Please pardon the downtime.

A quick explanation for why the blog has been down a lot over the last few days.

On Monday, I discovered that my WordPress installation had been hacked again.  I spent a few hours cleaning things up, and then I got really frustrated with the Sisyphean nature of the whole process.  Because of that, I decided to move my site from a self-hosted WordPress installation to WordPress.com servers, so that constant vigilance against hacks and software updates would be Somebody Else’s Problem(tm) for a change.

The annual fees for WordPress.com hosting were, I thought, well worth the one night a month I would gain in not having to clean out my blog’s infection and reset everything.

The last two days during which the blog was completely down were due to a failure in my nameserver change from Dreamhost to WordPress.  This failure is ongoing and Dreamhost support is working on it.  I’m actually using an HTTP cloak to load the WordPress site directly without properly mapping the domain name.  It’s a kludge, but it will at least bring me back up for the time needed to resolve the real problem.

As a nifty bonus though, WordPress.com hosting does a few things natively that it took me several plugins to get working on the self-hosted variety.  Things like the direct connections to Facebook and Twitter to notify of new blog posts.  The only functionality I lose is the LiveJournal crossposting, and I have a different solution for that once this is all sorted out.

The downtime is not the fault of Dreamhost, although their initial communication infuriated me because they misread my question three times.  The downtime is also not the fault of WordPress, although their documentation could be a little bit more clear.  The real fault for the downtime is a combination of my poor understanding of DENIC’s strict rules and an as yet to be determined problem with Dreamhost’s third-party registry vendor, Logic Boxes.  That support request is ongoing.

Technical Note (If you’re bored by the technical stuff, skip this paragraph): DENIC, the registry for .de domain names, has very, very strict rules about things.  It requires that you have a valid zone file on the name servers you want to change to, and this was not clear to me at first.  I realized yesterday, after I discovered an “unexpected RCODE failure” on their nameserver check at http://www.denic.de/en/background/nast.html that I needed the zone on WordPress servers to make this happen.  WordPress is used to this, and they get support requests to create zones manually all the time, so this was a piece of cake to fix once I knew that it was needed.  However, the nameserver change is still not going through because the Dreamhost panel thinks this domain name isn’t registered.
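The requirement described in the technical note can be tested before a nameserver change is submitted. This is an added example, not part of the original post and not DENIC's own test: a simplified check that a candidate name server returns an authoritative SOA answer, run here against constructed replies, with `example.de` as a placeholder zone.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QR, AA, TYPE_SOA, CLASS_IN = 0x8000, 0x0400, 6, 1

def build_soa_query(zone, qid=0x1234):
    """Non-recursive (RD=0) SOA query, as sent straight to a candidate name server."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", TYPE_SOA, CLASS_IN)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:    # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def check_predelegation(query, resp):
    """Return (ok, reason): does this server answer authoritatively for the zone?"""
    if len(resp) < 12:
        return False, "truncated header"
    qid, flags, qd, an, _, _ = struct.unpack("!6H", resp[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not (flags & QR):
        return False, "not a response to this query"
    rcode = flags & 0x000F
    if rcode:
        return False, "unexpected RCODE " + RCODES.get(rcode, str(rcode))
    if not (flags & AA):
        return False, "answer is not authoritative (AA=0)"
    off = 12
    for _ in range(qd):           # skip the echoed question section
        off = skip_name(resp, off) + 4
    if an == 0 or len(resp) < off + 2:
        return False, "no SOA record in the answer section"
    rtype = struct.unpack("!H", resp[skip_name(resp, off):][:2])[0]
    return (True, "authoritative SOA") if rtype == TYPE_SOA else (False, "answer is not an SOA record")

def constructed_reply(query, flags, with_soa):
    """Constructed sample reply (not captured traffic): echoes the question, optional SOA RR."""
    rdata = b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c" + struct.pack("!5I", 1, 10800, 3600, 604800, 3600)
    rr = b"\xc0\x0c" + struct.pack("!2HIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return query[:2] + struct.pack("!5H", flags, 1, int(with_soa), 0, 0) + query[12:] + (rr if with_soa else b"")

QUERY = build_soa_query("example.de")   # placeholder zone name
```

A server that has no zone loaded typically answers with REFUSED or SERVFAIL, or with a non-authoritative referral. All three are rejected here before the answer section is even examined.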

In any case, there may yet be some additional hiccups to the DNS here, but once this is all sorted out I’ll get back to posting about life outside of the command line.

4 thoughts on “Please pardon the downtime.”

  1. Great hint about DENIC! Good to know, especially if you move your nameservers to somewhere else sometime — some place that isn’t as big as WordPress and therefore doesn’t get those requests all the time.

    I have heard nothing but bad news about Dreamhost, sorry to say. Besides the DNS/DENIC stuff you’re dealing with now, are you sure that’s at the root of your troubles with your blog and getting owned? If I had to guess, I’d say one of two things is at the root of it:

    (1) Dreamhost (shared hosting, yes?) has something sloppily configured such that someone else’s vulnerability has resulted in someone gaining unauthorized access to your site.

    (2) The vulnerability is entirely on your site. Have you checked permissions on all the files and directories in the wordpress root directory and below? There shouldn’t be a need for anyone other than you (the owner) and the group (ideally just the user the webserver itself runs on, like www-data or web or httpd) to have write access.

    Some plugins I’ve used want permissions set to 777 (user/group/everyone has read/write/execute), else they refuse to install. Some of them suggest a return to more restrictive permissions after installation is complete. But I think that’s pretty insane, in general. Other than me and the webserver, who else should need to write files on my server? Even for installation purposes? It should still just be me and the webserver!

    I hope you’re happy hosting with WordPress.com. (If you’re not, I’d be interested to know why.) I’ve only ever hosted with nearlyfreespeech.net and Slicehost.com. I recommend both of those strongly, but for different reasons, depending on your needs.

    • Your points, in order.

      1) Dreamhost. I’ve been with them for roughly ten years, and I’ve never had a problem before. Their platform, product, and administrators have always been on point, and they’re pretty proactive against site hacks.

      2) I checked the permissions, ownerships, and such on day one. I don’t speak about my job often on the blog, but my profession is UNIX Systems Administrator. I work for a web host, but not DH- I never put personal stuff on my employer’s servers. I know what I’m doing. The first time I got hacked, I did find permissions were askew, my wp-config file was world readable, and so forth. None of that was the case this time. The entrance vector was absolutely weak php code in WordPress plugins, and I’m almost positive it was the ‘Faster Image Insert’ plugin.

      So far I’m quite happy with WP.com hosting, but it will take another week or two to get all the kinks sorted out, I think.

      • Glad to hear that it’s not the hosting company then, and sorry to have vouched for the competition on your personal site — delete at will!

        • No sweat, Cliff- there’s no need to delete anything. I generally try to keep work and everything-that-is-not-work separate…
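The permission checks discussed in the comments above (nothing writable by "other", and a `wp-config.php` that is not world-readable) can be automated. This is an added example, not code from the post or from any commenter; `audit_tree`, `build_sample_tree` and the sample layout with its `example-plugin` directory are constructed for illustration.

```python
import os
import stat

def audit_tree(root, fix=False):
    """Return sorted (relative path, finding) pairs; with fix=True also clear the risky bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue                      # a symlink's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            drop = 0
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
                drop |= stat.S_IWOTH
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, "world-readable wp-config.php"))
                drop |= stat.S_IRWXO          # database credentials: no access for "other"
            if fix and drop:
                os.chmod(path, stat.S_IMODE(mode) & ~drop)
    return sorted(findings)

def build_sample_tree(root):
    """Constructed layout: a 777 plugin directory and a world-readable wp-config.php."""
    layout = {"wp-config.php": 0o644, "index.php": 0o640,
              "wp-content/plugins/example-plugin/cache.php": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), mode=0o750, exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)                  # chmod is not subject to the umask
    os.chmod(os.path.join(root, "wp-content/plugins/example-plugin"), 0o777)
```

Removing "other" access from `wp-config.php` assumes the web server reads it as owner or group, which is the model the first comment describes. Where PHP runs as an unrelated user, fix the group ownership first.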
