An Open Letter to Rackspace Cloud Hosting

I've yet to be affected as only have on WordPress site, but great reply to them.

Hi Robert – I totally get that. But really, as a professional, this letter only ads insult to injury. When I tried to talk to Engates about this stuff, even casually, at that tweetup you and I met at, he looked at me like I had six heads. They need to decide who their target is and work with that. RS CS was sold to me as being web developer friendly, made specifically for folks like me, and that's simply not true. Given the present situation, when one of my clients gets hacked, this is how the conversation goes:

Them: Oh shit! My site's been hacked!
Me: Okay, don't panic. I'll go in and fix it immediately.
Them: How did this happen???
Me: I don't know – I might be able to tell you in roughly 24 hours. Maybe.
Them: What happens if we get hacked again in the meantime?
Me: Uhm, we're fucked? I go in and fix it again. Oh yeah, on your dime.

Which wouldn't be the end of the world if *I* wasn't the one that sold them on Rackspace Cloud in the first place.

We need to be able to respond quickly to these types of things, beyond just replacing the files and praying to the space god Zorkon that it doesn't happen again.

size and infrastructure as an excuse only show that Rackspace has no real procedure in place to deal with this kind of thing.

WordPress being an attack vector, and a popular one is not new. The ass-raping your own blog took shows that. That was how many months ago? From what anyone can tell, Rackspace did fuck-all nothing to deal with this better, and so now, once again, WordPress installations all over Rackspace are once again getting pillaged like they had given Genghis Khan the finger.

it is absolutely astonishing that Rackspace is still acting like they have not plan 1 in place to deal with, and i say this not just as some guy with a blog, but as an IT director of a company that uses Mosso or whatever the ass name it has now, to host some of our more important client sites. Mosso is not our only option, and if Rackspace does not get their shit together, and I mean right bloody quick, I will, without qualm, or even raising my pulse, put a bullet in our relationship with your employer, and move to someone who CAN handle life's little issues better.

as far as my own site, while I would love to move to cheaper hosting, right now, I will HAPPILY pay the $200+ a month bynkii.com costs me, because unlike Rackspace, when shit starts happening at digital.forest, they aren't making lame excuses about being “too big to fix things”, they're working day and night to fix it and tell me why it broke, and why it won't break again.

This is the fundamental flaw with 99.9% of hosting companies. Rackspace is VERY proficient with hardware and networking but they lack (like others) in application protection. Putting the responsibility on the site owners to continually do zero-day updates is irresponsible. Open source with all of the plug-ins will continually be riddled with vulnerabilities. The key is to block the root problem – the hacker's (or bots) traffic patterns.

Yes… you should always keep your WP install fully up to date and this letter is a good effort to use best practices and protect yourself if the hosting company won't. There are hosting companies who are beefing up their security on the application layer but Rackspace Cloud isn't one of them.

So, the bottom line is… WP is vulnerable, even in the latest most stable? Or is it RackSpace?

One my friends got hacked 24/7 for a while, it was pure insanity. All the debugging he did, etc. – could have been so easy with a little more of the big picture but the support was not even remotely helpful.

I think he ended up writing his own log files (through a prepend directive in PHP) to gather more information. But that'll eat away on resources.

Speaking of which, what strikes me about Mosso/Cloud Sites – the cycle stuff. And no one being able to tell you which script uses how many. It's totally nutcase, it could be a random number generator in the back and then you are billed. This is pretty unbelievable and I don't see how this targets people who know more than the average John Doe.

Your blog post just confirmed what I've been telling him for months. Go get something from slicehost, it's probably a lot, lot more cost effective.

I am surprised they don't offer shell access or real time access to the logs. These seem like fundamental things for anyone who does this stuff for a living. On of the reasons I did not go with RS for my personal sites was that.

SSH access I can see why they'd be leery but the logs? That's a no brainer to setup. Even a shell can be done smartly to minimize risk. My current host has been fairly proactive about stuff. If they see trends or something comes up on your account that they think may be a risk they email you going “hey you should do something about this.”

Robert, I use you as an example at least twice a week regarding website security. You're connected to the smartest folks in Silicon Valley and yet you've been hacked… multiple times. Even smart people don't use “best practices,” because it's a lot of work.

This is the downside to running your own stuff. You DIY fanatics are going to get hacked, or spend all your time reading security reports and updating your software. Have a life, or do it yourself. Pick one.

