WordPress Thinks Network Solutions is Stupid

Posted by Nessa | Posted in uncategorized | Posted on 22-04-2010


Quick quiz: What does a hosting provider do when they know they’ve messed up and don’t want to deal with the fallout?

You apparently blame WordPress.

Don’t get me wrong here – being behind the scenes of server management for a webhosting company makes you the target of a lot of accusations.  And yes, most of the time when a user’s site gets hacked it’s their own damn fault. But in this case, Network Solutions is apparently trying to push their issues off on WordPress because they don’t want to admit they f***cked up.

Well, WordPress is pissed.  I logged into my dashboard today and the first thing I see in my news feed is:

A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.

To highlight the best part:

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

P.S. Network Solutions, it’s “WordPress” not “Word Press.”

Burned.

In short, Network Solutions acknowledged that most of the problem was due to users’ public_html and wp-config.php files being readable by other users on the server – something which could have easily been caused by the users setting the permissions of those files insecurely. But they took a shot in the dark and said that the problem was caused by WordPress putting cleartext database credentials in the wp-config.php file – something that just about every software developer does, as WordPress states:

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

Good point. They also went on to say that a properly configured web server will not allow users to access the files of another user, regardless of file permissions. This is why most hosts have switched to suPHP or phpsuexec, which run each account's PHP scripts as that account's own user rather than as the one shared web-server user, a technology Network Solutions was apparently left in the dark on. At least now they seem to be taking responsibility for the problem and are attempting to handle it.

I’m also going to state, based on comments in popular blogs from users that don’t know what the hell they’re talking about, that unless someone has access to view the source of a PHP file, they can’t see the database credentials. PHP files are executed server-side, and only their output is sent to the browser. Since the username and password are stored as variables and are not echoed out anywhere, someone simply calling wp-config.php from a browser can’t access your login data.
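If you want to check what the posts above are arguing about on your own box, here is a small audit script. It is an added example, not code from the post or from WordPress: it walks a home tree, finds every wp-config.php, and flags the ones whose group-read or other-read bit is set, which is exactly the condition that lets another account on the same server read your database credentials. The directory layout and the two sample accounts it builds are constructed for the demo, the credential inside them is a placeholder, and on a real shared host you would run it as root (or as the one account you are checking).

```shell
#!/bin/sh
# Added example (not from the post or from WordPress): audit wp-config.php
# files under a shared-hosting home tree and flag the ones that other local
# accounts could read. The site layout and sample files below are constructed.

# Octal permission bits of a file. GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when only the owner can read the file, i.e. neither the group-read
# (040) nor the other-read (004) bit is set; exit 1 when either bit is set.
wpconfig_is_private() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 044 )) -eq 0 ]
}

# Walk ROOT and print one "EXPOSED <path> mode=<octal>" line for every
# wp-config.php that group or world can read.
audit_wpconfigs() {
    find "$1" -type f -name wp-config.php | while IFS= read -r cfg; do
        wpconfig_is_private "$cfg" \
            || printf 'EXPOSED %s mode=%s\n' "$cfg" "$(file_mode "$cfg")"
    done
}

# Number of exposed configs under ROOT (0 when the tree is clean).
count_exposed() {
    audit_wpconfigs "$1" | grep -c '^EXPOSED ' || true
}

# Build a throwaway tree with two customers: alice's config is world-readable,
# bob's is owner-only. Prints the tree's path. The credential is a placeholder.
make_demo_tree() {
    root=$(mktemp -d)
    for user in alice bob; do
        mkdir -p "$root/$user/public_html"
        printf "<?php define('DB_PASSWORD', 'placeholder-not-a-real-secret');\n" \
            > "$root/$user/public_html/wp-config.php"
    done
    chmod 0644 "$root/alice/public_html/wp-config.php"   # readable by every account
    chmod 0600 "$root/bob/public_html/wp-config.php"     # owner only
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
audit_wpconfigs "$demo"                                    # prints alice's config only
printf 'exposed configs: %s\n' "$(count_exposed "$demo")"  # prints 1
rm -rf "$demo"
```

One caveat before you chmod everything to 0600: that only works when PHP runs as the file's owner (suPHP, phpsuexec, or a per-account FastCGI/php-fpm pool). Under plain mod_php every site's scripts run as the shared web-server user, so a 0600 wp-config.php breaks your own site while a 0644 one is readable by every other customer's scripts, which is the no-win situation the post is describing; the fix there belongs to the host, not the file mode.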

You’re probably going to find all kinds of fixes on various sites that this story is covered on, but I’m going to give the same advice I do for all my customers that have had sites hacked:

  • Change your FTP and MySQL user passwords
  • Replace all files on your site from a ‘clean’ backup
  • Make sure the software on your site is up to date
  • Scan your PC for viruses
  • Choose a secure host
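The second step on that list is easier to do carefully if you first know which files actually changed. The script below is an added example, not something from the post: it hashes a known-clean backup and the live site, then lists what was added, modified or removed in the live copy. Both trees it compares are constructed for the demo; point it at your real backup and document root instead.

```shell
#!/bin/sh
# Added example (not from the post): compare a live site tree against a known
# clean backup and list files that were added, modified or removed, so you
# know what to look at before swapping the backup in. Both trees below are
# constructed for the demo.

# SHA-256 of one file; GNU coreutils sha256sum, or shasum on BSD/macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# One "hash<TAB>relative path" line per regular file under DIR.
hash_tree() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do
        printf '%s\t%s\n' "$(file_sha256 "$f")" "$f"
    done )
}

# Print ADDED / MODIFIED / MISSING lines for LIVE relative to CLEAN, sorted.
# (The clean tree is read first; it must contain at least one file.)
site_diff() {
    clean_list=$(mktemp); live_list=$(mktemp)
    hash_tree "$1" > "$clean_list"
    hash_tree "$2" > "$live_list"
    awk -F'\t' '
        NR == FNR                        { clean[$2] = $1; next }   # clean tree
        !($2 in clean)                   { print "ADDED    " $2 }
        ($2 in clean) && clean[$2] != $1 { print "MODIFIED " $2 }
        { seen[$2] = 1 }
        END { for (p in clean) if (!(p in seen)) print "MISSING  " p }
    ' "$clean_list" "$live_list" | sort
    rm -f "$clean_list" "$live_list"
}

# Build a clean backup and a live copy that drifted from it. Prints the base path.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/wp-content" "$base/live/wp-content/uploads"
    printf '<?php echo "hello";\n' > "$base/clean/index.php"
    printf "<?php define('DB_NAME', 'demo');\n" > "$base/clean/wp-config.php"
    printf '<?php // theme\n' > "$base/clean/wp-content/functions.php"
    cp -R "$base/clean/." "$base/live/"                    # identical copy first...
    printf '<?php echo "hello"; /* changed after backup */\n' > "$base/live/index.php"
    printf '<?php // not in the backup\n' > "$base/live/wp-content/uploads/stray.php"
    rm "$base/live/wp-content/functions.php"               # ...then alter, add, remove
    printf '%s\n' "$base"
}

demo=$(make_demo_trees)
site_diff "$demo/clean" "$demo/live"
# prints:
#   ADDED    ./wp-content/uploads/stray.php
#   MISSING  ./wp-content/functions.php
#   MODIFIED ./index.php
rm -rf "$demo"
```

Expect wp-config.php to show up as MODIFIED if you already did step one and rotated the database password; that one is yours. Anything else in the ADDED or MODIFIED list, especially under wp-content/uploads, is what you want to read before you decide the backup itself is actually clean.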

Remember that your site can get hacked regardless of who your host is or how secure they are, though your host has to take some level of responsibility for hacks that are caused by their own bad configuration, such as in the case with Network Solutions.

5 New Toys You May Not Know About

Posted by Nessa | Posted in uncategorized | Posted on 09-04-2010


BlogSell

BlogSell is the next generation of managing blog income.  There are dozens of services out there that assist with buying and selling ads, but this one actually helps you keep track of all your banners and affiliate links, as well as various sources of blog income such as paid reviews, banners, and text links. Definitely a must-have for bloggers needing a more flexible platform for keeping track of their income sources, who want to do it all in one place.

Yola

Yola is offering something that most other web hosts and template services do not – free site hosting AND design for basic usage. The templates offered are actually very nice, but you can also purchase a series of upgrades based on what you actually need.  The price of custom design may be a bit steep for some people, but is still a lot less than hiring a freelancer.

FitClick

Move aside, Sparkpeople. No one really needs you anymore. FitClick is a free online weight loss service offering free weight loss programs, diet tips, and fitness/calorie trackers, with reportedly a much better user interface than Sparkpeople.  I’m not trying to call you fat, but umm…maybe you should take a look at this site.

MyPunchBowl

Party planning has never been sexier. MyPunchBowl is a free online party planner that lets you plan an event by recommending vendors, helping you to prepare lists, send out invitations, and shop for party favors and supplies. It even has a link to Facebook to help you promote your event.

ProjenyPM

This one was developed by a customer of IMH and introduced to me a couple months ago. It’s an online project management tool that goes above and beyond most other project management solutions out there, including the ability to manage employee timesheets, performance, and scheduling. This service is free for personal use, and moderately priced for business use.