Site hosting news, tutorials, tips, How Tos and more

iPhone Secure Email Setup

We support secure SSL/TLS connections to our email server. We’re going to show you how to setup a secure connection with your iPhone.

For the “Incoming mail server”, enter:

For the “Outgoing mail server (SMTP)”, enter:

You will get a certificate warning about the server identity. We installed an SSL certificate on our email server for the convenience and security of our customers. But the problem is that we can’t install a certificate for every customer domain on the server. Instead, we installed a certificate for *.internetmailservice.net. The iPhone will display the warning because of the domain name mismatch; you are trying to reach mail.HostingAccountDomain.com, but the SSL certificate was issued to *.internetmailserver.net. The certificate we installed is safe to use.

Your iPhone may set the default SMTP port to 25. Many internet service providers block port 25, so you should change the SMTP port to 587.

You’re all set! Now your iPhone now has secured, encrypted communication with our email server.



Introducing fully managed WordPress hosting, security and hardening

If you use WordPress and are worried about being hacked or compromised, or you just don’t have time to keep up with the frequent updates and maintenance, we just launched a service made for you.

Our Managed WordPress Hosting service includes:

  • WordPress hardening for maximum security.
  • Monthly updates of WordPress core, Plugins and Themes.
  • One of our in-house WordPress security experts will personally examine your WordPress installation for malicious files and signs of compromise every month. If your WordPress installation is compromised or hacked, we’ll clean it up.
  • Configuration of automatic WordPress site and database backups.
  • WordPress-specific support and personalized assistance.

And if you need it:

  • Free website migration from your old host for a quick, smooth transition
  • WordPress installation, including database set up, Plugins and Themes

You can learn more about Managed WordPress Hosting and find a link to sign up here.

The Managed WordPress Hosting service includes the Winhost Max Plan, so if you are an existing Winhost customer and already have a hosting plan, contact us for pricing or open a helpdesk ticket and we’ll take it from there.

Every day we clean up compromised WordPress sites for our customers. For them it’s an inconvenience and an expense that they weren’t expecting and don’t welcome. But since WordPress is the most popular blog/CMS application in the world, it’s a natural target for hackers. If everything in your WordPress installation is not up to date, you are at risk.

And unfortunately, even if everything is up to date, you can still be vulnerable. That’s why Managed WordPress Hosting includes a WordPress hardening service, to increase security and reduce the chance that you will become a victim.

So if you love WordPress but could live without the constant maintenance and security tasks, let us do it for you!



Email change related to the postmaster@ address for your domain

We’re rolling out a change to the email system that you should be aware of.

The “postmaster” account is set up by default when we establish email service for a domain, but you have the ability to delete that account. The problem with deleting postmaster@ is that some important messages can be addressed to that address, and that’s because the SMTP RFP says the postmaster account for a domain is required to accept mail.

The change we’ve made is implementing behind-the-scenes forwarding that makes your primary domain admin the “postmaster” account (assuming you have deleted the postmaster@ account – if you have not deleted that account, you won’t see any changes). What that effectively does is ensure that email addressed to the postmaster@ address for your domain is delivered.

The side effect of this change is that you may see an increase in spam on your primary domain admin account, since spammers sometimes send to postmaster@, assuming that it exists on every domain (because they know that it’s supposed to exist).

A possible increase in spam is an unfortunate side effect of this change, but the alternative is the possibility of missing legitimate email addressed to your postmaster@ address. Those legitimate messages can be important, so we had to weigh the value of those important messages against the possibility of an increase in spam.

It’s worth noting though that we made this change on a small group of servers a couple of weeks ago, and we didn’t receive any feedback regarding an increase in spam, so the likelihood is you won’t notice much of a change with this new configuration.

As always, if you have any questions or concerns, open up a support ticket and let us know.



ASP.NET Core 1.1 Is Available

ASP.NET Core 1.1 is now available at Winhost, as is .NET Core 1.0.3.

We will be supporting two different versions of .NET Core because Microsoft is developing two different versions: “Long Term Support” (LTS) and “Fast Track Support” (FTS).

LTS (the 1.0.3 version) is focused on stability and use on production sites, so its development will take place more slowly. FTS (the 1.1 version) is the latest and greatest version, with more new features, but potentially more new issues as well. We don’t recommend it for use on production sites, but it’s there for you to tinker with and check out the latest Core features.

We’ll always support the latest LTS and FTS versions, with the priority given to the more stable LTS versions that are intended for production. The versions run side by side, so you can use whichever you choose (or use both for different purposes).

We’ve run in to some issues already where the latest Visual Studio version supports later (newer) versions than our servers support. That is going to continue to happen from time to time, because it isn’t feasible for us to keep up with the FTS versions across all of our production servers. The development cadence is too quick. What we will probably do with Core from this point on is update quarterly. We’ll try to post in the forum when we make those updates.

Note that .NET Core is only available on the Windows 2012 servers. If your site is running on a Windows 2008 server you’ll have to migrate to a 2012 server to use .NET Core. We can do the migration for you, just contact support and we’ll take it from there.

For more information on how Microsoft is developing the versions and how the version numbering works, check out this post on the MSDN site.



Using the Secondary Web and FTP URLs

When you open an account at Winhost we set up your website space immediately so you can start uploading files right away. But if you have an existing site hosted elsewhere, you will most likely want to get everything set up here and test the site before you actually point the DNS to Winhost. The Secondary URLs make that possible.

