For over three years this blog was hosted on a shared server offered by BlueHost. However, six months ago I lost control of the admin account. From what I could gather an adversary had been able to socially engineer BlueHost support into changing the administrator email address to one under their control. Once this had been achieved, they were able to perform password recovery and gain access to the admin account.
Once they had access, they shut down the server running my blog and launched a high-power instance which ran up a considerable bill. After much pain I managed to regain access to the admin account and removed the powerful instance. Luckily, BlueHost refunded the cost of the powerful instance.
After this occurred I started looking for other methods of hosting my blog. Initially, I looked at hosting on Amazon Web Services. This method would have given me the best control over the blog as I could create a small Linux EC2 instance and then install WordPress to run my blog. However, this method would have also required me to maintain the site and server, a task I don’t believe I currently have time for.
The solution to this problem was brought to my attention by one of the security podcasts I often listen to, “Security Now”. One of the sponsors of the show is WordPress.com, which provides you with a WordPress site of your own that is fully maintained by them. Additionally, their pricing was very reasonable and included the cost of registering the domain.
I created this blog on WordPress.com and will now have the fun of moving my domain registration and blog content over. Hopefully it won’t be too hard.
Additionally, the security of my blog appears to be sufficient. The WordPress.com site supports two-factor authentication using either my phone or an authenticator app. I elected to use the authenticator app to eliminate the risk of the SMS message being intercepted or the telecommunications provider being socially engineered and allowing a SIM swap. Another security benefit provided is that my blog is now running over HTTPS, resulting in my login information being encrypted when it is sent to the site. Hopefully, these measures will be enough to keep the site safe this time.
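Authenticator apps generate their codes with TOTP (RFC 6238): an HMAC over a time counter, computed locally from a shared secret, so no code ever travels over the phone network and a SIM swap gains the attacker nothing. The following is an added example of that mechanism, not code from the original post or from WordPress.com. The secret is the RFC 4226/6238 test-vector seed in the base32 form an app would scan from a QR code (a constructed demo value), and the step size, digit count and drift window are conventional defaults rather than anything the post states.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 reference seed "12345678901234567890",
# base32-encoded as an authenticator app would store it. Not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode an authenticator-app secret; tolerate lowercase, spaces and missing padding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, timestamp=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is Unix time divided into `step`-second windows."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, candidate: str, timestamp=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step plus `window` steps either side to absorb clock drift,
    and compares every candidate in constant time so response timing leaks nothing.
    """
    # Reject malformed input up front; compare_digest needs ASCII strings of equal length.
    if not (candidate.isascii() and candidate.isdigit() and len(candidate) == digits):
        return False
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        ok |= hmac.compare_digest(expected, candidate)  # no early exit on a match
    return ok


if __name__ == "__main__":
    secret = secret_from_base32(DEMO_SECRET_B32)
    # Both sides (app and site) derive the same code from the same secret and clock.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(secret, t))
```

The values printed for those timestamps match the RFC 6238 SHA-1 test vectors (with the two leading digits dropped for six-digit codes), which is the quickest way to confirm an implementation against a real authenticator app. Note that the server copy of the secret is exactly as sensitive as a password hash is not: it must be stored encrypted, and a leaked secret lets anyone mint valid codes indefinitely.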