Hi Dan – I think that's true simply because WP-Supercache is so popular, and Rackspace even recommends it for high traffic sites, so it's a pretty safe assumption that most of the WP blogs on RS CS are using WP-Supercache. Correlation is not equal to causation.

I'm not sure if its a scaling issue or the possibility of log poisoning that prevents them from giving us real time logs

Till is talking about me. Snipe – I'd love to have a email or phone chat with you – can you send me an email?

Hi Jon – thanks for your reply. I can only *imagine* that its getting a lot of attention – hopefully there aren't too many dart boards with my picture on them posted in the office just yet.

I hate doing this – I have always felt like Rackspace's intentions, if not their executions, have been good – and I have gotten to know and love so many people there that I generally don't air dirty laundry in public. It's like I said in my There's No Such Thing As a Social Media Marketer post. It becomes harder to give up on a company when you're invested in their employees. But I feel like this is a conversation I've been having for a year, and this is just the first time when there has been enough of an issue to get my panties in a wad.

I believe part of the issue here is transparency. I spoke with Adrian late last night on the phone and Jonathan Bryce emailed me today. According to them, RS has been working on addressing this problem on a higher level – but because they didn't communicate that to their users, it felt like everyone was getting fucked and Rackspace wasn't doing anything about it.

For example, one vector would be an older installation of WordPress on the same account. If someone has 8 WordPress accounts and upgraded all but one, that one can be a vector for poisoning the upgraded, solid installations. I don't know when RS realized this, but what should have happened is that the FIRST question out of every level 1 tech's mouth when responding to a customer running WordPress that's been hacked is “Are you running more than one installation of WordPress?” Lots of people use WordPress as a blog, but many use it as a CMS for sites that they don't update very often, s upgrading the WP install can get overlooked. It's not a “real” blog, so it falls off the radar. That is obviously still the site owner's fault and responsibility, but RS could have positioned themselves to be much more proactive and helpful if they nipped that right in the bud. My client had called RS several times when his sites were hacked, and not once did anyone ask him about it. I asked him today, and it turns out he did have a “static” website that runs an older version of WP. Was it his fault for not updating? Absolutely. But RS could have done so much more to mitigate frustration.

IF we are going to be working in an environment where we don't have the tools we're used to having at our disposal (ssh, svn, log file tails, etc), then we NEED Rackspace to up their game in helping us and being proactive. We HAVE to have one of the two, since we evidently can't have both. On my own server, I had multiple tools set up to keep us safe. Brute force detection, mod_security, scalp, etc. I can't set those up here, so I need to know that you guys are offering me at least the same level of protection that I'd have been able to cobble together myself.

In the interest of full disclosure, the automated security email you guys sent out wasn't a bad thing. Of course you should tell people to lock their stuff down. I reacted the way I did because I had just finished repairing the 12th hacked WordPress site in 3 days. While I was doing the restore on one, FTP randomly stopped working. 15 minutes and a level 2 tech later, it was back up. 10 minutes later, I had to login to the sites admin to check a ticket my client had opened, and the admin was down for maintenance for 1.5 hours. I reloaded a minute or two later, and it said it would be down for 2.5 hours. So yeah – I was pissed. The email was the last straw, not the cause of my frustration, and I absolutely agree and support you sending it out to your users. I just wish the proactivity hadn't ended – or started – there.

So barring SSH and real-time logs (and better mysql/uptime), what do I want? I want to be notified when traffic to my site increases from 30 simultaneous users to 700, all attempting to do malicious things. Since I pay for my cpu cycles, if I hadn't been notified by Chartbeat, you can bet I'd be losing my fucking mind next month when my bill was 25x what it normally is. I want to know that at least basic security efforts are in place to block malicious traffic, and that when malicious traffic is detected, it gets blocked from the firewall or at least denied based on the request. If someone is trying to do a RFI or LFI attack, there are lots of ways to detect that at a technology level.

I had started using Cloud Services partly to evaluate them as a possible candidate for the company I work for. We have several dedicated boxes and spend about $5k a month on hosting. At this point I just don't feel comfortable recommending them to my company. If something goes wrong, and it was my recommendation, it's my ass.

No dart boards yet … The thing about Rackers is when we hear that our customers aren't happy, we all feel responsible, and we all want to find a way to turn it around. We love our customers, and we want you to be so happy with Rackspace that instead of blogging your frustrations, you can blog about how AWESOME we really are!

I can certainly understand why you are so upset. I can tell you we are doing a lot of work under the covers to stabilize, and that good things are coming.

