What’s an SSL certificate? It activates the “padlock” icon for your site in a Web browser, showing that the connection is encrypted for security. You should use an SSL certificate if your visitors type sensitive data such as usernames, passwords or credit card numbers, because it ensures that “hackers” can’t intercept that data.

What’s changed?

SSL certificates need to be “signed” by a company that’s trusted by all the popular browser manufacturers. Until recently, only a few of these companies existed, meaning they could charge a premium for their service. Even with bulk discounts, the best price we could offer our customers was $99.

The SSL certificate market has changed a lot in the last couple of years, though. We’ve evaluated several other companies, and we’ve chosen to offer AlphaSSL certificates from GlobalSign at a remarkably lower price: just $19.

(SSL certificates also require a dedicated IP address, which is included at no extra charge in our Gold and Platinum plans. Even if you need to upgrade from our Silver plan, the new price still saves you a lot of money.)

We’ve tested the AlphaSSL certificates extensively (on our own secure Webmail pages) to make sure they work just as well as the old certificates and offer the same level of security. They do.

AlphaSSL certificates have a couple of other advantages, too:

• They can work with both the www and non-www versions of your site (such as “www.example.com” and “example.com”) at no extra charge.
• They include a clickable “security seal” you can place on your Web site for visitors to click to validate your Web site’s certificate. Our previous provider charged an extra $30 for that.

Ready to sign up?

See our support page for full details on using SSL certificates, including other available options like self-signed certificates.

You can easily order a certificate through our “My Account” control panel, and it will usually be installed within one business day.

Our Web hosting plan includes e-mail accounts, free domain name registration, and free WHOIS privacy (an option that often costs $8.99 or more elsewhere). Get the full details here.

This offer is available through January 15 at 5 PM Pacific time, and it’s for new accounts or transfers only — so sign up now if you’re in the market for Web hosting service.

This plan is still eligible for our Referral Rewards program (you’ll get 33% of the $20.10). So if you have friends who need hosting service, be sure to let them know about this special offer.

However, PHP 5 is now more than five years old, and the PHP developers declared version 4 obsolete in 2007. All our new customers have been using PHP 5 by default for more than a year, and we’ve received no complaints about incompatibilities.

No PHP script should require the obsolete PHP version 4 any more. Because of that, we’re beginning the process of removing it from our servers.

This is unlikely to cause any problems for customers, but we’ll do it in several steps during the rest of 2009 to ensure a smooth transition:

• Now: We no longer mention PHP 4 support on our Web site. Existing customers using PHP 4 are encouraged to switch to PHP 5.
• July 31: New customers who sign up after this date will never see the PHP 4 option in their control panel.
• August 1-31: We’ll identify existing customers who are still using PHP 4 and send e-mail notices asking them to upgrade.
• September 1: Existing customers using PHP 5 will no longer be able to downgrade to PHP 4 without manual assistance from our staff. Also, running “/usr/bin/php” from the command line (for example, from an ssh login or a cron job) will run /usr/bin/php5 instead of /usr/bin/php4.
• September 1-14: We’ll send PHP 4 customers final notices asking them to upgrade.
• September 15 – October 31: PHP 4 customers will be automatically upgraded to use PHP 5 and notified of the change (we’ll upgrade a small number of sites each day). Any customers who experience problems can notify us and downgrade to the old version for 30 days while they work to upgrade their scripts.
• December 1: PHP 4 software will be completely removed from our servers.

Don’t hesitate to contact us if you have any questions.

We are now seeing newer versions (commonly called “Gumblar”) which spread by inserting “script” tags with encoded JavaScript code. Because there are several variations of this approach, and because some legitimate commercial scripts use the same technique to hide their source code, we cannot perfectly identify and strip out these infections. Therefore, we will not automatically strip out the “script” tags from any upload file that looks suspicious.

If your Web site is infected, your best solution is to:

1. Scan your computer for malware. See our prior blog post for links to suggested scanning software.
2. Change your account password in our control panel (since your account password is also your FTP password).
3. Change the passwords for any additional FTP accounts you may have defined.
4. Re-upload (or “re-publish”) your Web site to our servers.

Of course, we always recommend that users run anti-virus software on their systems, and keep backups of their Web site files and data.

To view the most recent 200 lines of the error log, login to the control panel (having trouble?), click “Statistics and Logs”, and look at the new “Web site error logs” section.

To download the full raw error log files, see this page.

We hope you find this useful!

We’ve taken a step to protect you against this problem (described below), but it’s wise to protect yourself, too.

The way these viruses work is:

• You visit an infected Web page (on someone else’s site, not your own site) that loads a virus onto your personal computer.
• The virus examines your computer to see if you use any common FTP programs, and whether you’ve told those programs to save your username and password.
• It sends the usernames and passwords to a server controlled by “hackers”.
• The hackers make an automated FTP connection to our servers and download any HTML or PHP files they find.
• They modify those files to add HTML code (an “iframe” tag) that spreads the virus, then upload the changed files back to our servers.
• Your site starts spreading the virus to new victims.
• Within a few days, your site will be marked as “This site may harm your computer” on Google, causing the number of visitors to drop dramatically.

