Update: Our archival site at TeleRead.com will return on a new host in the very near future. – D.R.
Haven’t we said that long term, WordPress can be a disaster for secure storage of a small site’s contents—well, at least TeleRead’s?
Resources are limited at the world’s oldest ebook news and views site, which goes back to the 1990s.
Now a new challenge arises. A hacker with a claimed .ru address has repeatedly been registering for the TeleRead.com archival site (not TeleRead.org) as an administrator. Rather than put any old posts at risk, we’ve temporarily taken TeleRead.com offline. Sorry.
It’s a shame. Tens of thousands of people each month still seek out TeleRead.com posts. Happy now, Mr. or Ms. .RU?
My hunch is that one of the .com site’s many WordPress plug-ins is the Achilles heel—ideally my colleagues and I can find and plug up the hole. No luck so far. I’ve even tried two-step logons, with myself as the only WordPress administrator.
This is hardly the first hacker attack we’ve experienced. Security hassles are a major reason why WordPress.com is now TeleRead.org’s host, and why I currently expect the archival version of .com to become simply static HTML, at least in the online version. My trust of PHP is even lower than before.
Well-stocked national digital libraries, anyone—with provisions for secure storage of born-digital content like ours? Yes, I’d be happy to pay a small fee. And of course there should be provisions for owners’ independent offline backup.
Meanwhile if you want to read an old TeleRead.com post and the link from this .org site doesn’t work, just paste the URL into the Wayback Machine at the Internet Archive. Our writers can link when possible to old content at the Archive.
TeleRead’s non-CMS version dates back to 1995, and actually that date is conservative, since we were earlier on a server at the old Clark.Net. Another pioneering site, in Australia, e-book.com.au, years younger than ours, shut down in 2015.
The National Library of Australia promptly acted to permanently archive Bruce’s Australian E-Book Newsletter. Kudos to Bruce Preston, the publisher, for seeking preservation.
“Does the Library of Congress do the same for any US sites?” Bruce asked in a comment on our post about the shutdown. “I hope they do. If Teleread were ever to cease—I hope it never will of course—it would be comforting to know that everything that has appeared there would live on regardless.”
Will TeleRead, significant because of its key role in the evolution of ebook standards, not just the evolution of the national digital library vision, end up in Australia or other non-U.S. location someday? Could be.
The U.S. Library of Congress so far has not shown an interest in preservation of TeleRead. Whether or not that changes, I hope that LoC hardens itself against cyber-attacks from people who hate the United States and everything it stands for. Just this month, the bad guys attacked LoC and some other U.S. sites, resulting in their being down for two days or so. I haven’t heard of malicious hackers corrupting books or other content at LoC, but who knows about the future?
On the bright side, maybe LoC will now show just a little more understanding of the plight of TeleRead and other small but important sites facing their own share of security threats—not to mention the inherent risks to content reliant on PHP and databases rather than mere HTML, TXT or variants.
Hired gun here.
I could probably fix it, David.
And I’d do it for free.
@Nate: Very nice of you, thanks, but I wouldn’t wish this on you.
Because of such factors as the size, age and general complexity of the site, it would be too much of a time sink for an individual consultant working pro bono and not already familiar with the site’s quirks.
Focus on growing your business in this difficult environment, and the best of luck at that!
I’m going to contact the Library of Congress again this week and see if there’s now interest. I may explore other institutional alternatives as well.
I don’t know what others have done but troubleshooting this is not a big deal if you compare it to turning the site off.
You could start with turning off as many plugins as possible to see if that stops the problem. You can add a logging plugin. You can do a code search on all the plugins to see who’s phoning home. The list goes on.
Giving up the ship seems like an extreme “throw in the towel reaction”.
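The plugin code search suggested in the comment above, as an added example that is not part of the original thread or of any TeleRead code: a shell function that flags plugin PHP files containing outbound-request calls or user-creation and decode-and-execute constructs. The pattern lists, function names and the three sample plugins are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: search WordPress plugin code for outbound-request calls
# ("phoning home") and for user-creation or decode-and-execute constructs.
# The pattern lists are assumptions and not exhaustive; every hit is a
# lead for manual review, not proof of compromise.

NET_RE='wp_remote_(get|post|request)|curl_exec|fsockopen|file_get_contents[[:space:]]*\([^)]*https?://'
PRIV_RE='wp_insert_user|wp_create_user|set_role[[:space:]]*\(|eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate)'

# scan_plugins DIR: print "plugin<TAB>kind<TAB>file:line" for each hit.
scan_plugins() {
    dir=$1
    for kind in net priv; do
        case $kind in net) re=$NET_RE ;; priv) re=$PRIV_RE ;; esac
        # /dev/null forces grep to print the file name even for one file.
        { find "$dir" -type f -name '*.php' \
              -exec grep -nE "$re" /dev/null {} + || true; } |
        while IFS=: read -r file line rest; do
            rel=${file#"$dir"/}
            printf '%s\t%s\t%s:%s\n' "${rel%%/*}" "$kind" "$rel" "$line"
        done
    done | sort -u
}

# count_plugins DIR KIND: number of distinct plugins with a hit of KIND.
count_plugins() {
    scan_plugins "$1" | awk -F'\t' -v k="$2" '$2 == k { print $1 }' |
        sort -u | wc -l | tr -d ' '
}

# make_demo_tree: build a constructed plugins directory (three made-up
# plugins) in a temp dir and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/gallery" "$d/stats" "$d/seo"
    printf '%s\n' '<?php' 'function g_render() { return "<div></div>"; }' \
        > "$d/gallery/gallery.php"
    printf '%s\n' '<?php' '$r = wp_remote_post("https://collector.example/p", $a);' \
        > "$d/stats/stats.php"
    printf '%s\n' '<?php' '$id = wp_create_user($login, $pass, $email);' \
        > "$d/seo/helper.php"
    echo "$d"
}

demo=$(make_demo_tree)
scan_plugins "$demo"
rm -rf "$demo"
```

On a real install, point `scan_plugins` at `wp-content/plugins` and review each hit by hand; legitimate plugins also make outbound requests for things like update checks.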
No, for a techie this problem is an interesting afternoon’s diversion. And while there’s no guarantee I’d fix it, the least I can say is I won’t break anything and I won’t cost you anything.
But if you don’t want my help, check out Sucuri. They get high marks and are used to cleaning up after attacks.
@Nate: You might well hackerproof the .com site by messing with the plugins and seeing which were acting weirdly, and I do appreciate your kind offer. But for now I want to work with my present consultant and explore HTMLization. That way, the server load will be less and the site can be restored with less fuss and there just won’t be as many vulnerabilities in the first place. I’m also exploring other alternatives.
@Mac2net: No, it’s a rational reaction. WordPress plug-ins are constantly being updated. Security isn’t the only challenge – there can also be plug-in-related compatibility issues. I really need a long-term solution that will work even after I kick the bucket. The TeleRead archives badly need to be in the hands of an organization able to handle maintenance. Even under those circumstances, the TeleRead archives still might end up as simply a collection of HTML files.
Regarding publicly funded archiving (e.g. LOC, Nat’l Pub Lib, etc.), must we really assume that the volume of data involved forces us to favor the more deserving? If so, we then have to consider the decision process (criteria, who decides, how do they decide and so on). I am chastened by the example of National Public Radio where politics affected funding which drove NPR to private funding and even covert advertising.
@Frank: The Library of Congress has archived a bunch of sites, even hate sites. As noted, I would be happy to pay a small fee. Ongoing cost of having static HTML files online would be next to nothing.
That sort of uncertainty is exactly why I turned my blog into a book last year: so there will be something left behind if the worst comes to pass (in my case, it hasn’t). Of course, 6 years and a few hundred articles are no match for 21+ years and what must be dozens of thousands of entries. But it might still be an option to explore.
As for your immediate problem, another solution would be to continue serving data from the same MySQL database, except with a much simpler custom script that doesn’t *have* any login or editing/admin options to be exploited. It would allow for a working search function, and theming, but without the bandwidth and security issues. Moreover, it could be written in any language, not just PHP. Not as future-proof as static HTML, but more flexible in the short term, and much much smaller in size.
@Felix: Good on you for your preservation efforts. And thanks for mention of the other option.