At the moment, TheIndependent.mu seems to be the only online newspaper in Mauritius written in English, although it carries only a small selection of news items. I am not sure how much traffic the site gets, but this shouldn't really matter, because the point I want to illustrate is how simple negligence can hurt your site's credibility and turn you into the victim of a potential hacker. See the image below:

(Screenshot: theindependent.mu cache problem)

As you can see from the picture above, a WordPress administrator bar is displayed at the top of the homepage (and of all other pages). This is normal when you are logged into your WordPress blog as an administrator, because it makes administering the site easier: you can browse your site/blog while the admin options are readily available to you. However, for all other users (especially non-administrators), this bar should be hidden or made unavailable.

The "Clear Cache" button on the WordPress bar was very prominent, and when you clicked on it, it performed a cleanup on theindependent.mu. Only the administrator of the site should be allowed to clear the cache, but here anyone was allowed to click the button and thereby discard the pages that had been cached. The purpose of a cache is to make pages load faster: on a dynamic website, where each request involves a round trip to the database to fetch records (data), it is more efficient to fetch the data once and store the result as a static page instead of repeating the same fetch every time the page is requested. In this instance, however, the cache was not working as intended, and the benefit offered by the cache plugin would be lost entirely if someone were to hit that "Clear Cache" button every so often.

The WordPress bar also exposed a wealth of information. For example, it showed that 62 comments were sitting in the moderation queue and that newer versions were available for 9 of the plugins the site uses. Running outdated plugins is a big NO-NO, because it poses a security risk that can get your website hacked easily. If people know you are running an old version of some software or plugin, they can look up the known weaknesses in that version and use them to gain unauthorised access to your site. That is why it is really important to stay up to date with new versions of the applications you are using.

Of course, all the actual admin functionality was inaccessible because it required you to log in, but this does not excuse the ignorance of the webmaster. The problem is that the cache plugin in use was either wrongly configured or poorly designed. A good cache plugin should never cache pages while you are logged in, because the cached copy will confuse ordinary visitors, making them think they are already signed in when they are not. More dangerously, it can expose sensitive parts of your website to a casual visitor, who may unintentionally wreak havoc on your whole site by clicking on things they don't understand, or, out of malice, try to damage the site simply because the opportunity was presented to them.
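As an added example (not the site's plugin or any real plugin's code), here is how a minimal WordPress page-cache plugin can avoid both problems described above: it bypasses the cache entirely for logged-in users, so a page rendered with the admin bar is never stored and replayed to anonymous visitors, and it ties the "Clear Cache" action to the manage_options capability plus a nonce so only administrators can purge. The cache directory and the `mpc_` prefixed names are assumptions of this example.

```php
<?php
define( 'MPC_CACHE_DIR', WP_CONTENT_DIR . '/cache/mpc/' ); // assumed location; illustrative plugin, not a real one
function mpc_cache_path() {
    return MPC_CACHE_DIR . md5( $_SERVER['REQUEST_URI'] ) . '.html';
}
// Bypass the cache for logged-in users and non-GET requests: a page rendered
// with the admin bar must never be stored and replayed to anonymous visitors.
function mpc_maybe_serve_cache() {
    if ( is_user_logged_in() || 'GET' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    $path = mpc_cache_path();
    if ( file_exists( $path ) && filemtime( $path ) > time() - HOUR_IN_SECONDS ) {
        readfile( $path );
        exit;
    }
    ob_start( 'mpc_store_page' ); // only anonymous GETs reach this point
}
add_action( 'template_redirect', 'mpc_maybe_serve_cache' );
function mpc_store_page( $html ) {
    if ( ! is_404() ) {
        wp_mkdir_p( MPC_CACHE_DIR );
        file_put_contents( mpc_cache_path(), $html, LOCK_EX );
    }
    return $html;
}
// Purging requires the manage_options capability and a valid nonce; anyone else gets a 403.
function mpc_handle_purge() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed to clear the cache.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'mpc_purge' );
    array_map( 'unlink', glob( MPC_CACHE_DIR . '*.html' ) ?: array() );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_mpc_purge', 'mpc_handle_purge' );
// The "Clear Cache" button is added to the admin bar for administrators only.
function mpc_admin_bar_button( $wp_admin_bar ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $wp_admin_bar->add_node( array(
        'id'    => 'mpc-purge',
        'title' => 'Clear Cache',
        'href'  => wp_nonce_url( admin_url( 'admin-post.php?action=mpc_purge' ), 'mpc_purge' ),
    ) );
}
add_action( 'admin_bar_menu', 'mpc_admin_bar_button', 100 );
```

Because the purge handler is hooked on `admin_post_` rather than `admin_post_nopriv_`, a visitor who is not logged in never reaches it at all, and the cached copy of any page is built only from an anonymous request.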

The purpose of this post is not to embarrass anyone but to show that negligence can have really devastating effects. Security is of utmost importance, and testing is a necessity whenever you change something on your website. This could have been prevented by configuring the cache plugin, logging out and testing whether the functionality works as desired, logging back in and testing once more, and only then making the changes live. Hopefully they will correct the problem before something bad happens.

6/Aug/2012

Posted in: Web Design
