Super quick wordpress exploit stopper

I got an email yesterday from my host (DigitalOcean) that I was running a phishing website. So, I’m not, but I quickly guessed what happened: my WordPress got hacked. This is just one of the risks of running silly little PHP apps. I logged in, deleted the themes directories, reinstalled clean ones, and ensured this doesn’t happen again by doing the following:

  • useradd apache_ro
  • chown -R apache_ro:apache_ro $WP/wp-content/themes

Now apache can’t write to those directories. This means you can’t update WordPress via the web UI, but I’m ok with that.
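As an added example (not code from the original post), here is a small POSIX shell script that performs the same lock-down and then audits the tree for anything the web-server user could still write. It assumes the web server runs as `apache` and that a read-only owner `apache_ro` exists, as created above; the chmod step that strips group/other write bits goes one step beyond the post's chown.

```shell
#!/bin/sh
# Lock a WordPress directory so the web-server user can read but not write it,
# then audit the tree for anything that user could still write.
# Assumes the web server runs as "apache" and that a read-only owner
# "apache_ro" exists (as created in the post); both are plain arguments here.

# wp_lock_dir OWNER DIR [GROUP]: hand DIR to OWNER:GROUP (GROUP defaults to
# OWNER), strip group/other write bits, keep everything world-readable so the
# web server can still serve the files.
wp_lock_dir() {
    owner=$1; dir=$2; group=${3:-$1}
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}

# wp_writable_by USER DIR [GROUP]: print every path under DIR that USER could
# write, judged from ownership and mode bits alone (nothing runs as USER).
# GROUP defaults to USER's primary group; find accepts numeric ids too.
wp_writable_by() {
    user=$1; dir=$2; group=${3:-}
    [ -n "$group" ] || group=$(id -gn "$user") || return 1
    find "$dir" \( -user "$user" -perm -u=w \) -o \
                \( -group "$group" -perm -g=w \) -o \
                -perm -o=w
}

# wp_count_writable USER DIR [GROUP]: number of such paths; 0 means locked.
wp_count_writable() {
    wp_writable_by "$1" "$2" "${3:-}" | wc -l | tr -d ' '
}

# Usage on a real install (as root):
#   wp_lock_dir apache_ro /var/www/html/wp-content/themes
#   wp_writable_by apache /var/www/html/wp-content/themes   # expect no output
```

Running the audit after the lock-down is the check that matters: any path it prints is one the web server process could still modify.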

Digital Ocean – First Impressions

For the past few years I’ve been hosting this site on an old desktop in my basement on my FiOS connection. This was one of the things I really liked when I switched from Cablevision to Verizon – they don’t block port 80 inbound, so I didn’t have to pay for separate hosting. My “server” was an old AMD desktop with 1 gig ram and a sata drive. It was ok; my site was slow but I was ok with that. I configured Nginx to cache the static assets which sped most things up to “ok” levels but it was never fast.

This setup had a bunch of problems though, and the biggest one was power. Namely, it goes out in my house all the time. I probably have 4 or 5 brief outages each month, and my old box doesn’t come back up properly on reboot (some bios conflict with an eSATA disk I have hooked up to it). Plus, since my basement became a huge bathtub during Sandy, my site was down for about a month, but that wasn’t really a big concern at the time.

Anyway, via a “Promoted Tweet” on Twitter I found Digital Ocean, a VPS provider with rates starting at $5/month for an SSD-backed VM. They also had a promo at the time for a $10 credit, so I figured I’d give it a try.

Account creation was simple and I didn’t need to enter my CC until I actually created a server (“droplet” in their parlance). Server creation was pretty trivial: select the OS image (I chose CentOS 6.4 but they offer Ubuntu, Arch, Debian and Fedora as well), the size (512 MB ram through 16 GB), the region (San Francisco, New York, or Amsterdam), enter a hostname and your SSH pubkey. In about 60 seconds your server is ready to go, with a public IP and everything. My VM has a 20 GB disk and the base OS install was about 900 MB. I installed Apache, Nginx, MySQL and some other stuff, then dumped my WordPress DB and uploaded it to the new VM and copied the entire Apache docroot over as well. Within about 30 minutes of spinning up the VM I had everything up on the new box, and I made the DNS changes shortly after that. Pretty straightforward.

It’s only been a couple of days but so far I’m really liking the performance. My site doesn’t get a lot of traffic to begin with, but since I cache most stuff to disk, and the disk is SSD, it’s really quick. I’ll keep an eye on it but so far this is looking like a great choice for small website hosting. The only thing is I’ll need to set up some sort of offsite backups, but I can just cron an rsync to my home machine for now.

Blog rename again

I hate calling this site “Evan Hoffman’s Blog,” but it seems that when I Googled my own name most of the results were about this guy. So let me just clarify… that’s not me. I enjoyed having the title be obscure lyrics from songs I love but drastic times call for drastic measures. And let me tell you… renaming a blog is serious business.

Chaos theory and Google’s crawler

I’ve been moderately perplexed by the recent spike in traffic on basically unrelated keywords. Apparently this site is currently the #5 result for “fedora 15 beta download” despite my having never written about Fedora 15. In an attempt to funnel people to a useful page I created the previous post with links to the FC 15 ISOs. I feel bad if people come here looking for an answer that’s not to be found.

There’s a “Block all results” link under my site, but there’s none under any of the other sites. What the hell? Does my site somehow qualify as a spammer or content farm? Why do I get this dubious distinction? Ugh.

Traffic spike

Somehow this site became the top Google result for two different searches, “Shogun2.dll appcrash” and “fedora 14 gnome3”. My theory is that Google’s indexing the referring keywords listed in the widget on the right, causing a snowball effect. But the rise in traffic this year has been dramatic, especially for a site really about nothing.

Traffic 2011-02-01 to 2011-04-08
How does paid blogging work?

I’ve been hearing for years about paid bloggers. If people are getting paid to write their crap down in an ad-supported industry, it seemed like it might make sense to throw some ads up on this very site to see what happens. I’ve had Adsense running on this site for a few months now and the short answer is a whole lot of nothing. Here’s what the earnings look like since 1/1/2009 (my Adsense account is much older than this site; I put the banner ads up around Fall of 2009):

Basically, in a year I’ve “earned” under $20. That doesn’t even pay for domain registration & DNS for a year. And since Google doesn’t actually pay you until you have $100 in earnings, this is fake money anyway.

Now I didn’t have any illusions about making money from this site, I just put the ads up as an experiment to see if this is a realistic way to earn a dependable income. From what I can tell, it can be, but only in certain cases, basically coming down to how much traffic you can generate.

  1. You’re already famous. If you’re already a “celebrity” in your field (whatever that field is) then people already probably want to hear what you say.
  2. Your subject matter has mass appeal. If you write about discoveries in quantum physics, you may have a decent following, but it’s still only going to be the people who care about quantum physics. If you write about Jersey Shore you have a much larger pool of possible readers, because everybody loves watching a train wreck.
  3. What you say actually matters. This is related to the first point. If Joe Shmoe (or Evan Hoffman) rants at the top of his lungs, it’s just some guy complaining. If Ben Bernanke makes an offhand comment about interest rates the stock market tanks.

I’m sure there are some other cases, but as far as I can tell a tech guy writing about things that annoy him doesn’t fit any of these criteria. I’m tempted to remove the ads altogether, but it’s too interesting seeing what ads Google puts up on some of these pages. The first few months, the ads were all for some rabbi’s circumcision service. Not sure what that was about.

5,472 ms

I signed up with Pingdom to monitor my website. They have a free service if you just want to monitor a single site, and since I only have one site, this is perfect. Since this server gets knocked offline all the time (thanks LIPA) I figured this was a prudent step. However, Pingdom also offers response time stats, and the stats are not good. Average response time is around 4200 ms, with the first test taking 5,472 ms to respond.

Oh well. It’s free. Maybe I should move it to

Edit: Pingdom is so smart. They have banners so you can advertise your awesome (?) uptime!

We gon' party tonight

I use Akismet to filter out spam comments here, and I’ve seen a few different strategies the spammers employ. There’s the “Cool post! You should Digg it” (in both English and Spanish – tengo que Digg), there’s the “this post helped me on my class project,” there’s the pure gibberish – “xajdjhesbjsb sjhsjhrhjshwru skjskjrijsjs.” But this is a new one I’ve seen over the past couple of weeks:

We gon party tonight

Stupid things like this crack me up, not sure why.