PHP 5.3.29, 5.4.34, and 5.5.18

The PHP developers recently released versions 5.3.29, 5.4.34, and 5.5.18 that fix several bugs. We’re upgrading PHP 5.3, 5.4 and 5.5 on our servers as a result (this will be complete on all servers within 24 hours).

These changes should not be noticeable, but in the unlikely event you experience any trouble, don’t hesitate to contact us.

About the “POODLE” SSL security bug

Internet security researchers recently announced an SSL security bug nicknamed POODLE that affects SSL version 3 (“SSLv3”) connections.

The POODLE bug sounds similar to the Heartbleed SSL bug (which is probably why it’s getting so much press), but we should mention that it’s less of a risk: For POODLE to cause a security problem, someone would need to be able to intercept website traffic between a visitor’s older web browser and a secure site to start with — i.e., an attacker would need to have first “tapped” the network traffic to the affected site. That’s not impossible, and is certainly a particular concern for large sites, but it’s a relatively low risk for most sites. This isn’t the first “man-in-the-middle” SSL bug, and probably won’t be the last.

In any case, the impact of this bug is minimized because our servers support something called “TLS_FALLBACK_SCSV”. This prevents the attack with current versions of the Google Chrome browser, even if someone is intercepting all your network traffic. It will also prevent it with forthcoming versions of other major browsers like Firefox.

Read the rest of this entry »

Brief MySQL scheduled maintenance October 24 2014 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday October 24 2014, the MySQL database software on each of our servers will be upgraded from version 5.5.38 to 5.5.40. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 9:23 PM Pacific time: The maintenance was completed and all services are running normally.

Protection against a critical Drupal security bug

The authors of the Drupal CMS software recently announced a “highly critical” Drupal security bug (CVE-2014-3704). This vulnerability is being very widely exploited: If you use Drupal 7 on a server without protection, and you haven’t upgraded to Drupal 7.32, your site is soon going to be compromised (taken over by “hackers”).

To protect our customers who have installed Drupal, yesterday we added security rules to block the common attacks. And today, we “patched” the vulnerable “” file on every copy of Drupal on our servers, blocking the more complicated attacks that we expect to see in the future.

So our customers are protected against this particular problem. But that doesn’t mean you shouldn’t upgrade Drupal: older versions also have other security bugs. So if you’ve installed the Drupal 7 software on your site, please make absolutely sure you’ve upgraded to version 7.32 today.

Read the rest of this entry »

Blocking very weak WordPress login passwords

Recently, we’ve been seeing more and more WordPress sites maliciously “hacked” because the author chose a very weak password like “admin”, “password”, “temp”, “test”, or “wordpress”.

If you use a password like this, “hackers” can login before rate-limiting stops them from guessing stronger passwords.

Hackers are using automated software to try to login to millions of WordPress sites every day with these passwords. Because so many sites are being compromised this way, we’ve taken the fairly radical step of blocking all WordPress logins that use them.

Read the rest of this entry »

SSL certificates and SHA algorithms

This post describes a significant change in the way Web browsers recognize certain kinds of SSL certificates. We’re making sure that all SSL certificates bought from us are compatible with this change, and most customers can ignore the rest of this post, which has technical details.

Read the rest of this entry »

Our servers are not vulnerable to the bug in “bash”

We’ve had a couple of people ask if our servers are vulnerable to the recent security bug in the bash shell, also known as the “shellshock” bug.

The answer is no. All copies of bash on all our servers were updated to a fixed (patched) version yesterday, within an hour of the news becoming public.

Update September 25, 2:58 PM: We’ve also applied a later, stronger version of the fix today. This will soon be announced as Debian Security Advisory DSA-3035-1 .

Upcoming Debian “wheezy” software upgrades

Update October 14: This process described below is complete. All the updates were installed, and we’re now using only Debian wheezy on all servers.

Over the last year, we’ve been slowly upgrading our servers from Debian Linux version 6 (codename “squeeze”) to version 7 (codename “wheezy”).

All the “prominent” software (such as the Apache Web server, MySQL, PHP, the Linux kernel, and so on) was updated months ago, one piece at a time, usually with individual announcements here on our blog. Any software with security or compatibility issues has also already been upgraded.

What’s left at the end of that process are many “minor” packages, each probably used by less than 1% of our customers. We’ll be upgrading the rest of these over the next 30 days.

Read the rest of this entry »

WordPress 4.0

WordPress 4.0 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

We strongly recommend keeping your WordPress installation up to date (and using unguessable passwords)! You should first update the active theme and plugins, then delete all inactive themes and plugins, and then update the core WordPress files.

Network interruption August 29 2014 (resolved)

Between 5:29 and 5:42 PM Pacific time, one of our upstream network providers had connectivity problems, causing many people to be unable to reach any of our servers.

We have resolved this by removing that provider from our network while we investigate the issue with them, and all services are now working normally.