Site hosting news, tutorials, tips, How Tos and more

Archive for the ‘How-to’ category


Configuring Elmah for use with ASP.NET Core

howto

Years ago, I wrote an article on how to configure Elmah to be used on Winhost.  You may have noticed that there is no official support for ASP.NET Core, however, you can use ElmahCore by barestan to perform the same logging to a database, and this blog provides an example on how to set that up.

First, we’ll start by creating a New Project in Visual Studio:

 

 

 

 

services.AddElmah<SqlErrorLog>(options =>
{
    options.ConnectionString = @"connection_string";
});
app.UseElmah();

That’s it.  If you want to know if it’s working, you can generate a sample exception like this:

app.Run(async (context) =>
{                
    await context.Response.WriteAsync("Hello World!");
    int[] numbers = new int[5];
    await context.Response.WriteAsync(numbers[6].ToString());
});

That will generate an “Index was outside the bounds of the array.” exception which will be logged into the database.  You can query the dbo.ELMAH_Error table to see the results.



How to Keep WordPress Safe and Secure

This little factoid should freak you out: More than 80,000 websites are hacked every day.

That’s almost one every second, or about 29 million every year. Those numbers translate to a lot of pain and inconvenience for a lot of people. Count yourself lucky if you’ve never been one of them.

There are a quarter of a billion domains with active websites. If 29 million sites are hacked every year, that means we’re living in a world where more than 1 in 10 websites are likely to be compromised. Every year.

How does this happen?

Security starts at home. It’s an old saying, but it applies to a lot of website compromises. We see a lot of hacks that aren’t actually website hacks at all, because the perpetrator is using valid FTP login credentials that were harvested by logging keystrokes or reading log files on a home computer or laptop that has been infected with a virus or malware.

But perhaps the most common way in to a website or server is through old, unpatched third-party software. And a large percentage of that old, unpatched third-party software is WordPress, or WordPress plugins.

Before I give you some tips on locking up your WordPress site, I’d be remiss if I didn’t mention that Winhost has a fully managed WordPress hosting, security and hardening service. The service includes WordPress hardening for maximum security, WordPress-specific support and personalized assistance, and maybe most importantly, monthly updates of WordPress core, Plugins and Themes. The monthly updates consist of one of our in-house WordPress security experts personally examining your WordPress installation for malicious files and signs of compromise. If we discover that your WordPress installation is compromised or hacked, we’ll clean up the mess.

Okay, that’s it for the sales pitch. But if you’ve ever had to clean up a WordPress compromise, I’m pretty sure that you’ll be able to see the value in that service.

Locking down WordPress

The first step in WordPress security doesn’t have anything to do with WordPress itself, but rather site backups. If you always have a current backup, it’s much easier to bounce back from a compromise. Simply identify your most recent “clean” backup, delete everything on your site and upload the clean backup.

We do periodic backups of our entire network for disaster recovery purposes, so if you are compromised you could just request a backup from us. The problem with that approach is we back up every day, and we only retain one copy of those backups. So if you don’t notice that your site has been compromised for a few days, our backup will likely be a copy of the compromised site. That’s not going to be of much help.

So we recommend a cloud backup service. There are a lot of them out there, or you can set one up from your Winhost Control Panel with a few clicks. Our SiteBackup service backs up your website files and databases on a schedule that you choose, retaining as many versions of the backup as you want to keep.

Okay, so that’s a good place to start, with a daily backup of your WordPress site and database. Next are a number of things that you should do to prevent a compromise of your WordPress site.

Update, update, update
How often do you log in to the admin section of your WordPress site? If it’s less than every week – or even every month – you need to start checking in more regularly and updating both the core WordPress files and all of your plugins. If you use a plugin and can’t remember ever updating it, check out the plugin’s page on WordPress.org and make sure it hasn’t been abandoned. If it seems like it has, uninstall it. Chances are there’s a well-maintained plugin out there that will do the same thing.

