Site hosting news, tutorials, tips, How Tos and more

Archive for the ‘Technical’ category


Do You Trust Me? More Email Filtering Tips


In my previous blogs, I showed you how you can tighten up the settings in SmarterMail to help prevent too much spam from ending up in your Inbox:

Tweaking Spam Settings

Content Filtering, the other Spam Crime Fighter

But what happens if legitimate email messages are accidentally marked as spam, and you know they are from a legitimate email address? Fortunately, there is a way to rectify this problem by using the Trusted Senders feature in SmarterMail. This feature allows you to whitelist email addresses or domains, thus bypassing the spam/content filtering rules you have set up. Here are instructions on how to set it up:

1. Log into SmarterMail with the email account you want to apply this setting to.
2. Click the Settings icon (2 cogs) on the menu to your left.
3. Expand the My Settings folder and click on Trusted Senders.
4. Click on the New button.


5. Enter the email addresses/domains you want to whitelist, line by line.
6. Click on the Save button, and you’re done!


If you want this setting to be applied to all the email accounts in your domain, log in with the postmaster account instead, and use the Trusted Senders under Domain Settings.



Joomla Vulnerabilities


For those of you who use Joomla on your web site, here are some tips to maintain the security of your Joomla web application.

Every application is susceptible to exploitation, so it is very important to keep your application updated and install all the latest security patches.

This link will take you to the known vulnerabilities within Joomla. It is a comprehensive list, so you should carefully read through it. If you find that you meet any of these criteria, there should be a link next to the criteria to help you patch the vulnerability.

For those who have already had their Joomla site hacked, try downloading a tool to help you clean up your site. I found this web tool that will audit your site and clean up your files: http://myjoomla.com/

Now, from my experience the most common exploits of a web site start from the user’s own personal computer. If your computer contracts a trojan or malware that installs a keylogger, your account login credentials will be recorded. No matter what security patches you have implemented in your web application, it will be compromised because an unauthorized party will have direct access to your web site.

You should always have antivirus software installed on your computer, with the latest updates installed.



Surprise! Firefox and Chrome display passwords in plain text


Did you know that Mozilla Firefox and Google Chrome like to display your passwords in plain text? No? Well, they sure do.

If you want to see what I’m talking about, follow the steps below.

Open Firefox.

Click on the Firefox Menu at the top left corner.

Select Options, then click on Options.

Click on the Security tab at the top.

Click the Saved Passwords… button. This will open up the Saved Passwords box. Now click on the Show Passwords button.

[Screenshot: the Saved Passwords box with the passwords shown]

Surprise!

Did your jaw just hit the floor? I know mine did the first time I saw what Firefox was hiding from me all this time.

Is Google any better?

Now let’s open up Google Chrome and click Settings.

Once you get into your settings, scroll all the way to the bottom and click on Show advanced settings…

Look for the section Passwords and forms and click the Manage saved passwords link.

Select the site where you saved your password and click the Show button.

Okay, I’m done with the surprises.

So how did Firefox and Google Chrome get my passwords in the first place?

To get the answer you must also answer this question: Have you ever seen the following notification in your web browser?

[Screenshots: the save-password notification in Mozilla Firefox and in Google Chrome]

Whenever you clicked on the shiny button “Remember Password” in Firefox or “Save Password” in Chrome, the site username and password are saved within the web browser – and as you also saw – displayed in plain simple text.

So what’s the big deal?

Anyone can walk up to your computer and take a quick look at your web browser’s history/settings. Just imagine you’re at the office and you step away from your computer and a nosy/curious coworker gets the chance to take a look. That is why it’s important to always lock down your computer before you step away from your desk.

Additionally, say you’re unlucky enough to have some malicious software installed on your computer which happens to allow the hacker to gain remote control of your desktop. The hacker will only have to wait until you are away from your computer to check your saved passwords.

What if you sent your computer out to a repair shop and they “just happened to” take a look at your saved passwords? It only takes a few seconds for them to snoop around on your computer and do who-knows-what with your credentials. There are a lot of different ways these passwords can be intercepted. This just happens to be one method of interception that can be avoided.

So what’s the work-around and how do I keep my passwords safe? Fortunately there are plenty of third-party plug-ins people use with their web browsers. Perhaps you can recommend what plug-in works best for you in the comment section below.

I found a plugin called LastPass. With 254,540 users and 827 reviews for the Firefox plugin alone, it seems to be a great alternative. The best thing about this plugin is that it also works with the Google Chrome web browser.



How to Install OpenCart on Winhost


OpenCart is an open source PHP based ecommerce solution, and in this tutorial, I will show you how to get it up and running here at Winhost.  First, I suggest you create a MySQL database through the Control Panel.

Click on the Sites tab.

Click on the Manage link and then click on the MySQL button.

Click the Add button and enter the values for Database Name, Database User, and Quota. Click the Create button to finish creating the database. Now click on the Manage link and record the connection information (Database Name, Database Server, Database User, and Database Password) on a piece of paper or a text editor such as Notepad.

Next, you’ll need to obtain the source download from the OpenCart website.

Extract the contents using a decompression program such as WinZip or 7-Zip.  Navigate to the upload folder of the extracted files.  Rename the php.ini file to user.ini and create a web.config file with this configuration:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Set the default document -->
    <defaultDocument>
      <files>
        <remove value="index.php" />
        <add value="index.php" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

The file structure should look like this:

[Screenshot: extracted contents]

We rename the php.ini file to user.ini because the php.ini settings are global and cannot be accessed by an individual user. Please read our other blog for more information. If you want a list of settings that you can manipulate in the user.ini file, please see these links on the official PHP site and look at the Changeable column.

http://php.net/manual/en/configuration.changes.modes.php
http://php.net/manual/en/ini.core.php

We add the web.config file so that “index.php” will load automatically. Now upload the files to the root of your site account, preserving the directory structure as shown here:

[Screenshot: FTP upload]

Now browse to your site using either your domain name (if you have already set it up correctly) or Secondary Web URL to start the installation.

Check I agree to the license and click the Continue button to proceed.

After a PHP check, click on the Continue button to proceed.

Enter the MySQL connection credentials you recorded earlier and fill out the information for the admin account. Click on the Continue button to proceed.

The installation has been completed. The last thing you should do is to delete the /install directory using FTP.

You can start developing your site or make other configuration changes.



How did my email account get “hacked”?


If you’re reading this it’s likely that your email account was recently hacked and now you’re wondering how it happened, why it happened to you. Or maybe you’re just wondering how you can prevent it from happening to you.

Let me start off by saying that there are many different ways an email account can be compromised. In this article I’ll cover three of those methods.

Also note that these aren’t the only ways an email account can get compromised. People are always inventing new ways of compromising an email account/system. So by the time you finish reading this article, it’s likely that they will have come up with a few new techniques.

Now let’s imagine you’re at the local coffee shop sipping on some hot coffee. You open your laptop and connect to the coffee shop’s WiFi. Why not, it’s free Internet, right?

Now it’s time to check your email messages because you are expecting important news. You open the email client on your computer and start browsing the Internet for, you know, important stuff. An hour passes by and you go on your way to work, home, or school. But did you notice the person sitting across from you with their laptop? He just took your email credentials while you weren’t looking. But how did it happen?

Did it happen while you were in the bathroom?

No.

Did it happen when you went for yet another cup of joe?

Nope.

So how did that person steal your email information without even coming close to your computer?

Ever heard of a Man in the Middle attack? To put a MITM attack in simplest terms, some malicious so-and-so sets up their computer to act like a router and tricks your computer into thinking that their computer actually is the router. Then the router thinks the shady computer – in the middle of the connection – is your computer.

Think of it as someone tapping into your network connection. Once this starts happening they can view all kinds of fun packets coming from your computer to the mail server (or to any server). Each time you make a connection to the mail server you are sending your authentication credentials through the bad guy’s computer.

From there it’s easy to use a program to filter out all packets containing login credentials. This includes your Facebook, Twitter, and bank account login information as well. Everything.
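
One way to check for the router impersonation described above, as an added example that is not part of the original post: on a local network this trick typically shows up as the router's IP address resolving to another machine's hardware (MAC) address in your ARP table. The script parses the output of arp -a; the function names and the sample table are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real network).
# The router 192.168.1.1 and the host 192.168.1.42 answer with the same MAC.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.42          00-11-22-33-44-55     dynamic
  192.168.1.50          66-77-88-99-aa-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches "IP  MAC" (Windows) and "(IP) at MAC" (Linux/macOS `arp -an`).
_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"((?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})\b"
)


def normalize_mac(mac):
    """Lower-case, colon-separated, zero-padded (macOS prints 0:1b:...)."""
    return ":".join(octet.zfill(2) for octet in re.split(r"[:-]", mac.lower()))


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries; broadcast/multicast are skipped."""
    table = {}
    for ip, mac in _ENTRY.findall(text):
        mac = normalize_mac(mac)
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast
            continue
        table[ip] = mac
    return table


def check_gateway(arp_text, gateway_ip, trusted_mac=None):
    """Return a list of (code, detail) findings about the gateway's ARP entry."""
    table = parse_arp_table(arp_text)
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return [("GATEWAY_MISSING", gateway_ip)]
    findings = []
    # A MAC recorded on a previous, trusted visit no longer matches.
    if trusted_mac and normalize_mac(trusted_mac) != gw_mac:
        findings.append(("MAC_CHANGED", gw_mac))
    # Another address on the LAN claims the same hardware address as the router.
    for ip, mac in sorted(table.items()):
        if ip != gateway_ip and mac == gw_mac:
            findings.append(("SHARED_MAC", ip))
    return findings


if __name__ == "__main__":
    for code, detail in check_gateway(SAMPLE_ARP_OUTPUT, "192.168.1.1"):
        print(code, detail)
```

A shared address is a prompt to disconnect and investigate rather than proof of interception, since one device can legitimately hold several IP addresses.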

So does that mean it would be better to just stay away from your local coffee shop?

Hey, no need to be drastic! You can still go and you can still surf the Internet but it may be best if you didn’t use the coffee shop’s Internet connection. Personally, I don’t trust any network that I don’t own or control.

A nice work-around would be to use the Internet connection on your smart phone. Most smart phones have the capability of turning into a password protected Wifi “hot spot.” They also have the capability to tether the smart phone to your laptop. But, of course you will be using your phone service provider’s data plan.

So if I protect myself from that shady “man in the middle,” I’m safe, right?

Not exactly.

Another way your email account could be compromised is with a virus/malware being installed on your computer without your knowledge. This method is the most common and likely way that your email account (and everything else on your computer) can be compromised. I’ve seen what some of these viruses and malware are capable of doing, and it’s scary stuff.

Some of the virus/malware infections come with a nice little tool called a keylogger. What it basically does is log all your keystrokes and send them to a server controlled by whoever infected your computer with the virus/malware. So any time you enter a username and password, the keystrokes are logged before the login request is sent. It doesn’t matter that the connection from your computer to the mail server is encrypted.

So how did this software get onto your system, or how can you prevent it from being installed on your system?

You can start by practicing the following:

  1. Keep your system/software updated with the latest security patches.
  2. Update your Antivirus programs and run scans on a routine schedule.
  3. Avoid downloading files you don’t recognize.
  4. Don’t open any email messages you didn’t expect to receive. For example: You get an email message with the subject; “Your PayPal account has been limited,” but you don’t have a PayPal account.
  5. Avoid visiting web sites that have a bad reputation. A simple Google Search will sometimes display a warning message in the search results right below the domain name: “This site may harm your computer.”

The third way an email account can be compromised is by social engineering. Some email systems come with a nifty “Forgot your password?” tool. So what’s the big deal about this feature? Well, when you were setting up your email account you weren’t thinking twice and just answered the security questions truthfully. For example the signup form has the following questions:

  1. What is your pet’s name?
  2. What is your mother’s maiden name?
  3. Which street did you grow up on?
  4. Which school did you attend in the 5th grade?
  5. In which hospital were you born?

You had to pick two of them and answered the two questions correctly. No harm done, right?

Wrong. The questions/answers that you’ve set up with your email account should actually be considered your second and third passwords. Why? Because the correct answers to these questions grant access to the email account.

It would be best to answer these questions kind of incorrectly. So, let’s say you chose Which street did you grow up on? and What is your mother’s maiden name?, and the answer to the first question is Main St. and the answer to the next question is Smith.

Instead of using the correct answers, you can add an extra character before the real answer. For example, @Main St. and @Smith. If the system doesn’t allow these types of characters, then you can also use a letter before the real answer. For example: QMain St. and QSmith. That way, if the malicious person finds out the real information, they will still have a hard time getting into your email account.

You must be wondering how these people even get the information in order to gain access to your email account using the security questions method. The answer is very easy. In this day and age most of us use social media sites such as Facebook, Twitter, YouTube, etc. What’s the problem with social media? Well, the problem is we like to give out too much information.

We all like to share, share, share. Sometimes we don’t realize it, but we give out too much information. So much information that it makes it easy for a malicious person to gain access to your email account using the security question method.

If you keep these things in mind and think about security in new ways, you will protect yourself from a lot of potential headaches.



How to Reset Your Hosting Space


Sometimes you just want to tear everything down and then build it back up.  Maybe you are tired of your old nopCommerce site and want to try out WordPress.

Maybe you have an older version of an app in your hosting space and you want to upgrade, but first you need to remove the current installation.

Whatever the reason, the support department is often asked, “How do I reset my hosting space?”

Well, there isn’t a tool available in Control Panel to do this, so I have provided the following guide for you to use to clean out your hosting space and return it to “factory default” in two broad steps.

Backing up and removing your database

  1. Find your Control Panel’s MS SQL Manager (or MySQL Manager for you Linux types).
  2. Use your MS SQL Manager’s Manage link, and then the backup link to take you to the backup prompt.
  3. Back it on up!
  4. Navigate back to the first screen of your MS SQL Manager, this time use the Delete link.
  5. Confirm it, and delete your database.

Backing up your site’s files and then removing them

You might have had to mark a few sub directories as application starting points in the past; I recommend that you unmark them first in order to avoid potential permissions issues.

  1. Navigate to the Application Starting Point tool in Control Panel.
  2. Use the delete link to unmark these directories as application starting points. We will take the actual backups next, as this step does not delete any files itself.
  3. Connect to your web server with an FTP client. I recommend FileZilla. I also recommend that you use your alternative FTP address to avoid any potential issues with DNS.
  4. Since I want to take a backup of all my files and include my database backup, I’m going to download everything to my local computer. If you don’t want a backup, or just want to back up certain files, just download the files you want.
  5. Sometimes you have to manually enter “App_Data” (the directory I backed up my database to) in the Remote Site section in order to access it.
  6. Once you have a copy of everything that you need, select all your remote directories and hit DELETE.

If you cannot delete some of your files and directories at this point, try recycling your application pool.  Sometimes web applications do not “let go” of a file or directory properly, and you will not be able to delete a file while it is in use. Recycling your application pool should remove the lock.

If you tried recycling your application pool but still cannot delete a file, open up a ticket with the support department and ask us to manually remove the files from the server.

Make sure to provide us with a copy of your FTP log, just so we know that you tried to delete the files yourself.

And there you have it, we now have a completely clean hosting space.

Your database has been backed up and removed, so we don’t have to worry about old table data conflicting with new.

Also, all of your application starting points have been removed, and you have regained all of your disk space allotment on the web server.



WordPress Tips


Here are some small tips you can use to make your WordPress site a bit more secure and slightly increase performance.  Make sure the version of WordPress you’re running is the most recent version.  This will ensure any security vulnerabilities found in the Content Management System will be addressed.

To perform an in-place upgrade of WordPress:

1) Log into WordPress as the admin user.

2) On the Dashboard, it should say WordPress x.x.x is available!  Click on the Please update now link.

3) Click the Update Now button.

4) Finished!

Alternatively, you can perform a manual upgrade by:

1) Instead of clicking the Update Now button, click Download x.x.x

2) Extract the .zip file’s contents.

3) Upload the files using FTP, matching the same directory structure.

4) Once you refresh the admin screen in the browser, you should get an Update WordPress Database button.  Click on it and then the Continue button to complete the process.

You can also add an extra layer of security for the admin section.  Ruslan’s Blog shows you how.

According to IIS7 Manager, you can improve the performance a bit by moving the index.php file to the top of the Default Document list.

I also suggest you disable Directory Browsing.

Take note that any changes you make through IIS7 Manager will be written to your web.config file, so you should always make a backup of it before proceeding.
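
A check for the Directory Browsing and Default Document tips above, as an added example that is not part of the original post: it reads a copy of web.config (for instance the backup you just made) and reports what the file itself sets. The function name and the sample file are constructed for illustration; directoryBrowse and defaultDocument are the IIS 7 system.webServer elements involved.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the default-document block from the OpenCart post on this
# page, plus a directoryBrowse element left switched on.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <defaultDocument>
      <files>
        <remove value="index.php" />
        <add value="index.php" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
"""


def audit_web_config(xml_text):
    """Summarise the directory-browsing and default-document settings."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    report = {"directory_browsing": "inherited", "default_documents": [],
              "clears_inherited": False, "findings": []}
    web = root.find("system.webServer")
    if web is None:
        report["findings"].append("no <system.webServer> section in this file")
        return report

    # Only an explicit enabled="..." attribute counts as a setting made here.
    browse = web.find("directoryBrowse")
    value = browse.get("enabled") if browse is not None else None
    if value is not None:
        enabled = value.strip().lower() == "true"
        report["directory_browsing"] = "enabled" if enabled else "disabled"

    if report["directory_browsing"] == "enabled":
        report["findings"].append("directory browsing is enabled")
    elif report["directory_browsing"] == "inherited":
        report["findings"].append(
            "directory browsing not set here; the parent/server value applies")

    # <clear /> means the list below fully replaces any inherited entries.
    files = web.find("defaultDocument/files")
    if files is not None:
        report["clears_inherited"] = files.find("clear") is not None
        report["default_documents"] = [
            add.get("value") for add in files.findall("add")]
    return report


if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEB_CONFIG))
```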



Three Ways to Skin a Cat (or Deploy a CMS)


Did you know there are multiple ways of installing/deploying your favorite Content Management System at Winhost?  Below, I provide 3 general guidelines and briefly explain the benefits/drawbacks of each.  (I’ll be using DotNetNuke as an example.)

Method 1: Installing the Content Management System using the App Installer tool in the Control Panel

  1. Log into the Winhost Control Panel.
  2. Click on the Sites tab.
  3. Click on the Manage link next to the Site you want to manage.
  4. Click on the App Installer button.
  5. Find the Content Management System and review the requirements.  If it requires a higher hosting plan, then you should upgrade.  If it requires a specific ASP.NET version, you should change it through the Control Panel.  If it requires a database, you should create it beforehand and take note of the connection string information.
  6. When you are ready, click on Select this Application >>
  7. Fill out the application parameters.  For the application path, leave it blank to install it to the root of your site account or enter a sub-directory that you want it installed to.  Fill out any database parameters as well.
  8. Click on the Install Application button to load the files on to your site account.
  9. Once you get a message that your application has installed successfully, proceed on navigating to the root/sub-directory to configure it.  (Note: Please use your Secondary URL address if you have not pointed your domain name over to us or registered one yet.)

Configuring DotNetNuke example:

  1. Select Typical and click on Next.
  2. Make sure the CMS requirement check passes and click on Next.
  3. Enter the database connection information and click on Next.
  4. The database tables will install.  Once complete, click on Next.  (If you have problems with this step, try using an empty database.)
  5. Fill out the SuperUser Account and Website Information.  Click on Next.
  6. Success!

Benefits: The benefit of using this method is that you do not have to upload any files.

Drawbacks: A slight drawback is that CMS version might not be the latest.  This may not be a problem as most CMS nowadays have upgrade modules which you can invoke after the install.

Please also note using the App Installer tool will wipe out any files in the installation directory.  If you have files in the root, this is not a good idea.  Make sure you make a backup copy of your site before using the App Installer tool.

If you install the application to a sub-directory, it will also mark it as an application starting point.  If you have multiple apps running on your site, you will need to take this into consideration if you need to make web.config modifications.

Method 2: Installing the Content Management System using FTP

  1. Obtain the installation files from the Content Management System vendor’s site.  (e.g. http://www.dotnetnuke.com/)  Do not get the source code version.  Get the runtime version.  It is usually in the form of a .zip file.
  2. Extract the archive file’s contents.
  3. Upload the files using an FTP client such as FileZilla.  If you deploy it to a subdirectory, you might need to mark it as an Application Starting Point using the tools in the Control Panel.  This is not necessary if you install it to the root.
  4. Now navigate to your site/sub-directory using a browser to start the installation/configuration wizard.  For PHP based applications, you might need to add index.htm or index.html to the URL because it is not set up as a Default Document.  You can then follow the CMS’ wizard to complete the installation.  (I won’t repeat myself here, but since I am using DotNetNuke as an example, you can follow step 9 and on from Method 1 if you’d like to try it out yourself.)

Benefits: The benefit of using this method is that you can use the latest version of the CMS or install a CMS that is not available through the App Installer such as OpenCart.

Drawbacks: The drawback is that you need to be more aware of the CMS’ requirements and may need to perform more steps to configure it properly.  It also may not be a viable option if the CMS is particularly large, and you have a slow Internet connection (i.e. it would take a very long time to upload the files).

Method 3: Installing the Content Management System using Microsoft Web Matrix

  1. Launch Microsoft Web Matrix.
  2. Click on App Gallery.
  3. Select the Content Management System you want to install and click on Next.
  4. You will see an Application Description page.  Click on Next.
  5. A wizard will guide you through the process of installing it on your local machine.  Click OK when you are done.  (Pay attention to the pre-requisites.  For this demo, SQL Server Express needs to be installed on your local machine.)
  6. Your default browser should launch to help you configure the application locally.  (See section Configuring Dotnetnuke example for an example.)  This will allow you to develop your website locally.
  7. Go back to Microsoft Web Matrix when you are finished with developing your site.
  8. To deploy your site to Winhost, click on the Publish icon.
  9. You will see 2 options: Import publish profile (recommended) and Enter settings.  You can enter the settings manually, and all the information you need to supply can be found in various sections of the Winhost Control Panel.  We also provide you with a basic publishing profile (web server settings, not database).  You can find it by going to Winhost Control Panel -> Sites -> Manage -> Web Deploy [Publishing Information].  Click on the link to download it.

  10. For this example, I will use Import publish profile (recommended).  Below is a sample screen shot, and I’ve manually entered the database connection string (found in the Control Panel). Click on the Validate Connection button.  If it does not say Connected Successfully, then you may have entered the wrong settings or you may have antivirus/firewall software blocking the connection.  Click on Save and Continue a few times.  (Don’t worry if you get a warning about site compatibility.  It should still work.)
  11. You will now see a Preview screen, and you can choose what you want to publish.  Click Continue when you are done checking the files/database you want to update.
  12. You will get a Publishing – Complete message when you are done.

Benefits: The greatest benefit to this method is that you can develop your site locally.

Drawbacks: The drawback with this method is that you may need to perform a lot of prerequisite setup prior to the installation.  Configuring changes locally may also not work when you deploy to Winhost.  You may still need to make some further alterations to the web.config file.

As with Method 1, you need to be careful when publishing as files in the destination could be overwritten.  Always make a backup of your site prior to publishing.

You may also want to spend some time reading this great post from one of our customers on the forums:

http://forum.winhost.com/showthread.php?t=8565&highlight=dnn+installation