rocknbil - 5:25 pm on Jan 20, 2011 (gmt 0)
<bit of a rant, as this just came up yesterday, and is not directed at the OP>
Every single CMS, blog software, ecommerce site, or other open source software will have a statement similar to this in the install instructions:
"The default login name for your first login is 'admin.' Please change this name on your first login to avoid attempted attacks."
I used to think they were insecure by nature, but the more I work with these things, the more I realize one of the weakest points of open source software is the user. PEBCAC. How many have I encountered that did not adhere to this recommendation?
100%. Not 99, not "most," - ALL. Accompanied with a weak password (at least 50%, things like "sitename123") it's got "hack me" written all over it. And I'm only looking at the tip of the iceberg.
Last week I encountered a client using a third party interface that holds thousands of customer records with personal information. This is a company involved in the medical field (NOT medical data, skirting HIPAA requirements). What was their password?
password123. I nearly fainted.
There are always security recommendations for every install; they are rarely followed.
75-80% of the WordPress installs I have encountered still have the install directory and wp-config.php is still mode 777; 100% of the MODx installs still have the setup directory and config.php is also writable. I find phpinfo.php at the root of at least 50% of all sites I work on. I don't even bother expressing my concerns; the reaction is always "me no computer geeK lyke U, doo whatchu hafta doo and goe awaaaay." I just fix it, one less hacked site to deal with.
The more I learn, the more I grow defensive of these open source software packages. They give us the tools; most of them just aren't used.
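The three leftovers the post keeps finding (installer directory, world-writable config file, phpinfo.php at the web root) are easy to check for before handing a site back. The script below is an added example, not code from the post or from WordPress/MODx; the directory and file names it looks for are assumptions taken from the post, and the sample web root it audits is constructed in a temp directory.

```sh
#!/bin/sh
# Read-only audit of a web root for the misconfigurations named in the post.
# Names checked (install/, setup/, wp-config.php, config.php, phpinfo.php)
# are assumptions based on the post; adjust for the CMS actually deployed.

# Print one line per finding. Always returns 0 so it is safe under set -e.
audit_webroot() {
    root=$1
    # Installer directories that should be deleted once setup has finished
    for dir in install setup; do
        if [ -d "$root/$dir" ]; then
            echo "LEFTOVER  $dir/ directory still present"
        fi
    done
    # Configuration files must not be world-writable (the "mode 777" case);
    # -perm -002 matches when the other-write bit is set, GNU and BSD find alike
    for cfg in wp-config.php config.php; do
        if [ -f "$root/$cfg" ] && find "$root/$cfg" -perm -002 | grep -q .; then
            echo "WRITABLE  $cfg is world-writable"
        fi
    done
    # phpinfo() discloses paths, PHP version and loaded modules to anyone
    if [ -f "$root/phpinfo.php" ]; then
        echo "EXPOSED   phpinfo.php at web root"
    fi
    return 0
}

# Number of findings for a web root (prints 0 for a clean tree).
count_findings() {
    audit_webroot "$1" | grep -c . || true
}

# Constructed sample web root reproducing the conditions the post describes.
make_sample_webroot() {
    sample=$(mktemp -d)
    mkdir "$sample/install"                    # installer never removed
    echo '<?php // db credentials' > "$sample/wp-config.php"
    chmod 777 "$sample/wp-config.php"          # world-writable: finding
    echo '<?php // db credentials' > "$sample/config.php"
    chmod 640 "$sample/config.php"             # locked down: no finding
    echo '<?php phpinfo();' > "$sample/phpinfo.php"
    echo "$sample"
}

demo=$(make_sample_webroot)
audit_webroot "$demo"
echo "findings: $(count_findings "$demo")"
rm -rf "$demo"
```

Run it against a real document root with `audit_webroot /var/www/html` (path is an example); a clean tree prints nothing and `count_findings` prints 0.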