Today our servers began using an updated version of the Apache web server software that adds a new security feature: it collapses and ignores consecutive slashes in URLs it receives (among other security fixes).
For example, this URL (note the two slashes between “admin” and “options”):
https://www.example.com/wp-admin//options-permalink.php
… would now be treated exactly as if the web server had been sent:
https://www.example.com/wp-admin/options-permalink.php
This feature ensures that “hackers” cannot add extra slashes to bypass rules intended to restrict access to certain URLs. (The example above is a real security problem in WordPress from 2009 — it allowed hackers to access the permalink screen because the access restrictions were only applied to the exact pattern “/wp-admin/options-permalink.php”, and not to variations like “/wp-admin//options-permalink.php”.)
This change should not cause any problems, and our customers should not notice any change.
However, in the unlikely event that you have intentionally written script code that behaves differently when it sees two consecutive slashes in a URL instead of one slash, you would need to change your code to not rely on that behavior. (Two consecutive slashes in the path of a URI are not valid anyway, and other web servers will remove them by default, so relying on it would be unreliable to start with.)
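The following is an added example, not code from our servers or from WordPress: it shows why an exact-match access rule misses the double-slash variant described above, how collapsing slashes before the check closes that gap, and how to scan an access log for requests whose path contains consecutive slashes so you can see whether any of your scripts receive them. The rule set, function names and log lines are constructed for illustration.

```python
import re

# Hypothetical rule set: request paths that need an administrator session.
RESTRICTED = {"/wp-admin/options-permalink.php"}

SLASH_RUN = re.compile(r"/{2,}")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def path_of(target: str) -> str:
    """Strip the query string so '//' inside parameters is left alone."""
    return target.split("?", 1)[0]


def collapse_slashes(path: str) -> str:
    """Collapse each run of '/' to a single '/', as the updated server does."""
    return SLASH_RUN.sub("/", path)


def naive_is_restricted(target: str) -> bool:
    """Flawed check: compares the raw path against the exact pattern."""
    return path_of(target) in RESTRICTED


def is_restricted(target: str) -> bool:
    """Hardened check: normalize the path first, then apply the same rule."""
    return collapse_slashes(path_of(target)) in RESTRICTED


def slash_run_requests(log_lines):
    """Return request targets whose path (not query string) contains '//'."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and SLASH_RUN.search(path_of(m.group(1))):
            hits.append(m.group(1))
    return hits


# Constructed access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2019:10:00:01 -0700] "GET /wp-admin//options-permalink.php HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Apr/2019:10:00:02 -0700] "GET /wp-admin/options-permalink.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Apr/2019:10:00:03 -0700] "GET /go.php?next=https://www.example.com/ HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for t in slash_run_requests(SAMPLE_LOG):
        print(t, "naive:", naive_is_restricted(t), "normalized:", is_restricted(t))
```

The third log line is not flagged because its only “//” is inside the query string, which slash collapsing in the path does not touch.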
As always, don’t hesitate to contact us if you have any questions or difficulties.
The PHP developers recently released versions 7.1.28, 7.2.17 and 7.3.4 that fix several bugs. We’ve upgraded the PHP 7.1, 7.2 and 7.3 series on our servers as a result.
These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.
There was a brief interruption of service for customer websites on the “web11” server this morning (March 20, 2019) between 7:24 AM and 7:34 AM Pacific time. (Other servers were not affected.)
This problem was caused by a bug in a script that resulted in a configuration error. The bug has been fixed so that it will not recur.
We apologize for the trouble this caused customers who were affected.
We’ve supported IPv6 on customer websites for many years, but it didn’t default to “on”: customers had to explicitly enable it in our account management control panel.
Starting today, IPv6 is on by default for all new accounts signed up with us (although you can turn it off if you want).
In addition, we’re gradually enabling IPv6 for existing sites if they haven’t chosen to disable it. If you don’t want IPv6 to be enabled for your site in the future, you should use our control panel to disable it.
The PHP developers recently released versions 7.1.27, 7.2.16 and 7.3.3 that fix several bugs. We’ve upgraded the PHP 7.1, 7.2 and 7.3 series on our servers as a result.
These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.
Our business offices will be closed on Monday, February 18 to observe the US legal holiday. As always, we’ll provide same-day support for time-sensitive issues via our ticket and e-mail systems. However, questions that aren’t time-sensitive (including most billing matters) may not be answered until the next day, and telephone support (via callbacks) will be available only for urgent problems.
The PHP developers recently released versions 7.2.15 and 7.3.2 that fix several bugs. We’ve upgraded the PHP 7.2 and 7.3 series on our servers as a result.
These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.
We’ve added a feature that allows you to do a complete “one-click” restore of your site from the control panel. The restore includes all website files, databases, and PHP settings at once, giving you a way to quickly roll back a site without needing to use extra tools like FTP or phpMyAdmin.
The backups page in our support section has more details.
Update 9:32 PM Pacific time: the maintenance described below has been completed, and all services are running normally.
Between 9:00 PM and 11:59 PM Pacific time on Friday, February 8, 2019, the MySQL database software on each of our servers will be upgraded from MariaDB version 10.0.37 to 10.0.38 (equivalent to MySQL 5.6.43). This will cause an approximately 60 second interruption of service on each MySQL-using customer website at some point during this period.
This upgrade is necessary for security reasons and to fix bugs in MySQL. We apologize for the inconvenience this causes.
Update 9:30 PM Pacific time: the problem described below is resolved, as Amazon is no longer sending data through the problematic route to our servers.
Original post: Our monitoring systems are showing that this evening, there have been short periods of network failures between our data center and some Amazon Web Services (AWS) data centers on the US East Coast. This appears to be due to a problem Amazon is having connecting to an intermediate “Internet backbone” connection in Virginia run by a third party.
This isn’t affecting other connections, so most of our customers are unaffected, and we see no overall drop in traffic.