Protection against a critical Joomla < 3.6.4 security bug

The authors of the Joomla software announced that Joomla versions 3.4.4 through 3.6.3 have a critical security bug that allows “hackers” to take over a site by adding new administrative users (CVE-2016-8869).

The best solution for Joomla users is to update to version 3.6.4 immediately. However, we also added a rule to our servers this morning to block this attack. The rule should ensure that if you use our hosting service, hackers won’t be able to take advantage of this bug.

(And a tip o’ the hat to security researcher Melvin Lammerts, who published detailed technical information of the bug that allowed us to do this more quickly than usual.)

Brief scheduled maintenance October 25, 2016 (completed)

Between 10:00 PM and 11:59 PM Pacific time on Tuesday, October 25 2016, each of our hosting servers will be restarted. This will cause a brief interruption of service (less than 5 minutes) for each site at some point during this 2 hour period.

Read the rest of this entry »

SSL certificate errors October 13, 2016 (resolved)

We’re receiving reports that some people visiting some SSL sites (including our site) are seeing security errors saying a “certificate has been revoked”.

This is an Internet-wide problem caused by an issue with one of the main Internet “certificate issuers”, a company called GlobalSign, and isn’t specific to us or sites we host. It’s affected many large Internet sites, such as Wikipedia. (Internet news site “The Register” has a report here.)

GlobalSign says the problem will soon be fixed. In the meantime, if your browser allows you to “click past” the warning about a “revoked certificate”, it is safe to do so.

Update 3:13 PM Pacific time: The problem is slowly resolving itself as the bad certificate information expires from “caches” around the Internet, but we’ve temporarily replaced our SSL certificates with new ones to make it stop immediately. This problem should now be resolved.

Brief MySQL scheduled maintenance September 18, 2016 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Sunday, September 18, 2016, the MySQL database software on each of our servers will be upgraded from version 5.5.50 to 5.5.52. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 10:48 PM Pacific time: The maintenance was completed as planned and all services are running normally.

Brief MySQL scheduled maintenance August 12, 2016 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday, August 12, 2016, the MySQL database software on each of our servers will be upgraded from version 5.5.49 to 5.5.50. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 10:43 PM Pacific time: The maintenance was completed as planned and all services are running normally.

Our servers are not vulnerable to the “httpoxy” security bug

Recently, security researchers announced a bug that affects many web scripts, called the httpoxy bug.

Sites hosted on our servers are not vulnerable to this bug, because we’ve added a security rule blocking all HTTP requests that contain a “Proxy:” header. This completely blocks all malicious “httpoxy” requests, and our customers don’t need to do anything else.

Brief MySQL scheduled maintenance May 4, 2016 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Wednesday, May 4, 2016, the MySQL database software on each of our servers will be upgraded from version 5.5.47 to 5.5.49. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 9:06 PM Pacific time: The maintenance was completed as planned and all services are running normally.

Some “.js” files in e-mail are now blocked

For a long time, our mail system has blocked many malicious filename extensions.

Recently, we’ve seen an increase in “.js” files that spread various forms of malware. These change their “patterns” often enough that they’re sometimes not detected by virus scanners.

Legitimate “.js” files are common in e-mail, so it’s impossible to block them outright. (They’re often sent as part of a package of website files — for example, a zipped copy of the WordPress files contains them.)

However, legitimate “.js” files almost always occur as part of an archive containing other files. They almost never occur alone, as they do in the malware versions.

Because of that, our e-mail system now blocks “.zip” files that contain only a single “.js” file, on the assumption that they’re almost certainly malicious.

We don’t expect this to cause any problems, but as always, don’t hesitate to contact us if you have any questions or trouble.

Brief MySQL scheduled maintenance February 5, 2016 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday February 5, 2016, the MySQL database software on each of our servers will be upgraded from version 5.5.46 to 5.5.47. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 11:04 PM Pacific time: The maintenance was completed as planned and all services are running normally.

We now offer free SSL certificates from Let’s Encrypt

Our hosting customers can now get free SSL certificates to secure their site.

What’s an SSL certificate? It activates the “padlock” icon for your site in a Web browser, showing that the connection is encrypted for security. You should use an SSL certificate if your visitors type sensitive data such as usernames, passwords or credit card numbers, because it ensures that “hackers” can’t intercept that data.

SSL certificates used to cost a lot of money, but an organization called Let’s Encrypt is now providing them for free, trying to encourage the widespread use of encryption on the modern Internet.

We believe that encryption should be widely available, so we’ve changed our SSL certificate system to provide free Let’s Encrypt certificates to our hosting customers. You can get one now in our “My Account” control panel.

Read the rest of this entry »