WP Super Cache and W3 Total Cache security

Several people have asked us about the recent WordPress WP Super Cache and W3 Total Cache plugin security vulnerability.

For the most part, sites hosted on our servers aren’t vulnerable to this because we block comments that contain the malicious code.


WordPress login rate limiting (again)

We’ve talked before about WordPress login rate limiting. Attempts to guess WordPress administrator passwords are an ongoing problem, getting worse all the time.

The average WordPress site we host has received tens of thousands of malicious login attempts this month, with hundreds of thousands of different IP addresses being used in the attacks. We try to block the IP addresses that are responsible, but the ever-increasing number of addresses means we can’t block all of them — an individual address often attempts a login only once a day for a given site. We need to adopt other tactics.


Even my five-year-old son thinks you should always choose a .com domain name

We’re occasionally contacted by customers who report that mail isn’t arriving (when we can see that it is), or that their Web site is down (when we can see that it isn’t)… and the mystery is eventually solved by the customer saying “Oh! Never mind. I own something.org [or something.net, or something.biz, etc.], but the person who had the problem was typing something.com”. Sometimes people even make this mistake with their own domain name.

As far as most people are concerned, “.com” means “the Internet” (and vice-versa). You can tell people “something.biz” till you’re blue in the face, but they’ll still often remember it as “something.com”. That’s a real problem if you own one but not the other.


(Even more) WordPress login rate-limiting

Lots of people (and lots of our customers) use WordPress to run their Web sites. This unfortunately means that lots of “hackers” also try to guess the passwords of those sites.

That’s a problem, so we’ve had WordPress login “rate limiting” in place for a long time. When a single IP address tries loading the WordPress “wp-login.php” script many more times than a human would, we temporarily block that IP address from accessing the “wp-login.php” page until the requests stop for a while.

This works pretty well: we’ve blocked literally millions of password attempts this way. However, last week one of our customers had his site hijacked by someone who did indeed simply guess his WordPress password.
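To make the mechanism in this post and the earlier rate-limiting post concrete, here is an added example (not the host's own code) of a per-IP limiter for “wp-login.php” whose block lasts until the requests stop for a while, replayed over constructed traffic. The thresholds (10 hits per 60 seconds, 300-second cooldown) are assumptions, and the replay also shows the distributed pattern, one attempt per address, that a per-IP limit cannot catch.

```python
from collections import deque


class LoginRateLimiter:
    """Per-IP limiter for wp-login.php: an address that loads the login script
    far more often than a human would is blocked until it has been quiet for a
    full cooldown. Thresholds are hypothetical, not the host's real values."""

    def __init__(self, max_hits=10, window=60, cooldown=300):
        self.max_hits, self.window, self.cooldown = max_hits, window, cooldown
        self.hits = {}           # ip -> deque of recent wp-login.php timestamps
        self.blocked_until = {}  # ip -> time (seconds) at which the block expires

    def check(self, ts, ip, path):
        """Return 'allow' or 'block'. Only wp-login.php is metered."""
        if path != "/wp-login.php":
            return "allow"
        if ip in self.blocked_until:
            if ts < self.blocked_until[ip]:
                # Each attempt during the block extends it, so the block lifts
                # only once the requests have stopped for a while.
                self.blocked_until[ip] = ts + self.cooldown
                return "block"
            del self.blocked_until[ip]
        recent = self.hits.setdefault(ip, deque())
        recent.append(ts)
        while recent[0] <= ts - self.window:   # drop hits outside the window
            recent.popleft()
        if len(recent) > self.max_hits:
            self.blocked_until[ip] = ts + self.cooldown
            recent.clear()
            return "block"
        return "allow"


def constructed_events():
    """Constructed sample traffic, not a real log: one IP hammering wp-login.php
    every 2 seconds, then five IPs trying once each (the distributed pattern a
    per-IP limit cannot catch), then an ordinary page view."""
    events = [(2 * n, "203.0.113.5", "/wp-login.php") for n in range(15)]
    events += [(40 + i, f"198.51.100.{i}", "/wp-login.php") for i in range(1, 6)]
    events.append((50, "203.0.113.5", "/"))
    return events


def replay(events, **thresholds):
    """Run events through a fresh limiter; return {ip: {'allow': n, 'block': m}}."""
    limiter = LoginRateLimiter(**thresholds)
    summary = {}
    for ts, ip, path in sorted(events):
        counts = summary.setdefault(ip, {"allow": 0, "block": 0})
        counts[limiter.check(ts, ip, path)] += 1
    return summary


if __name__ == "__main__":
    for ip, counts in replay(constructed_events()).items():
        print(ip, counts)
```

The hammering address gets its first 10 attempts through and the remaining 5 blocked, while the five once-only addresses are all allowed, which is exactly why the post says other tactics are needed.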


Beware of strangers asking you to install software

Over the past week, we’ve seen customers falling victim to two separate scams that allowed strangers to gain access to their site by installing malicious software.

One of these involves a fake ad agency, and the other involves offers to upgrade outdated software on your site. Don’t fall for these!


Be careful installing WordPress plugins

Today we detected that one of our customers had installed a WordPress plugin on his blog that did something malicious: when the plugin was activated, it sent a stranger an e-mail message allowing full administrator access to the blog.

How did this happen? Well, our customer simply searched the WordPress plugin directory for “Contact Form”, saw the popular “Contact Form 7” plugin listed, then clicked “Install Now”. That all sounds reasonable.


When search engines swarm new posts

We saw an interesting problem today. One of our customers’ Web sites uses WordPress with WP Super Cache to (dramatically) improve its performance. Every time the customer posts new content, though, the site is immediately swarmed by search engines, feeds, robots, and other non-humans retrieving the new post. There are a lot of unnecessary duplicate requests, but even excluding the duplicates there are hundreds of requests arriving almost simultaneously.

Unfortunately, WP Super Cache is configured by default not to serve cached results to any request that contains an “equals sign” in the query string — and the plugin that notifies the other sites of new content is including an equals sign.

So rather than being immediately served from the cache, all of the new requests were run through WordPress PHP scripts, driving up the script usage and causing “503 Service Unavailable” errors for up to two minutes on that Web site (not for other Web sites on the same Web server, though; we have protection against that).


Slow folder switching in Outlook 2007

If you use Microsoft Outlook 2007 to read mail and you installed the December 2010 Outlook update, you might find that Outlook is slow to respond when you click between folders. Sometimes it can take several seconds.

This is caused by a bug in the Outlook update, not by a problem on our servers. To fix this, Microsoft recommends uninstalling the update for now.

AOL e-mail outage December 21 (resolved)

AOL.com had an outage lasting about 3 hours last night (from 11:24 PM Pacific time December 20 to 2:28 AM Pacific time December 21). This problem — a failure of AOL’s DNS servers — affected many people sending e-mail to AOL, and wasn’t related to our service (see this report and this one).

However, if you sent mail to an aol.com address during this time, your messages probably “bounced” with an error saying “Host or domain name not found. Name service error for name=aol.com”. If so, you should try sending the message again, and it will work normally. As always, we’ll continue to monitor AOL deliveries closely.

Why you shouldn’t rely on a single anti-spam blacklist

We got a couple of messages today from customers who sent e-mail to other people that was rejected — they got an error saying that all our mail servers are listed on the “ReputationAuthority anti-spam blacklist”.

Yikes! We take things like that very seriously — we go to great lengths (some would say extreme lengths) to make sure this doesn’t happen. So we investigated… and it turns out that the ReputationAuthority blacklist actually has a technical problem that’s making it reject all mail from all servers, not just from ours (see complaints on Twitter [1, 2] and elsewhere). People who use that blacklist to block spam aren’t getting any mail at all.
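As an added example (not the host's code) of how a receiving mail server can protect itself from a blacklist that has started rejecting everything: RFC 5782 requires an IPv4 DNSBL to list 127.0.0.2 and never list 127.0.0.1, so a list that answers for 127.0.0.1 is listing the whole Internet and can be set aside automatically, and a rejection can further be required to be confirmed by more than one independent list. The zone names and the offline resolver below are constructed placeholders; a real deployment would query DNS.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Reversed-octet lookup name, e.g. 99.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def list_is_sane(zone, resolve):
    """RFC 5782 self-test: an IPv4 DNSBL must list 127.0.0.2 and must not
    list 127.0.0.1. A list answering for 127.0.0.1 is listing everything,
    which is the failure mode described above, so it is set aside."""
    return (resolve(dnsbl_query_name("127.0.0.2", zone)) is not None
            and resolve(dnsbl_query_name("127.0.0.1", zone)) is None)


def naive_listed(ip, zone, resolve):
    """What a server that trusts one list blindly does: any answer means reject."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def reputation(ip, zones, resolve, min_listings=2):
    """Consult only lists that pass the self-test and reject only when at least
    min_listings independent lists agree (the threshold is an assumption)."""
    usable = [z for z in zones if list_is_sane(z, resolve)]
    listed = [z for z in usable if naive_listed(ip, z, resolve)]
    return {"usable": usable, "listed": listed, "reject": len(listed) >= min_listings}


# Placeholder zone names; real DNSBL zones would go here.
ZONES = ["good-a.example.invalid", "good-b.example.invalid", "broken.example.invalid"]


def constructed_resolver(name):
    """Constructed offline stand-in for a DNS A lookup (a real deployment would
    query DNS, e.g. with dnspython). The 'broken' list answers for every name,
    i.e. it lists the whole Internet; the two good lists list one address."""
    if name.endswith(".broken.example.invalid"):
        return "127.0.0.2"
    listed = {dnsbl_query_name(a, z) for z in ZONES[:2] for a in ("203.0.113.99", "127.0.0.2")}
    return "127.0.0.2" if name in listed else None


if __name__ == "__main__":
    print(reputation("198.51.100.7", ZONES, constructed_resolver))
    print(reputation("203.0.113.99", ZONES, constructed_resolver))
```

A server trusting only the broken list would reject 198.51.100.7, which no sane list has ever heard of; with the self-test and the quorum it is accepted, while 203.0.113.99, listed by both working lists, is still rejected.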
