Site hosting news, tutorials, tips, How Tos and more

Archive for the ‘Feature of the Week’ category


Getting Started with SiteBackup

SiteBackup is a set-it-and-forget-it backup service that will automatically backup your website and database. Backups are stored in a remote location and previous versions can be restored to the web server with just a click. Here are instructions on how to order and set up SiteBackup.

You can order SiteBackup through your Winhost Control Panel. We offer three plans, each with different storage amounts. You only need one SiteBackup plan to back up all of your sites, so just pick the plan with enough storage to cover your sites. Click the orange button to select the plan you want, then click the Submit My Order button on the next page.

It takes a few minutes for our system to provision the service. You can click the Back button or the SiteBackup tab, and if the service is ready, you’ll see this page, where you can add a site:

Click the Add Site button and on the next page you can select the sites you want to back up.

Select which site(s) you want to back up, click the Submit button, and our system will automatically pass along the required info. On the next page, you can click the SiteBackup Management Tool link to get to the SiteBackup Dashboard interface.

On the SiteBackup Dashboard, you can configure your backup schedule. By default, there will be a daily backup scheduled. You can keep that, change the backup time, change the backup frequency, and run an immediate backup.

You can also back up your databases (the example in that Knowledge Base article is an MS SQL database, but SiteBackup can also back up your MySQL databases).

The system will email you if a backup fails (like when you change the FTP password). So just keep an eye out for those emails. But other than that, it’s set and you can forget it.



Introducing fully managed WordPress hosting, security and hardening

If you use WordPress and are worried about being hacked or compromised, or you just don’t have time to keep up with the frequent updates and maintenance, we just launched a service made for you.

Our Managed WordPress Hosting service includes:

  • WordPress hardening for maximum security.
  • Monthly updates of WordPress core, Plugins and Themes.
  • One of our in-house WordPress security experts will personally examine your WordPress installation for malicious files and signs of compromise every month. If your WordPress installation is compromised or hacked, we’ll clean it up.
  • Configuration of automatic WordPress site and database backups.
  • WordPress-specific support and personalized assistance.

And if you need it:

  • Free website migration from your old host for a quick, smooth transition
  • WordPress installation, including database set up, Plugins and Themes

You can learn more about Managed WordPress Hosting and find a link to sign up here.

The Managed WordPress Hosting service includes the Winhost Max Plan, so if you are an existing Winhost customer and already have a hosting plan, contact us for pricing or open a helpdesk ticket and we’ll take it from there.

Every day we clean up compromised WordPress sites for our customers. For them it’s an inconvenience and an expense that they weren’t expecting and don’t welcome. But since WordPress is the most popular blog/CMS application in the world, it’s a natural target for hackers. If everything in your WordPress installation is not up to date, you are at risk.

And unfortunately, even if everything is up to date, you can still be vulnerable. That’s why Managed WordPress Hosting includes a WordPress hardening service, to increase security and reduce the chance that you will become a victim.

So if you love WordPress but could live without the constant maintenance and security tasks, let us do it for you!



Using the Secondary Web and FTP URLs

When you open an account at Winhost we set up your website space immediately so you can start uploading files right away. But if you have an existing site hosted elsewhere, you will most likely want to get everything set up here and test the site before you actually point the DNS to Winhost. The Secondary URLs make that possible.

Your permanent FTP URL is ftp.HostingAccountDomain.com (where HostingAccountDomain.com is your domain name). But of course that URL won’t connect to the server here until your domain points to our servers, so we set up the Secondary URLs, both for FTP and web access.

The Secondary URLs can be found in the Site Info section of Control Panel:

So the Secondary FTP URL (ftp.w12.wh-2.com in the example here, yours may be different) is what you use in the “host” field of your FTP software to make the connection.

Then when you want to view your uploaded files, you would visit the Secondary Web URL, in this example, http://winhostc.w12.wh-2.com.

Another use for the Secondary Web URL

After your domain’s DNS is pointed to Winhost and your site is up and running, you can use the Secondary Web URL for troubleshooting purposes.

For example, if it seems that your site is unavailable, try entering the Secondary Web URL into your browser. If the site comes up, there’s a good chance that domain registration or DNS issues are the culprit.

When a site is unavailable, domain related-issues aren’t usually the first thing we think of as being the source of the problem, but even the most diligent among us can let a domain registration lapse, or make a mistake in DNS settings that takes our domain off line.

When NOT to use the Secondary URLs

Once your domain has been updated to point to our servers, remember to update your FTP software to use ftp.HostingAccountDomain.com (your domain name) as the host. And you should never use the Secondary Web URL as a link to your site from another site or social media platform, or hard code it anywhere in your site.