Hehe… btw, did you ever email them for help? Or security advice?

It's totally nuts. They'll send you a prettyfied grep output which highlights so called malicious functions in your code. It's beyond useful.

fyi i have sent you an email – thanks

Try reading the post and the comments before chiming in. No one is saying Rackspace should be keeping WordPress updated for them – it's an issue of tools and transparency.

Okay, so perhaps you read them, but missed it somehow. My point was that IF we're not going to have the tools available to us (such as ssh, real-time logs, etc), then they SHOULD step up their game for helping us with security, since we're not ABLE to do it ourselves. I moved from a dedicated box (which I still have in a colo in San Diego) specifically because this was sold to me as a solution that would work out well for devs.

If you're going to cripple me, you at least need to help me up the stairs.

it's the new Server Beach. it shouldn't have the Rackspace name on it and I see your point, you are correct, it is an issue. when it was still SliceHost, the target audience was people like yourself – informed professionals who were willing to learn from the forums, etc. but who also had a clue – NOT everyone should be in the Cloud.

Hi Devon – I actually still have a dedicated server in a colo in San Diego. I had moved everything off that server because I was tired of having to manage my own box. I've been managing my own box for over 10 years, and it's just too time-consuming. I work full-time, commute 4.5 hours a day and run a non-profit org. It was just getting to be too much. I have heard good things about their Servers product, and we have several regular dedicated boxes at Rackspace, so it seems like it's the Cloud product that's still green and struggling. I have been dealing with Rackspace for one reason or another for years, and their support really is good. I would recommend them any day, just not the Cloud product.

Snipe, sorry to hear about this.. You're actually the one that convinced me to make the switch from my dedicated box to Mosso last April. I've also had my fair share of issues with them (including one month where my bill was nearly $400!), but aside from that and a few outages, it's been ok overall. I'm willing to let a few things slide, as long as I don't have to deal with the sysadmin work anymore!

I saw your more recent post “The cloud is a lie”.. If you happen to come across a better solution, please let me know. Thanks!

Good to hear.. I also had to get creative with my caching, I'm very particular about our plug-in usage, and utilize a few other techniques to get my compute cycle usage under control. It's a pain sometimes (especially when I'm managing 40+ sites), but I guess that's life in the cloud.

I come close to the 10K/mo line each month, but I haven't crossed it in probably 6 months now! I've been asking for better tools to monitor cycle usage since I signed up, but that's a losing battle.

Glad to hear things are better now.. Thanks.

Maybe its time to move on to Page.ly. as they are focused on security by hosting their site with Firehost
• Automatic WordPress Core/Plugin updates
• Backed by the Bulletproof security of Firehost.com
o Managed Redundant Firewall Protection
o Managed Redundant Web Application FireWall Protection
o Managed Redundant DoS/DDoS Mitigation
o Multi-level Intrusion Prevention and Detection
o http://www.firehost.com/why/compare

They sounds good, but I have yet to use any of their services yet. At least I don’t get any horror stories while searching “Page.ly wordpress hacked” as compared to “Rackspace cloud wordpress hacked”. This is how I found your blog.

Off subject a bit, but Rackspace centric … I’m just so sad. I too have lauded Rackspace, and have paid more for the support I get. However, a month ago, I noticed our account at a ridiculously high dollar amount. I emailed my account person and said I thought something was wrong. We never carry a balance over $500 … we were more than double that. A reply came, with a copy to someone in accounting, asking them to provide backup so I could audit the fees. I did, and to my surprise, found no errors in Rackspace’s statements. I wrote back and asked for two things to happen, a. that my server be cut once I migrated to a cheaper solution, also at Rackspace, and b. that we begin making payments to pay down this balance, starting with a payment before the end of 2010.

Yesterday, we were suspended for non payment, and the only way to get this resolved was to pay the entire balance or $900. I am a very small business, with only myself and a part time person. This outage and resulting firestorm of communication has left me bitter and angry.

I brought the account to the attention of the accounting department, not to be punished, but to protect my relationship with them. And, with my clients. However, some of my sites are still dark and Rackspace has refused to reverse the decision to require the full balance before we go live.

I’m so angry. Thank you for the post, and for the warning. I operate several WP installations for clients and our ‘cheaper solution’ is a cloud.

Cole
Remembering.com (still down)

Sir I am sorry but get out of the cloud a doctor put peoples files in the cloud and they all lost their info with in 3 to 10 days so get out of the cloud it is very bad