Site hosting news, tutorials, tips, How Tos and more

Ready or Not, It’s Time to Consider HTTPS

It used to be that unless your site accepted payments for products or services, you didn’t really need to concern yourself with an SSL certificate, which allows you to encrypt and secure your site traffic using the https protocol. Those days are quickly coming to an end as web security becomes a larger issue, and giants like Google are making an aggressive push to encrypt all web traffic.

Maybe you have even already received a warning email from Google: “Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as ‘Not Secure’ unless the pages are served over HTTPS.” But what does that mean?

Right now (December, 2016) Chrome shows an “information” icon on all non-https pages (Firefox also uses a similar icon):

Which seems pretty benign, unless you click that icon and get the insecure site warning:

Starting in January of 2017 Chrome is going to take that a step further and add a text warning:

Then “eventually” – which, knowing Google, could be any time  – they are going to throw the red flag at non-https pages:

At the moment those warnings only apply to http pages containing password or credit card input fields, but Google definitely plans to extend the Chrome warnings to all http pages, regardless of whether they accept user credit card or authentication input.

Why is https important?

Using https encrypts connections to prevent anyone from tapping in to the communication between your website and your visitor’s browsers. It also prevents the bad guys from exploiting your site by injecting malicious code or unwanted advertising into your user’s browser.

The https connection lets your visitors know that they’re securely connected to your site. That what they’re seeing is legitimate information. It also prevents anyone from accumulating of a lot of user data or behavior related to your site traffic. Aggregate data like that can be used for a number of malicious purposes, so blocking access to it is a good thing.

How does it benefit me?

Right about now you may be thinking, “Okay, I get it, but I’m not really concerned about someone listening in to my site traffic.” That’s understandable. Most sites run a pretty low risk of being targeted in that way. But you probably don’t want to see every page of your site displaying a red “Not secure” warning in Chrome (and eventually in other browsers as well).

That’s reason enough to take steps now to make every page of your site available via https (and redirect http requests to https). You might even consider it a priority, since the Chrome browser currently has a 56% market share, and that percentage is increasing.

But aside from avoiding the warning label, there can be other benefits to using https. In their own words:

“Google uses HTTPS as a positive ranking signal. This signal is one amongst many others, and currently carries less weight than high-quality site content; you should not expect a major SEO advantage for moving to HTTPS in the short term. In the longer term, Google may increase the strength of the HTTPS boost.”

Google is making it pretty clear that in the future they are going to give an edge in search result rankings to sites that use https. And who doesn’t want an edge where that’s concerned?

How to make the move to https

The good news is it isn’t exactly a “move.” Your site stays on the same server, you just add an SSL certificate to your account and make the necessary changes to redirect http traffic to https. This article is already pretty long, so we won’t do a tutorial here, but other than redirecting to https, there are a few other things you’ll want to watch out for:

If you use Google Webmaster Tools, after you’ve made the switch, add the https version of your URL as a new property, set the “preferred version” of that property to https and (re)submit your sitemap. Here’s a Google-centric FAQ on transitioning to https that you may also want to take a look at.

Finally, you may have heard that you can get a free SSL certificate from Let’s Encrypt. That’s true, and you can use those certs here at Winhost. But the Let’s Encrypt certificates come with some drawbacks. Make sure you’re aware of what’s involved in using such a cert before you commit to one.

We’ll have more information on this subject in the coming months. We expect that there will be a lot of questions when Google makes the changes to Chrome, and we’ll do our best to address those questions here and in our Knowledge Base.

Update: January 4th, 2017

The changes have already begun in the latest version of Chrome (55.x). They aren’t flagging insecure sites yet, but they are spelling out “Secure” now:



Recap of New Hosting Services For 2016

This is the season when everyone is doing their annual recaps, so I figured we should do one too.  We had a busy year on a lot of fronts, and here are just a few of the new features and services that we introduced in 2016.

ASP.NET Core (ASP.NET 5)
After a long wait and a naming convention change, Microsoft finally released their highly anticipated ASP.NET Core (formerly known as ASP.NET 5), and you didn’t have to wait for us to support it. We support ASP.NET Core on all our hosting plans that run on Windows 2012.

Microsoft SQL 2016
In 2016, Microsoft released their next SQL version and, of course, we made it available for you to use.

SpamExperts Email Spam Filter
You told us that you were frustrated with increasing spam, so we partnered with SpamExperts to bring you a cost-effective premium spam filter solution.

PHP 7
This year we introduced support for PHP 7. Even though we are a Microsoft-based host, we are keeping up with PHP too, so you can stay on the cutting edge of all aspects of web development.

New Top Level Domains
There are tons of new domain extensions available now, so we revamped our old domain registration system and introduced a handful of new domain extensions. We’ll be introducing even more in the future, and in the meantime we’re open to your feedback regarding other domain extensions you would like to see us offer.

Free Website Migration Services
We understand that moving a website can be a painful process and the prospects of moving can keep you stuck with a less than desirable host for longer than you’d like. We are making it easier to move your site to Winhost by offering free website migration services. Make it your new year’s resolution to finally rid yourself of your tired old host!