We make this recommendation because while it’s unlikely that the Secondary URLs will change, it is possible. They have changed for various reasons in the past. So once your domain points to our servers, only use the Secondary URL for troubleshooting purposes. Never as a link to your site.



myLittleAdmin on Winhost

myLittleAdmin is a tool that allows you to manage your SQL database through a web browser. Here at Winhost, we support SQL Server Management Studio (SSMS), which is the preferred method for managing your database (you can find out how to do that in this KB article.)

But sometimes you can’t use SSMS – maybe you’re sitting behind your corporate proxy restrictions, or you’re using a computer without SSMS installed. That’s where myLittleAdmin steps in. It’s a web-based SQL management tool that provides a friendly interface for you to edit tables, work on stored procedures, run queries and much more.

We have a license agreement for myLittleAdmin, so you can use it on our system without having to obtain your own ($590!) license. There’s nothing to install. Just go to https://sqladmin.winhost.com

Log in to your database, and get your SQL on!



How to create an FTP user that can only access a specific folder

banner-fotw

Sometimes you want to give someone FTP access to your site, but you don’t want them to have access to all of the site files. So we’re going to go through the steps to set up an FTP user that only has access to a directory that you specify.

no1The first thing we’re going to do is go to the Site Tools section of Control Panel and click on the “FTP Users” icon or link:

fotwftp-1

no2Click the “Add” button:

fotwftp-2

no3Enter a username (it will be appended to the primary FTP username, that format can’t be changed) and a password. Enter the directory name or click the “Browse” link to choose from directories on the server:

Note that entering the name of a directory that does not exist does not create that directory on the server. You must enter the name of an existing directory.

fotwftp-3

no4If you clicked the “Browse” link, select the directory (it will turn bold and the path will be automatically entered in the text field below) and click the “Select” button:

fotwftp-4

no5Make sure you leave the “Permissions” field set to “Read & Write,” since this user will be uploading files (the other option is “Read Only”). Click the “Create” button:

fotwftp-5

no6When the user is added you will see it listed in the FTP Users section. Here you have the option to update the user’s password, or delete the user. The username cannot be edited once the user is created.

fotwftp-6

no7The new user will log in to the same hostname as your existing user(s), but of course the username and password will be those that you just created.

fotwftp-7



Installing Jetpack for WordPress on Winhost

banner-fotw

Jetpack is one of the most popular plugins available for WordPress (with over 29 million downloads!), created by Automattic – the same people who made the WordPress app itself. It’s a Swiss Army knife for you site with over a dozen different functions all rolled into one plugin.

It includes essential tools like a website stats, subscriptions, social network sharing and a contact form. It will also hookup with WordPress.com to perform related posts and website uptime monitoring. And it’s free!

jetpack-logo

If you try to implement Jetpack on Winhost, it won’t work out of the box. By default, we filter requests to the xmlrpc.php file. WordPress.com will try to ping that file during the activation process and it will fail.

One of the reasons we block requests to the xmlrpc.php file is because of an exploit hackers can use to get your WordPress username and password. You can read about the exploit in this excellent Sucuri article.

If you don’t want to bother reading the article, in short, hackers can try thousands of username/password combinations with one request and try to brute force their way into your WordPress site.

But don’t worry, you can still get Jetpack to work by simply overriding our default request filtering. You just have to add this setting in your web.config file:

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <denyUrlSequences>
               <clear />
            </denyUrlSequences>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

If you just have a WordPress site on our service, or if you used our App Installer to install WordPress, you might not have a web.config file on your site, so you’ll have to create one. Just follow these instructions:

  1. Open the Notepad application (or similar application) on your computer
  2. Paste the following into Notepad:
    <?xml version=”1.0″ encoding=”UTF-8″?>
    <configuration>
    <system.webServer>
    <security>
    <requestFiltering>
    <denyUrlSequences>
    <clear />
    </denyUrlSequences>
    </requestFiltering>
    </security>
    </system.webServer>
    </configuration>
  3. Save the file as web.config (not as a .txt file). If using Notepad, click File and Save As. In “Save as type”, select All Files (*.*). In “File name”, enter: web.config
  4. Click Save
  5. Upload the web.config file to your root folder through FTP

You should now be able to activate the Jetpack plugin. But before you go, there’s the pesky security issue! Your xmlrpc.php file is now susceptible to that security exploit, which may allow hackers to get your username and password. Let’s fix that!

SiteLock

The best way to prevent the xmlrpc.php brute force exploit is to get SiteLock with TrueShield CDN. You will need both SiteLock and TrueShield. TrueShield will block those suspicious requests trying to get your username and password, and protect your site from all sorts of other bad stuff not covered in this article. (If hackers were limited to just one exploit, our jobs would be so much easier!) We highly recommend getting SiteLock and TrueShield. It will block malicious bots, comment spammers, and likely make your site faster, too!

Another solution would be to use Jetpack’s own Protect function. You have Jetpack installed, now use it! Just activate the Protect feature in Jetpack in the Admin panel. The Jetpack team confirmed that it works.

