Site hosting news, tutorials, tips, How Tos and more

Archive for the ‘Announcements’ category


Fall Updates

announcements

Here’s our newest round of updates for our App Installer tool in the Winhost Control Panel:



Joomla security threat

announcements

One should never underestimate the importance of upkeep and routine maintenance, especially when it comes to web sites and applications. When we neglect our web applications or fail to practice due diligence, hackers can find holes, weaknesses, and exploits in our so-called “secure” sites.

That holds even more true when it comes to “canned” applications such as Joomla. We have learned that Joomla versions 2.5 and 3.1.x have a security hole that can allow anyone to upload malicious files through your application.

The malicious files can perform cross-site scripting (injecting a string of code into your web pages, which can redirect users to a phishing site), or distribute malware or Trojan files that can affect your visitors’ computers.

The security hole in Joomla is in its Media Manager, which offers you a tool to upload files to the website. This is a necessary function in a CMS such as Joomla. Joomla comes with its own filtering mechanism that prevents anyone from uploading files with specific extensions that can be malicious in nature. Files with extensions such as .exe or .php should not be uploaded as they can infect your web application.

However, the bug is that a trailing dot on a file name can circumvent the filtering mechanism. Normally Joomla will prevent the upload of files with a .php extension, such as document.php. But add a period at the end, as in document.php., and the file no longer matches the .php criteria.

Nasty bug to say the least. What is more frightening is that you do not have to be a registered user or have administrative privileges to the application to exploit the bug. If the Media Manager is set to be available to the public, anyone can inject your site with a malicious file.

The simplest way to solve this problem is to go to Joomla’s website, download the most recent version, and upgrade. This should include the latest patch for this security threat.

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626

http://www.joomla.org/announcements/release-news/5505-joomla-3-1-5-stable-released.html

If an upgrade is not an option for you, you can manually add the code that will prevent users from uploading files with a trailing dot to your application.

Navigate to /Libraries/Joomla/Filesystem and open file.php. Scour the code to find where the makeSafe function starts. Add the line:

// Remove any trailing dots, as those aren't ever valid file names.
$file = rtrim($file, '.');

If this line already exists then your Joomla application is immune to this specific security hole.
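The filter bypass and the rtrim fix described above, as an added PHP illustration (not Joomla's code; the function names and the two-entry denylist are assumptions made for the example):

```php
<?php
// Added illustration. BLOCKED_EXTENSIONS and all function names are
// hypothetical; this is not Joomla's Media Manager code.

const BLOCKED_EXTENSIONS = ['php', 'exe'];

// Extension as a simple filter sees it: everything after the last dot.
function extension_of(string $name): string
{
    $pos = strrpos($name, '.');
    return $pos === false ? '' : strtolower((string) substr($name, $pos + 1));
}

// Weak check: tests the file name exactly as submitted.
// "document.php." has an empty extension, so it is not on the denylist.
function weak_is_allowed(string $name): bool
{
    return !in_array(extension_of($name), BLOCKED_EXTENSIONS, true);
}

// Hardened check: normalise the name first (the rtrim line from the fix),
// then test the extension of the normalised name.
function hardened_is_allowed(string $name): bool
{
    $name = rtrim($name, '.');
    return !in_array(extension_of($name), BLOCKED_EXTENSIONS, true);
}

// Constructed sample names, not taken from any real upload log.
$samples = ['photo.jpg', 'document.php', 'document.php.', 'document.PHP...'];

foreach ($samples as $name) {
    printf(
        "%-18s weak=%-6s hardened=%s\n",
        "'$name'",
        weak_is_allowed($name) ? 'allow' : 'block',
        hardened_is_allowed($name) ? 'allow' : 'block'
    );
}
```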

That doesn’t mean that you should not routinely follow up on the most recent news concerning your web applications. To really secure your site it is important to stay informed of the most recent patches for your web application.

Here are links you may want to check to stay up-to-date with Joomla’s security fixes. Keep in mind that some security patches may not apply to you depending on the version you are running.

http://www.cvedetails.com/vulnerability-list/vendor_id-3496/product_id-6129/hasexp-1/Joomla-Joomla.html

http://docs.joomla.org/Vulnerable_Extensions_List

Let me lastly say that we here at Winhost take this threat seriously. As of today, we have updated our App Installer to the most recent Joomla version (3.1.5) with the security patch installed. If you installed your Joomla application with this newest release, you are protected from this specific threat. However, if you have installed an older version from us, you may want to check file.php within Joomla and make sure the appropriate line is added.



New Application Installer Updates

announcements

Winhost is pleased to announce that the applications offered through our App Installer tool have been updated.  Here’s a list of the changes:

Some of the newer versions require the ASP.NET 4.5 Framework in order to run. If you have a hosting account that is on the Windows 2008/IIS7 platform and want to install one of these applications, please open a support ticket to have your account migrated to Windows 2012/IIS8.



New domain pricing

announcements

We are always looking for ways to offer more value in your Winhost account, and we think that we deliver the highest quality hosting in our price class. But (you knew there was a “but,” didn’t you!) unfortunately there are some costs that we cannot control, and domain registration and renewal is one of them.

We are subject to ever-increasing domain registration and renewal prices, and while we have absorbed those increases up to now, we find ourselves at a point where we are charging you less for domain registration or renewal than we are paying for those services.

So in order to continue providing the service, we have to raise domain name registration and renewal prices. On August 30th the price will go from $10 to $12.95. We sent you an email notification of the increase and changes to our terms of service that are now required for domain name resellers.

So why are we mentioning it again here in the blog? Because we wanted to let you know that there is a way to save some money on your upcoming renewals. We have updated the Control Panel so we can now offer multi-year renewals – up to a maximum of 10 years. So if you love your domain name (and who doesn’t?) and want to secure it for a long time to come, you can do it now at the current domain renewal price of $10.

In the past you could only renew for a year at a time, but in anticipation of the price increase, we wanted to offer you a way to renew for a longer period at the current price.  Remember, on August 30th that price increases, so if you want to lock in the lower price, you have to make your move in the next six weeks.

We know you have a seemingly infinite number of choices for domain renewal (and web site hosting), and we really appreciate that you have chosen Winhost. We work hard every day to earn your loyalty. Thanks!



WordPress exploit

announcements

Thousands of WordPress sites are being compromised, causing havoc for their site owners and their hosting providers. The method the hackers are using is an old one known as a Brute Force Attack. This method simply employs the process of submitting passwords until you finally happen across the right one.

The effects on the site can vary, but they will include a slower WordPress site and high bandwidth consumption. This means you may pay more for the additional bandwidth you consume even if it was caused by your WordPress site being hacked.

To counter this you need to take two basic steps.

  1. If you are using the default administrative login “Admin” for your WordPress site, change it to something other than Admin.
  2. Update the password to be more sophisticated and complex. A minimum length of eight characters is recommended. Vary the password with letters (upper and lower case), numbers, and special characters such as “#”, “!”, “%”, and “&”. This will strengthen your password, making it impossible to “guess” using a brute force attack.

If you want to read up on picking a good strong password, I suggest this Microsoft article that explains how to decide what a strong password entails.

An optional feature worth considering is enabling WordPress 2 Step Authentication for your WordPress site. It adds a layer of security on top of your login and password credentials: a randomly generated verification code from the Google Authenticator app. You can get more details on how to enable this for your WordPress site at this link: http://en.blog.wordpress.com/2013/04/05/two-step-authentication/

If you want to read up more on these recent attacks to WordPress web sites, try looking at these links.

http://www.bbc.co.uk/news/technology-22152296

http://ma.tt/2013/04/passwords-and-brute-force/

http://www.latinospost.com/articles/16654/20130415/wordpress-site-hacked-2013-massive-botnet-targets-admin-username-more.htm

http://blog.discountasp.net/wordpress-under-attack/



Mobilize Your Site With goMobi

announcements


If you’ve looked at your web site statistics lately you may have noticed a pretty dramatic increase in visitors on mobile devices. With 45% of American adults owning smartphones, the increase shouldn’t be a surprise.

Maybe you have been thinking that it’s time for you to provide a mobile version of your site. If so, you’re absolutely right. But if you’re like me, you don’t relish the idea of writing the responsive code for a mobile version of your site — or worse yet, a mobile version of several sites.

Well, as it happens, we have just started to offer something that may make your life a lot easier: goMobi.

goMobi is a mobile web site builder that provides a way to create a mobile version of your site with a ton of great, essential mobile features, all with a few mouse clicks.

Okay, there are more than a few clicks involved, but it’s ridiculously easy to use.

Your mobile site is hosted on goMobi’s servers, so there’s nothing to upload or configure. All you do is drop a few lines of automatically generated code into your main web site that detects mobile visitors and redirects them to the mobile version of your site.

It’s pretty cool, and we’ve partnered with goMobi to make it extra-affordable. Check out the goMobi page on our site, or order in your Winhost Control Panel right now.

Added bonus: you can buy goMobi service for a site that we host or à la carte, for use on a site hosted anywhere.



Secure Your Site And Save Money At The Same Time

announcements


We have partnered with SiteLock to help protect your web site from hackers and other attackers. SiteLock delivers a comprehensive web site security service that scans your site to detect vulnerabilities, malware, SQL injections, search engine blacklisting, cross-site scripting vulnerabilities, and more.

The Basic plan provides a daily malware scan and allows you to display the SiteLock “seal” on your site, but for really impressive protection, check out the Premium and Enterprise plans.

They provide everything the Basic plan does, but in addition, they do daily FTP scanning, automatic malware removal and file change monitoring! If you have been searching for easy-to-implement site protection, it’s here.

If you’ve looked at SiteLock before and thought it was interesting but perhaps a bit too pricey, we’ve got you covered there. The deal we’ve made allows our SiteLock pricing to be extremely low — starting at only $19.95 for a full year of Basic coverage! $79 less than buying directly from SiteLock.

We can offer equally great deals on the Premium and Enterprise plans, saving you up to $299. What are you waiting for? Log in to Control Panel to sign up for SiteLock today.



March App Installer Update

announcements

Here is a list of updated applications for the Winhost Control Panel App Installer: