Even if a Web site hosted with us doesn’t have an SSL certificate, our servers used to accept improper secure SSL connection attempts that start with “https://” instead of “http://” in the beginning of the URL (note the extra “s”). We’re changing that.
Three of our Web hosting servers (amy, flexo, and leela) experienced high load earlier today that caused some customers to see “503 errors” on their Web sites for a few minutes.
This was caused by an upgrade to the eAccelerator PHP caching system that removed all the cached files at once, which doesn’t normally happen.
The problem has been permanently resolved and will not recur.
WordPress installations handle missing image files very inefficiently by default, running the entire WordPress script to build a custom “404 Page Not Found” page rather than simply letting Apache return an immediate default “404” response. Running the WordPress script when not necessary is a huge waste of processor time. For example, WordPress might be able to only process 8 requests per second for a missing image when WordPress generates a custom “404” page, but Apache can return process over 1,000 raw “404” responses per second. If your Web site contains references to missing files, this default WordPress behavior can be driving up your CPU usage unnecessarily. We’ve seen poorly-configured Web sites spend a significant portion of their CPU time processing missing images.
The WordPress folks recently announced that next year’s planned WordPress 3.2 will require at least PHP version 5.2 and MySQL database version 5.0.15. If you use WordPress, you might be wondering if this will be a problem.
Well, “Good news, everyone!” If you use Tiger Technologies to host your WordPress blog, you’re all set: we already use later versions of PHP and MySQL than that.
Google FeedBurner is still hammering several of our customer sites with over 5,000 requests for the same URL per hour. We’ve blogged about this before. We’ve also reported it on the FeedBurner Help Group and seen similar reports from others going back to 2008.
Here’s the relevant log entries from a site that FeedBurner hit 5,836 times in one hour this morning (up to 8 times a second). There’s nothing unusual about the site: it’s on a single IP address with a single hostname, and the feed doesn’t change often.
Some sites run a PHP script for every request, so this FeedBurner problem generates high load for no useful purpose at all.
Google: Please fix this. Thanks!
One of the tools we offer our customers is the “wget” program, which can be used to fetch files from other Web or FTP servers.
It turns out that wget has a security bug that needs to be avoided. As a result, the behavior of wget has changed in some situations. If you use wget (most of our customers don’t), you should be aware of this change.
In a previous post, we talked about how increasing the WP Super Cache “Expire time” from 1 hour to 48 hours can help the performance of WordPress blogs.
Here’s another tip that can help dramatically: Remove “bot”, “ia_archive”, “slurp”, “crawl”, “spider” and “Yandex” from the Rejected User Agents box in the WP Super Cache plugin settings. (In most cases, this will leave the box completely empty.)
Update: This post is outdated. We now offer SSL certificates for free to all customers, and recommend that you make your entire WordPress blog use SSL (rather than just making the dashboard SSL using the FORCE_SSL_ADMIN trick described below).
Do you login to your WordPress blog securely? Are your username and password encrypted so that “hackers” can’t steal them and then break into your blog? (Probably not!)
By default, each WordPress blog is configured to send the login username and password as plain (unencrypted) text. If a hacker can see what you are sending during your login, they can easily steal your username and password. This can happen if you have a virus installed on your computer. It can also happen if your computer is virus-free but connects via WiFi. If your main computer uses a wireless connection, or if you or other users of your blog ever login with their laptops — blogging from a coffee shop, anyone? — remember that these connections can be insecure, and could be susceptible to revealing your password.
You can protect your blog by installing an “SSL certificate” and configuring WordPress to require secure logins. Your browser will then encrypt your username and password so that no one can intercept them.
In the last few days, there’s been a lot of talk on the Internet about the security of WordPress blog software.
Several shared hosting companies apparently allow customers to view the text of other customer’s files by default, and that allows malicious customers to discover the database password of another site (from the “wp-config.php” file) and alter the site.
We recently added the Spamhaus Domain Block List (dbl.spamhaus.org) to our spam filters.
The Domain Block List is an extremely reliable list of domain names that are used only in spam. Blocking most mail that advertises these domain names improves our spam filtering: we’re now blocking about 1% more spam as a result.
That may not sound like much, but it represents about 150 more blocked spam messages per year for each customer. (We block an average of over 15,000 spam messages per year per customer.)