Kill the admin user
If you installed WordPress some time ago, it may have created a user named “admin” by default. Most brute-force WordPress hacks attempts are on the “admin” username, so you don’t want it to be there. To check, go to your Users page (/wp-admin/users.php) and see if admin is listed there. If it is, create another user or give another existing user the administrator role and delete the default admin user.

Don’t use the default WordPress MySQL table prefix
If the bad guys do manage to find a vulnerability within your site and one of their attempts is to query a table or insert into a table and you used the default table prefix, you could be in trouble. When you’re installing WordPress it’s best to change the table prefix from the default “wp_” to something different. One easy way to do that is to insert random characters after “wp_” – for example wp1od02l_ or wp5434fs_.

Change the WordPress login error
By default, WordPress gives hints about your login when a login fails. One of the steps in our hardening service is to change the login error to “You have entered the wrong Username or Password!” That way someone trying to compromise your site will never know if the username or password is incorrect, making it much more difficult to force or guess a login.

Remove the WordPress version information
It really helps the bad guys to know which WordPress version you’re using. Once they know the version, they can try known vulnerabilities giving them a better chance of getting into your site. They’ll also use Google to find WordPress blogs running a specific version of WordPress that’s easily hackable. You can use a plugin to remove version information.

Disabling Theme and Plugin Editing
The theme editor within WordPress is there to allow you to make quick changes to the code within a theme’s files. Chances are you won’t ever use that feature, but you can be pretty sure that the bad guys will make use of it to enter malicious code. In fact, that is how a lot of WordPress sites get hacked. To prevent that, enter the following rule in your Wp-config.php file, right before the “Stop Editing” tag:

/** Disable File Theme and Plugin Editing */
define('DISALLOW_FILE_EDIT', true);

What else?
The Winhost hosting environment goes the extra mile by disabling executable files from running within the uploads folder, as well as IP restriction of the wp-admin directory. That way the wp-admin directory can only be accessed from IP addresses you specify.

Last but not least, install a Security plugin
If you haven’t already done so, we would highly recommend installing one of the WordPress security plugins. As part of our hardening service we make the security plugin a “Must Use” plugin. That means the plugin can’t be disabled from the admin section of WordPress. The only way to disable it is by deleting the plugin via FTP.

That’s a lot to install, configure and keep track of, but following these recommendations will make your WordPress installation much less susceptible to compromise. If it all sounds good but you don’t really have the time or inclination to do it yourself, let us do it for you.



Deploying an ASP.NET Core 2.0 (Orchard Core) Site on Winhost

The great thing about ASP.NET Core is that it’s portable, allowing you to run your Core application on any OWIN-compatible server. So, even if a particular version of .NET Core is not installed on the server, you can still deploy your Core app in “self-contained” mode.

In this example, we’re going to use the Orchard Core application. Orchard Core is a re-write of the original Orchard application (the thing that runs all the MSDN blogs) in ASP.NET Core. As of the time of this writing, Orchard Core is using ASP.NET Core 2.0. And, at the time of this writing, we have not yet updated our servers with the newest .NET Core to support ASP.NET Core 2.0 natively, but, to repeat: you can still deploy your Core app in “self-contained” mode.

First, some house-keeping. Make sure you have the .NET Core 2.0 SDK installed and Visual Studio is updated.

Orchard Core supports different databases, SQL, SQLite, MySQL and Postgres. I’m going to use SQL, which is included with all Winhost plans. This is a good time to create the SQL database in your Winhost control panel.

Onto the instructions:

  1. Download the Master Branch of Orchard Core from GitHub.
  2. Unzip the file and open the OrchardCore.sln solution file in Visual Studio 2017.
  3. Wait for Visual Studio to restore all the Nuget packages.
  4. Set OrchardCore.Cms.Web as the startup project (right-click OrchardCore.Cms.Web and select “Set as Startup Project”)

  1. Open the OrchardCore.Cms.Web.csproj project file (right-click OrchardCore.Cms.Web and select “Edit OrcOrchardCore.Cms.Web.csproj”)

By default, Orchard Core is Framework-dependent. We have to change that to make it self-contained. We have to specify the target platform (tell the application what kind of server it’s going to be running on). In my case, my Winhost site is running on Windows 2012/IIS 8. You can find this information in your Winhost control panel, under the Site Info section. The Runtime Identifier for Windows 2012/IIS 8 is: win8-x64.  If you’re site is running on a different server, you can check out the full catalog of Runtime Identifiers here.

