WordPress, Hacking and Comments

My friend Mark Turner mentioned that he recently had his WordPress blog hacked by someone who used a login on his blog to upload a rootkit shell to his server. While talking with him over email to get my account on his blog back up, I suggested that he look into what I’ve done with my blog: switch from using the standard WordPress comments to using the Intense Debate plugin to handle all comments. I found out about it from my friend Nick’s blog, where he mentioned using it. Intense Debate can import all your existing WordPress comments and then handle all new ones. In addition, users can choose to have replies to their comments emailed to them, and comments can be threaded so you can see how the conversation is flowing. Overall, I think it makes for a better commenting system than the default one that comes with WordPress.

But the thing that is really applicable in Mark’s case is that by letting Intense Debate handle the comments, they also handle all the user accounts, so you can turn off the ability for people to register for accounts locally on your WordPress instance. In Mark’s case the attackers were able to compromise his system because they had registered an account on it; with the ID plugin and local registration disabled, that door would simply not be there.
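Turning off local registration is the "Anyone can register" checkbox under Settings > General, but a checkbox can be ticked again later. As an added example (not from this post or from Intense Debate), here is a small must-use plugin that pins that option off in code and refuses the registration form outright; the file name is my own choice.

```php
<?php
/**
 * Plugin Name: Disable Local Registration (example)
 * Description: Forces WordPress to refuse new local user registrations
 *              when comments and their accounts are handled by an
 *              external service such as Intense Debate.
 *
 * Save as wp-content/mu-plugins/disable-local-registration.php so it
 * loads on every request and cannot be deactivated from the dashboard.
 */

// Short-circuit get_option( 'users_can_register' ) so it always reads 0,
// regardless of what the "Anyone can register" checkbox currently says.
// wp-login.php checks this option before showing or processing the form.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// Belt and braces: if anyone still requests wp-login.php?action=register,
// send them straight back to the plain login screen instead of the form.
add_action( 'login_init', function () {
    if ( isset( $_GET['action'] ) && 'register' === $_GET['action'] ) {
        wp_safe_redirect( wp_login_url() );
        exit;
    }
} );
```

After installing it, confirm the effect by loading wp-login.php?action=register while logged out: you should land on the login screen with no registration form.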

Anyway, I have absolutely no relationship with Intense Debate other than the fact that I use their WordPress plugin, but I do like it quite a bit and so thought I would post about it in case other people didn’t know about it.