Over the last week I’ve been banging my head over and over again as I’ve tried to clean malware off of a number of websites.
A couple lessons learned:
- Malware sucks!
- Keep ALL your backend software up to date.
- That template/theme you loved 3 years ago may not flag you that it needs updating because the developer stopped working on it. Don’t trust it to be safe 3 years later.
- Keep security monitoring software on EVERY site. Even the smallest sites can be hit and be a huge headache to clean up.
- Backup EVERYTHING. The extra time will be worth it when things go wrong.
- Pingbacks/trackbacks (and maybe even comments) aren’t worth the hassle. From what I’ve managed to figure out – it appears someone exploited a hole in an outdated theme via pingbacks on the most affected sites. Knowing someone is linking to your post within WordPress isn’t that big of an ROI (return on investment or risk on investment) to make it worthwhile.
- Managed hosting for the win. If you can afford it – use it. Let someone else deal with the backend if it’s not your passion or area of expertise.
- Static sites for the win. Several of the sites that were hit were small sites that didn’t need a CMS; I just used it because I’m lazy and didn’t want to mess with FTP and HTML every time I made an update. But … those sites that are still just HTML and CSS – I don’t have to worry about them at all.
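For the sites that stay on WordPress, the pingback/trackback lesson above can be applied in a few lines. The following is an added example, not code from the original post: a must-use plugin (a file dropped into wp-content/mu-plugins/, which WordPress loads on every request without activation) that removes the pingback XML-RPC method, stops the site advertising the endpoint, and closes pings on all posts. It relies only on standard WordPress hooks (`xmlrpc_methods`, `xmlrpc_enabled`, `wp_headers`, `rsd_link`, `pings_open`); the file name and placement are my assumptions.

```php
<?php
/*
 * Plugin Name: Disable Pingbacks and Trackbacks (added example, not part of the original post)
 * Description: Save as wp-content/mu-plugins/disable-pings.php. Must-use plugins
 *              load before regular plugins and cannot be deactivated from the admin UI,
 *              so the change survives theme swaps and plugin cleanups.
 */

// 1. Remove the pingback handlers from the XML-RPC method table. A remote
//    "pingback.ping" call to xmlrpc.php is then answered with a
//    "method does not exist" fault instead of being processed.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Disable the XML-RPC methods that require authentication (remote publishing,
//    mobile apps). pingback.ping is unauthenticated, so this alone would NOT stop
//    pingbacks; step 1 is still required. Remove this line if something you use
//    (e.g. a mobile client) still needs XML-RPC logins.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and the
//    RSD <link> tag that WordPress prints in the page head.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Close pings (pingbacks and trackbacks) on every post, regardless of the
//    per-post "Allow pingbacks & trackbacks" setting. The pingback server checks
//    pings_open() for the target post and rejects the request when it is closed,
//    so this is a second layer behind step 1.
add_filter( 'pings_open', '__return_false' );

// 5. Stop this site from sending pingbacks when a post is published, so it does
//    not generate the same kind of traffic toward other sites.
add_filter( 'pre_option_default_pingback_flag', function () {
    return 0; // 0 is not === false, so get_option() returns it without hitting the DB
} );
```

After installing, an easy check is to fetch any page and confirm the X-Pingback header is gone; if pingback entries keep appearing in server logs, review the access log for POST requests to xmlrpc.php as the monitoring software from the list above should already be doing.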
As a result of all this, I moved two smaller sites from WordPress to static HTML last night pretty easily.
Lost one or two features – like a carousel – but they could be added back if really needed.
But they’re way snappier than they were before and it’ll cut down on needing to update software and such.
Of course this gets rid of my online editor – really the only reason I put them in WordPress to begin with.
I just built a template in Dreamweaver and went to work.
I’m not sure how scalable that will be though.
I’ve been playing with Jekyll as a static web generator with Git Pages as of late and I like the way it works. But doing a full stack setup with Ruby (something I know nothing about) and Jekyll seemed overkill at this point for these sites.
I’m also intrigued by https://codeanywhere.com it could be a really nice tool to use in the future if I start doing more of these.
I don’t think static sites will be my solution for everything – but it feels nice to get back to the basics every now and then.