Old e-mail programs with expired SSL certificates

Some customers using very old e-mail programs (such as Microsoft Entourage and Netscape Mail) have complained that their programs have started showing a warning that the “Certificate Authority Is Expired” or “Unable to establish a secure connection”. These old e-mail programs have certificates for common “root certificate authorities” built into them, with expiration dates that have now passed. There is no way to update the root certificates which are built into these old programs, unfortunately, so these e-mail programs will always complain that the root certificates are expired and thus no longer valid. This is not a problem with our e-mail servers, but instead is a problem with the old e-mail programs — they were never expected to be used this long.

If this is happening to you, there are three possible actions.

WordPress plugin authors: Please use timeouts when contacting other servers

We occasionally hear from customers saying “my WordPress site suddenly got so slow it’s unusable”. When we look into these, the usual cause is that:

  • Our customer has installed a WordPress plugin;
  • The plugin attempts to contact another server as part of its normal operation;
  • But the other server isn’t working properly: it fails to respond to connection attempts.

WP Super Cache and W3 Total Cache security

Several people have asked us about the recent WordPress WP Super Cache and W3 Total Cache plugin security vulnerability.

For the most part, sites hosted on our servers aren’t vulnerable to this because we block comments that contain the malicious code.

WordPress login rate limiting (again)

We’ve talked before about WordPress login rate limiting. Attempts to guess WordPress administrator passwords are an ongoing problem, getting worse all the time.

The average WordPress site we host has received tens of thousands of malicious login attempts this month, with hundreds of thousands of different IP addresses being used in the attacks. We try to block the IP addresses that are responsible, but the ever increasing number of addresses means we can’t block all of them — an individual address often attempts a login only once a day for a given site. We need to adopt other tactics.

Even my five-year-old son thinks you should always choose a .com domain name

We’re occasionally contacted by customers who report that mail isn’t arriving (when we can see that it is), or that their Web site is down (when we can see that it isn’t)… and the mystery is eventually solved by the customer saying “Oh! Never mind. I own something.org [or something.net, or something.biz, etc.], but the person who had the problem was typing something.com”. Sometimes people even make this mistake with their own domain name.

As far as most people are concerned, “.com” means “the Internet” (and vice-versa). You can tell people “something.biz” till you’re blue in the face, but they’ll still often remember it as “something.com”. That’s a real problem if you own one but not the other.

(Even more) WordPress login rate-limiting

Lots of people (and lots of our customers) use WordPress to run their Web sites. This unfortunately means that lots of “hackers” also try to guess the passwords of those sites.

That’s a problem, so we’ve had WordPress login “rate limiting” in place for a long time. When a single IP address tries loading the WordPress “wp-login.php” script many more times than a human would, we temporarily block that IP address from accessing the “wp-login.php” page until the requests stop for a while.

This works pretty well: we’ve blocked literally millions of password attempts this way. However, last week one of our customers had his site hijacked by someone who did indeed simply guess his WordPress password.

Beware of strangers asking you to install software

Over the past week, we’ve seen customers falling victim to two separate scams that allowed strangers to gain access to their site by installing malicious software.

One of these involves a fake ad agency, and the other involves offers to upgrade outdated software on your site. Don’t fall for these!

Be careful installing WordPress plugins

Today we detected that one of our customers had installed a WordPress plugin on his blog that did something malicious: when the plugin was activated, it sent a stranger an e-mail message allowing full administrator access to the blog.

How did this happen? Well, our customer simply searched the WordPress plugin directory for “Contact Form”, saw the popular “Contact Form 7” plugin listed, then clicked “Install Now”. That all sounds reasonable.

When search engines swarm new posts

We saw an interesting problem today. One of our customers’ Web sites uses WordPress with WP Super Cache to (dramatically) improve its performance. Every time the customer posts new content, though, the site is immediately swarmed by search engines, feeds, robots, and other non-humans retrieving the new post. There are a lot of unnecessary duplicate requests, but even excluding the duplicates there are hundreds of requests arriving almost simultaneously.

Unfortunately, WP Super Cache is configured by default not to serve cached results to any request that contains an “equals sign” in the query string — and the plugin that notifies the other sites of new content is including an equals sign.

So rather than being immediately served from the cache, all of the new requests were run through WordPress PHP scripts, driving up the script usage and causing “503 Service Unavailable” errors for up to two minutes on that Web site (not for other Web sites on the same Web server, though; we have protection against that).

Slow folder switching in Outlook 2007

If you use Microsoft Outlook 2007 to read mail and you installed the December 2010 Outlook update, you might find that Outlook is slow to respond when you click between folders. Sometimes it can take several seconds.

This is caused by a bug in the Outlook update, not by a problem on our servers. To fix this, Microsoft recommends uninstalling the update for now.