Finally, though perhaps foremost: always use a strong password for your site! Please don’t use qwerty123 or pa$$w0rd.

Actually, do all three – get SiteLock with TrueShield, activated Jetpack Protect, and keep those passwords strong!



Setting up the SpamExperts Email Filtering Service

banner-fotw

The SmarterMail system that is set up for your email by default has an array of spam fighting tools available, but admittedly, the settings can be a bit complicated to work with.

Many of you asked us to make a more user-friendly anti-spam option available, but to keep the cost low. So we partnered with SpamExperts to provide high level spam filtering services that are easy to manage and really affordable.

The SpamExperts service receives email addressed to your domain, filters it, then sends it along to the mail servers here at Winhost. The service is distributed across multiple servers all over the world, so it’s fast and reliable.

We’re going to cover the steps necessary to activate SpamExperts for your domain, which, for our purposes here, we’ll assume is hosted at Winhost (though you can set up SpamExperts service for domains hosted elsewhere too).

no1The first thing we’re going to do is go to the SpamExperts section of Control Panel and click the “Order New Spam Experts” button.

fotw-spam-experts-1

no2Next choose a domain from the dropdown menu (you can also enter a domain hosted elsewhere), choose a billing period and hit the “Continue” button.

fotw-spam-experts-2

no3The next page shows the current email server(s) for the domain you selected. Make note of any entries in the box. If you ever cancel the Spam Experts service in the future, you will have to update your DNS MX records to point back to these server(s).

Click the “continue” button.

fotw-spam-experts-3

no4If everything looks good on the billing page, hit the “Submit My Order” button.

fotw-spam-experts-4

no5Reload the SpamExperts page and click the “Manage” link.

fotw-spam-experts-5

no6In order for Spam Experts to begin filtering your email, the DNS MX records for your domain have to be updated. If your domain is hosted here, all you have to do to update your MX records is click the “Yes, update my DNS records” link.

If you are setting up SpamExperts for a domain that isn’t hosted at Winhost, this page gives you the MX settings for the domain. You’ll have to go to where the domain is managed to update the MX records.

fotw-spam-experts-6

That’s all there is to it. Your email is now set up to route through the SpamExperts system. Remember, the DNS change may take a few hours to propagate, so you may continue to see spam in your inbox until that happens.

We’ve found that the default SpamExperts settings will stop the vast majority of spam. But if you want to do further tweaking you can access the SpamExperts portal, which contains a number of very powerful tools. Use of the SpamExperts portal is beyond the scope of this article, but you can see the domain-level documentation here and the user-level documentation here.



How to order PCI scanning service

banner-fotw

Did you know you could order Payment Card Industry (PCI) scanning service from your Winhost Control Panel?

If you accept credit card payments – or plan to in the future – you will have to have regular PCI scans of your site and a review of your data handling procedures. The SiteLock PCI service can make that process much easier.

To use the SiteLock PCI scanning service, you have to first open a SiteLock Basic account. The PCI scanning will be a child service of the SiteLock Basic account. The SiteLock account comes with a bunch of great non-PCI features, so you can definitely benefit from both services.

To get started you can click on the PCI Scan tab in Control Panel:
fotwpci-1
Or go straight to the SiteLock page. Select the domain you wish to apply SiteLock to, then hit the “Continue” button:
fotwpci-2
Choose which SiteLock plan you want to use. Basic is the minimum that’s needed for the PCI service, but the other SiteLock plans have benefits you may want to take advantage of:
fotwpci-3
After selecting your plan, click the “Skip Adding TrueShield Plan” link on the next page:
fotwpci-4
(We’re skipping TrueShield in the interest of keeping this focused on the PCI scanning service, but TrueShield is also a very useful service, and you can read more about it here.)

The next page will display a summary of your SiteLock order. Click the “Submit My Order” button:
fotwpci-5
The next step is adding the PCI scanning service to your SiteLock account. Go back to the SiteLock tab and click the “Add” link in the PCI column:
fotwpci-6
The next page will display a summary of your PCI scanning service order. Click the “Submit My Order” button:
fotwpci-7
When PCI service is activated, you can access the SiteLock dashboard from the SiteLock tab in Control Panel:
fotwpci-8
SiteLock will also send you an email that includes their phone number, if you should need to call them during any part of the PCI verification/scanning process. This article covers the account set up only, the actual PCI scanning and verification process is a bit more complicated than we can get in to here. But you’ll find plenty of information on how to proceed in the SiteLock portal.

If you don’t accept credit card payments, the SiteLock service can still protect your site from hackers, vulnerabilities, spam, spyware and viruses. It can scan your site daily to detect threats, and also offers TrueShield service that can protect your website from malicious traffic while speeding it up with a Content Delivery Network (CDN)