Have a great holiday season and a happy new year.



Filezilla ENETUNREACH FTP Error with Kaspersky Anti-Virus

If you’re using the anti-virus application Kaspersky Endpoint Security 10 for Windows and Filezilla for FTP, you might have encountered an ENETUNREACH “Network unreachable” error when trying to upload your files to the server. Or, perhaps you updated Filezilla to version 3.11.0 (or above) and it stopped working, giving you the same ENETUNREACH error.

This is a known issue between Filezilla and Kaspersky. It happens because of the new way Filezilla binds IP addresses to prevent data connection stealing. You can read about the details in this forum post.

You can fix this issue by either reverting back to an earlier version of Filezilla (version 3.10) or by adding an exclusion to the Kaspersky firewall.

Follow these directions to add an exclusion for Filezilla:

  1. Open the Kaspersky application window (by clicking the Kaspersky icon in the notification area or through the Start menu)
  2. Click on the Settings tab
  3. On the left column, click the Anti-Virus protection category to expand it
  4. Click the Firewall item
  5. Click the Application Network rules… button to open the “Firewall” window
  6. Locate the “FILEZILLA PROJECT” folder (it should be under the “Trusted” folder) and click the plus (+) sign next to it to expand the folder
  7. Click on filezilla.exe
  8. On the lower split window, click the Additional… button to open the “Application control rules” window
  9. Click the Exclusions tab
  10. Check the box for “Do not inherit restrictions of the parent process (application)”
  11. Check the box for “Do not scan network traffic”
  12. Click OK on the “Application control rules” window
  13. Click OK on the “Firewall” window

You should be able to connect to the server with Filezilla now.

Of course, there are lots of other reasons why you may get an FTP error. If you do, we offer free (and excellent) technical support for our customers. You can always reach our Support team 24/7 at support@winhost.com or through our support portal at support.winhost.com.



New Rules for Domain Owner Information Updates Start Today

Starting today, December 1st, new ICANN rules are in effect that change the way some domain contact information changes are done. The change affects all generic top level domains, such as .com, .net, .org, .biz, .info, etc., (including all of the new domain extensions, like .blog, .photo, etc.). Country code domains (.uk, .TV, .co, etc.) are not affected.

When you change the first name, last name, email address or organization for the registrant (i.e., the domain name owner) you have to acknowledge the change in two separate emails. This applies to changes made to the registrant’s contact information. Changes to the admin, billing and technical contacts are not affected.

Changes to the registrant’s name, organization or email information are now treated the same way a “registrant change” was treated in the past. But in the past the registrant change was assumed to be a change of ownership from one person to another, so emailing both parties was necessary.

Now those emails are triggered any time you update your name or email address, and two emails will go to the same person. You need to approve the change by clicking the link in both emails, or the change will fail.

To avoid problems or delays

If you want to learn more about the new policy, check out this Knowledge Base article.



How to create an FTP user that can only access a specific folder

banner-fotw

Sometimes you want to give someone FTP access to your site, but you don’t want them to have access to all of the site files. So we’re going to go through the steps to set up an FTP user that only has access to a directory that you specify.

no1The first thing we’re going to do is go to the Site Tools section of Control Panel and click on the “FTP Users” icon or link:

fotwftp-1

no2Click the “Add” button:

fotwftp-2

no3Enter a username (it will be appended to the primary FTP username, that format can’t be changed) and a password. Enter the directory name or click the “Browse” link to choose from directories on the server:

Note that entering the name of a directory that does not exist does not create that directory on the server. You must enter the name of an existing directory.

fotwftp-3

no4If you clicked the “Browse” link, select the directory (it will turn bold and the path will be automatically entered in the text field below) and click the “Select” button:

fotwftp-4

no5Make sure you leave the “Permissions” field set to “Read & Write,” since this user will be uploading files (the other option is “Read Only”). Click the “Create” button:

fotwftp-5

no6When the user is added you will see it listed in the FTP Users section. Here you have the option to update the user’s password, or delete the user. The username cannot be edited once the user is created.

fotwftp-6

no7The new user will log in to the same hostname as your existing user(s), but of course the username and password will be those that you just created.

fotwftp-7



Installing Jetpack for WordPress on Winhost

banner-fotw

Jetpack is one of the most popular plugins available for WordPress (with over 29 million downloads!), created by Automattic – the same people who made the WordPress app itself. It’s a Swiss Army knife for you site with over a dozen different functions all rolled into one plugin.

It includes essential tools like a website stats, subscriptions, social network sharing and a contact form. It will also hookup with WordPress.com to perform related posts and website uptime monitoring. And it’s free!

jetpack-logo

If you try to implement Jetpack on Winhost, it won’t work out of the box. By default, we filter requests to the xmlrpc.php file. WordPress.com will try to ping that file during the activation process and it will fail.

One of the reasons we block requests to the xmlrpc.php file is because of an exploit hackers can use to get your WordPress username and password. You can read about the exploit in this excellent Sucuri article.

