When I couldn’t find a decent open source freelancer script for a project I was entertaining, I took my search to the commercial software sites. Once I had narrowed the field down by aesthetics and feature list, I decided on purchasing the Freelancers Marketplace script from SoftbizScripts. My final decision was based purely on the look of this script. I thought it was simple and clean, and it was exactly what I was looking for in a freelancer script.
Soon (almost too soon) after I installed this script, it was hacked by a Turkish skiddie. I literally owned the domain and script for no more than a few days before it was hacked. The site I was building was brand new and not announced in any form, which made me very suspicious. I don’t know how the heck this hacker knew my site was out there, but in place of my freelancer script there was a white page with simple black text that forwarded to his site.
My first step was to contact my host and inform them that I was hacked. Within hours I had a response back explaining the weakness in the script I was running and instructions to inform the script author of a fix. (Just one of the many reasons why HostGator rocks.) I passed the message on to the people over at Softbiz and they responded that they had fixed the issue. A minor setback, since the site was new and not launched. No big deal.
No big deal until the site was hacked again. That’s enough. I took the site down, deleted the script from my hard drive, and cut my losses. This was one of those lessons we non-programmers have to learn the hard way. We don’t code, so we can’t do it ourselves, nor can we find weaknesses in code. This kind of makes us sitting ducks for hackers. We’re only as safe as the script author is good at security in their coding.
I’m not trying to dissuade you from purchasing lesser known scripts from lesser known coders. I believe some of the best software can be found from up and coming start-ups, but it’s probably wise to do some due diligence on the company/code first if possible. How do we do that? I think one way is to ensure the people supporting the code have a community forum or some type of public support where everyone has a voice.
The bottom line is that nobody knows I was hacked except my web host and the company, and that helps nobody. Had Softbiz had a public forum, I could have shared this information to save others the trouble, or, better yet, been warned and not wasted my money.