Customers have asked us whether our servers are vulnerable to the recent serious security bug CVE-2022-0847 (nicknamed “Dirty Pipe”) in the Linux kernel software (explained in more technical detail here).
The good news is that we don’t use the vulnerable versions of the kernel software on our servers, and we’ve verified in multiple ways that our servers are not vulnerable to this problem.
If you use WordPress, and you allow strangers to register for WordPress accounts (which isn’t usually a good idea, but some plugins require it), it’s possible to accidentally configure it so that those new users get created as WordPress administrators. That can happen simply by doing this:
Allowing this is a serious flaw that was supposed to be fixed in WordPress itself some time ago, but the problem still exists.
We don’t think it’s reasonable to ever create new users as “Administrators” by default, regardless of whether you have “anyone can register” turned on. (Even if “anyone can register” is turned off now, it would be easy to turn it on later without remembering to change the default role back.)
To make sure our customers’ sites stay secure, we’ve added some protections against this:
Nobody should notice any changes as a result of this, but as always, don’t hesitate to contact us if you have any questions or difficulties.
Customers have asked us whether our servers are vulnerable to the recent serious security bug (called “Log4Shell”) in software named “Log4j”.
The good news is that we don’t use the Log4j software anywhere on our servers, and never have. We’ve verified in multiple ways that our servers are not vulnerable to this problem.
That said, we always believe in “defense in depth” when it comes to security, so we’ve also added rules to our web application firewall that will block any IP addresses making attempts to exploit this bug.
Between 10:00 PM and 11:59 PM Pacific time on Friday, July 16, each of our hosting servers will be restarted. This will cause a brief interruption of service (less than 5 minutes) for each site at some point during this 2 hour period.
Read the rest of this entry »Recently, Microsoft announced that their “Microsoft Exchange” email server software has several security bugs that allow “hackers” to infect it with malware. That allows the “hackers” to read private email.
Some customers have asked us whether our servers are vulnerable to this problem.
The good news is that we don’t use Microsoft Exchange (or any other Microsoft email server) software, and never have. That means our servers, and our customers who use our email services, are not vulnerable to this problem at all.
WordPress 5.5 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites. WordPress 5.5 works fine on our servers (make sure you’re using a recent version of PHP for your site).
If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.
One great new feature of WordPress 5.5 is that it adds automatic updates of plugins and themes. We strongly recommend enabling this feature to improve the security of your site. To do that, just click “Enable auto-updates” for all your plugins and themes:
That’s all it takes to prevent most “hacker” attacks on your site.
We provide free Let’s Encrypt SSL certificates for all sites hosted with our company.
Recently, Let’s Encrypt found a problem with some certificates that could cause site visitors to see security warnings if the certificate wasn’t renewed before noon Pacific time today (March 4, 2020).
Our customers don’t need to worry, though. We’ve already renewed any affected certificates, so the problem will not affect any sites we host.
There’s a website at checkhost.unboundtest.com you can use to test your certificate if you want to be sure. As always, don’t hesitate to contact us if you have any questions.
Update 10:58 PM Pacific time: the maintenance described below has been completed, and all services are running normally.
Between 9:00 PM and 11:59 PM Pacific time on Saturday, February 15, 2020, the MySQL database software on each of our servers will be upgraded from MariaDB version 10.0.41 to 10.0.44 (roughly equivalent to MySQL 5.6.47). This will cause an approximately 60 second interruption of service on each MySQL-using customer website at some point during this period.
This upgrade is necessary for security reasons and to fix bugs in MySQL.
In addition, the web14 server will be restarted during this period for a hardware upgrade, causing an approximately 3-minute additional outage for sites and email on that server only.
We apologize for the inconvenience this causes.
Some of our customers use a script called Adminer (aka adminer.php) that allows them to modify MySQL database entries. It’s similar to phpMyAdmin.
This is fine, except that old versions of Adminer have a serious security vulnerability that allows “hackers” to take control of sites that use it. If you’ve put an old version of the adminer.php script on your site, then you never updated or removed it, your site is vulnerable to hackers. A couple of our customer’s sites have been “hacked” this way in the last week.
To make sure this doesn’t happen to more customers, we’re disabling any old vulnerable versions of adminer.php (versions earlier than 4.7) and replacing them with a link to this page.
If you try to use a copy of Adminer you’ve previously installed, but you get referred to this page, you should simply install a new version from the Adminer website. Be sure to keep it updated in the future (or delete it when you’re finished using it).
We’ve previously added free wildcard Let’s Encrypt SSL certificates for all our customers who use our web hosting service. Now we’ve added free certificates to all “parked” domain names, too!
If you have a parked domain name on our servers that’s set up to redirect to another site, you can now use https:// URL addresses for the parked domain name and the redirect will work securely, with no problems.