If you don’t want to bother reading the article, in short, hackers can try thousands of username/password combinations with one request and try to brute force their way into your WordPress site.

But don’t worry, you can still get Jetpack to work by simply overriding our default request filtering. You just have to add this setting in your web.config file:

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <denyUrlSequences>
               <clear />
            </denyUrlSequences>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

If you just have a WordPress site on our service, or if you used our App Installer to install WordPress, you might not have a web.config file on your site, so you’ll have to create one. Just follow these instructions:

  1. Open the Notepad application (or similar application) on your computer
  2. Paste the following into Notepad:
    <?xml version=”1.0″ encoding=”UTF-8″?>
    <configuration>
    <system.webServer>
    <security>
    <requestFiltering>
    <denyUrlSequences>
    <clear />
    </denyUrlSequences>
    </requestFiltering>
    </security>
    </system.webServer>
    </configuration>
  3. Save the file as web.config (not as a .txt file). If using Notepad, click File and Save As. In “Save as type”, select All Files (*.*). In “File name”, enter: web.config
  4. Click Save
  5. Upload the web.config file to your root folder through FTP

You should now be able to activate the Jetpack plugin. But before you go, there’s the pesky security issue! Your xmlrpc.php file is now susceptible to that security exploit, which may allow hackers to get your username and password. Let’s fix that!

SiteLock

The best way to prevent the xmlrpc.php brute force exploit is to get SiteLock with TrueShield CDN. You will need both SiteLock and TrueShield. TrueShield will block those suspicious requests trying to get your username and password, and protect your site from all sorts of other bad stuff not covered in this article. (If hackers were limited to just one exploit, our jobs would be so much easier!) We highly recommend getting SiteLock and TrueShield. It will block malicious bots, comment spammers, and likely make your site faster, too!

Another solution would be to use Jetpack’s own Protect function. You have Jetpack installed, now use it! Just activate the Protect feature in Jetpack in the Admin panel. The Jetpack team confirmed that it works.

Finally, though perhaps foremost: always use a strong password for your site! Please don’t use qwerty123 or pa$$w0rd.

Actually, do all three – get SiteLock with TrueShield, activated Jetpack Protect, and keep those passwords strong!



Don’t forget to vote

As if you could. 🙂

votedIt’s been what you might call a contentious election cycle here in the united states, but if there’s a positive spin to be put on the whole thing, it’s that we’ll likely see a large turnout at the polls. Maybe even record-breaking.

If group dynamics have taught us anything, it’s that a large enough group of people will usually make the right decision. Whatever “right” happens to be for the group at any given moment in time.

Whoever you’re voting for, it’s always an honor and a privilege to participate in a peaceful transfer of power. It isn’t something that everyone in the world gets to enjoy, so be sure to take advantage of it.

Even if a two party system leaves a little something to be desired…

 



Setting up the SpamExperts Email Filtering Service

banner-fotw

The SmarterMail system that is set up for your email by default has an array of spam fighting tools available, but admittedly, the settings can be a bit complicated to work with.

Many of you asked us to make a more user-friendly anti-spam option available, but to keep the cost low. So we partnered with SpamExperts to provide high level spam filtering services that are easy to manage and really affordable.

The SpamExperts service receives email addressed to your domain, filters it, then sends it along to the mail servers here at Winhost. The service is distributed across multiple servers all over the world, so it’s fast and reliable.

We’re going to cover the steps necessary to activate SpamExperts for your domain, which, for our purposes here, we’ll assume is hosted at Winhost (though you can set up SpamExperts service for domains hosted elsewhere too).

no1The first thing we’re going to do is go to the SpamExperts section of Control Panel and click the “Order New Spam Experts” button.

fotw-spam-experts-1

no2Next choose a domain from the dropdown menu (you can also enter a domain hosted elsewhere), choose a billing period and hit the “Continue” button.

fotw-spam-experts-2

no3The next page shows the current email server(s) for the domain you selected. Make note of any entries in the box. If you ever cancel the Spam Experts service in the future, you will have to update your DNS MX records to point back to these server(s).

Click the “continue” button.

fotw-spam-experts-3

no4If everything looks good on the billing page, hit the “Submit My Order” button.

fotw-spam-experts-4

no5Reload the SpamExperts page and click the “Manage” link.

fotw-spam-experts-5

no6In order for Spam Experts to begin filtering your email, the DNS MX records for your domain have to be updated. If your domain is hosted here, all you have to do to update your MX records is click the “Yes, update my DNS records” link.

If you are setting up SpamExperts for a domain that isn’t hosted at Winhost, this page gives you the MX settings for the domain. You’ll have to go to where the domain is managed to update the MX records.

fotw-spam-experts-6

That’s all there is to it. Your email is now set up to route through the SpamExperts system. Remember, the DNS change may take a few hours to propagate, so you may continue to see spam in your inbox until that happens.

We’ve found that the default SpamExperts settings will stop the vast majority of spam. But if you want to do further tweaking you can access the SpamExperts portal, which contains a number of very powerful tools. Use of the SpamExperts portal is beyond the scope of this article, but you can see the domain-level documentation here and the user-level documentation here.