Obviously, you don’t want this to happen to you. It’s bad enough to be infected with a virus, but it’s even worse for your Web site to get a reputation as “harmful”.

The first thing to do is protect your computer against this kind of virus. Make sure that you’ve updated Windows and any Web browsers you use. Also make sure you’ve recently updated Adobe Reader or Adobe Acrobat (which allow your Web browser to display PDF files), since many Web viruses are spreading through an Adobe security vulnerability discovered just two months ago. (You can download the latest version of Adobe Reader from this page on the Adobe site.)

It’s also a good idea to scan your computer for “malware” every so often. Some of these infections disable standard virus scanners, so checking with a different program is wise even if you think you’re protected. One product that can detect these kinds of viruses is Malwarebytes.

If you’re really concerned about this, you might also avoid saving your password in your FTP program. It’s a little less convenient to type it each time, but it prevents these viruses from getting your password.

We mentioned that we’re doing something to protect you, too. We’ve modified our FTP servers to scan uploaded HTML and PHP files and automatically remove malicious “iframe” tags. If your computer does get infected with this kind of virus, this can prevent your site from spreading it and being listed as “harmful” in Google. (We’ll notify you if the system alters one of your files.)

Our servers currently only look for a couple of common “iframe” exploits, and we certainly can’t guarantee that we’ll catch them all. But it’s a good start — we’ve already caught and prevented several Web site infections.

Update 2009-05-19: The virus now also spreads via a “script” tag that we cannot filter out. Please see our newer post for more details.

Update 2009-10-01: The virus is also spreading through certain versions of the Adobe Flash player. You can update your copy from this page on the Adobe Web site. (These mentioned programs are not meant to be a comprehensive list of all vulnerabilities — you should keep all of your software up to date.)

No e-mail will be lost, of course; incoming mail will just be slightly delayed.

We apologize for any inconvenience this may cause. This maintenance is necessary to install an updated “kernel” on our servers, as described in an earlier post.

Update: We’re also going to include the “zapp” server in this maintenance to replace a disk in the RAID array.

Update 2: The maintenance was completed with less than five minutes of “downtime”.

AdWords ads run alongside or above Google™ search results, so you can reach new customers right at the moment when they are searching for keywords related to the products and services you offer.

This offer expired December 31, 2009.

No e-mail will be lost, of course; incoming mail will just be delayed for a few minutes.

We apologize for any inconvenience this may cause. This maintenance is necessary to install an updated “kernel” on our servers, as described in an earlier maintenance announcement.

Update: the maintenance was successfully completed on all servers with less than 5 minutes of “downtime”.

• Redundant outgoing mail delivery
• Automatic whitelisting of replies

Redundant outgoing mail delivery

One of the hardest things about running an outgoing mail server is dealing with obscure blacklists. Our strong anti-spam policy, outbound virus scanning, and rate-limiting systems do a good job of preventing outgoing spam and keeping our servers off major blacklists — but occasionally we hear about more obscure blacklist errors, too.

For example, one of our customers recently sent mail that was returned because one of our mail servers was on a blacklist we’d never heard of. We found that the blacklist tries to include every server that sends any kind of marketing mail, even when the messages have been explicitly requested and aren’t spam. As you’d expect, the blacklist includes servers run by large companies you deal with every day.

Fortunately, few people would use such a blacklist to block mail. In fact, the blacklist Web site explicitly tells people not to do so (you’re supposed to just use it to sort mail, marking messages from large companies as lower priority than personal mail). Unfortunately, some people think more mail-blocking blacklists are always better (which isn’t true, as Al Iverson’s excellent blacklist reviews explain).

To solve this rare-but-frustrating problem for our customers, we’ve added a feature that other companies don’t have. If an outgoing e-mail message from our servers is rejected, we try sending the message again from our secondary data center before “bouncing” it.

So every message you send is tried twice, if necessary, from two completely independent servers and IP address ranges. Since most blacklists block the IP address the mail is coming from, the chance that both attempts will be blocked by an obscure blacklist is low.

This should virtually eliminate the chance that your messages will be returned because of an obscure blacklist entry.

Automatic whitelisting of replies

We try to block as much incoming spam as possible — in fact, we’re blocking a higher percentage of it all the time. (Unfortunately, spammers just keep sending more and more, so the number of spam messages our customers receive remains about the same, unfortunately. Keeping it roughly the same is an accomplishment in itself.)

As we block more and more spam, we need to be careful that we don’t accidentally block a real message. One of the ways we do this is by “whitelisting” — allowing certain messages past our filters even if they look like spam.

We’ve always done some whitelisting, but for the last few months, our mail system has automatically remembered who you send mail to, then whitelisted the replies. Any reply someone sends to you won’t be blocked, no matter how much it looks like spam. (The only exception is certain kinds of forgeries flagged by SPF — that makes sure that if you send a message to PayPal, for example, we won’t incorrectly whitelist forged PayPal messages.)

This has advantages over the “add to your Webmail address book” whitelisting offered by some companies, because it works even if you use a mail program like Outlook on your own computer.