Although we haven’t offered the long-obsolete PHP 5.2 series to new customers for some time, some who signed up long ago are still using it.
(New customers have defaulted to using PHP 5.5 for the last few months, and PHP 5.3 was the default for several years before that. We’ve also previously nagged everyone still using PHP 5.2 by e-mail, asking them to upgrade to at least PHP 5.3.)
For those customers still using PHP 5.2 despite the nagging, this is just a quick note that we’ve “rebuilt” PHP 5.2.17 for technical reasons to allow it to keep running on our systems. It now uses slightly newer versions of various libraries, including libxml, FreeType, ImageMagick, MySQL, and OpenSSL. The rebuilt version will be deployed on all our servers within the next few hours.
These changes should not be noticeable. In the unlikely event you experience any trouble, don’t hesitate to contact us.
The PHP developers recently released versions 5.4.36 and 5.5.20 that fix several bugs. We’re upgrading PHP 5.4 and 5.5 on our servers as a result. This will be complete on all servers by 5 PM Pacific time on Monday (January 6).
In addition, PHP 5.3.29 has been upgraded to use ionCube Loader 4.7.3.
These changes should not be noticeable, but in the unlikely event you experience any trouble, don’t hesitate to contact us.
We’ve recently upgraded the Dovecot mail server software we use, and a new feature allows us to do something we’ve wanted to do for a long time: compress stored mail on our servers. We’ll be starting to do that over the next few weeks.
Compressing mail happens invisibly on our end. It makes no difference to what you see in your mail program, and you don’t need to do anything or worry about it.
The benefit to our customers is that it saves 20-30% of the disk space the messages use. While most of our customers don’t store very large amounts of mail on our servers, those who do will see their disk space usage drop by 20-30%.
WordPress 4.1 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.
If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.
By the way, the new WordPress 4.1 Twenty Fifteen theme doesn’t display a default navigation menu, unlike earlier themes. To ensure you’ll always see a list of the pages on your site, our installer now adds a Pages widget at the top of the sidebar for new installations. If you later create a custom navigation menu, you’ll see two lists of pages in the sidebar. You can just delete the extra Pages widget if that happens to you.
Due to a problem with the Mailman list management software, some Mailman list mail sent yesterday (December 2) and this morning (December 3) was delayed (although most was delivered normally).
We’ve resolved this. All delayed list mail has been delivered, although some messages may have arrived out of order due to the delay.
The PHP developers recently released versions 5.3.29, 5.4.34, and 5.5.18 that fix several bugs. We’re upgrading PHP 5.3, 5.4 and 5.5 on our servers as a result (this will be complete on all servers within 24 hours).
These changes should not be noticeable, but in the unlikely event you experience any trouble, don’t hesitate to contact us.
Internet security researchers recently announced an SSL security bug nicknamed POODLE that affects SSL version 3 (“SSLv3”) connections.
The POODLE bug sounds similar to the Heartbleed SSL bug (which is probably why it’s getting so much press), but we should mention that it’s less of a risk: For POODLE to cause a security problem, someone would need to be able to intercept website traffic between a visitor’s older web browser and a secure site to start with — i.e., an attacker would need to have first “tapped” the network traffic to the affected site. That’s not impossible, and is certainly a particular concern for large sites, but it’s a relatively low risk for most sites. This isn’t the first “man-in-the-middle” SSL bug, and probably won’t be the last.
In any case, the impact of this bug is minimized because our servers support something called “TLS_FALLBACK_SCSV”. This prevents the attack with current versions of the Google Chrome browser, even if someone is intercepting all your network traffic. It will also prevent it with forthcoming versions of other major browsers like Firefox.
The authors of the Drupal CMS software recently announced a “highly critical” Drupal security bug (CVE-2014-3704). This vulnerability is being very widely exploited: If you use Drupal 7 on a server without protection, and you haven’t upgraded to Drupal 7.32, your site is soon going to be compromised (taken over by “hackers”).
To protect our customers who have installed Drupal, yesterday we added security rules to block the common attacks. And today, we “patched” the vulnerable “database.inc” file on every copy of Drupal on our servers, blocking the more complicated attacks that we expect to see in the future.
So our customers are protected against this particular problem. But that doesn’t mean you shouldn’t upgrade Drupal: older versions also have other security bugs. So if you’ve installed the Drupal 7 software on your site, please make absolutely sure you’ve upgraded to version 7.32 today.
Recently, we’ve been seeing more and more WordPress sites maliciously “hacked” because our customer chose a weak password like “admin”, “password”, “temp”, “test”, or “wordpress”.
If you use a password like this, “hackers” may be able to guess it and log in before rate-limiting stops them from guessing stronger passwords.
Hackers are using automated software to try to log in to millions of WordPress sites every day with these passwords. Because so many sites are being compromised this way, we’ve taken the fairly radical step of blocking all WordPress logins that use them.
This post describes a significant change in the way Web browsers recognize certain kinds of SSL certificates. We’re making sure that all SSL certificates bought from us are compatible with this change, and most customers can ignore the rest of this post, which has technical details.