Site hosting news, tutorials, tips, How Tos and more

CTB-locker ransomware now affecting websites

Do you know what ransomware is? It’s a computer compromise, typically spread via a macro in a Microsoft Word file. Those spam “invoices” you get, with a .doc attachment? They’re almost always ransomware. If the macro is run, most of the document and image files on your computer are encrypted, and the hacker then extorts money out of you to get the key. The longer you wait, the higher the price.

Right about now you’re probably thinking, “Not a problem for me, I have backups for all my important files!” Which is good. You can reformat your computer, restore your backups and be done with it. Lesson learned. If you’re not backing up your computer files, now’s the time to start, right? Right? Get started. Seriously.

Ransomware reaches the web

If that wasn’t bad enough, the people who write ransomware have now figured out how to encrypt your website files and hold them for ransom, and compromises are spreading rapidly across the web. The compromise is done through vulnerabilities in third party applications or your own scripting (out-of-date WordPress sites are a common target – update your WordPress site, plugins and themes!).

At the time we’re writing this, that ransom starts at around $175, and goes up from there the longer you wait. The best way to guard against that is the same way you’ve guarded against site compromise forever: keep your third party applications updated, and examine your own code for vulnerabilities.

But if the bad guys do get in and your site files are encrypted and held for ransom, what can you do?

Well, we make site and database backups every day, so we may be able to help you restore the unencrypted version of your files. But our backups are meant for disaster recovery, so there’s often a fee involved with pulling and restoring a copy, and it will take a little time. In addition to that, we only keep a few days of backups. If you don’t notice a ransomware compromise for four or five days, all of our backups will probably be copies of the compromised files, and therefore not useful in restoring the site.

So what’s the best answer?

The best answer is maintaining a tight ship, as far as your site is concerned. But a really good standby strategy is our SiteBackup service. It allows you not only to back up website and database files, but to keep multiple versions of those backups for long periods of time. That increases the likelihood that you will have a “clean” backup to restore to defeat the ransomware goons. The best part is that you control the backups, and they’re available to you immediately any time you need them.

Another cool thing that SiteBackup can do is alert you if Google flags your site as compromised, and automatically disable any further backups. That means you can rest easy that you’ll always have a clean backup for restoration.

Any way you slice it, it’s better to be safe than sorry, so we really recommend checking out SiteBackup. It’s inexpensive (starting at $2.95 a month for 10GB of backup space!), extremely easy to use, and – we think – some of the best peace of mind money can buy.

Activate SiteBackup in Control Panel now.

Here’s what a site compromised by CTB-locker looks like:

[Image: ctb]



Introducing SpamExperts Email Filtering Service

We have partnered with Spam Experts to bring you the leading premium spam filtering service. Because Spam Experts filters millions of emails daily, they have the ability to detect emerging threats early, so their spam filtering engine is always up-to-date.

Not only will you get a cleaner inbox, you also get access to a feature-rich management portal called SpamPanel.  Missing an expected email? You can check your email logs. Want to whitelist or blacklist a user or an entire domain? You can do that through SpamPanel. You’ll also get a daily report listing your quarantined emails.

You can try Spam Experts spam filtering FREE for 30 days (limited time offer until March 31, 2016; free trial extended to April 15th!). After the free trial you can continue using SpamExperts for as little as $3.45 a month.

For more information on Spam Experts spam filter pricing and features, check out our website.



ASP.NET 4.6 hosting available now

Just wanted to announce the availability of ASP.NET 4.6 hosting – more precisely it’s ASP.NET 4.6.1. Many of you have been asking about it, and now it’s here at Winhost!

Note that we didn’t roll out ASP.NET 4.6 on all servers, so if you are interested in using ASP.NET 4.6 and your server doesn’t have it, then contact us and we’ll move your site to a server that supports ASP.NET 4.6.

 



Getting Started with RavenDB


Over the years there have been a number of customers who have asked if Winhost supports NoSQL databases. There is actually one NoSQL solution you can install in our environment, and it’s RavenDB. In this guide, I will show you how to get started with it (i.e. installed and running) if you want to try it out. The instructions have been taken from the official site and modified for our hosting environment.

First, download the .zip file from the RavenDB website and then extract it. Open up the “Web” folder and make the following changes to the web.config file in that folder:

Change line 3 from:

<add key="Raven/WorkingDir" value="APPDRIVE:\Raven\" />

To:

<add key="Raven/WorkingDir" value="APPDRIVE:\web\ftpusername" />

Replacing ftpusername with the correct value.

Add/Insert the following in between the <system.web></system.web> XML tags to enable Full trust:

<trust level="Full" />

Once you have finished making the changes to the web.config file, save it. Then upload the entire “Web” directory into your hosting space.

Using the Winhost Control Panel, create an Application Starting Point for the “Web” folder. Open the “Web” folder using a browser (e.g.: http://www.HostingAccountDomain.com/web).

You’ll get an error regarding WebSockets. You can open up a support ticket to have it enabled and have “Overlapped Recycle” disabled in your App Pool settings, and that should complete the installation so that you can try it out.



Rainy Day Update


Looks like El Niño is finally here, but that isn’t going to stop us from keeping the app-installer up to date!



CDN in a nutshell, or: how a Content Delivery Network helps you (in more ways than you think!)

If you’ve never heard of a CDN or you’re not sure exactly what it is, CDN is an acronym for Content Delivery Network. What a Content Delivery Network does, in very basic terms, is serve your site files from multiple data centers all over the world so that your visitors download files from a server near them and experience faster page loads. As a bonus, you get to experience reduced bandwidth use due to your content being cached at the various locations on the network.

How does it work? You change your domain’s name servers to point to the CDN, which then handles the requests for your site. When a request comes in to the CDN, here’s what it does:

  1. Determines the location of the visitor and the data center location nearest to that location.
  2. Pulls the requested files from your central repository (which in this case would be your Winhost server) to that data center near your visitor and serves the files to the visitor from that local server.
  3. Requested files are cached on the local servers for a period of time, so that the next time they are requested from that location they will load from the local server for visitors in that region.
  4. Visitor interacts with the local server until a new file is requested, at which point the CDN goes back to step 2 and repeats.

That makes for a better visitor experience, since visitors are getting files from a local server. And it saves bandwidth on your Winhost account, since the files don’t have to come from the Winhost servers every time they are requested.

There are a lot of CDNs these days, and their setups vary in levels of difficulty. We’re offering a CDN that’s really easy to set up, and if you already have a SiteLock security plan for your site (and you really should, but that’s a separate article), you can add the basic CDN for free.

If you’re thinking that sounds great, but your site doesn’t contain much static content, SiteLock TrueShield CDN can also serve dynamic content from more than 25 data centers around the world via its Dynamic Content Caching system. It’s all completely automatic, but you have control over the cache and can purge files any time you need to, for instance when you update or change content on your site.

On average, sites using the SiteLock TrueShield CDN load 50% faster and use 40-70% less bandwidth.

The TrueShield CDN can also handle end-to-end encrypted SSL (https) requests, and performs advanced CDN optimizing techniques, including content minification, image compression, session reuse optimization, “on the fly” file compression, TCP optimization & connection pre-pooling and progressive image rendering.

Not only speed, but protection from the bad guys too

The TrueShield CDN isn’t only about speed, it also offers a layer of protection for your web applications. Does your site use WordPress? If so, you probably know that WordPress is a common target for exploits, and if someone gets into your WordPress installation, the cleanup can be a nightmare, not to mention the probable damage to your site and your reputation.

The SiteLock TrueShield CDN protects you against many web-based exploits with a Web Application Firewall, which blocks malicious bots from accessing your site, and depending on the plan you use, can protect your site against many SQL injections and cross site scripting. Whether your site uses a third party application that runs on a database or works with a database you designed and built, the Web Application Firewall can help keep you safe.

I know this sounds like a commercial for SiteLock, but we’re big fans of their service, and we’re able to offer you some really cool and useful tools through them. We see the damaging effects of website exploits every day, and as I mentioned, cleaning up after them is no fun. It’s either going to cost you time or money – sometimes both. So prevention, as they say, is the best medicine.



How to fix broken images and links in a WordPress site

Broken image links are a common problem when you move your WordPress installation to another domain name or even to another subfolder. WordPress uses absolute paths to link images and objects to the page. The absolute path is usually defined during the initial WordPress setup process when you first configure WordPress. No problem, right? You understand and know what absolute paths mean, and WordPress is working with no problems.

But what happens when you change the domain name for your WordPress site, or you move your WordPress site to a subfolder? Now you call on your WordPress site and some links are broken, images don’t show up, or some of the pages may come up with a 404 not found error. You right click on an image or object on the page and you can see the URL address does not match with the URL address on the address bar.

What a mess. Now what?

Fear not, this is actually a fairly easy fix!

There are a few easy ways to fix this. The first thing to try is logging in to the WordPress admin section and changing the values in Settings > General. But sometimes the location change can make logging in to the admin section impossible, in which case you’ll want to try setting the new URL by either defining the SiteURL and Home variables in your configuration file, or going in to the database and changing them there.

Updating the wp-config.php file

Log into your site via FTP and look for the WordPress wp-config.php file. Open the file with a text editor such as Notepad and add these lines. Typically you should be able to add the lines under the connection string section of the configuration file.

/** Manually define SiteURL and Home */
define('WP_HOME', 'http://www.newdomain.com');
define('WP_SITEURL', 'http://www.newdomain.com');

If you have just moved the WordPress files to a subfolder then the URL would look somewhat like this.

define('WP_HOME', 'http://www.newdomain.com/newsubfolder');
define('WP_SITEURL', 'http://www.newdomain.com/newsubfolder');

In my opinion, this is actually the easiest way to fix this. But some site owners don’t like to hard code values into the page, so the second way to solve the problem is to update the database. WordPress uses MySQL as its back end, and the SiteURL and HOME URL values are stored in there in plain text, so they’re easy to change.

Updating your WordPress database:

Log into your WordPress database. The table you will be looking for is wp_options. wp_ is the default prefix that WordPress will use in the initial setup. You may have used a different DB prefix during set up, but in general what you are looking for is the “Options” table.

Run this SELECT command against the Options table.

USE [Database Name];
SELECT option_name, option_value FROM wp_options
WHERE option_name = 'home' OR option_name = 'siteurl';

You should see results similar to this.

option_name   option_value
home          http://www.olddomain.com
siteurl       http://www.olddomain.com

To update the option_value column, just run this command against your database.

USE [Database Name];
UPDATE wp_options
SET option_value = 'http://www.newdomain.com'
WHERE option_name = 'siteurl' OR option_name = 'home';

If you are moving the WordPress site to a subfolder, the option_value would include the path to the subfolder:

SET option_value = 'http://www.newdomain.com/subdomain'

That should be it. Either method will work. But don’t forget, at Winhost we can migrate your WordPress website for you. We’ll create and restore the MySQL database, update your connection string and make sure the absolute path is set up correctly. Simply contact our Support Department for more details on what we will need to migrate your site for you.



Locked out of your NopCommerce admin account?

I’ve seen this before: a small or medium sized business pays a developer to build a NopCommerce website to run their online store. They pay several hundred – or even thousands – of dollars to get it up and running. Customized design and themes are added to give NopCommerce a custom look unique to the company. Everything goes well, the site is launched and the customer is happy. The developer has done their job and now they’ve moved on to their next project.

Then some months later the unthinkable happens, and the previously happy customer forgets the username or password to the NopCommerce admin account. They try to run through the NopCommerce password recovery process but it’s not working. They either don’t remember, or no longer have access to, the email address for the account. Regardless, the bottom line is that they do not know the credentials to their NopCommerce admin account and the password recovery process is simply not working.

Luckily, if this ever happens to you there’s a work-around. You’ll need access to the SQL database that NopCommerce is using for the back end data source. You’re going to go directly to the database and change the password in the table that stores the admin account password.

But first you’ll need to create a new registered user in NopCommerce so that you will have a password that you can use to replace the admin account password. Log in to your NopCommerce site and click the “Register” link to set up a new user. You’re going to use the email address and password for this new user in the next steps.

Once the new user is created, log in to the NopCommerce database and search for the new user you just registered by running this SQL command against your database:

USE [Database Name]
GO
SELECT ID, Username, Password, PasswordSalt FROM dbo.Customer WHERE Username='user@domain.com'

Replace user@domain.com with the actual email address of the new user just registered. From the results of that command, copy the “Password” and “PasswordSalt” values.

Then run this update command:

USE [Database Name]
GO
UPDATE dbo.Customer
SET Password='<password copied from previous query>', PasswordSalt='<password salt copied from previous query>' WHERE ID='1';

The WHERE clause specifies the admin account, which will have ID value of ‘1’ since it is the first account created when setting up NopCommerce. Now you should be able to log in to the NopCommerce Admin account with the new password.
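
The same reset written as a single T-SQL batch, as an added example that is not part of the original post or of NopCommerce itself: it copies the hash and salt in one statement inside a transaction and refuses to run unless exactly one temporary user matches. The database name and e-mail address are placeholders; the table, columns and admin ID of 1 are the ones given above.

```sql
-- Added example. Placeholders: database name, @TempUser e-mail.
-- Table, columns and admin ID = 1 are taken from the post above.
USE [Database Name];
GO

SET XACT_ABORT ON;  -- a runtime error rolls the transaction back

DECLARE @TempUser nvarchar(1000) = N'user@domain.com';
DECLARE @AdminId  int = 1;

-- Pre-checks: exactly one temporary user and an existing admin row.
IF (SELECT COUNT(*) FROM dbo.Customer WHERE Username = @TempUser) <> 1
   OR NOT EXISTS (SELECT 1 FROM dbo.Customer WHERE ID = @AdminId)
BEGIN
    RAISERROR('Temporary user or admin row not found uniquely; nothing changed.', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

-- Record the admin row as it was before the change.
SELECT ID, Username, Password, PasswordSalt
FROM dbo.Customer
WHERE ID = @AdminId;

-- Copy hash and salt together: a hash only verifies with its own salt.
UPDATE adm
SET adm.Password     = tmp.Password,
    adm.PasswordSalt = tmp.PasswordSalt
FROM dbo.Customer AS adm
JOIN dbo.Customer AS tmp ON tmp.Username = @TempUser
WHERE adm.ID = @AdminId;

-- Check immediately: @@ROWCOUNT is reset by the next statement.
IF @@ROWCOUNT = 1
BEGIN
    COMMIT TRANSACTION;
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Unexpected row count; change rolled back.', 16, 1);
END;
```

Once logged in, set a new admin password from the admin area and delete the temporary user, because until then both accounts accept the same password.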