Chrome Browser v68 – Will your site be “Not Secure”?

Earlier this year, Google announced that their Chrome browser v68 update will warn users that any non-HTTPS site is “Not Secure”.  The release date for this update is slated for July 2018 – this month!

Check out what the Chrome browser will display (from the Chromium Blog):

[Image: non-HTTPS site warning]

Over the past few years, Google has been slowly pushing all sites to be under SSL. Their efforts thus far show that over 60% of Chrome traffic is now protected. Now that a majority of sites are protected, Google is moving to their next phase, which is to use their large install base of the Chrome browser to push even further. From our research, the update hasn’t made it out yet, but it is slated for this month.

RapidSSL Flash Sale
So it is time to consider securing your site. And to help you out we are having a Flash Sale on RapidSSL SSL certificates.

For the rest of July we are reducing the RapidSSL pricing to:
1 Year: $29
2 Years: $50

Customers can order RapidSSL through their Control Panel and they can get this special pricing during this time period.

Other SSL Options
Please also note that you can use an SSL certificate that was purchased/obtained elsewhere with your Max and Ultimate hosting plan.

If you have any questions, please contact our technical support team.



How we celebrate World Backup Day

I just found out that March 31st, 2018 is World Backup Day!

We had a quick meeting and decided to celebrate this special day by checking our backup system to make sure it’s functioning and continuing to back up our customers’ sites/data, as we do every day for disaster recovery.

If you haven’t done so in a while, we recommend that you take the time to back up your websites and databases. March 31st is as good a day as any, but it’s a good idea to make a schedule for backups at whatever interval works for you and your needs. If you have any questions about backups, please contact our technical support team.

And if you want to celebrate World Backup Day every day like us, then you can check out our SiteBackup service, which will automatically perform a daily backup of the website and databases for any of your websites hosted at Winhost, or even websites and databases that are hosted at another hosting provider.

Happy World Backup Day!



The Chrome Browser and Symantec SSL Certificates

You may be aware of the problem that Symantec has been having with Google over issuing of a large number of SSL certificates for major domains to individuals who were not associated with the domains. It’s a long story, but the result was Google informing Symantec that the Chrome browser would no longer trust SSL certificates issued by Symantec. The revocation of trust was to occur gradually over certain dates.

As a result, Symantec sold their SSL certificate business to another company that Google does trust. It becomes a little confusing though, since the new company is keeping the Symantec name for the certificates they issue.

If you bought an SSL certificate from us, you have either a RapidSSL, GeoTrust QuickSSL or GeoTrust True BusinessID certificate, and those are Symantec certificates.

Are you affected?

If, like most users, you renew your SSL certificate every year, this issue should not affect you. When you renew, the certificate will still be issued by Symantec, but it will be issued by the new incarnation of Symantec which Google trusts.

If you purchased a multi-year SSL certificate, check this timeline to see if there are any important dates that you should be aware of:

Certificates issued before June 1st, 2016

The Chrome browser will no longer trust this certificate after March 15, 2018. In order to retain trust by the Chrome browser, you need to replace this certificate.

Certificates issued after June 1st, 2016

The Chrome browser will no longer trust this certificate after September 13, 2018.

If you have a multi-year cert and aren’t quite sure if you’re affected, open up a support ticket and we’ll help you out.



How SSL certificates work

SSL certificates are necessary if you do credit card transactions on your site, or if you simply want to make your site available via an HTTPS URL (such as: https://example.com). If you visit that URL without the HTTPS prefix, you’ll notice that there’s no security “lock” displayed in your browser. That lock icon means your connection to a site is encrypted.

If you’ve never cared about HTTPS, it’s probably time to start. The days when you could avoid using HTTPS are rapidly coming to an end, and Google and the other big web browser makers are more or less forcing the change on everyone. So it’s a change we’re all going to have to make, or one day in the not-too-distant future, security warnings could be greeting every visitor who loads our sites.

With that in mind, here’s a high level overview of what SSL is and how it’s implemented. Think of it as an introduction to the concepts and a peek at the inner workings for anyone who is new to the subject.

Technical note: modern web servers don’t really use the SSL (Secure Socket Layer) protocol anymore, but the name has stuck to the certificates as kind of a generic identifier, so we use “SSL” in this article. The TLS (Transport Layer Security) protocol has replaced SSL for most uses. We’re also using the example of a web browser connecting to a web server, but the concept is the same no matter what kind of client is making a secure connection to a server.

What is an SSL certificate?

An SSL certificate is really just a text file that is installed on the web server. It ensures that the domain name in the certificate matches the domain name of the site, and enables a visitor’s browser to make a secure connection to the site, so that the traffic back and forth is encrypted and no third party can listen in on the conversation.

The reason for encrypting transferred data may be obvious where financial transactions are concerned, but even if you’re not sending financial data across the web, quite a bit of private data can be passed between your site and a visitor’s browser (like usernames and passwords). That private data is valuable to unscrupulous types, so encrypting the connection protects the data. Without an SSL certificate and the HTTPS connection, that encryption doesn’t happen.

It’s worth noting here that an HTTPS connection doesn’t prevent someone from finding out which domains you’ve visited. It just makes it (theoretically) impossible for them to see any of the data that was exchanged during the visit.

What’s inside the SSL certificate?

An SSL certificate contains information about your business or organization (or simply you as a person), and a cryptographic key unique to your domain or certificate. That key is used to establish the encrypted connection. Your website presents the key to the visitor’s browser, and if the browser determines the key is valid (more on that in a minute), the encrypted connection is established.

Let’s talk about trust for a minute…

The entire SSL system is based on trust. When the HTTPS protocol was established, everyone agreed to trust certain organizations (and later companies) to issue legitimate certificates. Those organizations and companies are called certificate authorities. The certificate authority verifies who you are when they issue the certificate, and the browser trusts that the certificate authority has done that verification.

You might see a bit of a problem there if you’ve ever requested a “domain validated” SSL certificate and noticed that no one actually checked anything other than the fact that you had an email address on the domain. It wasn’t always that way. In the early days of SSL, the certificate authority did verify that you were who you said you were, and the owner of the domain you were requesting a certificate for. But as you might imagine, that time-consuming kind of validation quickly became impossible, so now that level of manual human validation is only done for expensive “extended validation” certificates.

How does the browser know when to trust an SSL certificate?

Every certificate authority issues a “root certificate,” which is like a master certificate for that authority. If the authority operates under different names or resells certificates through other companies, they issue “intermediate certificates” that are related or connected to the root certificate. Then the certificate for your domain is associated with the intermediate or root certificate, and that makes up a certificate chain. So the browser trusts the certificate for your domain because it’s associated with a root certificate.

Your certificate, any intermediate certificates and the root certificate are all installed on the web server. The same root certificates are also pre-installed in web browsers and many computer operating systems, so the browser can validate the root certificate on the web server. There are actually a few checks and validations that take place between the different certificates, but here’s a simplified diagram of the chain:

The connection is trusted if:
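To make the chain walk concrete, here is an added example (not code from this article or from Winhost) that models the checks described above: the leaf certificate must be for the requested host name, every certificate must be inside its validity window, each certificate must be issued by the next one in the chain, and the walk must end at a root in the browser’s trust store. The certificates are constructed arrays rather than real X.509 data, and signature verification is left out; the last call shows what a browser-side distrust of a root (the Symantec situation above) amounts to.

```php
<?php
// Constructed trust store: the root certificates a browser ships with.
$trustedRoots = [
    'Example Root CA' => ['subject' => 'Example Root CA', 'issuer' => 'Example Root CA'],
];

// Constructed chain as the server presents it: the site certificate first,
// then the intermediate that issued it. The root itself is looked up in the store.
$serverChain = [
    [
        'subject'    => 'example.com',
        'issuer'     => 'Example Intermediate CA',
        'san'        => ['example.com', '*.example.com'],
        'not_before' => '2018-01-01',
        'not_after'  => '2019-01-01',
    ],
    [
        'subject'    => 'Example Intermediate CA',
        'issuer'     => 'Example Root CA',
        'not_before' => '2016-06-01',
        'not_after'  => '2026-06-01',
    ],
];

// Does the host name match a name in the certificate? A wildcard covers one
// label only: *.example.com matches www.example.com but not example.com
// and not a.b.example.com.
function hostnameMatches(string $host, string $pattern): bool {
    $host    = strtolower($host);
    $pattern = strtolower($pattern);
    if ($pattern === $host) {
        return true;
    }
    if (substr($pattern, 0, 2) !== '*.') {
        return false;
    }
    $suffix = substr($pattern, 1); // "*.example.com" -> ".example.com"
    return substr($host, -strlen($suffix)) === $suffix
        && substr_count($host, '.') === substr_count($pattern, '.');
}

// ISO dates compare correctly as strings, which keeps the example dependency-free.
function withinValidity(array $cert, string $today): bool {
    return $cert['not_before'] <= $today && $today <= $cert['not_after'];
}

// Returns [bool trusted, string reason].
function chainIsTrusted(array $chain, array $trustedRoots, string $host, string $today): array {
    $leaf   = $chain[0];
    $names  = $leaf['san'] ?? [$leaf['subject']];
    $nameOk = false;
    foreach ($names as $name) {
        if (hostnameMatches($host, $name)) {
            $nameOk = true;
            break;
        }
    }
    if (!$nameOk) {
        return [false, "name mismatch: the certificate is not for $host"];
    }
    foreach ($chain as $i => $cert) {
        if (!withinValidity($cert, $today)) {
            return [false, "{$cert['subject']} is expired or not yet valid on $today"];
        }
        $next = $chain[$i + 1] ?? null;
        if ($next !== null && $next['subject'] !== $cert['issuer']) {
            return [false, "{$cert['subject']} was not issued by {$next['subject']}"];
        }
    }
    $last = end($chain);
    if (!isset($trustedRoots[$last['issuer']])) {
        return [false, "chain ends at {$last['issuer']}, which is not a trusted root"];
    }
    return [true, "trusted via root {$last['issuer']}"];
}

// A normal visit: host matches the wildcard, dates are fine, root is trusted.
[$ok, $why] = chainIsTrusted($serverChain, $trustedRoots, 'www.example.com', '2018-07-01');
echo ($ok ? 'TRUSTED' : 'NOT TRUSTED'), ': ', $why, PHP_EOL;

// Same chain presented for the wrong host name fails the very first check.
[$ok, $why] = chainIsTrusted($serverChain, $trustedRoots, 'example.org', '2018-07-01');
echo ($ok ? 'TRUSTED' : 'NOT TRUSTED'), ': ', $why, PHP_EOL;

// Remove the root from the trust store and every chain beneath it stops
// being trusted, even though nothing on the server changed.
[$ok, $why] = chainIsTrusted($serverChain, [], 'www.example.com', '2018-07-01');
echo ($ok ? 'TRUSTED' : 'NOT TRUSTED'), ': ', $why, PHP_EOL;
```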

How does SSL work?

It’s pretty easy to get lost in the tall weeds here, because the underlying system that handles HTTPS encryption between a client (browser) and a server (your site) is quite complicated (and to add to the complication, the system is always changing, as better and stronger encryption methods are introduced).

But in a nutshell:

– The browser makes a TCP (standard Internet) connection to the site on the web server.

– The browser starts an SSL “handshake,” which is a transfer of data to the server about which version of SSL/TLS the browser is running, and which encryption methods it wants to use.

– The web server determines the highest SSL/TLS version that is supported by both the server and the browser, then sends its certificate(s) to the browser.

– If the certificate(s) meet all the criteria described above (in the “connection is trusted if” section), a cryptographic key is then exchanged and the browser tells the server that all further communication will be encrypted, and sends an encrypted authentication message to the server.

– The server verifies that the message is correct, then returns a similar message that the browser verifies.

– That’s the end of the “handshake,” and until it is broken, the browser and server can communicate securely.

Luckily all of those steps typically take place in a fraction of a second, and the browser and web server don’t have to do them again (unless the secure connection is broken).

Well, that’s a lot of words for a “simplified” explanation, isn’t it? Sorry about that. But hopefully this has helped you to better understand what an SSL certificate is and what it does.

Still curious about SSL/HTTPS? Check out these other articles:

Ready or Not, It’s Time to Consider HTTPS
Let’s (not) Encrypt. But let’s not ignore https either.
How to Secure Your Primary Domain for Free When Ordering an SSL Certificate
Google Chrome, SSL certificates, SHA-1, SHA-2 and the “obsolete cryptography” message



How to Keep WordPress Safe and Secure

This little factoid should freak you out: More than 80,000 websites are hacked every day.

That’s almost one every second, or about 29 million every year. Those numbers translate to a lot of pain and inconvenience for a lot of people. Count yourself lucky if you’ve never been one of them.

There are a quarter of a billion domains with active websites. If 29 million sites are hacked every year, that means we’re living in a world where more than 1 in 10 websites are likely to be compromised. Every year.

How does this happen?

Security starts at home. It’s an old saying, but it applies to a lot of website compromises. We see a lot of hacks that aren’t actually website hacks at all, because the perpetrator is using valid FTP login credentials that were harvested by logging keystrokes or reading log files on a home computer or laptop that has been infected with a virus or malware.

But perhaps the most common way into a website or server is through old, unpatched third-party software. And a large percentage of that old, unpatched third-party software is WordPress, or WordPress plugins.

Before I give you some tips on locking up your WordPress site, I’d be remiss if I didn’t mention that Winhost has a fully managed WordPress hosting, security and hardening service. The service includes WordPress hardening for maximum security, WordPress-specific support and personalized assistance, and maybe most importantly, monthly updates of WordPress core, Plugins and Themes. The monthly updates consist of one of our in-house WordPress security experts personally examining your WordPress installation for malicious files and signs of compromise. If we discover that your WordPress installation is compromised or hacked, we’ll clean up the mess.

Okay, that’s it for the sales pitch. But if you’ve ever had to clean up a WordPress compromise, I’m pretty sure that you’ll be able to see the value in that service.

Locking down WordPress

The first step in WordPress security doesn’t have anything to do with WordPress itself, but rather site backups. If you always have a current backup, it’s much easier to bounce back from a compromise. Simply identify your most recent “clean” backup, delete everything on your site and upload the clean backup.

We do periodic backups of our entire network for disaster recovery purposes, so if you are compromised you could just request a backup from us. The problem with that approach is we back up every day, and we only retain one copy of those backups. So if you don’t notice that your site has been compromised for a few days, our backup will likely be a copy of the compromised site. That’s not going to be of much help.

So we recommend a cloud backup service. There are a lot of them out there, or you can set one up from your Winhost Control Panel with a few clicks. Our SiteBackup service backs up your website files and databases on a schedule that you choose, retaining as many versions of the backup as you want to keep.

Okay, so that’s a good place to start, with a daily backup of your WordPress site and database. Next are a number of things that you should do to prevent a compromise of your WordPress site.

Update, update, update
How often do you log in to the admin section of your WordPress site? If it’s less than every week – or even every month – you need to start checking in more regularly and updating both the core WordPress files and all of your plugins. If you use a plugin and can’t remember ever updating it, check out the plugin’s page on WordPress.org and make sure it hasn’t been abandoned. If it seems like it has, uninstall it. Chances are there’s a well-maintained plugin out there that will do the same thing.

Kill the admin user
If you installed WordPress some time ago, it may have created a user named “admin” by default. Most brute-force WordPress hack attempts are on the “admin” username, so you don’t want it to be there. To check, go to your Users page (/wp-admin/users.php) and see if admin is listed there. If it is, create another user or give another existing user the administrator role and delete the default admin user.

Don’t use the default WordPress MySQL table prefix
If the bad guys do manage to find a vulnerability within your site and one of their attempts is to query a table or insert into a table and you used the default table prefix, you could be in trouble. When you’re installing WordPress it’s best to change the table prefix from the default “wp_” to something different. One easy way to do that is to insert random characters after “wp_” – for example wp1od02l_ or wp5434fs_.

Change the WordPress login error
By default, WordPress gives hints about your login when a login fails. One of the steps in our hardening service is to change the login error to “You have entered the wrong Username or Password!” That way someone trying to compromise your site will never know if the username or password is incorrect, making it much more difficult to force or guess a login.

Remove the WordPress version information
It really helps the bad guys to know which WordPress version you’re using. Once they know the version, they can try known vulnerabilities giving them a better chance of getting into your site. They’ll also use Google to find WordPress blogs running a specific version of WordPress that’s easily hackable. You can use a plugin to remove version information.

Disabling Theme and Plugin Editing
The theme editor within WordPress is there to allow you to make quick changes to the code within a theme’s files. Chances are you won’t ever use that feature, but you can be pretty sure that the bad guys will make use of it to enter malicious code. In fact, that is how a lot of WordPress sites get hacked. To prevent that, enter the following rule in your wp-config.php file, right before the “Stop Editing” comment:

/** Disable File Theme and Plugin Editing */
define('DISALLOW_FILE_EDIT', true);

What else?
The Winhost hosting environment goes the extra mile by disabling executable files from running within the uploads folder, as well as IP restriction of the wp-admin directory. That way the wp-admin directory can only be accessed from IP addresses you specify.

Last but not least, install a Security plugin
If you haven’t already done so, we would highly recommend installing one of the WordPress security plugins. As part of our hardening service we make the security plugin a “Must Use” plugin. That means the plugin can’t be disabled from the admin section of WordPress. The only way to disable it is by deleting the plugin via FTP.
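Several of the steps above (the generic login error, removing the version information, checking for the “admin” user, and locking the file editor) can be put into a single Must Use plugin, so they can’t be switched off from the dashboard. The file below is an added example, not the code of Winhost’s hardening service; the plugin name and the function name are assumed, and it uses only standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Example WordPress hardening (added example)
 * Description: Save as wp-content/mu-plugins/example-hardening.php so it loads
 * as a Must Use plugin; it can only be removed by deleting the file via FTP.
 */

// Replace the login hint with one generic message so a failed login no longer
// reveals whether the username or the password was the wrong part.
add_filter('login_errors', function () {
    return 'You have entered the wrong Username or Password!';
});

// Drop the WordPress version from the <meta name="generator"> tag in the page
// head and from the generator element in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Core scripts and styles carry ?ver=<WordPress version> in their URLs; strip
// that query argument so it cannot be read off the page source. Plugin and
// theme assets keep whatever version string their authors set.
function example_hardening_strip_ver($src) {
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_hardening_strip_ver');
add_filter('script_loader_src', 'example_hardening_strip_ver');

// Nag administrators for as long as the default "admin" account still exists.
add_action('admin_notices', function () {
    if (current_user_can('manage_options') && username_exists('admin')) {
        echo '<div class="notice notice-warning"><p>'
           . 'A user named "admin" still exists. Create another administrator '
           . 'and delete the default admin user.'
           . '</p></div>';
    }
});

// Lock the theme and plugin editors even if wp-config.php forgot to. Must Use
// plugins load before the admin menus are built, so defining it here works.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}
```

The table prefix and the uploads/wp-admin restrictions from the text are install-time and server-side settings and cannot be handled from a plugin.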

That’s a lot to install, configure and keep track of, but following these recommendations will make your WordPress installation much less susceptible to compromise. If it all sounds good but you don’t really have the time or inclination to do it yourself, let us do it for you.



Who needs a website?

It may be an odd thing for a website host to ask, but “Who needs a website?” is a valid question. Many of us here at Winhost have been in the hosting business since it started, more than 20 years ago. The business – and maybe more importantly, what you expect from it – has changed more than a few times over the past two decades.

In the early days you built your own website. Period. So you needed a website host. There weren’t any other options, and there certainly weren’t any social networking or social media sites where you could establish an online presence without a website.

The first generation of point-and-click website builders sprouted up in the 1990s, but for the most part they were clunky sledgehammer approaches to site building, so they never really caught on with most website owners.

In the early 2000s social networking sites came into our lives, starting with Friendster, which was quickly eclipsed by MySpace, the dominant platform for a few years. That is, until Facebook came along to make all of the other social networking sites obsolete. I’m not sure that world domination was Facebook’s plan, initially, but that’s how things played out.

But regardless of which platform you used, suddenly if you couldn’t build a website, or had no interest in building a website, you could establish an online presence. And when that particular revolution happened, the perceived necessity of a traditional, build-it-yourself website (and someone like us to host it) briefly waned. But only briefly.

Rapid advances in web technology and the increasing spread of broadband Internet connections paved the way for a new generation of website building platforms like SquareSpace and Wix. With the new platforms you could build a site without bothering with any of the behind-the-scenes nuts and bolts. A lot of small businesses flocked to the new site building and hosting platforms, and away from traditional website hosting. But over time the drawbacks of those systems became apparent.

Now we’re seeing an increasing number of people moving away from social networking sites as their primary business presence, as well as making the sometimes tough decision to leave the point-and-click site builders/hosts. They’re moving back to traditional hosting because they are realizing that those point-and-click platforms lack some fundamental and essential ingredients for a successful business site (or any site, really), mainly: flexibility, SEO (visibility), and portability.

A business site needs flexibility: the ability to scale out with different kinds of pages or applications that a platform like SquareSpace or Wix doesn’t necessarily offer or support, the ability to choose or change how you accept payments, and the ability to change the look and feel of the site. On some of the site building platforms you are stuck with the style or template that you chose when setting up the site. In order to change the appearance of the site you have to re-build it from scratch. Ouch. And while e-commerce is baked into most of the platforms, you’re limited to the methods and providers that they offer. Social networking sites are even more inflexible and limited.

Every website owner eventually becomes concerned with search engine optimization, or SEO. You may not give it a lot of thought when you are building or launching your site, but when you want to expand your audience or customer base, you will have to dive into the deep, murky waters of SEO. Much of what’s necessary to maximize a site’s SEO is done on a page level or a configuration level, and if your site lives on one of the walled-in platforms, you simply won’t have the access necessary to make many beneficial changes. So you’re limited in what you can do to make your site grow.

As far as portability is concerned, they’ve made it purposely difficult (and in some cases, impossible) to move a site from a platform like SquareSpace or Wix to another platform or to a traditional host like Winhost. Understandably, I suppose, as it’s in their interest to keep you inside their walls so you will continue to pay them every month. Making it easy to move a site would mean making it easy for their customers to leave, so they have every incentive to make it as painful as possible. And of course you can’t take your Facebook page away from Facebook.

For those and other reasons, we’re seeing a move back to traditional custom-built websites hosted on open platforms where you decide how things are going to work, rather than being at the mercy of a large company’s development and support teams. Building and maintaining your own site comes along with its own costs, of course, both in development and maintenance. But the freedom and ability to steer your own ship that are gained by creating your own site will outweigh those costs for most of us.

And if you don’t want to start from scratch, there are now a lot of platforms and frameworks that you can install in your own hosting space to give you a head start. The most popular of those, WordPress, is running on more than 26% of the world’s active websites (that’s more than 77 million WordPress sites if you’re doing the math). In fact, in 2016 Microsoft moved thousands (yes, thousands) of its sites and blogs off of their own proprietary platform and over to open source platforms like WordPress, and you can be pretty sure that wasn’t a decision that was made lightly.

The bottom line is it’s easier than it’s ever been to build a flexible and portable site that you can easily change and update to suit your needs.

So the answer to the question, “Who needs a website?” is: you do. Whether you build your own site from the ground up or base it on a solid foundation like WordPress, what it all comes down to in the end is control, control, control. Take it! Keep it! It’s your website, you should be the one who decides how it works, what it looks like and where it lives.

Of course, if you want it to live here at Winhost (and really, why wouldn’t you?), I’d be remiss if I didn’t mention that we have a fully managed WordPress service that removes a lot of the maintenance and security concerns from your plate, freeing you up to focus on the most important thing in all of this: making your site the best it can be. You’re still in control, we’re just at your service. It doesn’t get any better than that!



Ready or Not, It’s Time to Consider HTTPS

It used to be that unless your site accepted payments for products or services, you didn’t really need to concern yourself with an SSL certificate, which allows you to encrypt and secure your site traffic using the https protocol. Those days are quickly coming to an end as web security becomes a larger issue, and giants like Google are making an aggressive push to encrypt all web traffic.

Maybe you have even already received a warning email from Google: “Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as ‘Not Secure’ unless the pages are served over HTTPS.” But what does that mean?

Right now (December, 2016) Chrome shows an “information” icon on all non-https pages (Firefox also uses a similar icon):

Which seems pretty benign, unless you click that icon and get the insecure site warning:

Starting in January of 2017 Chrome is going to take that a step further and add a text warning:

Then “eventually” – which, knowing Google, could be any time – they are going to throw the red flag at non-https pages:

At the moment those warnings only apply to http pages containing password or credit card input fields, but Google definitely plans to extend the Chrome warnings to all http pages, regardless of whether they accept user credit card or authentication input.

Why is https important?

Using https encrypts connections to prevent anyone from tapping into the communication between your website and your visitors’ browsers. It also prevents the bad guys from exploiting your site by injecting malicious code or unwanted advertising into your users’ browsers.

The https connection lets your visitors know that they’re securely connected to your site, and that what they’re seeing is legitimate information. It also prevents anyone from accumulating a lot of user data or behavior related to your site traffic. Aggregate data like that can be used for a number of malicious purposes, so blocking access to it is a good thing.

How does it benefit me?

Right about now you may be thinking, “Okay, I get it, but I’m not really concerned about someone listening in to my site traffic.” That’s understandable. Most sites run a pretty low risk of being targeted in that way. But you probably don’t want to see every page of your site displaying a red “Not secure” warning in Chrome (and eventually in other browsers as well).

That’s reason enough to take steps now to make every page of your site available via https (and redirect http requests to https). You might even consider it a priority, since the Chrome browser currently has a 56% market share, and that percentage is increasing.

But aside from avoiding the warning label, there can be other benefits to using https. In their own words:

“Google uses HTTPS as a positive ranking signal. This signal is one amongst many others, and currently carries less weight than high-quality site content; you should not expect a major SEO advantage for moving to HTTPS in the short term. In the longer term, Google may increase the strength of the HTTPS boost.”

Google is making it pretty clear that in the future they are going to give an edge in search result rankings to sites that use https. And who doesn’t want an edge where that’s concerned?

How to make the move to https

The good news is it isn’t exactly a “move.” Your site stays on the same server, you just add an SSL certificate to your account and make the necessary changes to redirect http traffic to https. This article is already pretty long, so we won’t do a tutorial here, but other than redirecting to https, there are a few other things you’ll want to watch out for:

If you use Google Webmaster Tools, after you’ve made the switch, add the https version of your URL as a new property, set the “preferred version” of that property to https and (re)submit your sitemap. Here’s a Google-centric FAQ on transitioning to https that you may also want to take a look at.

Finally, you may have heard that you can get a free SSL certificate from Let’s Encrypt. That’s true, and you can use those certs here at Winhost. But the Let’s Encrypt certificates come with some drawbacks. Make sure you’re aware of what’s involved in using such a cert before you commit to one.

We’ll have more information on this subject in the coming months. We expect that there will be a lot of questions when Google makes the changes to Chrome, and we’ll do our best to address those questions here and in our Knowledge Base.

Update: January 4th, 2017

The changes have already begun in the latest version of Chrome (55.x). They aren’t flagging insecure sites yet, but they are spelling out “Secure” now:



Let’s (not) Encrypt. But let’s not ignore https either.

There is a lot of talk around using https “everywhere” these days, even on websites that do not do any financial transactions or accept user data input. Google already uses https as a factor in search results (though it’s a small factor, and not universally used in results everywhere in the world). But they have made it clear that their intention is to expand the use of https as a search results ranking factor next year.

All of which has a lot of people who may have never considered using an SSL certificate before looking in to making the move to SSL/https. The main barrier for a lot of people isn’t the technical issues around implementing an SSL certificate, but rather the price. SSL certificates cost money. Some of them (like those with “Extended Validation”) cost a considerable amount of money.

A group of security-minded people thought there should be a free alternative, so they got together and the open source Let’s Encrypt project was started (by the Internet Security Research Group, with support from the Electronic Frontier Foundation, the Mozilla Foundation, Akamai, and Cisco Systems). Let’s Encrypt is now up and running, issuing free SSL certificates to anyone who wants one.

Pretty great, right? Well, yes and no.

For instance, if you want one of those Extended Validation certificates, you can’t get it from Let’s Encrypt. Organization Validation, Extended Validation and wildcard certificates are not available. Let’s Encrypt does not verify sites, so if you want a security “seal” to put on your site or order form, you can’t get it from Let’s Encrypt.

That’s right, Let’s Encrypt does not verify sites, which means hackers are building malicious sites using Let’s Encrypt certificates because they’re free and the bad guys can remain anonymous. Wait a minute, though – isn’t validation the whole reason for a security certificate in the first place? And what will become of the Let’s Encrypt certificates if their system becomes overrun with malware and phishing sites?

Even if you don’t care about any of those things, the Let’s Encrypt certificates have a major convenience drawback, because the certificates are only valid for 90 days. That means that every three months you have to request a new Let’s Encrypt certificate and install it on the server, and that process is no fun. Especially on Windows servers (like those at Winhost), since there is not any server-side automation available.

But increasing security is never a bad thing. And don’t forget, Google is going to look more favorably on https sites very soon, so an SSL certificate should be on your to-do list, no matter what kind of site you run. If you want to use Let’s Encrypt on your Winhost site, you certainly can. We support it. We don’t recommend it – for the reasons we just mentioned – but if you’re up for going through the process every 90 days, you can.

But if you’re more of a set-it-and-forget it type, we offer a full range of SSL certificates, starting at as little as $39 a year. You can register a certificate for two years as well, meaning it’s not something you have to think about every 90 days, or even every year. If you want to secure your site (and don’t want to see your Google ranking drop) you may want to get yourself an SSL certificate soon.