Well, unfortunately within hours of updating the BlogEngineDotNet application to the latest version, it resulted in getting hacked. BlogEngineDotNet is a barely functioning Blog Application and Windows 2008 is old, so it’s time to just ditch the stupid and join the 21st Century. Yes, of course I tried running BlogEngineDotNet via Apache and mod_mono but no, it’s so poorly coded it doesn’t work on the Mono platform. Goodbye BlogEngineDotNet, Goodbye Windows Server.
Miracles never cease! BlogEngine.Net has been updated to v3.2. It’s not a bad update. The automated update process went a lot more smoothly, since I knew what to do from the previous one. The Standard-28 theme was removed, so I had to pick a different default theme which is fine and the search widget appears to be missing. I haven’t checked to see if mod_security has been enabled again. I suspect it wouldn’t be working if it has. Now I just wonder what security issues will pop up that will never be announced or properly fixed. I just about gave up on BlogEngine.Net due to nothing happening with it for over a year. I had moved over a couple of sites to a different CMS and was learning it. This new version of BlogEngine.Net will make me want to stick out with it on this domain for a bit more. Depends on how long I want to maintain a Windows server. Windows is fast becoming pay to play operating service which it isn’t worth it anymore.
I have noticed a lot of posts on the BlogEngine forum with users having a lot of problems within the Admin area. One even points out the 405 error which is one of the default errors of the Web Application Firewall mod_security. Which works great in IIS. I suspect a lot of people are not aware that there is a version of mod_security for IIS. And so, people constantly search for the solution to their problem when it’s glaring them right in the face. That is, if you know what you are looking for. Hence this post. If you get a “405 Method Not Allowed” error, most likely the mod_security module is enabled. I have found that the default rules that come with mod_security are pretty much incompatible with BlogEngine and I have to disable the module in order to get it working. Otherwise you will need to disable a vast amount of rules in order to get the application functioning properly. It will be a monumental task in creating a BlogEngine ruleset for mod_security. Hopefully some day in most likely an alternate universe will someone sit down and create a ruleset for it.
When updating BlogEngine 3.x with the new updater you may run into some snags like I did. There are some improvements, yet some are ill thought out unfortunately. The first thing I ran into is that the Update process backs up your site. The problem with this is you may have a large amount of data in your media folder. The backup process cannot handle more than a few megabytes of files in this folder until it will fail with an error on the 4th step as “The directory is not empty”. If you get this error, most likely you have too much data to backup in your media folder. I had several gigabytes of video files in the folder which resulted in this error. To correct the problem, back up your media folder and remove the files from it, then proceed with the update. Once the update is completed you can put your media files back.
Also note that if you are using Chrome, once the update is complete, you may need to delete the browsing history and restart Chrome. I had to do this in order to get the Administration menu working properly.