Our customers are not vulnerable to this problem because of the way PHP is set up on our servers. You don’t need to worry about it.

Since this is a big deal, we’ve checked all the possibilities very carefully:

• PHP scripts that run without FastCGI;
• PHP scripts using FastCGI;
• Custom compiled PHP versions that use our “compile-and-install-php” shortcuts.

None of these are susceptible to the bug. The first and last aren’t vulnerable for the reason listed in comment 38 of that page (we use “AddHandler” instead of “Action”), and the FastCGI case isn’t vulnerable because the “wrapper script” we suggest doesn’t pass any user-supplied parameters through to the PHP binary.

So unless you’ve compiled your own version of PHP and installed it in a way that the PHP documentation recommends against for security reasons (and you’d certainly know if you’d done so), you’re safe.

As an extra measure, we’ve also added “mod_security” rules to block the most common “in the wild” attempted attacks that try to exploit this bug (based on seeing a very large number of them in our logs). These attackers can’t even start PHP running.

We’re investigating the underlying cause of this, and we sincerely apologize for the trouble if you were affected.

Our WordPress one-click installer automatically installs the latest version for new sites. If you’ve previously installed WordPress, you should upgrade it right away from within your WordPress Dashboard. (You should always do that when WordPress tells you there’s a new version available.)

That’s a problem, so we’ve had WordPress login “rate limiting” in place for a long time. When a single IP address tries loading the WordPress “wp-login.php” script many more times than a human would, we temporarily block that IP address from accessing the “wp-login.php” page until the requests stop for a while.

This works pretty well: we’ve blocked literally millions of password attempts this way. However, last week one of our customers had his site hijacked by someone who did indeed simply guess his WordPress password.

Part of this was unfortunately the customer’s responsibility for choosing a weak password — he chose a common dictionary word beginning with the letter “a” that could be easily guessed. In fact, it only took the hackers a few dozen tries to guess it. However, we were still surprised that they succeeded, since the rate limiting usually blocks this.

A detailed investigation revealed that these hackers were smarter than average. Instead of trying lots of passwords all at once, they tried them fairly slowly, making about one attempt every 20 minutes over several days.

To thwart this, we’ve made our rate limiting more strict — it “remembers” login attempts for a longer period, for example, and we now limit some IP addresses if they try as few as 12 login attempts per day. That still shouldn’t affect most human users, but just to make sure that’s not a problem, we’ve also added a feature that lets humans reset the rate limiting. You’ll see this option on the error page that rate-limited requests get redirected to if it ever happens to you.

As always, don’t hesitate to contact us if you have any problems or questions related to this.

Most customers will not notice any service interruption because we use redundant network providers, but in the worst case it can take up to about 90 seconds for certain parts of the Internet to see the changed “routes”. That means a brief interruption is theoretically possible for some connections. We’re announcing this just so you know that if you do see any problem, it will be resolved quickly.

Update 4:33 PM Pacific time: The maintenance has been completed.

This maintenance is necessary to install a mandatory MySQL security update that will upgrade the MySQL version to 5.1.61. We apologize for any inconvenience this causes.

Update 10:13 PM: The maintenance was completed with less than 30 seconds downtime on each server. Customers should not notice any changes, but as always, don’t hesitate to contact us with any questions or problems.

This was caused by a “hung” process that prevented a routine Apache Web server reload from completing. Other servers were not affected. Our staff restarted the server to stop the “hung” process, and the problem was resolved.

We sincerely apologize to customers affected by this incident. We’re considering possible underlying causes to prevent a recurrence.

Most customers will not notice anything, but the upgrade will cause approximately 30 seconds of slow Web page loading at some point during that hour as we delay incoming connections at the network level.

This maintenance is necessary to apply security and reliability fixes released by the Apache developers. (We’ve been using the upgraded version on our Webmail servers for several days, so it’s well tested.)

Update: The maintenance was completed at 10:03 PM Pacific time.

One of these involves a fake ad agency, and the other involves offers to upgrade outdated software on your site. Don’t fall for these!

What’s new about these?

“Phishing” messages have been around for years. Most of these revolve around the same basic idea: a stranger convinces a user to provide private information in exchange for a product or service. This information can be anything from your bank account number to a username and password.

So what’s different about these new messages? For starters, these newer messages are written by real people using complex language; they don’t look like something generated by an automated script, or by someone who doesn’t speak “business English”. But these messages also exploit another popular trend: content management systems.

Many users now rely on software like WordPress, Joomla, and phpBB to run their Web site. These software packages allow people to create and manage sophisticated Web sites that in the past would have required an experienced (and expensive) Web developer. As a result, users often rely more on third party software, and have become comfortable installing software based on description alone — without knowing how well tested it is or who wrote it. In fact, we’ve written about the threats of untested plugins before.

Both of the scams mentioned above exploit this new behavior. Users have been convinced to install custom software in order to provide a specific feature for their site, only to later find out that the software actually allows “hackers” to access their files and information.

How can I avoid this?

The most important thing to remember is to never give out any personal information to somebody you do not know. You should treat all unsolicited e-mail asking for personal information as a scam unless you can verify otherwise.

Also important is to never install unsolicited software. Stick to well tested software downloaded from verified Web sites. For example, while it doesn’t promise full security, the official WordPress plugins Web site does scan each file uploaded for common bits of malicious code before making them available to users. Combine that with many peer reviews of a popular plugin, and you can feel more assured in the quality and safety of the software you are installing.

Of course, Web site security isn’t completely up to you. We make sure to keep server-wide software updated on our end and to provide as much protection as possible at the server level. If you do your part, too, you’ll reduce the risk of problems dramatically.