PHP versions 7.4.27 and 8.0.14

The PHP developers recently released versions 7.4.27 and 8.0.14 that fix several bugs. We’ve upgraded the PHP 7.4 and 8.0 series on our servers as a result.

These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.

Protection against setting the WordPress default “role” to “Administrator”

If you use WordPress, and you allow strangers to register for WordPress accounts (which isn’t usually a good idea, but some plugins require it), it’s possible to accidentally configure it so that those new users get created as WordPress administrators. That can happen simply by doing this:

Allowing this is a serious flaw that was supposed to be fixed in WordPress itself some time ago, but the problem still exists.

We don’t think it’s reasonable to ever create new users as “Administrators” by default, regardless of whether you have “anyone can register” turned on. (Even if “anyone can register” is turned off now, it would be easy to turn it on later without remembering to change the default role back.)

To make sure our customers’ sites stay secure, we’ve added some protections against this:

  • Setting the “New User Default Role” to “Administrator” is blocked at the Web Application Firewall (mod_security) level on our servers, whether from the WordPress dashboard or from any other web request;
  • If it somehow gets set anyway, our security systems will detect it as part of the daily security scan we do of every site;
  • If your site already had this setting as of today, we’ve restored it to the default “Subscriber” role.

Nobody should notice any changes as a result of this, but as always, don’t hesitate to contact us if you have any questions or difficulties.

Our servers are not vulnerable to the December 2021 Log4Shell / Log4j security bug

Customers have asked us whether our servers are vulnerable to the recent serious security bug (called “Log4Shell”) in software named “Log4j”.

The good news is that we don’t use the Log4j software anywhere on our servers, and never have. We’ve verified in multiple ways that our servers are not vulnerable to this problem.

That said, we always believe in “defense in depth” when it comes to security, so we’ve also added rules to our web application firewall that will block any IP addresses making attempts to exploit this bug.

PHP versions 7.4.26 and 8.0.13

The PHP developers recently released versions 7.4.26 and 8.0.13 that fix several bugs. We’ve upgraded the PHP 7.4 and 8.0 series on our servers as a result.

These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.

PHP version 7.3.33

The PHP developers recently released version 7.3.33 that fixes a security bug. We’ve upgraded the PHP 7.3 series on our servers as a result.

This change should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.

PHP versions 7.4.25 and 8.0.12

The PHP developers recently released versions 7.4.25 and 8.0.12 that fix several bugs. We’ve upgraded the PHP 7.4 and 8.0 series on our servers as a result.

These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.

Seeing warnings about an expired SSL certificate?

If you’re seeing warnings in your web browser or mail program saying that an SSL certificate has expired (whether it’s for our tigertech.net site, for a site we host, or for millions of other sites completely unrelated to us, like dictionary.com), that’s happening because a “root” SSL certificate distributed as part of your computer operating system has expired.

This can happen if you’re using a computer or program that hasn’t been updated for at least five years (that’s when Microsoft, Apple and others started providing replacement certificates with their updates).

There are many pages online that talk about this in technical terms (here and here, for example), but the short answer to “how do I fix this” is to update your computer operating system if you can. That will fix everything.

If you can’t update your computer, you can use a recent version of the Mozilla Firefox web browser to avoid the problem when viewing websites. That works because Firefox includes its own updated root SSL certificates, instead of using the outdated ones that came with your computer and haven’t been updated.

If you’re using an old version of a mail program that shows an error, it may allow you to add an “exception” or check a box telling it to always trust the certificate anyway — it might look like this if you show the certificate details, for example:

If it doesn’t allow that, you can either disable SSL in the settings of that mail program (for example, by unchecking the “Use SSL” checkbox in older versions of Apple Mail), or you can use the Firefox web browser to read your mail using webmail. If you’re one of our customers, that’s at webmail.tigertech.net.

Read the rest of this entry »

PHP versions 7.3.31, 7.4.24 and 8.0.11

The PHP developers recently released versions 7.3.31, 7.4.24 and 8.0.11 that fix several bugs. We’ve upgraded the PHP 7.3, 7.4 and 8.0 series on our servers as a result.

These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.

PHP versions 7.3.30, 7.4.23 and 8.0.10

The PHP developers recently released versions 7.3.30, 7.4.23 and 8.0.10 that fix several bugs. We’ve upgraded the PHP 7.3, 7.4 and 8.0 series on our servers as a result.

These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.

MariaDB (MySQL) database server update from 10.3 to 10.5

Over the next three weeks, we’ll be updating the MariaDB (MySQL) database server software on all our servers from the MariaDB 10.3 series to the MariaDB 10.5 series (equivalent to the Oracle MySQL 8.0 series).

The MariaDB/MySQL database stores pages for WordPress and other sites that are run by scripts. Customers should not notice any difference after this change; we’re upgrading it to a more recent version simply to make sure it’s as fast, reliable and secure as possible. We’ve been using the new version on internal and test servers for some time.

At the moment the software is updated on a server, WordPress and other database-backed sites on that server will have 30-60 seconds of unavoidable “downtime”. To minimize the impact of that, we do these upgrades only on Friday, Saturday and Sunday nights between 9 PM and midnight Pacific time (midnight-3 AM Eastern time). We expect this process to be complete on all servers by September 6.

Beyond that one-time brief interruption in service, customers should not notice any difference to how their site works, as we said. But as always, don’t hesitate to contact us if you have any trouble or questions.

Update 9:24 PM Pacific time September 5: This upgrade has been completed on all servers.