  1. In the PropertyGroup section, add:
    <RuntimeIdentifier>win8-x64</RuntimeIdentifier>

  1. Save your changes.

Now we’re just about ready to publish.  This would be a good time to remove the parts of Orchard Core that you’re not going to use. (For this example site, I didn’t remove anything.)

Before, pre-2.0, we would have run the dotnet restore and dotnet build commands at this point. But now, those are implicit commands with publish. So you can just run the publish command (right-click OrchardCore.Cms.Web and select “Publish…”). I used FTP to publish the project directly onto the Winhost servers. Instructions for different deployment methods are available here.

Wait for the project to publish, then navigate to your site and you should see the Orchard Core setup page:

I picked the Agency Recipe. Fill out all the fields, click the Finish Setup button and you should see your new site:



Getting Started with SpamExperts

SpamExperts is a great anti-spam service. It’s easy to use, and relatively inexpensive because you just need one service to cover your entire domain. (Most other spam services require you to buy one service for each of your email addresses.) Our SmarterMail email service (included with all of our plans) comes with some spam-fighting features that allow you to set your own weights and filters. But a lot of our customers were not comfortable with tweaking those weights and filters on their own and risk losing important emails.

SpamExperts is highly effective out-of-the-box. Simply set-it-and-forget-it. In fact, we found it so effective that we switched over to using it for our own corporate emails.

This articles explains how to set up your SpamExperts service.

  1. Login to the control panel at: https://cp.winhost.com/
  2. Click on the SpamExperts button

 

 

  1. Click the green Order New SpamExperts button

 

 

  1. Select the domain name you want to buy the service for and the billing period you want, then click Continue

 

 

On the next page, you can set where SpamExperts will send your email after filtering. Our system will look up the current email servers for your domain. This will be the correct setting for most users.

 

 

  1. Click Continue
  2. Click Submit My Order

The service will only take a few seconds to set up. Now you have to set up your domain mail records (MX Records) to point to the SpamExperts service.

  1. Click the SpamExperts button
  2. Click the Manage link

 

 

On the next page, you’ll see the SpamExperts MX Records to use. If you are using our nameservers, our system will automatically set up the MX Records for you.

  1. Click the Yes, update my DNS records link

 

 

  1. Click OK on the notification to confirm

And you’re all set! Again, SpamExperts works great out of the box. If you’re so inclined, you can click the green SpamExpert Portal button to get the SpamExperts interface to make changes to the service settings.

A note about Greylisting: Greylisting is an effective anti-spam function that we enable in SmarterMail by default. Greylisting can delay when you receive new emails. Disabling Greylisting gets rid of the delay, but likely results in much getting more spam. With SpamExperts filtering out spam, you can disable Greylisting in SmarterMail. No spam, no delay. Yay!



Getting Started with SiteBackup

SiteBackup is a set-it-and-forget-it backup service that will automatically backup your website and database. Backups are stored in a remote location and previous versions can be restored to the web server with just a click. Here are instructions on how to order and set up SiteBackup.

You can order SiteBackup through your Winhost Control Panel. We offer three plans, each with different storage amounts. You only need one SiteBackup plan to back up all of your sites, so just pick the plan with enough storage to cover your sites. Click the orange button to select the plan you want, then click the Submit My Order button on the next page.

It takes a few minutes for our system to provision the service. You can click the Back button or the SiteBackup tab, and if the service is ready, you’ll see this page, where you can add a site:

Click the Add Site button and on the next page you can select the sites you want to back up.

Select which site(s) you want to back up, click the Submit button, and our system will automatically pass along the required info. On the next page, you can click the SiteBackup Management Tool link to get to the SiteBackup Dashboard interface.

