Elise Bauer and Arvind Satyanarayan have a
short tutorial on using CGIWrap or suEXEC on *NIX/Apache
MovableType installations. If you are using MT as your content
management system and aren’t already using CGIWrap or suEXEC
you should read this article. This, of course, assumes that
your host has CGIWrap or suEXEC installed (MT installs a
utility called mt-check.cgi that, inter alia, tests
for this so you can check before proceeding).
The article also recommends, if you aren’t doing dynamic
publishing, setting the permissions on mt.cfg and mt-db-pass.cgi to
600 (chmod 600 mt.cfg) to protect them from
intrusion. In addition, they suggest placing a .htaccess file
in the same directory as mt.cfg with directives that restrict
access (see the article for the specific code).
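As an added example (not code from the post or from the tutorial it links), here is a small POSIX shell audit for the two files named above that reports any copy readable by group or other and can apply the recommended chmod 600; the directory argument and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example: audit and fix MovableType secret-file permissions.
# Assumes mt.cfg and mt-db-pass.cgi live in the MT CGI directory
# passed as $1 (file names are from the post; the directory layout
# is an assumption). Needs GNU or BSD stat.

MT_SECRET_FILES="mt.cfg mt-db-pass.cgi"

# Print the octal permission bits of a file (e.g. 644), portably.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if every secret file exists and is readable only by its
# owner (no group or other bits set), else 1. Lists each finding.
mt_perms_check() {
    dir=$1; bad=0
    for f in $MT_SECRET_FILES; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        mode=$(file_mode "$path")
        # Keep only the group and other digits; anything non-zero
        # means a user other than the owner can read or write it.
        go=$(printf '%s' "$mode" | sed 's/.*\(..\)$/\1/')
        if [ "$go" != "00" ]; then
            echo "EXPOSED  $path (mode $mode)"; bad=1
        else
            echo "OK       $path (mode $mode)"
        fi
    done
    return $bad
}

# Apply the post's recommendation: owner read/write only.
# chmod 600 only works when the CGI scripts run as the file's owner,
# which is what suEXEC or CGIWrap provide; under a shared httpd user
# MT could no longer read its own configuration.
mt_perms_harden() {
    for f in $MT_SECRET_FILES; do
        [ -f "$1/$f" ] && chmod 600 "$1/$f"
    done
    return 0
}
```

Run `mt_perms_check /path/to/mt` first; only call `mt_perms_harden` once mt-check.cgi confirms the CGIs execute as your user.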
Given the problems I’ve had with comment spammers, these are
good recommendations. One thing they don’t mention, but I
recommend, is to close comments on individual articles after a
period of time. I don’t know why, but spammers love to hit
posts that are older than a couple of weeks. If you routinely
close comments after, say, eight to 10 days, you can stop them
in their tracks.
But remember, you have to make these changes. If you think
no one would try to hack your site, think about this. Before
the authors of the tutorial actually did the things they
recommended, a spammer was able to access their index template
and modify it to show a pop-up ad to everyone who viewed their
site. So, not only can it happen, it
already has. And according to a follow-up at their site,
the exploit involves not only MT sites but also WordPress and
perhaps others. The bottom line for the exploit seems to be: set
your permissions to 600 on mt.cfg and mt-db-pass.cgi.