GoDaddy, WordPress, GoCentral web Builder? What to use for WebSite?

[ronsimpson]

Years ago I made a website on GoDaddy using WordPress.
Then there was are security problems where anyone could make changes and add programs to my website. GoDaddy.com had no solutions.
I payed money to another company that remake the website and posted it some where different. For BIG MONEY they watch for changes every day.

I am retrying GoDaddy. I tried "GoCentral" web builder but; I can not change font size. If in a year they will not fix some thing as simple as that, then don't use GoCentral web builder.

Has WordPress fixed security problems? (in the last year) Does any one here use WordPress?
I am looking for advice on where to host and what program to use.

 

[Cicero]

How many years ago?

Things have progressed quite rapidly, and security is a high priority these days.

 

[ronsimpson]

How many years ago?

Six month ago I gave up and now pay $50/month to have some one watch for changes.
So maybe 1.5 years ago it was getting hacked weekly.
Word press said you must update to a new version every time there is a update. No delay!
Godaddy.com has a price + price for SSL + $15/month to stop hacks + $250/year to fix hacks. (maybe the $50/month is not so bad)

Several WordPress hosting sights don't have a "stop hacks" priced. So maybe now these is not a problem.
GoDaddy has "$5/month" price "no one gets hacked now" but just before you hand over the credit card they strongly urge you to pay $16/month for "hack prevention". I don't know if I can trust them.

If you don't have a problem then maybe I should give it another try.

 

[unclejed613]

i recently helped a friend get their website up and running on their own raspberry pi as a server. i forget off the top of my head whether they bought their domain from godaddy or hostzilla, but after setting up an apache server, and blog software (nanoblogger) all it took was to use the dynamic dns service provided by the registrar (godaddy does have this service). the way it works, is you get an API key from godaddy, and you use a cron script on the web server to periodically update the DNS record. if you are like most people, your ISP changes your ip address occasionally, and the godaddy script updates your domain name to point to your ip. you can use whatever software you want on your server, but wordpress runs PHP scripts, and lots of nasty things like code injection in the url can ruin your day. an example of this would be putting the following after the question mark in a php url ";rm -rf . " which would delete everything on your web page. that's why i helped my friend set up nanoblogger. there is no executable code, because php is not being used. nanoblogger uses bash scripts to assemble the web page, and those scripts can't be run from a browser. if you really like wordpress, you can install that, but make sure you plug all of the security holes before putting the website up live. ip address scanning is so intense these days, that it takes about 10 seconds between putting a server up on the internet, and getting hit by exploit attempts.

 

[Cicero]

Wow that is nuts. I didn't really realise it was that bad. I have 3 websites, random **** really, but none of them have had any issues.

 

[ronsimpson]

but none of them have had any issues

WordPress??
I have a non WordPress sight that has not been hacked on years (decades).

 

[unclejed613]

you can still put JS code on a website that doesn't use PHP, because JS executes in the browser, not on the server. if you want some examples of how PHP can do bad things to your server, go through some of the tutorials on hackthissite.com. i learned a lot about website security that way. they don't just teach the exploits, they teach the countermeasures as well. quite often (and this is true of wordpress) you have PHP code interfacing with an SQL server. you can ruin somebody's day if you issue SQL commands through the browser. if the website owner doesn't keep backups, then injecting a DROP_TABLE command can erase a database. of course there are fixes for that kind of thing, but some people still get in a hurry to meet a deadline, and forget to lock down PHP and SQL functions.

 

[Cicero]

WordPress??
I have a non WordPress sight that has not been hacked on years (decades).

Ah no, my current 3 aren't Wordpress I must admit.

I've had one Wordpress site that was never hacked, but I stopped it years ago.

 

[ronsimpson]

GoDaddy, today, told me that I have malware again.
I moved to another host company and am just storing the old files with GoDaddy. (we paid for a year and am not using it)
I don't even know how to get to the files because the name points to a different address now. Probably the numeric address works and some one entered and added malware again. I would think they could write protect the files but not.

 

[unclejed613]

you can look at your public html folder, and see what's been changed. you actually be able to look at your whole file tree from your login. did godaddy tell you what files were affected?

 

[ronsimpson]

did godaddy tell you what files were affected?

They gave a very long list of files that ended in "71195 more files". Which is not bad for a 3 page web sight.
Most all html.bak*.php files.
Most all html.bak*.html files.
Most all html.back*.php files.
1000. of html/wp-content/themes*.php files.

 

[unclejed613]

it would be interesting to see what the " infection" looks like. you probably will find it in the /cgi-bin folder, or in the .php scripts in the /public_html folder.

that's why i recommend people to either use "static" website builders like nanoblogger (and you can do a lot with those, even having embedded audio and video, or javascript code) or read everything they can get their hands on about locking down security on PHP, CGI, and SQL. javascript, embedded video, embedded audio, all execute in the browser, but PHP, CGI, and SQL execute on the server, which is why they get attacked. if PHP code isn't locked down, somebody can enter data in a form, add a semicolon, and a command line, and the command line will execute on the server. when testing stuff like IOT devices, i try the following in the password prompt:

password ;reboot

if the IOT device reboots, it's got a serious security flaw that allows a form entry to be used to enter commands. password forms are usually php scripts. another thing that can ruin your day, is SQL injection. if you have a user database with passwords, etc... and someone does this on the form (we'll use the password entry again)

password ;DROP_TABLE "users";

your user database just went bye-bye...

commands entered like that can copy files from outside the website into the website's root directory, the cgi-bin directory. they can upload a hacked copy of your index.html file with javascript code that will load malware onto the user's computer through weaknesses in the user's browser. these can be blocked by proper configuration of PHP, SQL databases, and the http server

 

[gophert]

Amazon web services is great and will let you set up a page for free for a year as a test-drive (the storage is in the range of 30Gb for the free tier). I calculated about $20/month thereafter.

Here are the how-to instructions to set up a wordPress instance.

If you have a domain name, you can link that as well. Or you can buy one through amazons web domain company "Route 51"

Also, you get a dedicated "elastic IP" address for a minimal fee. The eleastic IP is yours as long as you maintain the instance.
You can also buy a simple Linux instance and and serve pages with Apache2 and do everything manually.

 

[unclejed613]

my friend's domain was purchased from godaddy, and because of that, the dynamic dns service is free.