On the SiteBackup Dashboard, you can configure your backup schedule. By default, there will be a daily backup scheduled. You can keep that, change the backup time, change the backup frequency, and run an immediate backup.

You can also back up your databases (the example in that Knowledge Base article is an MS SQL database, but SiteBackup can also back up your MySQL databases).

The system will email you if a backup fails (like when you change the FTP password). So just keep an eye out for those emails. But other than that, it’s set and you can forget it.



iPhone Secure Email Setup

We support secure SSL/TLS connections to our email server. We’re going to show you how to setup a secure connection with your iPhone.

For the “Incoming mail server”, enter:

For the “Outgoing mail server (SMTP)”, enter:

You will get a certificate warning about the server identity. We installed an SSL certificate on our email server for the convenience and security of our customers. But the problem is that we can’t install a certificate for every customer domain on the server. Instead, we installed a certificate for *.internetmailservice.net. The iPhone will display the warning because of the domain name mismatch; you are trying to reach mail.HostingAccountDomain.com, but the SSL certificate was issued to *.internetmailserver.net. The certificate we installed is safe to use.

Your iPhone may set the default SMTP port to 25. Many internet service providers block port 25, so you should change the SMTP port to 587.

You’re all set! Now your iPhone now has secured, encrypted communication with our email server.



Using the Secondary Web and FTP URLs

When you open an account at Winhost we set up your website space immediately so you can start uploading files right away. But if you have an existing site hosted elsewhere, you will most likely want to get everything set up here and test the site before you actually point the DNS to Winhost. The Secondary URLs make that possible.

Your permanent FTP URL is ftp.HostingAccountDomain.com (where HostingAccountDomain.com is your domain name). But of course that URL won’t connect to the server here until your domain points to our servers, so we set up the Secondary URLs, both for FTP and web access.

The Secondary URLs can be found in the Site Info section of Control Panel:

So the Secondary FTP URL (ftp.w12.wh-2.com in the example here, yours may be different) is what you use in the “host” field of your FTP software to make the connection.

Then when you want to view your uploaded files, you would visit the Secondary Web URL, in this example, http://winhostc.w12.wh-2.com.

Another use for the Secondary Web URL

After your domain’s DNS is pointed to Winhost and your site is up and running, you can use the Secondary Web URL for troubleshooting purposes.

For example, if it seems that your site is unavailable, try entering the Secondary Web URL into your browser. If the site comes up, there’s a good chance that domain registration or DNS issues are the culprit.

When a site is unavailable, domain related-issues aren’t usually the first thing we think of as being the source of the problem, but even the most diligent among us can let a domain registration lapse, or make a mistake in DNS settings that takes our domain off line.

When NOT to use the Secondary URLs

Once your domain has been updated to point to our servers, remember to update your FTP software to use ftp.HostingAccountDomain.com (your domain name) as the host. And you should never use the Secondary Web URL as a link to your site from another site or social media platform, or hard code it anywhere in your site.

We make this recommendation because while it’s unlikely that the Secondary URLs will change, it is possible. They have changed for various reasons in the past. So once your domain points to our servers, only use the Secondary URL for troubleshooting purposes. Never as a link to your site.



myLittleAdmin on Winhost

myLittleAdmin is a tool that allows you to manage your SQL database through a web browser. Here at Winhost, we support SQL Server Management Studio (SSMS), which is the preferred method for managing your database (you can find out how to do that in this KB article.)

But sometimes you can’t use SSMS – maybe you’re sitting behind your corporate proxy restrictions, or you’re using a computer without SSMS installed. That’s where myLittleAdmin steps in. It’s a web-based SQL management tool that provides a friendly interface for you to edit tables, work on stored procedures, run queries and much more.

We have a license agreement for myLittleAdmin, so you can use it on our system without having to obtain your own ($590!) license. There’s nothing to install. Just go to https://sqladmin.winhost.com

Log in to your database, and get your SQL on!