Site hosting news, tutorials, tips, How Tos and more

Archive for the ‘Announcements’ category


Thanksgiving Updates

announcements

Give thanks for updated applications! Here are the App Installer updates for November:



Change is afoot


announcements

On November 11th, 2013 we are introducing some plan changes. Check your email for details. To summarize what’s happening:

Quota increases!

These increases will take place automatically on November 11th.


Changes to payment plans and prices

In order to make the plan changes, we are updating the pricing and payment options. You can find details in the plan change email.

While the quarterly and yearly payments will increase slightly, we have introduced a new two-year payment option that allows you to pay as little as $3.95 per month for the Basic plan, which is even less than the old price.

The two-year payment option applies to every Winhost plan, so no matter which plan you use, you can decrease your monthly price by up to 20% by choosing the new two-year payment option.

And you can make the switch right now in Control Panel, before the new quotas and pricing go into effect on November 11th.

As we mentioned in the email, the price increase was a difficult decision for us. We never want to increase prices, but we want to continue to make improvements to the hosting services, and this will allow us to do that.

We hope the two-year payment option – which actually lowers current prices – and the quota increase will help ease the transition for some of you.



Google Checkout retiring November 11


announcements

Google announced over a year ago that they would be closing Google Checkout, and now they have announced the date when the service will close permanently: November 11, 2013.

If you use Google Checkout on your site, they have a FAQ to help you transition to another system.



Fall Updates

announcements

Here’s our newest round of updates for our App Installer tool in the Winhost Control Panel:



Joomla security threat

announcements

One can never overestimate the importance of upkeep and routine maintenance, especially when it comes to web sites and applications. When we neglect our web applications or do not practice due diligence, hackers can find holes, weaknesses, and exploits in our so-called “secure” sites.

That holds even more true when it comes to “canned” applications such as Joomla. We have learned that Joomla versions 2.5 and 3.1.x have a security hole that can allow anyone to upload malicious files through your application.

The malicious files can perform cross-site scripting (injecting a string of code into your web pages, which can redirect users to a phishing site), or distribute malware or Trojan files that can affect your visitors’ computers.

The security hole in Joomla is in its Media Manager, which offers you a tool to upload files to the website. This is a necessary function in a CMS such as Joomla. Joomla comes with its own filtering mechanism that prevents anyone from uploading files with specific extensions that can be malicious in nature. Files with extensions such as .exe or .php should not be uploaded as they can infect your web application.

However, the bug is that a trailing dot on a file name can circumvent the filtering mechanism. Normally Joomla will prevent the upload of files with a .php extension, such as document.php. However, add a period at the end, as in document.php., and the file no longer matches the .php criteria.

Nasty bug to say the least. What is more frightening is that you do not have to be a registered user or have administrative privileges to the application to exploit the bug. If the Media Manager is set to be available to the public, anyone can inject your site with a malicious file.

The simplest way to solve this problem is to go to Joomla’s website, download the most recent version, and upgrade. This should include the latest patch for this security threat.

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626

http://www.joomla.org/announcements/release-news/5505-joomla-3-1-5-stable-released.html

If an upgrade is not an option for you, you can manually add the code that will prevent users from uploading files with a trailing dot to your application.

Navigate to /Libraries/Joomla/Filesystem and open file.php. Search the code to find where the makeSafe function starts. Add the lines:

// Remove any trailing dots, as those aren't ever valid file names.
$file = rtrim($file, '.');

If this line already exists then your Joomla application is immune to this specific security hole.
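To check whether a file has already slipped past the filter, the added example below (not Joomla's code and not part of the original post) audits file names the way a last-dot extension check sees them and again after the trailing dots are stripped, as the rtrim line does. The blocked-extension list, function names and sample listing are assumptions made for illustration.

```python
import os

# Extensions treated as dangerous for this audit (assumed list, not Joomla's own).
BLOCKED = {"php", "phtml", "exe"}

def naive_extension(name):
    """Extension as a last-dot filter sees it: 'document.php.' gives ''."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def normalized_extension(name):
    """Extension after removing trailing dots, mirroring rtrim($file, '.')."""
    return naive_extension(name.rstrip("."))

def audit_names(names):
    """Return (name, reason) for every name that should not have been accepted."""
    findings = []
    for name in names:
        if naive_extension(name) in BLOCKED:
            findings.append((name, "blocked extension"))
        elif normalized_extension(name) in BLOCKED:
            # The naive check saw an empty extension and let this one through.
            findings.append((name, "trailing-dot bypass"))
    return findings

def audit_tree(root):
    """Walk an upload directory and audit every file name under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name, reason in audit_names(files):
            hits.append((os.path.join(dirpath, name), reason))
    return hits

# Constructed sample listing of an upload folder.
SAMPLE = ["logo.png", "document.php.", "report.pdf",
          "upload.PHP..", "notes.txt.", "setup.exe"]

if __name__ == "__main__":
    for name, reason in audit_names(SAMPLE):
        print(f"{reason:20} {name}")
```

Point audit_tree at the folder your Media Manager uploads into; any hit deserves a closer look at when and how the file arrived.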

That doesn’t mean that you should not routinely follow up on the most recent news concerning your web applications. To really secure your site it is important to stay informed of the most recent patches for your web application.

Here are links you may want to check to stay up-to-date with Joomla’s security fixes. Keep in mind that some security patches may not apply to you depending on the version you are running.

http://www.cvedetails.com/vulnerability-list/vendor_id-3496/product_id-6129/hasexp-1/Joomla-Joomla.html

http://docs.joomla.org/Vulnerable_Extensions_List

Let me lastly say that we here at Winhost take this threat seriously. As of today, we have updated our App Installer to the most recent Joomla version (3.1.5) with the security patch installed. If you installed your Joomla application with this newest release, you are protected from this specific threat. However, if you have installed an older version from us, you may want to check file.php within Joomla and make sure the appropriate line is added.



New Application Installer Updates

announcements

Winhost is pleased to announce that the applications offered through our App Installer tool have been updated.  Here’s a list of the changes:

Some of the newer versions require the ASP.NET 4.5 Framework in order to run.  If you have a hosting account that is on the Windows 2008/IIS7 platform and want to install one of these applications, please open a support ticket to have your account migrated to Windows 2012/IIS8.



New domain pricing

announcements

We are always looking for ways to offer more value in your Winhost account, and we think that we deliver the highest quality hosting in our price class. But (you knew there was a “but,” didn’t you!) unfortunately there are some costs that we cannot control, and domain registration and renewal is one of them.

We are subject to ever-increasing domain registration and renewal prices, and while we have absorbed those increases up to now, we find ourselves at a point where we are charging you less for domain registration or renewal than we are paying for those services.

So in order to continue providing the service, we have to raise domain name registration and renewal prices. On August 30th the price will go from $10 to $12.95. We sent you an email notification of the increase and changes to our terms of service that are now required for domain name resellers.

So why are we mentioning it again here in the blog? Because we wanted to let you know that there is a way to save some money on your upcoming renewals. We have updated the Control Panel so we can now offer multi-year renewals – up to a maximum of 10 years. So if you love your domain name (and who doesn’t?) and want to secure it for a long time to come, you can do it now at the current domain renewal price of $10.

In the past you could only renew for a year at a time, but in anticipation of the price increase, we wanted to offer you a way to renew for a longer period at the current price.  Remember, on August 30th that price increases, so if you want to lock in the lower price, you have to make your move in the next six weeks.

We know you have a seemingly infinite number of choices for domain renewal (and web site hosting), and we really appreciate that you have chosen Winhost. We work hard every day to earn your loyalty. Thanks!



WordPress exploit

announcements

Thousands of WordPress sites are being compromised, causing havoc for site owners and their hosting providers. The method the hackers are using is an old one known as a Brute Force Attack. This method simply consists of submitting passwords until one finally happens to be the right one.

The effects on the site can vary, but they will include a slower WordPress site and high bandwidth consumption. This means you may pay more for the additional bandwidth you consume, even if it was caused by your WordPress site being hacked.
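A brute force run shows up in the web server log as a burst of POST requests to wp-login.php from the same client. The added example below (not part of the original post) counts those bursts per client IP; the simplified field layout, threshold, window and sample lines are assumptions constructed for illustration, so adjust the column positions to match your own log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak count} for clients that sent at least `threshold`
    POSTs to wp-login.php within any span of length `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 6:
            continue  # skip header/comment lines and malformed records
        date, time, ip, method, uri, _status = parts[:6]
        if method != "POST" or not uri.lower().endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample log: date time client-ip method uri-stem status.
# The addresses come from ranges reserved for documentation.
SAMPLE_LOG = (
    ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    + [f"2013-04-15 10:00:{s:02d} 203.0.113.7 POST /wp-login.php 200"
       for s in range(0, 12, 2)]          # six attempts in ten seconds
    + ["2013-04-15 10:00:05 198.51.100.20 POST /wp-login.php 200",
       "2013-04-15 10:03:40 198.51.100.20 POST /wp-login.php 302",
       "2013-04-15 10:04:00 198.51.100.21 GET /wp-login.php 200"]
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within one minute")
```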

To counter this you need to take two basic steps.

  1. If you are using the default administrative login “Admin” for your WordPress site, change it to something other than Admin.
  2. Update the password to be more sophisticated and complex. A minimum length of eight characters is recommended. Vary the password with letters (upper and lower case), numbers, and special characters such as “#”, “!”, “%”, and “&”. This will strengthen your password, making it impossible to “guess” using a brute force attack.

If you want to read up on picking a good strong password, I suggest this Microsoft article that explains how to decide what a strong password entails.

An optional feature worth considering is WordPress 2 Step Authentication. It adds security on top of your login and password credentials by requiring a randomly generated verification code from the Google Authenticator app. You can get more details on how to enable this for your WordPress site at this link: http://en.blog.wordpress.com/2013/04/05/two-step-authentication/

If you want to read more about these recent attacks on WordPress web sites, try looking at these links.

http://www.bbc.co.uk/news/technology-22152296

http://ma.tt/2013/04/passwords-and-brute-force/

http://www.latinospost.com/articles/16654/20130415/wordpress-site-hacked-2013-massive-botnet-targets-admin-username-more.htm

http://blog.discountasp.net/wordpress-under-attack/