Archive for November, 2007

Wordpress Sucks, and Other Thoughts (Including Why I’m on Default Theme)

Tuesday, November 20th, 2007

I don’t mean to single out Wordpress… but for all the joy of these free open source applications we have — there’s a distinct element of “pain in the ass” that accompanies it.

For some background, MacRumors.com was started with an open source version of Slashcode called PHPSlash. It lacked a few features, but it was easy enough to install and free. MacRumors ran on PHPSlash for probably a year or so… until one day, we got hacked. So, I took the site down, changed all my passwords, and looked into the problem. I hadn’t kept my version of PHPSlash up to date, and there was some known exploit that someone had used to get into the site.

The problem was that there were known exploits in every version… and it was like holding up a sign to anyone out there to “Please Hack Me”. Sure, I could have kept up with every single update… but I have other things I want to do with my day than upgrade server software regularly and hope things don’t break.

So, my decision that night was to rewrite MacRumors’ front end on my own. Do I write perfect PHP code devoid of exploits? Of course not… but I don’t care what people say, there is some degree of security through obscurity. So, the initial rewrite took that weekend, and I’ve built on it ever since. Now, this isn’t necessarily the best time-saving technique, but it worked for me at the time.

Not long after, I started looking for forum software to use as a comment system for the site, since I didn’t want to reinvent that wheel. I started with PhpBB. I had heard good things about it, and I even installed it. Of course, I ran across a strange installation error. I asked around on the PhpBB forums, and searched for help… in the end I got versions of “what do you expect, it’s free” answers.

As a result, I decided, I wanted to pay someone to take some responsibility for their software. In the end, I settled on vBulletin — a decision I’ve been happy with. For whatever reason, their security updates are far less frequent, and yet have seemed quite secure over the years.

So, that brings us to today. On November 18th, someone hacked this blog and inserted hidden spam links into the template and a couple of stories. Based on my research, I think it was a non-shell exploit. I swept my directories to make sure there were no residual scripts left behind. I did have a couple of plug-ins and was using an old theme (lowstream) which had not been updated to the latest Wordpress.

So I wiped my install and have gone 100% default (and latest) for now. I don’t have the time to customize another theme, and I certainly don’t have time to track down any more hacks.

On Moderating a Discussion Forum…

Monday, November 12th, 2007

It’s remarkable to see how large our MacRumors Forums have grown. We’re at over 138,000 members and 4.4 million posts, and represent the most active Apple forum on the internet.

I added the forums to the site in 2001. Before that, I had experimented with integrated comment systems for our stories, but these tools were very immature at the time. In the end I reluctantly decided to add a full forum with user registration and additional sub-forum discussion.

I say ‘reluctantly’ because I knew the baggage that comes with launching a forum. Spam and moderation become major issues. I also knew that with me having a more-than-full-time day job, I simply didn’t have the time to police the forums. But I launched them anyway.

As I could have predicted, after a few months, the forum discussions had spiraled out of control into massive flame wars. There would be lengthy threads with people cussing each other out back-and-forth. It was ugly.

In trying to sort out the issues, I recruited a few moderators, banned a few users, and set up some rules to try to prevent this from happening again.

Now the rules I instituted may seem odd 6 years later, but I still feel the reasoning behind them holds true.

While you can read the lengthy rules as they stand today, the cardinal rules remain the same:

- Don’t personally insult someone else.
- Keep discussion on topic.
- Don’t waste my (our) time.
