Blocking very weak WordPress login passwords

Recently we’ve been seeing more and more WordPress sites maliciously “hacked” because the customer chose a weak password like “admin”, “password”, “temp”, “test”, or “wordpress”.

If you use a password like this, “hackers” may be able to guess it and log in within the handful of attempts that rate limiting allows before it blocks them. Rate limiting protects stronger passwords because guessing those takes far more attempts than it permits; it can’t protect a password that is on every attacker’s first-try list.

Hackers are using automated software to try to login to millions of WordPress sites every day with these passwords. Because so many sites are being compromised this way, we’ve taken the fairly radical step of blocking all WordPress logins that use them.

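One way to enforce a block like this inside WordPress itself, as an added example (not the hosting provider’s own implementation, which the post doesn’t show): a must-use plugin that rejects a login when the submitted password is on a deny-list, even though WordPress has already verified the password as correct. The deny-list, the `example_` function names and the error wording are this example’s own assumptions.

```php
<?php
/*
 * Added example, not code from the original post. Drop this file into
 * wp-content/mu-plugins/ to activate it on a site.
 * The deny-list and the helper names below are this example's own choices.
 */

// Constructed deny-list for illustration; a real one would be far longer
// (for instance a top-N list of leaked passwords).
const EXAMPLE_WEAK_PASSWORDS = array(
    'admin', 'password', 'temp', 'test', 'wordpress', '123456', 'letmein',
);

/**
 * True when $password is on the deny-list, or is one of those words with
 * trailing digits/punctuation bolted on ("admin2013!"), or is simply the
 * account's username or the first label of the site's host name.
 */
function example_is_weak_password( $password, $username, $site_host ) {
    $p = strtolower( trim( (string) $password ) );
    if ( '' === $p || in_array( $p, EXAMPLE_WEAK_PASSWORDS, true ) ) {
        return true;
    }
    $stem = rtrim( $p, '0123456789!@#$%^&*._-' );
    if ( '' !== $stem && in_array( $stem, EXAMPLE_WEAK_PASSWORDS, true ) ) {
        return true;
    }
    $label = strtolower( (string) strtok( (string) $site_host, '.' ) ); // "example" for example.com
    foreach ( array( strtolower( (string) $username ), $label ) as $tok ) {
        if ( '' !== $tok && ( $p === $tok || $stem === $tok ) ) {
            return true;
        }
    }
    return false;
}

/**
 * The wp_authenticate_user filter runs after WordPress has checked the
 * password hash and receives the plaintext password that was submitted.
 * Returning a WP_Error turns a correct-but-weak password into a failed login.
 */
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user; // an earlier check already rejected this login
    }
    $host = parse_url( home_url(), PHP_URL_HOST );
    if ( example_is_weak_password( $password, $user->user_login, $host ) ) {
        return new WP_Error(
            'weak_password',
            'This password is too easy to guess and has been blocked. Use the "Lost your password?" link to set a stronger one.'
        );
    }
    return $user;
}, 10, 2 );

/**
 * Also refuse to *set* such a password from the profile screen, so the
 * login-time block is rarely the first time anyone hears about it.
 * pass1 is the field name used by wp-admin/user-edit.php.
 */
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $host = parse_url( home_url(), PHP_URL_HOST );
    if ( example_is_weak_password( wp_unslash( $_POST['pass1'] ), $user->user_login, $host ) ) {
        $errors->add( 'weak_password', 'That password is on the list of commonly guessed passwords; please choose another.' );
    }
}, 10, 3 );
```

Because the filter runs after the hash comparison, a bot guessing a blocked password still costs the server one password-hash check per attempt; the block stops the takeover, not the load, so it complements rate limiting rather than replacing it.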
Sites hosted with us aren’t subject to website “cross-contamination”

One of our customers asked if multiple domain names hosted with us are vulnerable to “website cross-contamination”, a nasty security problem that can happen at many hosting companies when two different sites share the same “account”.

The answer is no. We intentionally handle multiple hosted domain names differently from the way most hosting companies handle extra hosted domain names, avoiding the problem.

Problems with mail forwarding from “@cs.com” addresses

A customer recently reported problems when forwarding mail sent from a “@cs.com” CompuServe address to a Yahoo or Gmail address. Yahoo completely rejects the forwarded message and Gmail puts it in a “spam” folder.

This is caused by a misconfiguration at cs.com, and happens whenever anyone, anywhere, forwards @cs.com mail. It’s not related to our service in particular. However, we’ve reported this to cs.com in the hope that they’ll fix it.

Until they do so, there’s no way to avoid this problem except by having the sender send mail directly to the final destination address, or converting the forwarding address to a mailbox. (This problem is another example of the general rule that “a mailbox is usually more reliable than a forwarding address, because forwarding involves two places where things can go wrong instead of just one”.)

Tip: Searching the Gmail spam folder

Customers who forward their mail to Gmail occasionally tell us that they can’t find a message they know someone sent them, even when they’ve searched Gmail for it.

These messages are often eventually found in the “Spam” or “Trash” folders of Gmail. What’s surprising is that by default, Gmail search doesn’t look in these folders at all, so people are (quite reasonably) sure it’s not there.

Old e-mail programs with expired SSL certificates

Some customers using very old e-mail programs (such as Microsoft Entourage and Netscape Mail) have complained that their programs have started showing a warning that the “Certificate Authority Is Expired” or “Unable to establish a secure connection”. These old e-mail programs have certificates for common “root certificate authorities” built into them, with expiration dates that have now passed. There is no way to update the root certificates which are built into these old programs, unfortunately, so these e-mail programs will always complain that the root certificates are expired and thus no longer valid. This is not a problem with our e-mail servers, but instead is a problem with the old e-mail programs — they were never expected to be used this long.

If this is happening to you, there are three possible actions.

WordPress plugin authors: Please use timeouts when contacting other servers

We occasionally hear from customers saying “my WordPress site suddenly got so slow it’s unusable”. When we look into these, the usual cause is that:

  • Our customer has installed a WordPress plugin;
  • The plugin attempts to contact another server as part of its normal operation;
  • But the other server isn’t working properly: it fails to respond to connection attempts.

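As an added example (not code from the original post or from any particular plugin), here is the pattern a plugin author can use so that a dead remote server costs the site one short timeout rather than hanging every page load. The function name, the negative-cache interval and the transient key are this example’s own assumptions; `wp_remote_get`, `get_transient` and `set_transient` are the standard WordPress APIs.

```php
<?php
/*
 * Added example, not from the original post. Shows the failure mode and the fix.
 */

/**
 * The failure mode: a plain file_get_contents() call has no timeout of its own
 * and waits for PHP's default_socket_timeout (60 seconds by default) on every
 * page view when the remote host accepts the connection but never answers.
 * With a few concurrent visitors every PHP worker is soon stuck here.
 */
function example_fetch_remote_json_slow( $url ) {
    $body = @file_get_contents( $url );
    return $body ? json_decode( $body, true ) : null;
}

/**
 * The fix: a hard timeout, plus a transient so the remote server is contacted
 * at most once per $ttl seconds, plus a short negative cache so a failure is
 * remembered instead of being retried on every page load.
 *
 * Returns the decoded JSON array, or null when no data is available.
 */
function example_fetch_remote_json( $url, $ttl = 600, $timeout = 3 ) {
    $key    = 'example_remote_' . md5( $url );
    $cached = get_transient( $key );
    if ( false !== $cached ) {
        // Either real data (an array) or the marker string from a recent failure.
        return ( 'failed' === $cached ) ? null : $cached;
    }

    $response = wp_remote_get( $url, array(
        'timeout'     => $timeout, // seconds the whole request may take
        'redirection' => 2,
        'sslverify'   => true,     // never disable this to "fix" a certificate error
    ) );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        // Negative cache: a dead server now costs one timeout per minute,
        // not one per page view.
        set_transient( $key, 'failed', 60 );
        return null;
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        set_transient( $key, 'failed', 60 );
        return null;
    }
    set_transient( $key, $data, $ttl );
    return $data;
}
```

The caller still has to cope with `null`: render the page without the remote data rather than showing an error, so that the other server’s outage never becomes this site’s outage. Moving the fetch into a WP-Cron job that only refreshes the transient in the background takes it off the page-render path entirely.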
WP Super Cache and W3 Total Cache security

Several people have asked us about the recent WordPress WP Super Cache and W3 Total Cache plugin security vulnerability.

For the most part, sites hosted on our servers aren’t vulnerable to this because we block comments that contain the malicious code.

WordPress login rate limiting (again)

We’ve talked before about WordPress login rate limiting. Attempts to guess WordPress administrator passwords are an ongoing problem, getting worse all the time.

The average WordPress site we host has received tens of thousands of malicious login attempts this month, with hundreds of thousands of different IP addresses being used in the attacks. We try to block the IP addresses that are responsible, but the ever increasing number of addresses means we can’t block all of them — an individual address often attempts a login only once a day for a given site. We need to adopt other tactics.

Even my five-year-old son thinks you should always choose a .com domain name

We’re occasionally contacted by customers who report that mail isn’t arriving (when we can see that it is), or that their Web site is down (when we can see that it isn’t)… and the mystery is eventually solved by the customer saying “Oh! Never mind. I own something.org [or something.net, or something.biz, etc.], but the person who had the problem was typing something.com”. Sometimes people even make this mistake with their own domain name.

As far as most people are concerned, “.com” means “the Internet” (and vice-versa). You can tell people “something.biz” till you’re blue in the face, but they’ll still often remember it as “something.com”. That’s a real problem if you own one but not the other.

(Even more) WordPress login rate-limiting

Lots of people (and lots of our customers) use WordPress to run their Web sites. This unfortunately means that lots of “hackers” also try to guess the passwords of those sites.

That’s a problem, so we’ve had WordPress login “rate limiting” in place for a long time. When a single IP address tries loading the WordPress “wp-login.php” script many more times than a human would, we temporarily block that IP address from accessing the “wp-login.php” page until the requests stop for a while.

This works pretty well: we’ve blocked literally millions of password attempts this way. However, last week one of our customers had his site hijacked by someone who did indeed simply guess his WordPress password.

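The per-IP mechanism described here (and referred to in the earlier “WordPress login rate limiting (again)” post, which explains why a distributed attack that uses each address only once a day slips past it) can be shown as an added example, not the hosting provider’s actual implementation: a sliding-window limiter that reads web-server access-log lines, counts requests to wp-login.php per client IP, blocks an address once it exceeds a threshold within the window, and keeps the block alive until that address has been quiet for a while. The thresholds, the log lines and the `example_` names are this example’s own assumptions.

```php
<?php
/*
 * Added example, not the hosting provider's code. Run with: php limiter.php
 */

const EXAMPLE_WINDOW_SECONDS = 300; // count attempts over the last 5 minutes
const EXAMPLE_MAX_ATTEMPTS   = 10;  // more wp-login.php requests than a human makes
const EXAMPLE_BLOCK_SECONDS  = 900; // block lapses after 15 quiet minutes

/** Parse one combined-format access-log line; null if it doesn't match. */
function example_parse_line( $line ) {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $ts ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

class ExampleLoginLimiter {
    private $hits    = array(); // ip => timestamps of recent wp-login.php requests
    private $blocked = array(); // ip => unix time at which the block expires

    /** Returns true when the request at $now from $ip should be refused. */
    public function check( $ip, $now ) {
        if ( isset( $this->blocked[ $ip ] ) ) {
            if ( $now < $this->blocked[ $ip ] ) {
                // A request during the block extends it: the block only lapses
                // once the client has stopped for EXAMPLE_BLOCK_SECONDS.
                $this->blocked[ $ip ] = $now + EXAMPLE_BLOCK_SECONDS;
                return true;
            }
            unset( $this->blocked[ $ip ], $this->hits[ $ip ] ); // quiet long enough; start over
        }
        $this->hits[ $ip ][] = $now;
        $cutoff = $now - EXAMPLE_WINDOW_SECONDS;
        $this->hits[ $ip ] = array_values( array_filter( $this->hits[ $ip ], function ( $t ) use ( $cutoff ) {
            return $t > $cutoff;
        } ) );
        if ( count( $this->hits[ $ip ] ) > EXAMPLE_MAX_ATTEMPTS ) {
            $this->blocked[ $ip ] = $now + EXAMPLE_BLOCK_SECONDS;
            return true;
        }
        return false;
    }
}

/** Run the limiter over log lines; returns [ip, time, 'allow'|'BLOCK'] per wp-login.php request. */
function example_decide( array $lines ) {
    $limiter   = new ExampleLoginLimiter();
    $decisions = array();
    foreach ( $lines as $line ) {
        $r = example_parse_line( $line );
        if ( ! $r || '/wp-login.php' !== parse_url( $r['path'], PHP_URL_PATH ) ) {
            continue; // only login traffic counts; ?action=... query strings are ignored
        }
        $decisions[] = array( $r['ip'], $r['time'], $limiter->check( $r['ip'], $r['time'] ) ? 'BLOCK' : 'allow' );
    }
    return $decisions;
}

// Constructed sample log: one bot hammering wp-login.php, one ordinary visitor,
// then the bot coming back after the block has lapsed.
$example_log = array();
for ( $i = 0; $i < 14; $i++ ) {
    $example_log[] = sprintf( '203.0.113.5 - - [10/Apr/2013:12:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"', $i );
}
$example_log[] = '198.51.100.7 - - [10/Apr/2013:12:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"';
$example_log[] = '198.51.100.7 - - [10/Apr/2013:12:00:41 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"';
$example_log[] = '198.51.100.7 - - [10/Apr/2013:12:00:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"';
$example_log[] = '203.0.113.5 - - [10/Apr/2013:12:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"';

if ( PHP_SAPI === 'cli' ) {
    // Expected: the bot's first 10 requests allow, requests 11-14 BLOCK, the
    // visitor's two login requests allow, and the bot's 12:16:00 request allows
    // again because its block expired at 12:15:13.
    foreach ( example_decide( $example_log ) as $d ) {
        printf( "%-13s %s %s\n", $d[0], date( 'H:i:s', $d[1] ), $d[2] );
    }
}
```

In production the decision would be enforced in front of PHP (the web server or a firewall returning an error for wp-login.php from blocked addresses), and the same logic applies to xmlrpc.php, which also accepts passwords. As the earlier post notes, an attacker spreading attempts across hundreds of thousands of addresses never trips a per-IP threshold like this one, which is why it has to be paired with blocking the passwords those attackers try first.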