On Sunday I was building out a custom WordPress solution for a client who has been using Network Solutions for web hosting. I went to connect through FTP to upload the files and FAIL…I could not connect. I went to the site to log in to WP Admin to see what is up and got a white screen of death that read “Error establishing a database connection.” FAIL!

After contacting Network Solutions and we found out that the “site might be down for several days” and the service rep did not know why it was down. The whole thing sounded completely wrong to me, I had a bad feeling about it and several days was way too long for her site to be out of commission. Monday I checked again, same thing no improvement. Then Tuesday, same same. I got an updated on Wednesday from my client that the blog was back up. I was dismayed that it happened and at the amount of down time.

Proper Server Security Configuration Matters

Coincidentally I saw an article entitled Secure File Permissions Matter by Matt Mullenweg hit the WordPress Dev Blog on Tuesday and I re-tweeted it. Here was the description of the situation from Matt on Network Solution’s security FAIL:

“Summary: A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information.

When you leave the keys to the door in the lock, does it help to lock the door?”

Leaving The Keys In The Car and Blaming The Car For Getting Stolen? Really?

I learned the fundamentals of information technology security and the reason why Matt is using this metaphor is so that users can understand how amateur this mistake is. I will relate it here in a different way, it is like Network Solutions left the front gate open to their pay car lot open, full of other people’s running cars with the keys in the ignitions and then were somehow surprised when the cars were stolen or vandalized. The customer’s got taken for a joy ride and Network Solutions blamed the cars themselves for getting messed with. The gates and keys should have been secured by the lot owner and been guarded with good security. Got a metaphor that beats this? Leave a comment.

Three Days Down Time is Unacceptable. Period!

Net Solutions had my client’s WordPress site down for THREE DAYS! OK, I have used a lot of different hosting companies over the years Media Temple, Go Daddy, 1and1 etc. NEVER has a hosting company ever had one of my sites or one of my client’s sites down for as long as THREE DAYS! That amount of down time is just unacceptable by any web hosting standards. Not securing server files so that others can gain access to the server is an unforgivable and amateur mistake that no competent big, well respected hosting company should make. There are too many web hosting companies out there competing for a very saturated hosting and domain market.

Fails Happen, But Not For Three Days

Fails do happen, a couple of hours for routine maintenance and that is communicated in advance is just part of technology. Three days is not.  The worst I ever encountered was about 24 hours of down time because one hard drive head crashed failed on a server running RAID. It took a day to fix because the techies had to rebuild the hard drive to get my data restored. I received an apology email, a month free hosting and an exact explanation of what was happening while it was happening. This was not my client’s customer experience with Network Solutions, not even close.

NetSol Can Secure Their WordPress Blog, But Not Customers?

In one of the responses from Network Solutions they too were using WordPress for their official blog. Why is it the Network Solutions can secure their own WordPress Blog but NOT their clients? Perhaps NS should put themselves in their customer’s shoes and in a show of solidarity put up a great big ugly white screen of death reading “Error establishing a database connection” on their official company blog and then spend a good few days wondering if all of their password/database/personal/financial account information had been compromised by a hacker for a half a week.

Social Media is Nice, NetSol Should Get A Server Security Swami

Network Solutions has been engaged in using social media (blogs and microblogs) to do damage control for this major security FAIL. A really nice guy named Shashi Bellamkonda (Shashib) aka the “Social Media Swami” who I met at Blog Potomac 2 in 2009 heads up social media for NS. It’s great that they are using social media. It’s great that they have a @netsolcares twitter account they respond to for customer service (kind of like @comcastcares)….but as I have said time and time again -

“If your product, service, culture or company sucks then social media cannot save you.”

Pushing the same level of product or service into a new medium, does not solve problems and it can actually amplify them. My humble yet strategic advise to Network Solutions: Get a Server Security Swami.

Advice To Other WP Community Users and Members

If you have WordPress don’t use Network Solutions for WordPress web hosting. But hey don’t just listen to me, find out what the community is saying, listen to the conversation and check it out for yourself. Read the articles below and more specifically the comments on those blogs to hear exactly what happened.

From Matt Mullenweg (Founder of WordPress)

“A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

“If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.”

Five years? Something wrong?

THE FACTS

• Network Solutions had my client’s WordPress website down for three days.
• Network Solutions impeded the time it took for me to deliver a product to my client and finalize a site, thus they took away value from my service.
• Network Solutions made my client look bad, she was unable to post and no one was able to access her content.
• Network Solutions delayed the presentation of an updated portfolio to a potential new client, possibly costing me an opportunity at a critical time.
• Network Solutions has created more work for both me and my client because now we will have to cancel the hosting with NS due to security concerns and go through the setup process with a new better web hosting service.
• Network Solutions has created even more work for me because I had to write this article when I could be doing more useful things.
• I will not use Network Solutions or recommend them to any of my clients/peers.

Related Articles

04/14/2010

• Network Solutions Blog – WordPress Is Not The Issue
• WP Addict – Network Solutions On WordPress: FAIL

04/13/2010

• Network Solutions Blog – Matt, Sorry I Made A Typo
• WordPress Dev Blog – Secure File Permissions Matter
• Domain Incite – WordPress Founder Criticizes Net Solutions Security
• WP Tavern – Who’s Right? Network Solutions Or Matt?

04/12/2010

• Network Solutions Blog – Tips and Info for Network Solutions WordPress Customers
• The Register – Network Solutions Mops Up After Mass WordPress Breach

04/11/2010

• Network Solutions Blog – WordPress Issue Fixed

04/09/2010

• Network Solutions Blog – Alert: WordPress Blog & Network Solutions

04/08/2010

• Tech Cocktail – WordPress Hacked! Virus Cloaks Search Engines (Not Accurate)

If you have anymore links to good articles about this please post as comments and I will update this article.