Disabling SSLv3 and TLS 1.0

If you use an SSL certificate on a site you host with us, we now offer more control over the SSL/TLS protocol versions your site uses.

Old protocol versions, including SSL version 3 (“SSLv3”) and TLS version 1.0, are no longer considered secure. You can now disable these to improve security, at the expense of preventing some older, less-secure browsers from making SSL or TLS connections. Some credit card companies are starting to require that SSLv3 and TLS 1.0 both be disabled.

Read the rest of this entry »

Brief MySQL scheduled maintenance May 1, 2015 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday May 1 2015, the MySQL database software on each of our servers will be upgraded from version 5.5.41 to 5.5.43. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 9:43 PM Pacific time: The maintenance was completed as planned and all services are running normally.

Protection against the WordPress “large comment” security bug

The authors of WordPress today released version 4.2.1 that fixes a critical security bug.

While upgrading is always a good idea, we’ve blocked the attack for all versions of WordPress on all sites that we host. We’ve also verified using our MySQL binary logs that no sites were attacked before we started the blocking.

Read the rest of this entry »

Protection against the critical Magento “Shoplift” security bug

Researchers recently found a critical security bug in the widely used Magento e-commerce shopping cart software. If you use this software and don’t update it to fix the bug, “hackers” can easily take over your site, including potentially stealing the credit card numbers of your customers.

We’ve analyzed the Magento software our customers have installed and found that more than half is unpatched, despite the Magento team sending e-mail notices to Magento users in February.

“Hackers” are now beginning to exploit the bug. Because this is so dangerous, we yesterday added security rules to block these attacks even if you haven’t updated.

Although we’re confident that these rules block the current attacks (we’ve seen it block several live attacks, and it makes sites we host pass the useful Shoplift bug tester), you should still patch your site if you use Magento: using outdated versions of e-commerce software is always dangerous.

Read the rest of this entry »

Our servers are not vulnerable to the “FREAK Attack” SSL security bug

A couple of customers have asked if our servers are vulnerable to the FREAK attack SSL security bug.

The answer is no: we don’t use the weak “export grade ciphers suites” that are affected by the bug, so no site hosted on our servers is vulnerable. You can verify this with the FREAK attack server check tool.

Additional filename attachments, including “.exe”, now blocked in e-mail

For a long time, our mail system has blocked obviously malicious filenames like “443645787823424455.scr”, “Invoice.pdf.exe”, and so on, even if they aren’t actually flagged by the antivirus software we use (which can happen if they’re new viruses that don’t yet have matching patterns).

Recently, we’ve seen a dramatic increase in simpler names where the virus author doesn’t even try to hide the fact that it’s a program: things as simple as “Invoice.exe” in a zip file. We’ve received a couple of reports that people unzipped these, ran them, and clicked past the Windows warning saying that programs from the Internet can harm your computer — perhaps assuming that if it wasn’t flagged by either our virus scanner or the virus scanner on their own computer, it must be okay.

We want to make sure our customers never fall victim to anything like this, so we’ve expanded our blocked filename patterns to include simple “.exe” files (and other additions). This may very occasionally reject legitimate messages with an error asking the sender to rename the file and resend it, but it will solve far more problems than it causes.

We’re using the same list of filename extensions that Gmail uses — if we block it, Gmail would block it, too. You can find more information on our support page about virus scanning.

Read the rest of this entry »

Brief MySQL scheduled maintenance January 30, 2015 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday January 30 2015, the MySQL database software on each of our servers will be upgraded from version 5.5.40 to 5.5.41. This will cause an approximately 60 second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 9:57 PM Pacific time: The maintenance was completed and all services are running normally.

Brief scheduled maintenance January 24, 2015 (completed)

Between 10:00 PM and 11:59 PM Pacific time on Saturday, January 24, each of our hosting servers will be restarted. This will cause a brief interruption of service (less than 10 minutes) for each site at some point during this 2 hour period.

Read the rest of this entry »

Protection against WordPress “Pagelines” and “Platform” theme security bugs

The researchers at Sucuri yesterday announced that they’ve discovered a critical security bug in the widely used Pagelines/Platform WordPress themes. If you use one of these themes or their many derivatives, “hackers” can easily take over your site unless you update the theme.

Since many of our customers use these themes, so we’ve added security rules to block attacks even if you haven’t updated. And we’re glad we did: our logs show that a large Chinese botnet started attacking every WordPress site we host last night, in alphabetical order (they’re currently up to domain names starting with “e”), testing whether each site is vulnerable to the bugs.

We’re again surprised to see how many customers are using versions of these themes that haven’t been updated in years. I know we sound like a broken record, but when WordPress offers to update something you’ve installed, you must update it if you want your site to stay secure.

Read the rest of this entry »

Out-of-date WordPress sites will get hacked

I’m going to use annoyingly big type, on an annoying yellow background, because it’s important:

If you use WordPress, you MUST update your plugins and themes whenever you see that an update is available. If you don’t, your site will eventually be “hacked” because of a security bug in old software. The contents of your site will be replaced with something malicious, and your e-mail will be used to send offensive spam.

We have a page with more information, including:

  • why this is a problem
  • why it would happen to your site in particular
  • the two most common ways sites get hacked
  • the risks of not fixing it
  • the risks of inactive plugins and themes
  • the steps to update WordPress properly