We’ve had a couple of people ask if our servers are vulnerable to the recent security bug in the bash shell, also known as the “shellshock” bug.
The answer is no. All copies of bash on all our servers were updated to a fixed (patched) version yesterday, within an hour of the news becoming public.
Update September 25, 2:58 PM: We’ve also applied a later, stronger version of the fix today. This will soon be announced as Debian Security Advisory DSA-3035-1 .
Update October 14: This process described below is complete. All the updates were installed, and we’re now using only Debian wheezy on all servers.
Over the last year, we’ve been slowly upgrading our servers from Debian Linux version 6 (codename “squeeze”) to version 7 (codename “wheezy”).
All the “prominent” software (such as the Apache Web server, MySQL, PHP, the Linux kernel, and so on) was updated months ago, one piece at a time, usually with individual announcements here on our blog. Any software with security or compatibility issues has also already been upgraded.
What’s left at the end of that process are many “minor” packages, each probably used by less than 1% of our customers. We’ll be upgrading the rest of these over the next 30 days.
Read the rest of this entry »
WordPress 4.0 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.
If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.
We strongly recommend keeping your WordPress installation up to date (and using unguessable passwords)! You should first update the active theme and plugins, then delete all inactive themes and plugins, and then update the core WordPress files.
We’ve updated the default version of the Ruby scripting language on our servers from 1.8.7 to 1.9.3.
Read the rest of this entry »
If your site uses an SSL certificate from us, our servers now provide an important feature called perfect forward secrecy.
Read the rest of this entry »
Google is fairly aggressive about checking for malware on Web sites. When they find a site distributing malware, they make a note of the details and try to warn visitors.
Read the rest of this entry »
The PHP developers recently released versions 5.4.31 and 5.5.15 that fix several bugs. We’ve updated PHP 5.4 and 5.5 on our servers as a result.
Read the rest of this entry »
One of our customers asked if multiple domain names hosted with us are vulnerable to “website cross-contamination”, a nasty security problem that can happen at many hosting companies when two different sites share the same “account”.
The answer is no. We intentionally handle multiple hosted domain names differently from the way most hosting companies handle extra hosted domain names, avoiding the problem.
Read the rest of this entry »
Over the last few days, we’ve been tracking an ever-increasing distributed attack on the WordPress xmlrpc.php service.
We’ve previously seen and blocked attacks on this file that tried to post spam comments or act as a denial of service amplifier, but this attack is different: it tries to guess WordPress usernames and passwords.
As a result, we’ve applied more aggressive blocking than usual to the attack. It’s remotely possible that the blocking could cause legitimate third-party WordPress “apps” and services to be unable to access your blog (although it can’t cause problems when just visiting WordPress in a normal Web browser); don’t hesitate to contact us if you’re one of our customers having trouble.
Just so it’s clear, we’ve blocked this attack for all our hosting customers. But the rest of this post has some technical details that may help other people trying to do the same.
Read the rest of this entry »
We often get reports from customers saying they’ve been blocked from their WordPress sites with a strange generic error message or blank page.
When we investigate, it’s common to find that it happened because they installed a security plugin that has made a mistake — a “false positive” — and blocked the site owner.
Read the rest of this entry »
