different than any system on any network, including the network, is to bash the people that do hard work to protect online public and private resources.
You can store locally, but your use of the Internet is global, and differentiation with "cloud resources" is to damn professionals and not put the blame where it's due: sysadmins at Wordpress that need a really good spanking.
Re: (Score:2)
You were wrong, you read his post badly. Perhaps you just wanted somewhere to place your opinion. Start a new post in that situation.
Re: (Score:3)
Nowhere in that response is an objection to your description of what "cloud" means. In fact, it seems as though the post implicitly agrees with your definition.
What it does say is that your claim of "Your suggestion that you don't want to have anything in the cloud is moronic." is entirely incorrect. Which it is.
Re: (Score:2)
"and that's why I don't want everything in the cloud." (italics not preserved).
I go on to equate most all external activities with "the cloud", the cloud being a nebulous term for most things online. You can divide them into categorical definitions the size of an enormous post.
Let's use some simple exclusionary math here, and damn the passive-aggressive italics. My reply is that the cloud deserves the same responsible behavior that your own machine does, or any system-- the same high standard. People were a
Re: (Score:2)
Unsafe for everything no. Unsafe for some things, yes. At least, much more unsafe than other alternatives which are not cloud-based. All things are relative, and what is an acceptable risk for you is not an acceptable risk for others.
Highways are unsuitable and extremely unsafe for activities that are safe elsewhere. Nobody is saying it's "good" or "bad," only that it's good or bad for certain things. To use an extreme analogy that will probably be bogged down in irrelevant pedantry, Big Wheels don't belong
Re: (Score:2)
This is why we have best practices. This is why we educate youth. This is why we work hard: to make it safe for civilians, your grandmother, the kid down the street, and so on.
We know that some organizations won't adhere to them, or they'll screw off and not patch or update something. When we find them, we try and bring them up. Barring that, we use other motivators. If we all screw off, the whole thing falls apart. Diligence, and unwavering diligence, gets it done. Yeah, sounds almost military, yet if we evol
Re: (Score:2)
Blah blah blah, cloud or not what are we going to do about this sort of thing?
I think we now have to assume that any data stored in the cloud is vulnerable. How do you protect it while still allowing it be accessed anywhere by humans and applications?
Re: (Score:3)
"If not, we'll be upset."
And that's all you will be. Free hosted services have no service agreement, no liability, no enforced responsibility to secure or protect your data.
Until hosted services need to compensate you for their screwups, many places would prefer to handle their data in house (where they can fire people).
Re: (Score:2)
No, that's not really true. There are serious sysadmins out there that take it seriously. Whether FOSS volunteers or paid people, people are supposed to take this seriously. There are consequences, both legal liability and criminal.
It's fine to keep data on your own host in your own data center with your own firewall and your own ass covered. Disconnect. Or try and raise the standard.
Re: (Score:2)
I heard of one of those recently. Save you from having to smash it with a hammer.
Re: (Score:2)
Give me a hard drive that erases itself.
I'll run down to Fry's and pick you up a Seagate.
Re: (Score:2)
Ok, chump, since you want to continue the disinformation. I have cloud resources at AWS, Rackspace, GoGrid, and a lot of 'cloud' providers.
What are you computing on? Do you know if it's hosted at an MSP/ISP? Unlikely-- save for the hosts that you personally know of.
WordPress, by one definition, is in the cloud. Most hosted stuff can be considered cloud. Cloud is nebulous. Cloud is SaaS. Cloud is raw VMs on the hoof. Cloud is 100 instances that I can spin up in about 30sec.
So fuck off about your definition o
Re: (Score:2)
Ok. Let's let it live somewhere close to you. Let's say your hard drive.
Perchance is it on Windows 2008R2? Do you have the current stack of 228 updates and fixes installed?
Maybe it's Linux on SUSE 11. Did you do the 51 kernel updates? How about the other apps?
Is your router up to date? Cisco? Extreme? F5? Updated? Not using a firewall, are you--- silly to imagine that there are secure perimeters.
Watching all of the traffic on your backbone and local nets for interesting destinations to say, Rumania? Have an
Facebook? Twitter? (Score:5, Insightful)
The WordPress devs promoting integration with Facebook is like handing Sweeney Todd the razor and saying "Shave away, whatever you like."
It starts with FB managing the identities and next, the discussion threads, and slowly creeps throughout - until WP is a hollow frame on which to drape FB parts.
Eviler than Google. And that's saying a lot.
WTF? (Score:1)
>> Eviler than Google. And that's saying a lot.
Er.. Anything from Apple|Microsoft|Oracle|Sco might have made slightly more sense. But then, if you had taken your medicine today on time, we wouldn't have had this discussion. Just saying...
Re: (Score:1)
Google owns you and you're too dumb to see it.
Re: (Score:2, Funny)
It doesn't matter how much you keep trying, Mr. Beck, Slashdot won't hire you after your gig at Fox News is done.
Re: (Score:3, Informative)
But they don't own me, though they rent me with really cool shit.
Even after they rented me they kept improving the shit they rented me with.
They win too. They serve me up small text ads. Ones that kind of hang back and allow me to see the stuff I want to see.
Because they rented me they also can do a better job of making those unobtrusive text ads sometimes useful.
If they fuck us over then their flock runs away. Then their profits go down. They do not want to do that.
What they want is to continue to serve me r
Re: twitter/fb-This has been happening everywhere (Score:3, Insightful)
Login: Half the sites I visit these days have a Facebook login option to access that site's account. A subset of which no longer really -have- account management of their own.
Discussion threads: Almost every site that has discussions threads seems to use Disqus these days.
Avatars / Profile pictures: Thanks to the use of Disqus, that'll be Gravatar, but even sites that still have their own commenting system seem to be jumping to Gravatar; including WordPress.com .
I'm not sure who knows more about people
Re: (Score:3)
I refuse to sign up for sites like that. I played around with OpenID for a bit, but stopped pretty quickly. A single point of failure is really not a good thing.
Re: (Score:3, Insightful)
Gravatar is particularly bad because it is uniquely* identifying to your e-mail address.
(* as far as MD5 is unique for the purposes)
If you were ever silly enough to use your e-mail address on some random blog to make an anonymous post - falsely trusting that the site wouldn't make this public - and that site decides to add Gravatar -without- making sure it only adds this for non-Anonymous posts... bam. exposed.
In addition, of course, Gravatar knows who you are, at least by e-mail address (not sure what othe
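The "uniquely identifying" point above comes down to one property: Gravatar derives the avatar URL from an MD5 of the trimmed, lower-cased e-mail address, with no salt and nothing site-specific mixed in. The following is an added example, not code from the thread or from Gravatar, showing both consequences the comment describes: the same address yields the same hash on every site that embeds Gravatar (so two "anonymous" comments can be tied to one person), and a precomputed table of candidate addresses turns the hash back into the address. The candidate word lists and the leaked URLs are constructed for the demonstration.

```python
"""Why a Gravatar hash identifies an e-mail address.

Added example; not code from the thread or from Gravatar. Gravatar's
documented scheme hashes the trimmed, lower-cased address with MD5, which
is what the commenter above means by "uniquely identifying". The candidate
address lists below are constructed for the demonstration.
"""
import hashlib
import itertools


def gravatar_hash(email: str) -> str:
    """MD5 of the normalised address, exactly as avatar URLs carry it."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str) -> str:
    """The avatar URL a site embeds for a commenter, hash included."""
    return "https://www.gravatar.com/avatar/" + gravatar_hash(email)


def hash_from_url(url: str) -> str:
    """Pull the hash back out of an embedded avatar URL (size/default
    query parameters and an optional .jpg/.png suffix are stripped)."""
    tail = url.rstrip("/").rsplit("/", 1)[-1]
    return tail.split("?", 1)[0].split(".", 1)[0].lower()


def same_person(url_a: str, url_b: str) -> bool:
    """Cross-site correlation: no salt, so equal hashes on two unrelated
    sites mean the same address was used on both."""
    return hash_from_url(url_a) == hash_from_url(url_b)


def generate_candidates(local_parts, domains):
    """Plausible addresses from constructed word lists; a real attacker
    would feed in leaked address dumps instead."""
    for local, domain in itertools.product(local_parts, domains):
        yield f"{local}@{domain}"


def build_reverse_index(candidates):
    """hash -> address for every candidate. Built once and reusable against
    every site, because nothing site-specific goes into the hash."""
    return {gravatar_hash(c): c.strip().lower() for c in candidates}


def recover_email(avatar_hash: str, index):
    """Table lookup; None means the address was not in the candidate set."""
    return index.get(avatar_hash.lower())


if __name__ == "__main__":
    # An "anonymous" comment whose page embeds a Gravatar URL (constructed).
    leaked_url = gravatar_url("Jane.Doe@Example.com") + "?s=48&d=identicon"
    index = build_reverse_index(
        generate_candidates(["jane.doe", "jdoe", "bob"], ["example.com", "mail.test"])
    )
    print("recovered:", recover_email(hash_from_url(leaked_url), index))
    # The same address used on a second, unrelated site (constructed).
    other_site = gravatar_url("jane.doe@example.com") + ".jpg?s=80"
    print("same commenter on both sites:", same_person(leaked_url, other_site))
```

The table in build_reverse_index is the whole attack: it costs one MD5 per candidate address, is computed before any target is chosen, and recovers the address of anyone whose e-mail appears in a reasonable word list or prior breach dump.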
Re: (Score:2)
Facebook's New Realtime Analytics System: HBase to Process 20 Billion Events Per Day
Via: High Scalability: [highscalability.com]
The need for such a high powered analytics system is driven by Facebook's brilliant plan for world wide web domination via the viral propagation of social plugins, all tying the non-Facebook web back into Facebook and the Facebook web back into the non-Facebook web. Basically anything that people can do is captured and fed back through Facebook and anything done on Facebook can be displayed on
Spammers? (Score:1)
If obtaining API keys was the target, then we are gonna have a fresh wave of spam. Shyte.
beyond that... (Score:5, Funny)
They stole everything, but, "beyond that, however, it appears information disclosed was limited."
Automattic (Score:1)
'Automatic had a low-level (root) break-in to several of our servers'
Refreshing honesty? (Score:1)
Saw some unusual activity this week (Score:2, Informative)
I was seeing some unusual activity on my blog hosted there. I opened a ticket and they thanked me for the info but never got back to me. Just emailed them regarding the ticket to see if they were related. Good thing I immediately went and changed my password for them. I guess I better change it again just to be safe. Mine is definitely not in the dictionary or guessable so I'm not too worried unless they can decrypt the password file. I would hope they encrypt their password file... I'll probably als
Re:Saw some unusual activity this week (Score:5, Insightful)
If they raided the entire fridge, even if it was encrypted, they'd have the keys and thus all the passwords on a silver platter.
I think what you meant to say is you hope the passwords were hashed.
Re: (Score:2)
Yes, the passwords on wordpress.com are hashed:
http://en.blog.wordpress.com/2011/04/13/security/#comment-124231 [wordpress.com]
Re: (Score:2)
Personally, I like my hash salted. But that's just me.
Re: (Score:2)
Yeah, I figured that out after reading through some links. Even posted a demurral but I don't see it here. Could just be /.'s new fucked-upedness taking over.
Been a while since I did anything with passwords and the linguistic shift from encrypted to hashed is just reaching Barsoom.
Re: (Score:2)
Having the "key" is entirely relevant. If an attacker doesn't have the key, they can't even begin to attempt a brute force crack. Once the key has been obtained it becomes possible.
Furthermore, many people use stupidly simple passwords. The attacker will be able to find these passwords within just hours. Without the key though, even a crappy password is unbreakable.
Of course, that doesn't just leave everyone's password out in the open, the passwords still have to be gu
Re: (Score:2)
The attackers gained access to all information on the site, so it's entirely possible that they've got enough information to work at breaking passwords at their leisure. OTOH, the site is using a salted hash for their passwords, so the only approach that can be used is a simple brute-force test, one password at a time, one user at a time. Weak passwords are under threat, but strong ones should be OK (at least for some time).
It's still a good idea for users to change everything that uses the same password to
Re: (Score:2)
hashing = encryption, here. they've changed the terminology since the last time i cared.
There's a formal difference. Encryption is reversible (if you have the decryption key) whereas hashing is not (it formally loses information from long input values). Theoretically, hashing is less strong because there could be other values that hash to the same thing (this is one of the principles behind rainbow tables) but with a good crypto hash algorithm, finding two values that collide is really hard.
Re: (Score:2)
It certainly is amazing how many people don't understand the difference, or more specifically, that there is a difference.
The other important factor is that hashing is not 1:1 input for output. Block digest functions are a good illustration of that. But in this specific case that's not important.
The only important thing here is that given a full site dump (or outright theft of the gear) it's not possible for the attacker to determine cleartext passwords short of brute force. (or rainbow table if the imple
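The distinction the last few comments draw (a root compromise takes the key along with an encrypted table, whereas a salted hash leaves nothing to do but guess, one user at a time; a site-wide or missing salt collapses that back to one table for everyone) is easy to show concretely. The following is an added example, not code from the thread or from WordPress.com. The three store formats, the toy user table, the word list, the stand-in stream cipher and the deliberately small PBKDF2 work factor are all constructed for the demonstration.

```python
"""Encrypted vs. salted-hashed vs. unsalted password stores under a full dump.

Added example; not code from the thread or from WordPress.com. The record
formats, toy user table and word list are constructed; the XOR "cipher" is a
stand-in whose only relevant property is reversibility, and ITERATIONS is kept
tiny so the demo runs in well under a second.
"""
import hashlib
import hmac
import secrets

# --- Store A: reversible encryption. The key lives on the same server, so a
#     root compromise takes the key along with the table.
def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter keystream XORed over the data.
    Encrypt and decrypt are the same operation."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))

def store_encrypted(users, key):
    return {u: xor_stream(key, p.encode()) for u, p in users.items()}

def dump_encrypted_store(table, key):
    """Attacker holding the dump and the key: every password, instantly,
    regardless of how strong it was."""
    return {u: xor_stream(key, c).decode() for u, c in table.items()}

# --- Store B: per-user salt, iterated hash. There is no key to steal; the
#     attacker must guess, and every guess is bound to one user's salt.
ITERATIONS = 1000  # toy value; production deployments use far more

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_hashed(users):
    table = {}
    for u, p in users.items():
        salt = secrets.token_bytes(16)
        table[u] = (salt, hash_password(p, salt))
    return table

def crack_hashed_store(table, wordlist):
    """Dictionary attack: one hash per (user, guess) pair because of the salts.
    Returns the recovered passwords and the number of hashes computed."""
    recovered, work = {}, 0
    for u, (salt, digest) in table.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(hash_password(guess, salt), digest):
                recovered[u] = guess
                break
    return recovered, work

# --- Store C: fixed site-wide salt, i.e. effectively unsalted. One table of
#     hashed guesses covers every user (the rainbow-table situation).
SITE_SALT = b"same-for-every-user"

def store_unsalted(users):
    return {u: hash_password(p, SITE_SALT) for u, p in users.items()}

def crack_unsalted_store(table, wordlist):
    """Hash the word list once, then recover users by lookup: the work is
    len(wordlist) no matter how many users are in the dump."""
    lookup = {hash_password(g, SITE_SALT): g for g in wordlist}
    recovered = {u: lookup[d] for u, d in table.items() if d in lookup}
    return recovered, len(wordlist)

if __name__ == "__main__":
    users = {"alice": "password1", "bob": "letmein", "carol": "Xq7!rT9#vLp2"}
    wordlist = ["123456", "password1", "letmein", "qwerty"]  # constructed
    key = secrets.token_bytes(32)                              # stolen with the dump
    print("encrypted  :", dump_encrypted_store(store_encrypted(users, key), key))
    print("salted hash:", crack_hashed_store(store_hashed(users), wordlist))
    print("fixed salt :", crack_unsalted_store(store_unsalted(users), wordlist))
```

With the encrypted store every account falls at once, Carol's strong password included. With per-user salts only the two dictionary passwords are recovered, and the attacker paid one PBKDF2 evaluation per (user, guess) pair, so the cost grows with the number of users; with a fixed salt the same two are recovered for the cost of hashing the word list a single time, which is exactly the saving a rainbow table exploits.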
Terrible summary (Score:2)
Where did the anonymous reader get information regarding the hacker's access to "passwords/API keys for Twitter and Facebook accounts"? On a related note, it appears that the anonymous reader cannot properly copy and paste; It is Automattic and not Automatic.
CGI systems (Score:1)
Surprise!! Another CGI system is breached. Yes, I am one of those guys that thinks php is stupid!
Along with the whole idea of CGI based native call methods built as plugins directly into a web server.
Why don't you just give everyone the root password on your webserver and save them the effort and you the embarrassment?
At least that way you can say I knowingly did it instead of admitting you run CGI crud in the 21st century.
A century where VM technology makes such drivel totally unrequired.
So use virtual
Re: (Score:2, Insightful)
Wow! You could serve TENS OF USERS with that rig!
Re: (Score:2)
Got Geometrodynamics? Aw, too hard to figure out? Too bad.
John Wheeler cries! Then giggles. Then cries some more.
Aw, Hack, did you forget your meds again?
I don't think he forgot them, I think he just took a little too much this morning.
Sure glad... (Score:2)
Sure glad now I used a "shitty unimportant level" password for my wordpress.com account. Whoever it is, is welcome to keep it.
What have I learned here? (Score:4, Interesting)
This year I spent 4 weeks studying the OS X Server Security Config (400 pp.), and implementing those recommendations. I've looked at best practice guides for all the underlying FOSS tools I use. I monitor logs.
But it never seems to be enough to keep out a determined, skilled hacker. Do I despair? Give up? What lessons can I take from this?
Re: (Score:2)
You don't hear about the companies that do keep their servers secure, do you?
Lesson: don't do business with wordpress.com.
Re: (Score:2)
You don't hear about the companies that do keep their servers secure, do you?
There are also reasons why the most secure organisations do not publicise breaches.
Re: (Score:2)
What lessons can I take from this?
If you jump off the roof of your house, you will hit the ground. If you have a really expensive house with like 5 stories, or a penthouse on 5th avenue, it may take you longer to hit the ground, but eventually.... splat.
Re: (Score:2)
Do you store financial, personally identifiable, or other must-be-kept-private information?
If yes, hire a pro to audit your setup and cover your ass. You can call said pro when you do get hacked to help with cleanup. If no, stay small, don't piss off your users, and stay on top of those logs.
Oh, and in either case, make sure you have current, offline backups that can be used to recover from an incident.
Re: (Score:2)
Be careful, be small, and stay under the radar. Never put client data where it can be openly accessed on your server; encrypt everything. Most attacks will actually come from your own staff, and most likely someone with authorised access anyway. What makes these sites juicy is the passwords they may contain for other sites, and email addresses for spam or identity theft. Keep your clients so anonymous, even you don't know who they are. Except if you live in France, then you have to keep everything anyone e
How did they get in? (Score:2)
Does anyone know how they got hacked? When I ran Wordpress it was like trying to plug a dike with bubble gum.