
Why so many people hacked?

Asked Modified Viewed 2,395 times
welo (Junior Member) asked:

Hi. I just ran across this script via http://www.fabryka.darknation.eu and am always on the lookout for a CMS. The first thing I notice here are dozens of people-getting-hacked threads and no 'Announcements' forum. So how do people know what/when to upgrade or patch? Seems like a neat CMS but do I dare install it anywhere? Is it a phase? I haven't seen this many hack notifications even at phpbb.
0 replies

8 posts

wibix (Member) answered:

The core is safe. Additional stuff like infusions and mods is what is to blame.
0 replies
muscapaul (Veteran Member) answered:

Quote

welo wrote:
no 'Announcements' forum. So how do people know what/when to upgrade or patch? Seems like a neat CMS but do I dare install it anywhere? Is it a phase? I haven't seen this many hack notifications even at phpbb.

First of all, when there is an update of the CMS, it will be posted in the news, immediately below the latest threads panel. So not to worry, as soon as you open the main site you will be able to see updates announced.

Secondly, most recent hacking incidents are due to older versions of PHPFusion or faulty infusions. If you use the latest version of PHPFusion and keep up to date with the infusions (most vulnerabilities that have been dealt with will be reported here or on http://www.phpfusion-mods.com) there should be no problem.

That leaves the few sites that are being hacked without a clear indication why. These incidents can be due to as yet unreported vulnerabilities, but also to compromised security after earlier hacks. If a hacker was able to erase a database, assume that he was also able to extract data from the database. Restoring a hacked site from a back-up can then leave a vulnerable site, even though the scripts are all secure. So, after a hacking incident, make certain all admins from the site change their passwords. This applies to both the site's passwords and the FTP passwords (some people use the same for both, making it easier for hackers).
0 replies
welo (Junior Member) answered:

Thanks for responding. I'm not trying to start a fight here on my first post, but I hafta be curious. Like I said, I'm always on the lookout for a decent lightweight CMS for project sites or clients. Most of what I've read seems like script kiddie stuff or the usual bonehead admin security precautions (or lack thereof). It's just been awhile since I showed up at a script support site and had the issue leap out at every turn.
0 replies
Falk (Super Admin) answered:

In terms of security, the core of PHP fusion is very stable; by this I mean a basic installation with no added extras such as infusions or any third-party modification. The main problem right now is that there are quite a few infusions which have not been checked by any of our team for weaknesses in security. The main reason for this is that we had a fairly limited number of team members.

Right now we are putting together a security awareness team who will be responsible for testing and ensuring that all infusions available from the moddb are 100% secure. What I plan to do is to write a comprehensive guide on how to ensure that the code people write is secure. It comes down to education at the end of the day. When I started writing several years ago I had no experience whatsoever. As I am sure you can imagine, I have built up a vast knowledge of how to defend against hacking and exploits.

The one basic rule in coding is that you should never expect any kind of user input to be safe; you have to think that any input or variable which can be altered by any user is malicious. PHP provides a number of functions that can be used to ensure the input is not malicious or is at least safe.

The core of PHP-fusion also has a number of inbuilt functions which can be used to sanitise and check various user input and variables.

On a final note, once a site has been compromised, hackers tend to leave some kind of backdoor in place so that no matter how many times the site is restored, the hacker can get back in much more easily than in the first instance. So it is important to check everything before you reopen a compromised site. The most common place to look for any malicious scripts is in the writable folders.

All in all I think you can expect that the security within our community will be increasing dramatically over the next few months especially with the arrival of version 7.
0 replies
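
One way to carry out the check Falk describes, looking for scripts in writable folders before reopening a restored site. This is an added example, not part of the original thread and not PHP-Fusion code; the extension list and the sample folder names are assumptions.

```python
import os
import stat
import tempfile

# Assumed list of extensions a PHP-enabled server may execute; match it to your handler config.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
WRITABLE = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable, e.g. chmod 777 upload folders


def find_suspect_scripts(web_root):
    """List scripts and .htaccess files located in or below loosely writable directories."""
    web_root = os.path.abspath(web_root)
    exposed, hits = set(), []
    for dirpath, _dirs, files in os.walk(web_root):
        loose = os.stat(dirpath).st_mode & WRITABLE
        # A folder created inside a writable one is in scope even if its own mode is strict.
        if not loose and os.path.dirname(dirpath) not in exposed:
            continue
        exposed.add(dirpath)
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS or name == ".htaccess":
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample layout: one upload folder left world-writable."""
    root = tempfile.mkdtemp()
    layout = {
        "includes": (0o755, ["core_functions.php"]),
        "images": (0o777, ["logo.png", "thumb.php", ".htaccess"]),
        "images/cache": (0o755, ["c.phtml"]),
    }
    for rel, (mode, names) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path)
        for name in names:
            open(os.path.join(path, name), "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel in find_suspect_scripts(build_sample_tree()):
        print("review:", rel)
```

A hit is a file to compare against a known-good copy of the release or infusion, not proof of a backdoor; some packages legitimately ship scripts in writable folders.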
Yxos (Senior Member) answered:

Quote

muscapaul wrote:

First of all, when there is an update of the CMS, it will be posted in the news, immediately below the latest threads panel. So not to worry, as soon as you open the main site you will be able to see updates announced.

Right. Therefore any administrator running a fusion site should check this site on a regular basis. This is a bit reactive to me.
I would like to see e.g. the newsletter (which is active on this site) used to inform about important new releases like 6.01.10. This would be more pro-active I think.
0 replies
welo (Junior Member) answered:

Quote

Yxos wrote:

Quote

muscapaul wrote:

First of all, when there is an update of the CMS, it will be posted in the news, immediately below the latest threads panel. So not to worry, as soon as you open the main site you will be able to see updates announced.

I would like to see e.g. the newsletter (which is active on this site) used to inform about important new releases like 6.01.10. This would be more pro-active I think.


Which is sorta what I was driving at with an 'Announcements' forum. Usually with a script support site that's the first thing I look for, so if I decide to use the script I can subscribe to that forum and be notified of patches and updates. Otherwise I pretty much have to return and check when I think of it, and who knows when that will be? Not seeing a way to subscribe to an entire forum here however, so that might be a moot suggestion in this case.
0 replies
Quartzkyte (Senior Member) answered:

Detail to take into consideration: PHPFusion is widely spread.

Here only, over 14 000 webmasters!

And the victims (I'm one of them) are not so numerous.
The one site of mine that was hacked widely uses infusions.
No problem after upgrade, though.

Besides, the Big Boss (Nick, aka Digitanium) is very security minded. You can rely on PHP Fusion for your sites, pro as well as personal.

On top of it you can buy mugs and apparel to show your support!

It's really a pleasure to use it on a daily basis. I have over a dozen sites now running under PHP Fusion, and this team is really helpful... you'll stick to it when you start :)
0 replies
Yxos (Senior Member) answered:

Quote

Quartzkyte wrote:
Detail to take into consideration: PHPFusion is widely spread.

Here only, over 14 000 webmasters!

And the victims (I'm one of them) are not so numerous.
The one site of mine that was hacked widely uses infusions.
No problem after upgrade, though.

Besides, the Big Boss (Nick, aka Digitanium) is very security minded. You can rely on PHP Fusion for your sites, pro as well as personal.

On top of it you can buy mugs and apparel to show your support!

Yes, you can buy mugs etc., but isn't that getting a bit off topic when we discuss security issues and how to push the information about important upgrades to the webmasters?

I can accept that sending a newsletter to 14.000 users will occupy Nick's comp for a while and therefore he might choose not to do so.

On the other hand I can't imagine anything that is more important to use the newsletter for.
If not for this, then what is the newsletter good for?

I realize that today there is no newsletter panel on this site where you can subscribe/unsubscribe. I am not sure, but I seem to recall that I pressed the Subscribe button at some point...
Could it be that Nick removed it, realizing that what I just said was true, and therefore took the consequence and removed it ;) If so, hats off!
I have no problem checking this site now and then, but it took some time for me to realize that I ought to.
0 replies

Category Forum

General Discussion
