Some “.js” files in e-mail are now blocked

For a long time, our mail system has blocked many malicious filename extensions.

Recently, we’ve seen an increase in “.js” files that spread various forms of malware. These change their “patterns” often enough that they’re sometimes not detected by virus scanners.

Legitimate “.js” files are common in e-mail, so it’s impossible to block them outright. (They’re often sent as part of a package of website files — for example, a zipped copy of the WordPress files contains them.)

However, legitimate “.js” files almost always occur as part of an archive containing other files. They almost never occur alone, as they do in the malware versions.

Because of that, our e-mail system now blocks “.zip” files that contain only a single “.js” file, on the assumption that they’re almost certainly malicious.
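The rule above is simple enough to express in a few lines. The following is an added example written for this page, not the filter Tiger Technologies runs on its mail servers; the function names, the optional extension-set parameter, and the sample archives are all constructed for the illustration. It goes slightly beyond the single case in the text by ignoring directory entries (so a lone script inside a folder still counts as "only a single file") and by treating the extension case-insensitively.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Added example (not Tiger Technologies' code): a check that implements the
# rule "block a .zip that contains only a single .js file".
# BLOCKED_SCRIPT_EXTENSIONS is an assumption; the page only names ".js".
BLOCKED_SCRIPT_EXTENSIONS = frozenset({".js"})


def archive_file_names(data: bytes) -> Optional[List[str]]:
    """Return the regular-file entries of a zip, ignoring directory entries.

    Returns None when the bytes are not a valid zip so the caller can hand
    the attachment to other scanners rather than guessing either way.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        return None


def should_block_zip(data: bytes, blocked=BLOCKED_SCRIPT_EXTENSIONS) -> bool:
    """True when the archive holds exactly one file whose final extension
    (case-insensitive) is in `blocked`; False for anything else."""
    names = archive_file_names(data)
    if names is None or len(names) != 1:
        # Not a zip, an empty zip, or a multi-file package such as a site backup:
        # none of these match the lone-script pattern described in the text.
        return False
    basename = names[0].rsplit("/", 1)[-1]  # strip any directory prefix
    dot = basename.rfind(".")
    ext = basename[dot:].lower() if dot != -1 else ""
    return ext in blocked


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; the contents are harmless placeholders.
LONE_SCRIPT = make_zip({"Invoice_2016.js": b"// placeholder"})
NESTED_LONE_SCRIPT = make_zip({"docs/": b"", "docs/Invoice.JS": b"// placeholder"})
SITE_PACKAGE = make_zip({"wp-includes/js/jquery.js": b"// placeholder",
                         "index.php": b"<?php // placeholder"})
NOT_A_ZIP = b"this is not an archive"

if __name__ == "__main__":
    samples = [("lone script", LONE_SCRIPT), ("nested lone script", NESTED_LONE_SCRIPT),
               ("site package", SITE_PACKAGE), ("not a zip", NOT_A_ZIP)]
    for label, blob in samples:
        print(f"{label}: {'BLOCK' if should_block_zip(blob) else 'allow'}")
```

A zip containing many files, such as a site backup, passes the check even when it includes `.js` files, which is exactly the distinction the announcement draws. Anything that is not a valid zip is left to the other scanners in the pipeline rather than being blocked or allowed by this rule alone.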

We don’t expect this to cause any problems, but as always, don’t hesitate to contact us if you have any questions or trouble.

Brief MySQL scheduled maintenance February 5, 2016 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday February 5, 2016, the MySQL database software on each of our servers will be upgraded from version 5.5.46 to 5.5.47. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 11:04 PM Pacific time: The maintenance was completed as planned and all services are running normally.

We now offer free SSL certificates from Let’s Encrypt

Our hosting customers can now get free SSL certificates to secure their site.

What’s an SSL certificate? It activates the “padlock” icon for your site in a Web browser, showing that the connection is encrypted for security. You should use an SSL certificate if your visitors type sensitive data such as usernames, passwords or credit card numbers, because it ensures that “hackers” can’t intercept that data.

SSL certificates used to cost a lot of money, but an organization called Let’s Encrypt is now providing them for free, trying to encourage the widespread use of encryption on the modern Internet.

We believe that encryption should be widely available, so we’ve changed our SSL certificate system to provide free Let’s Encrypt certificates to our hosting customers. You can get one now in our “My Account” control panel.

Protection against a critical Joomla < 3.4.6 security bug

The authors of the Joomla software announced today that every version of Joomla below 3.4.6 has a critical security bug that allows “hackers” to take over a site.

The bug was in use by hackers for two days before the Joomla authors patched it, and we found several Joomla customer sites that had been modified as a result. We’ve restored backups of those sites and notified those customers directly, but we recommend that all Joomla users change their password to be safe, even if we didn’t notify you of a problem.

The best solution for Joomla users is to update to version 3.4.6 immediately. However, we also added a rule to our servers this morning to block any more attacks until our customers can update. The rule should ensure that if you use our hosting service, and your site hasn’t already been modified, hackers won’t be able to take advantage of this bug.

Preventing PHP scripts from running in /wp-content/uploads

We write a lot about how out of date WordPress plugins or themes can cause your site to get “hacked” due to security bugs.

Interestingly, many of these bugs share a near-identical flaw: they intentionally allow strangers to upload files to your site (intending to allow image uploads and so on), but they don’t sufficiently screen out malicious script files. The bugs allow a malicious PHP script to be uploaded somewhere under the site’s “/wp-content/uploads” directory, and then the “hacker” simply runs that script from a web browser.

To help our customers, we’re doing something to minimize the impact of these security vulnerabilities: By default, we’re now blocking PHP scripts from running in “/wp-content/uploads”.

This will improve security because very few sites use this feature legitimately (and none should do so, really; relying on being able to run uploaded PHP scripts without moving them to a safe location is a security risk). Disabling PHP scripts in this directory is recommended by well-known WordPress security companies like Acunetix and Sucuri.
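For readers who manage their own Apache server, the mitigation described above is a short per-directory rule. The following is an added example, not the configuration Tiger Technologies deploys; it assumes Apache 2.4 with `.htaccess` overrides permitted for the site, and the extension list is an assumption covering the common PHP handler mappings.

```apache
# Added example (not Tiger Technologies' configuration).
# Place this in /wp-content/uploads/.htaccess on Apache 2.4 (AllowOverride
# must permit it). It refuses direct requests for PHP-family files anywhere
# under the uploads directory, so an uploaded script cannot be run simply
# by visiting its URL. Images and other uploads are unaffected.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>

# Apache 2.2 equivalent of the block above:
# <FilesMatch "\.(php|phtml|php[0-9]|phar)$">
#     Order Deny,Allow
#     Deny from all
# </FilesMatch>
```

To confirm the rule is active, place a harmless file such as `test.php` containing only `<?php echo 'ok';` in the uploads directory and request it in a browser; the server should answer with a 403 error rather than “ok”. Because `FilesMatch` tests the end of the file name, the pattern should list every extension that the server’s `AddHandler` or `SetHandler` lines map to PHP, so check those lines in the main configuration when adapting it.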

Brief MySQL scheduled maintenance October 30, 2015 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday, October 30, 2015, the MySQL database software on each of our servers will be upgraded from version 5.5.44 to 5.5.46. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 10:25 PM Pacific time: The maintenance was completed as planned and all services are running normally.

Protection against a critical Joomla security bug

The authors of the Joomla software announced today that every version of Joomla between 3.2.0 and 3.4.4 has a critical security bug that allows hackers to take over a site (the bug is known as “CVE-2015-7857”).

The best solution for Joomla users is to update to version 3.4.5 immediately. However, we’ve also added a rule to our servers to protect our customers until they do this. The rule should ensure that if you use our hosting service, “hackers” won’t be able to take advantage of this bug.

Brief MySQL scheduled maintenance August 7, 2015 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday, August 7, 2015, the MySQL database software on each of our servers will be upgraded from version 5.5.43 to 5.5.44. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 9:58 PM Pacific time: The maintenance was completed as planned and all services are running normally.

Our servers are compatible with 2015 and 2016 PayPal security upgrades

Recently, PayPal has been sending notifications to merchants who use the “PayPal API”, discussing some changes they’re making. If you are one of our customers and you have received this e-mail from PayPal, you may be wondering if you need to do anything. The short answer is that you don’t; the change is being made entirely on the PayPal servers, and our service is fully compatible.

Cleaning compromised sites while moving them to Tiger Technologies

One issue we (unfortunately) have lots of experience with is fixing a WordPress site after we discover it’s been “hacked”. But while it’s one thing to try to clean a Web site after it got infected on our servers, it’s essentially impossible to try to clean a Web site that was infected on another server and is being transferred to our servers.

We have a page with more information, including:

  • why this is a problem, and the related risks of not fixing it
  • why the normal way of fixing a site isn’t sufficient
  • how to fix the problem