Apache 2.4 web server upgrade (complete)

Update May 3, 2018: The change described below is complete on all servers.

Over the next few days, we’ll be updating the software used on each web server from the Apache 2.2 series to the 2.4 series.

Customers should not notice any changes or downtime. We’re mentioning it here just so that customers who do notice a change for some reason will know about it.

While the Apache 2.4 series has some changes and new features, we’ve intentionally kept things compatible with older versions. In particular, we’re using mod_access_compat to ensure that existing “Allow / Deny” authorization directives work, and we’re using SSILegacyExprParser on to ensure that existing Server Side Includes work.

The Apache 2.4 series brings changes we’re using to improve our customers’ websites. For example, we’re already using OCSP stapling to speed up the initial connection to SSL sites in many browsers, and in the future we’ll be adding support for the newer HTTP/2 protocol. Neither of these were possible with older versions of Apache.

As always, don’t hesitate to contact us if you have any trouble.

Protection against critical Drupal security bug SA-CORE-2018-004

The authors of the Drupal CMS software today announced yet another “highly critical” Drupal security bug (SA-CORE-2018-004).

This vulnerability is likely to be widely exploited soon. If you use Drupal 7 or 8 without updating it, your site will be compromised (taken over by “hackers”).

To protect our customers who have installed Drupal, we have “patched” the vulnerable files on every copy of Drupal on our servers, blocking the attacks that we expect to see in the future. We used these patches:

So our customers are protected against this particular problem. But that doesn’t mean you shouldn’t upgrade Drupal: older versions also have other security bugs. If you’ve installed the Drupal software on your site, please make absolutely sure you’ve upgraded to the latest version today.

Small change to SSL ciphers (April 24, 2018)

We’ve made a small technical change to the way our servers handle SSL connections. The change shouldn’t affect anyone, but we’re describing it here just for the record.

The technical description of the change is that we’ve removed the DES-CBC3-SHA (aka TLS_RSA_WITH_3DES_EDE_CBC_SHA) cipher suite from the “Medium security, good compatibility: Disable SSLv3 but enable TLS 1.0” option in the SSL section of our control panel, because PCI scanning companies have started flagging the existence of that cipher suite as a “fail”. (We told you it was technical!)

This change may make “medium security” SSL connections show errors for some very old browsers running on Windows XP. (Most such browsers already failed anyway with “medium security”, and they can’t connect to most major sites on the Internet, so almost nobody uses them.) In the unlikely event that you do need a very old browser like that to connect to an SSL-enabled site, you can choose Low security, excellent compatibility: Enable SSLv3 and TLS 1.0 in our control panel to allow it.

Brief MySQL scheduled maintenance April 20, 2018 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday, April 20, 2018, the MySQL database software on each of our servers will be upgraded from version 5.6.39 to 5.6.40. This will cause an approximately 60 second interruption of service on each MySQL-using customer website at some point during this period.

This upgrade is necessary for security reasons and to fix bugs in MySQL. We apologize for the inconvenience this causes.

Update 9:44 PM Pacific time: The maintenance was completed as planned and all services are running normally.

Wildcard Let’s Encrypt certificates now available

Let’s Encrypt recently started offering wildcard SSL certificates that work with any subdomain, without forcing you to get a new SSL certificate every time you change the hostnames you use.

If we host your site’s DNS nameservers (which is true for almost all of our hosting customers), we can now automatically provide you with a wildcard certificate, for free. We’ve already updated every existing Let’s Encrypt certificate to be a wildcard wherever possible.

If you’re still paying GoDaddy $349.99 a year for a wildcard SSL certificate, or paying Network Solutions $579 a year for it, now might be a good time to switch to our service. 😉 (In the last week, we’ve provided several million dollars worth of wildcard certificates to our customers even at GoDaddy’s introductory prices. You’re welcome!)

We’re using Let’s Encrypt wildcard certificates ourselves, too

We’re now also using these certificates on everything related to our own services, too, including our website, blog, FTP servers, and mail servers.

Almost all customers shouldn’t notice any change, but if you use secure connections with old or unusual programs that don’t handle SSL connections properly, you might be asked to “accept” the new certificate.

Read the rest of this entry »

PHP 7.2 series now available

We’re now providing support for PHP 7.2 (in addition to the 5.6, 7.0 and 7.1 series), so PHP 7.2.4 is available in our control panel.

We believe it’s stable (it’s used for the blog you’re reading now), but we don’t yet recommend it for most customers. It’s fairly new and some third-party scripts are not yet compatible with it. If you want to try it anyway:

  1. First, update your site’s PHP scripts, including WordPress, Joomla, any plugins or themes you use, and so on
  2. Login to our My Account control panel
  3. Click PHP Settings
  4. Click PHP 7.2 series
  5. Click Save Settings

After updating, test your site carefully to make sure there aren’t any problems.

By the way, if all this seems confusing, we have a page explaining more about PHP versions and updates.

PHP 7.1 is now the default for new accounts

The somewhat older PHP 7.1 series has been out long enough that all modern script software should be compatible with it. Because of that, we’re making PHP 7.1 the default for new customers.

We haven’t changed the version for any existing accounts, but we recommend that all customers use at least PHP 7.1 if possible (the instructions above explain how to choose the version your site uses). PHP 7.1 is slightly faster than PHP 7.0 and almost twice as fast as PHP 5. If you care about your site’s speed (and you should), always use the newest version of PHP that’s compatible with your scripts.

PHP 5.6.35, 7.0.29 and 7.1.16

The PHP developers recently released versions 5.6.35, 7.0.29 and 7.1.16 that fix several bugs. We’ve upgraded the PHP 5.6, 7.0 and 7.1 series on our servers as a result.

These changes should not be noticeable, but as always, don’t hesitate to contact us if you have any trouble.