Over the next month or so, we’ll be upgrading the POP and IMAP software we use for e-mail mailboxes. We don’t expect customers to notice any change (except possibly improved speed) or experience any service interruption at all; we’re mentioning it just for completeness.
A popular piece of software called “TimThumb” (aka “timthumb.php”) was recently found to have a security bug that allows “hackers” to take over Web sites that use it (more info here).
Some popular custom WordPress themes include TimThumb as part of their features, making those themes vulnerable to this problem. (Just so it’s clear, TimThumb isn’t specific to WordPress, but that’s probably where it’s most commonly used.)
If you use WordPress and your Dashboard tells you to update your theme, you should do so right away (in fact, you should always update an outdated theme or plugin right away).
However, we’ve also added security rules to our servers to protect our Web hosting customers who haven’t yet upgraded. Other people may find the rules useful if they use mod_security on Apache Web servers. The rest of this post contains more technical details.
We’ve updated phpMyAdmin to the latest version, 3.4.3.1.
We’ve installed a PHP 5 security update. Customers should not notice any changes; the update just fixes several security issues in PHP 5.
WordPress 3.2 was released a couple of days ago, and it looks like a great update. (We even contributed a little bit of performance-improving code to it ourselves.)
Our WordPress one-click installer automatically installs the latest version for new installs.
If you’ve previously installed WordPress, you can upgrade it from within your WordPress Dashboard. You should always do that when WordPress tells you there’s a new version available.
Many, many years ago, some e-mail programs didn’t use a password when sending outgoing mail. That meant they didn’t work with many mail servers, including ours. To help customers with that problem, we used to allow a horrible alternate method called “POP before SMTP”, although it was never recommended or officially supported (it was unreliable and made it harder for us to prevent spam).
Well, here we are in a new millennium (“welcome!”). No popular mail program has needed “POP before SMTP” for more than a decade, and only a small handful of our customers are still using it. But spammers are continually trying to take advantage of the security problems it creates for all e-mail addresses, making it just as much of a nuisance on our end as it ever was.
Because of that, we no longer allow e-mail addresses to send mail using “POP before SMTP” unless they were previously doing so. In other words, if an address wasn’t using “POP before SMTP” before now, it won’t be able to start using it in the future.
We’ve updated our servers with a Perl security bug fix. This won’t affect most customers, but read on if you know you use Perl scripts on your site.
Microsoft FrontPage was once a popular Web design program. Microsoft stopped selling FrontPage in 2006, though, and we’ve been warning about the end of FrontPage support for a while now (on both our support pages and our blog).
That time has now arrived. Our FrontPage support for new sites will end on September 1, 2011, and support for existing sites will end a year after that.
World IPv6 Day is now in progress (it started at midnight UTC, which was 5:00 PM Pacific time). For the next 24 hours, many sites on the Internet, including our own www.tigertech.net, are fully IPv6-enabled.
If you have trouble connecting to www.tigertech.net, check other sites like Google, Yahoo and Bing. If you have problems with any of those, you should test your IPv6 connection and notify your ISP or network administrator about any problems.
For more information about IPv6 (and how sites hosted with us can participate), see our previous post: Now We Are Six: IPv6 support.
Today we detected that one of our customers had installed a WordPress plugin on his blog that did something malicious: when the plugin was activated, it sent a stranger an e-mail message allowing full administrator access to the blog.
How did this happen? Well, our customer simply searched the WordPress plugin directory for “Contact Form”, saw the popular “Contact Form 7” plugin listed, then clicked “Install Now”. That all sounds reasonable.