Beware of strangers asking you to install software

Over the past week, we’ve seen customers falling victim to two separate scams that allowed strangers to gain access to their site by installing malicious software.

One of these involves a fake ad agency, and the other involves offers to upgrade outdated software on your site. Don’t fall for these!

Be careful installing WordPress plugins

Today we detected that one of our customers had installed a WordPress plugin on his blog that did something malicious: when the plugin was activated, it sent a stranger an e-mail message allowing full administrator access to the blog.

How did this happen? Well, our customer simply searched the WordPress plugin directory for “Contact Form”, saw the popular “Contact Form 7” plugin listed, then clicked “Install Now”. That all sounds reasonable.

When search engines swarm new posts

We saw an interesting problem today. One of our customers’ Web sites uses WordPress with WP Super Cache to (dramatically) improve its performance. Every time the customer posts new content, though, the site is immediately swarmed by search engines, feeds, robots, and other non-humans retrieving the new post. There are a lot of unnecessary duplicate requests, but even excluding the duplicates there are hundreds of requests arriving almost simultaneously.

Unfortunately, WP Super Cache is configured by default not to serve cached results to any request that contains an “equals sign” in the query string — and the plugin that notifies the other sites of new content is including an equals sign.

So rather than being immediately served from the cache, all of the new requests were run through WordPress PHP scripts, driving up the script usage and causing “503 Service Unavailable” errors for up to two minutes on that Web site (not for other Web sites on the same Web server, though; we have protection against that).

Slow folder switching in Outlook 2007

If you use Microsoft Outlook 2007 to read mail and you installed the December 2010 Outlook update, you might find that Outlook is slow to respond when you click between folders. Sometimes it can take several seconds.

This is caused by a bug in the Outlook update, not by a problem on our servers. To fix this, Microsoft recommends uninstalling the update for now.

AOL e-mail outage December 21 (resolved)

AOL.com had an outage lasting about 3 hours last night (from 11:24 PM Pacific time December 20 to 2:28 AM Pacific time December 21). This problem — a failure of AOL’s DNS servers — affected many people sending e-mail to AOL, and wasn’t related to our service (see this report and this one).

However, if you sent mail to an aol.com address during this time, your messages probably “bounced” with an error saying “Host or domain name not found. Name service error for name=aol.com”. If so, you should try sending the message again, and it will work normally. As always, we’ll continue to monitor AOL deliveries closely.

Why you shouldn’t rely on a single anti-spam “blocklist”

We got a couple of messages today from customers who sent e-mail to other people that was rejected — they got an error saying that all our mail servers are listed on the “ReputationAuthority” anti-spam blocklist.

Yikes! We take things like that very seriously — we go to great lengths (some would say extreme lengths) to make sure this doesn’t happen. So we investigated… and it turns out that the ReputationAuthority list actually has a technical problem that’s making it reject all mail from all servers, not just from ours (see complaints on Twitter [1, 2] and elsewhere). People who use that list to block spam aren’t getting any mail at all.

Planning your move away from FrontPage

Many years ago, Microsoft’s “FrontPage” Web design software was a popular choice for creating small Web sites. However, Microsoft discontinued FrontPage in 2006, and you can’t buy the FrontPage program any more.

Quite a few of our customers are still using FrontPage to design and upload their Web sites, though. We’re starting to see more and more problems from customers who have upgraded to a new computer running Windows Vista or Windows 7 but can no longer run FrontPage. (Sometimes their old computer just suddenly crashes and can’t be recovered.) Their old computer probably had a copy of FrontPage installed by the manufacturer, but their new computer doesn’t.

It can be difficult or impossible to get FrontPage running on a new PC if you can’t find the original installation CDs, or you aren’t licensed to use FrontPage on the new PC. In some cases, the old FrontPage software doesn’t install or work well on the latest versions of Windows. In these situations, you can’t even open the old FrontPage files on the new computer.

Good news, everyone! Futurama is back!

We’re big fans of Futurama here at Tiger Technologies, so we’re excited about its return to the Interwaves. (We hesitate to make the “Good news, everyone!” reference, but it’s just so obvious…)

We thought the recent 2-hour movies were OK if a little, um, “uneven.” But we have high hopes (“higher than sugar cane growing on Mount Everest”) that the Futurama team will hit their stride and churn out some great episodes.

The fun starts with two back-to-back episodes tomorrow night (Thursday) at 10pm on Comedy Central. Set your TiVos!

Protect your WordPress login

Update: This post is outdated. We now offer SSL certificates for free to all customers, and recommend that you make your entire WordPress blog use SSL (rather than just making the dashboard SSL using the FORCE_SSL_ADMIN trick described below).

Do you log in to your WordPress blog securely? Are your username and password encrypted so that “hackers” can’t steal them and then break into your blog? (Probably not!)

By default, each WordPress blog is configured to send the login username and password as plain (unencrypted) text. If a hacker can see what you are sending during your login, they can easily steal your username and password. This can happen if you have a virus installed on your computer. It can also happen if your computer is virus-free but connects via WiFi. If your main computer uses a wireless connection, or if you or other users of your blog ever log in with their laptops — blogging from a coffee shop, anyone? — remember that these connections can be insecure, and could be susceptible to revealing your password.

You can protect your blog by installing an “SSL certificate” and configuring WordPress to require secure logins. Your browser will then encrypt your username and password so that no one can intercept them.

WordPress security thoughts

In the last few days, there’s been a lot of talk on the Internet about the security of WordPress blog software.

Several shared hosting companies apparently allow customers to view the text of other customers’ files by default, and that allows malicious customers to discover the database password of another site (from the “wp-config.php” file) and alter the site.
