Showing posts with label wordpress. Show all posts

Saturday, July 19, 2008

Veraperez.com is back in business

After four very stressful days, Veraperez.com is back in business.


The good news is that the Google mechanisms to detect and block malware distribution sites seem to work.


The bad news is that the Google mechanisms that detect and block malware rely on the cooperation of your browser. Safari loaded my site every time; there was no warning. Firefox would not load ANY of the subdomains, or even the control panel. I did not bother to try with IE because I could not risk infecting my XP in Parallels.


Still, I have two huge concerns:


1. How the fuck did I get infected? I was using the most current version of Wordpress, and I never work on my sites from Windows, so how the hell did the IFRAME get injected? Wordpress 2.6 came out AFTER I was informed that the site was infected, and I did not see any security advisory, so I can't tell if it was injected through a direct exploit, or through the comments.


I really want to know what happened, because I know too many people that use Wordpress, including a lot of my customers, and I need to be prepared to help them.


2. The cleanup process is way above the heads of most normal Wordpress users. I am a nerd, and it still took me four days to completely clean the site. I don't even want to think what would happen to the thousands of people that installed Wordpress because it promised them a simple, 5-minute install. On top of this, the Google diagnostics page gives you very few details on what was wrong, or so it seems. All the information that I needed was right in front of me, but I did not notice it. Had I searched my Wordpress database for the IP address of the malware site that the IFRAME was loading from, I could have fixed this mess in half the time.


If you are running Wordpress, and you are stuck with it (more on that later), then search your posts and comments for IFRAMEs, and make sure that you are on the most current version of Wordpress. There should be a feed that tells you when new releases are out, so you might as well subscribe to that too. If you are not using Spam Karma 2, go get it. It's free software, so all you have to do is download and install it. If you are running multiple copies of Wordpress, consider switching to Wordpress mu, so you only need to update one copy.
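The two searches suggested above (posts and comments for IFRAMEs, and the database for the IP address of the malware site) can be done with a single pass over the content. The script below is an added example, not the author's or WordPress's own code. It runs over constructed sample rows standing in for `wp_posts.post_content` and `wp_comments.comment_content`; the address `192.0.2.10` is a documentation IP, not a real malware host. The point it adds beyond a plain `SELECT ... WHERE post_content LIKE '%<iframe%'` is that injected frames are often entity-encoded or written by an escaped `document.write()`, so the content is decoded before matching, and zero-size or `display:none` frames are flagged separately from ordinary embeds.

```python
import re
from html import unescape

# Constructed sample rows standing in for wp_posts.post_content and
# wp_comments.comment_content; the 192.0.2.10 address is a documentation IP,
# not a real malware host.
SAMPLE_ROWS = [
    ("post", 101, "<p>Normal post about Ecto and Blogspot.</p>"),
    ("post", 102, "<p>Look at this</p><iframe src=\"http://192.0.2.10/in.cgi?3\" "
                  "width=\"0\" height=\"0\" frameborder=\"0\"></iframe>"),
    # Entity-encoded: a plain LIKE '%<iframe%' in SQL would not match this one.
    ("comment", 7, "Nice post! &lt;iframe src=&quot;http://192.0.2.10/x.php&quot; "
                   "style=&quot;display:none&quot;&gt;&lt;/iframe&gt;"),
    # JS-escaped and written at runtime; also common in injected posts.
    ("comment", 8, "<script>document.write(unescape('%3Ciframe%20src%3D%22"
                   "http://192.0.2.10/%22%3E'))</script>"),
    ("post", 103, "<p>Embedding a video:</p><iframe src=\"https://www.youtube.com/embed/abc\" "
                  "width=\"560\" height=\"315\"></iframe>"),
]

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Zero-size or invisible frames have no legitimate use in a blog post.
HIDDEN_RE = re.compile(
    r"""(width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
OBFUSCATION_RE = re.compile(
    r"(unescape|eval|String\.fromCharCode|document\.write)\s*\(", re.IGNORECASE)


def normalize(content):
    """Undo the encodings injected markup hides behind: HTML entities, then %xx escapes."""
    text = unescape(content)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def scan_row(table, row_id, content, bad_hosts):
    """Return (table, id, kind, src) findings for one row."""
    findings = []
    text = normalize(content)
    for tag in IFRAME_RE.findall(text):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        hidden = bool(HIDDEN_RE.search(tag))
        known_bad = any(host in src for host in bad_hosts)
        kind = "hidden_or_bad_iframe" if (hidden or known_bad) else "iframe"
        findings.append((table, row_id, kind, src))
    if OBFUSCATION_RE.search(text):
        findings.append((table, row_id, "obfuscated_script", ""))
    return findings


def scan_rows(rows, bad_hosts):
    """Scan every (table, id, content) row; bad_hosts is the IP/host that the
    Google diagnostics page named as the malware source."""
    return [f for table, row_id, content in rows
            for f in scan_row(table, row_id, content, bad_hosts)]


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, ["192.0.2.10"]):
        print(finding)
```

To use it on a real install, feed it the rows from `SELECT ID, post_content FROM wp_posts` and `SELECT comment_ID, comment_content FROM wp_comments` (the `wp_` prefix is the default and may differ), and pass the host or IP from the Google diagnostics page as `bad_hosts`. Ordinary `iframe` findings still deserve a look; the YouTube embed is only reported as benign because it is visible and not on the bad-host list.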


Stuck with Wordpress: that should be a very small percentage of users. In my case, I need Wordpress because I use a custom plugin for my text link ads. The only blog system that they support is Wordpress, so that is what I need to keep using. If you don't belong to that group, then maybe it is time to consider letting somebody else run it for you. Wordpress.com has free Wordpress hosting, and Blogspot is not that much different from the workflow perspective. When was the last time that either Wordpress.com or Blogspot botched an install, or got pwned?


Also, just because you use a free blogging account doesn't mean that you can't use a personal domain name for it. I am on Blogspot, yet I am using Pedrovera.com for it. Wordpress.com has a similar feature but I don't know if it is free.



Thursday, July 17, 2008

Veraperez.com got PWN3D

Compromised blog post costs me three days of traffic


Yup, it happened.


It doesn't matter how hard you work at it to keep a site up and running with proper software, somebody always finds a way to go around and exploit it. In my case, somebody, somehow, managed to inject one blog posting with an iframe that points to a known malware distribution site.


Assholes.


The sad thing is that the site was compromised just four days before Wordpress 2.6 came out, not that I know for sure if this new version has fixed that problem.


And people still ask me why I am blogging from Blogspot instead of hosting my own Wordpress. When was the last time that Blogspot was compromised?



Monday, February 11, 2008

From Wordpress to Blogspot, 88 posts later

89 including this one, I guess.


The shift from Wordpress to Blogspot has been pretty painless so far, as long as I exclude the fact that there is no way in hell to import my 1500+ posts from my old site into this one. That is unless I decide to program the export utility myself, something that is not going to happen.


I guess that the deciding factor was Ecto. I had used Ecto for a long time with Wordpress, and I was glad to see that it worked fine with Blogspot. It is much easier to write long posts with it; it feels no different than writing an email message. Another nice thing about Ecto is that it allows you to tamper with the HTML tag formatting, and even allows you to set up custom tags with very minimal fuss.


One thing that gets under my skin is that there is a very weird bug in the way in which Blogspot sets up custom domain names. The proper blogspot address of this blog is http://pedroalbertovera.blogspot.com but I have it set up so it will accept traffic for http://www.pedrovera.com. The problem? It won't do http://pedrovera.com by itself. It says it will do it, but whenever I tried, it gave me an error. The fix? Set up a DNS A record to point http://pedrovera.com to a machine elsewhere. That machine will take that traffic and redirect it to http://www.pedrovera.com.


The reason this is a problem is because all of Google's web hosting services rely on CNAME records instead of A records and it is illegal to set up a CNAME for a base domain.
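The restriction is in RFC 1034 section 3.6.2: a name that has a CNAME record may carry no other data, and the zone apex always carries SOA and NS records, so the apex can only be an A record. The redirector the author describes therefore has to be a real host. Below is an added example of such a redirector, not the author's setup or Google's; the names `pedrovera.com` and `www.pedrovera.com` are taken from the post, and the address in the comment is assumed. The one security detail worth copying is that it checks the `Host` header and refuses anything else, so a machine that happens to host several sites cannot be turned into an open redirector by a crafted `Host` value.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed DNS layout (203.0.113.5 is a documentation address, not a real host):
#   pedrovera.com.      IN A      203.0.113.5        ; apex must be an A record
#   www.pedrovera.com.  IN CNAME  ghs.google.com.    ; the host Google actually serves
APEX = "pedrovera.com"
CANONICAL = "http://www.pedrovera.com"


def redirect_target(host_header, request_path):
    """Return the Location for a request to the apex, or None if the Host header
    is not ours. Refusing unknown hosts is what keeps this from being an open
    redirector: the target host is fixed, never taken from the request."""
    host = (host_header or "").split(":", 1)[0].strip().lower()
    if host != APEX:
        return None
    if not request_path.startswith("/"):
        request_path = "/" + request_path
    return CANONICAL + request_path  # path and query string are preserved


class ApexRedirect(BaseHTTPRequestHandler):
    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(404)
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Bind to port 80 on the machine the apex A record points at.
    HTTPServer(("0.0.0.0", 80), ApexRedirect).serve_forever()
```

A permanent (301) redirect is deliberate: search engines consolidate the two names, which matters for a site that, as the author says, pays for itself.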


The final challenge is the old content. I am tempted to leave it as is. After all, I have no intention to let the domain expire, and I have no other use for it. To add insult to injury, the site pays for itself, so I have no motivation to shut it down until the income drops to the point where it is not worth keeping Wordpress up-to-date.


A smaller challenge is to rework the templates, which I absolutely hate. I am a terrible web designer, my strength is in programming. I would rather have a site that is 100% plain (my ideal site is Craig's List, all content and literally zero eye candy).



Thursday, January 24, 2008

Annoyed

Little by little I am getting frustrated by Wordpress. There is no doubt that overall it is one hell of a system, but those little things are the ones that eventually drive one up a god damn wall.


The newest offense: it is very hard to embed things like flash movies without having WP automatically rewrite the HTML, which usually ends up breaking the theme. It is lame to have to post a Youtube video as a URL because WP won't leave the damn embed code alone.


I am writing this from Ecto, a program that I used for many years without issues. Suddenly after WP 2.0.x came out, Ecto stopped working. Not cool.


Another source of irritation is that it is still a pain in the ass to update WP. Because every person runs it differently, it is almost impossible to put together a safe update utility. Notice I say safe, not simple.


Here's how you update Wordpress:


1. Backup the database, in my case I have a wizard available through cpanel.

2. Backup the plugins folder.

3. Backup the themes folder.

4. Backup the wp configuration file.

5. Take a screen capture of the plugins menu, which is the easiest way to note which ones are enabled. Disable ALL plugins.

6. Backup .htaccess.

7. Delete EVERYTHING except the wp configuration file.

8. Download the new Wordpress release.

9. Copy your wp configuration file into the new release.

10. Copy your plugins and themes into the new release.

11. Copy everything to your web server.

12. Execute the update script.

13. Make sure you did not kill the site.

14. Enable your plugins.


Now imagine having to do this every time a new security hole is found and the WP folks fix it. It is a lot of work.


And what if you are running more than one WP blog? You are screwed. Even if you use WP MU, you are screwed because they'll lag behind the main WP releases.


Well, what about using Wordpress.com?


I tried, but I noticed an undercurrent of smugness that reminded me of Live Journal. I don't want to be part of a community, I just want to write my blogs. It is almost the same argument of trying to pick between Flickr and Picasa. Flickr is obviously an online community, while Picasa is a photo dump. If you want to upload people and brag about them, compare them to others in the same subject, etc. then Flickr is for you. If all you want is to upload pictures to use them in your web site, or to share them with friends, send them to a print service, etc., then Picasa works fine.


After messing with Wordpress.com I decided I did not like having other members dictating or complaining about my content. As long as the content doesn't break US law, I should be free to do whatever the hell I damn please within the terms of service. What these people were doing was creating artificial political systems, sort of what happens when you get a homeowners association telling you that you can't paint your fence in a specific color.






Sunday, December 23, 2007

Some hard, some easy

To offset how cumbersome it was to post a Picasa picture, moving pedrovera.com to point here was pretty much a freakin joke. All I had to do was to shut down web services in my Google Apps for Domains dashboard, then add the domain to this blog, flush my DNS cache and restart Firefox.

The reason this was so easy is that the domain was already sitting in a Google DNS server (as a CNAME), so the change was internal to Google; otherwise it could have taken hours or even a day for it to kick in.