Tag: webhosting


03 Nov 2009

No Longer Happy with DreamHost

I haven’t been blogging much lately because I’ve been looking for a new web host in my spare time. I’ve been with DreamHost for years, but recently their service has become unforgivably bad.

My main complaints are:

  1. My site was hacked while at DreamHost once. (One time is forgivable)

  2. My site was later hacked again, which was probably due to outdated web app installations (and not the previous hack). But DreamHost proved amazingly unhelpful in shutting out the hacker. I thought I had shut him out once, but I was wrong. The best solution in this case, then, is to back everything up, make sure it’s all clean, then wipe the original installations and start anew. But if I’m going to do all that, I might as well move to a new host that offers better service and better security.

  3. Last weekend my site was down for three days, and DreamHost support never replied to any of my tech requests. I eventually got the attention of a tech support person via live chat, and that person let me know that the security team had actually just moved my site to a different location on the server. Moving it back was trivial. They did it because DreamHost’s WordPress automatic upgrade script creates a backup of the old install (good), but it has a bug which places that directory in a predictable, public location, leaving previous versions’ security exploits online and vulnerable to attack (bad). I was a victim of this bug when I upgraded my WordPress installs, so DreamHost pro-actively (for once) took security measures by moving my entire site’s public directory. They just never told me, and refused to answer my questions. Amazing.

I understand what’s going on here. Basically, I’m the victim of the 80/20 rule. I’m one of those demanding customers who runs multiple sites, and has special needs. It makes a lot more sense for the business to focus on the “easy” customers who have one website that consists entirely of a WordPress install. (Never mind that I’ve brought in lots of referrals over the years, which means more business.)

Anyway, I’ll soon be moving on to a host that still cares more about customer service, and that will be happy to meet my needs. I think I’ve found a good one, but if you have any suggestions, I’d be happy to hear them.

(Incidentally, the first one I tried was Media Temple. The server they randomly assigned me was blocked in China, and when I asked to be switched to a server not blocked in China, the support staff promptly directed me to the refund page. Unbelievable.)


2016 Update: I later switched to WebFaction, and have been very satisfied for years. I recommend it!


30 May 2009

Dealing with a Hacker on Dreamhost

Earlier this year, my Dreamhost webhosting account was hacked. I’ve been dealing with it for months, but I’m no programmer. The information provided by Dreamhost customer support, while helpful, has been far from sufficient to actually resolve the problem in a satisfactory way. That’s why I’m writing this blog post: to help others that might be in a similar situation.

How the Hacker Got In

I’m pretty sure the hacker got in through an old abandoned WordPress install that I had forgotten to delete. (It’s essential that you either keep all web apps up to date, or delete them. To do otherwise is to ask for trouble. Hackers will eventually discover the old installs with security vulnerabilities.)

After gaining access, the hacker uploaded a PHP backdoor script which allowed him to get back in easily and upload or edit any files he wants, even after I deleted the old WordPress installation that had the vulnerability. The backdoor script he used is called PHPspy, and is freely available on the internet. (Interestingly, it’s also Chinese.)
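As an added example (not part of the original post), here is one way to inventory every WordPress copy under a web root, including forgotten installs and leftover upgrade backups, and flag the ones older than a version you choose. The function names, the sample directory layout and the version numbers are constructed for illustration; the only WordPress detail relied on is that each install records its release as `$wp_version` in `wp-includes/version.php`.

```python
import os
import re
import tempfile

# WordPress records its release in wp-includes/version.php as $wp_version = '...';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)

def version_key(version):
    """'2.8.4-beta1' -> (2, 8, 4), padded to three parts for comparison."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def find_wp_installs(webroot):
    """Return sorted (install_dir, version or None) for every copy under webroot."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            found.append((os.path.relpath(os.path.dirname(dirpath), webroot),
                          match.group(1) if match else None))
    return sorted(found)

def stale_installs(webroot, minimum):
    """Installs older than `minimum`, or whose version could not be read."""
    floor = version_key(minimum)
    return [(path, ver) for path, ver in find_wp_installs(webroot)
            if ver is None or version_key(ver) < floor]

def build_sample_tree(root):
    """Constructed layout: a live blog, a forgotten install, an upgrade backup."""
    for rel, ver in [("blog", "2.8.4"), ("old-site", "2.3.1"),
                     ("blog/backup-copy", "2.7")]:
        inc = os.path.join(root, rel, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path, ver in stale_installs(root, "2.8.4"):
            print("stale:", path, ver)
```

Point `stale_installs` at the real web root with the current release as `minimum`; anything it lists should be either upgraded or deleted.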
