[HacktionLab] Drupocalypse v3 Can it ever stop

ekes ekes at aktivix.org
Fri Apr 27 10:29:42 UTC 2018

On 27/04/18 12:11, naomi wrote:
> it means it is better, because it means it is being
> looked after.

I think the number of eyeballs on have gone up even more now, so we can
probably expect more. The lovely days of being able to roll-your-own and
have it full of holes and no one notice are sadly long gone.

>> Even with Wordpress' auto-update, there are still plenty of Wordpress
>> sites that are now hacked to mine bitcoins.

It's actually partly because of the auto-updates; seems there is a
business in getting control of existing plug-ins and adding code to them
to do whatever nefarious thing :-( Obviously, not that forcing manual
updates would stop this (unless you're a weirdo who reviews the code),
it's also because of the size of the opportunity.

>> 2) Use a shared hosting like Mayfirst collective or Pantheon or so if
>> you want it more commercial. They usually provide the core updates.
>> 4) Build a network to share the skills and the work. I could have easily
>> patched a few more sites while I was on it. And I would also be happy to
>> know that there are trusted people around who have the needed access to
>> a machine in case I'm travelling on Wednesday.

These two are kind of connected. I know of two collectives that have
Drupal sites on their servers and they organised to patch them live. I
know because I'm in their IRC channels and chatted to people to make
sure they were aware of the patch on its way.