Your permanent FTP URL is ftp.HostingAccountDomain.com (where HostingAccountDomain.com is your domain name). But of course that URL won’t connect to the server here until your domain points to our servers, so we set up the Secondary URLs, both for FTP and web access.

The Secondary URLs can be found in the Site Info section of Control Panel:

So the Secondary FTP URL (ftp.w12.wh-2.com in the example here, yours may be different) is what you use in the “host” field of your FTP software to make the connection.

Then when you want to view your uploaded files, you would visit the Secondary Web URL, in this example, http://winhostc.w12.wh-2.com.

Another use for the Secondary Web URL

After your domain’s DNS is pointed to Winhost and your site is up and running, you can use the Secondary Web URL for troubleshooting purposes.

For example, if it seems that your site is unavailable, try entering the Secondary Web URL into your browser. If the site comes up, there’s a good chance that domain registration or DNS issues are the culprit.

When a site is unavailable, domain related-issues aren’t usually the first thing we think of as being the source of the problem, but even the most diligent among us can let a domain registration lapse, or make a mistake in DNS settings that takes our domain off line.

When NOT to use the Secondary URLs

Once your domain has been updated to point to our servers, remember to update your FTP software to use ftp.HostingAccountDomain.com (your domain name) as the host. And you should never use the Secondary Web URL as a link to your site from another site or social media platform, or hard code it anywhere in your site.

We make this recommendation because while it’s unlikely that the Secondary URLs will change, it is possible. They have changed for various reasons in the past. So once your domain points to our servers, only use the Secondary URL for troubleshooting purposes. Never as a link to your site.



myLittleAdmin on Winhost

myLittleAdmin is a tool that allows you to manage your SQL database through a web browser. Here at Winhost, we support SQL Server Management Studio (SSMS), which is the preferred method for managing your database (you can find out how to do that in this KB article.)

But sometimes you can’t use SSMS – maybe you’re sitting behind your corporate proxy restrictions, or you’re using a computer without SSMS installed. That’s where myLittleAdmin steps in. It’s a web-based SQL management tool that provides a friendly interface for you to edit tables, work on stored procedures, run queries and much more.

We have a license agreement for myLittleAdmin, so you can use it on our system without having to obtain your own ($590!) license. There’s nothing to install. Just go to https://sqladmin.winhost.com

Log in to your database, and get your SQL on!



Winter Updates

The latest versions of the following applications are now available through our App Installer tool in Control Panel:



Ready or Not, It’s Time to Consider HTTPS

It used to be that unless your site accepted payments for products or services, you didn’t really need to concern yourself with an SSL certificate, which allows you to encrypt and secure your site traffic using the https protocol. Those days are quickly coming to an end as web security becomes a larger issue, and giants like Google are making an aggressive push to encrypt all web traffic.

Maybe you have even already received a warning email from Google: “Beginning in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card details as ‘Not Secure’ unless the pages are served over HTTPS.” But what does that mean?

Right now (December, 2016) Chrome shows an “information” icon on all non-https pages (Firefox also uses a similar icon):

Which seems pretty benign, unless you click that icon and get the insecure site warning:

Starting in January of 2017 Chrome is going to take that a step further and add a text warning:

Then “eventually” – which, knowing Google, could be any time  – they are going to throw the red flag at non-https pages:

At the moment those warnings only apply to http pages containing password or credit card input fields, but Google definitely plans to extend the Chrome warnings to all http pages, regardless of whether they accept user credit card or authentication input.

Why is https important?

Using https encrypts connections to prevent anyone from tapping in to the communication between your website and your visitor’s browsers. It also prevents the bad guys from exploiting your site by injecting malicious code or unwanted advertising into your user’s browser.

The https connection lets your visitors know that they’re securely connected to your site. That what they’re seeing is legitimate information. It also prevents anyone from accumulating of a lot of user data or behavior related to your site traffic. Aggregate data like that can be used for a number of malicious purposes, so blocking access to it is a good thing.

How does it benefit me?

Right about now you may be thinking, “Okay, I get it, but I’m not really concerned about someone listening in to my site traffic.” That’s understandable. Most sites run a pretty low risk of being targeted in that way. But you probably don’t want to see every page of your site displaying a red “Not secure” warning in Chrome (and eventually in other browsers as well).

That’s reason enough to take steps now to make every page of your site available via https (and redirect http requests to https). You might even consider it a priority, since the Chrome browser currently has a 56% market share, and that percentage is increasing.

But aside from avoiding the warning label, there can be other benefits to using https. In their own words:

“Google uses HTTPS as a positive ranking signal. This signal is one amongst many others, and currently carries less weight than high-quality site content; you should not expect a major SEO advantage for moving to HTTPS in the short term. In the longer term, Google may increase the strength of the HTTPS boost.”

Google is making it pretty clear that in the future they are going to give an edge in search result rankings to sites that use https. And who doesn’t want an edge where that’s concerned?

How to make the move to https

The good news is it isn’t exactly a “move.” Your site stays on the same server, you just add an SSL certificate to your account and make the necessary changes to redirect http traffic to https. This article is already pretty long, so we won’t do a tutorial here, but other than redirecting to https, there are a few other things you’ll want to watch out for:

If you use Google Webmaster Tools, after you’ve made the switch, add the https version of your URL as a new property, set the “preferred version” of that property to https and (re)submit your sitemap. Here’s a Google-centric FAQ on transitioning to https that you may also want to take a look at.

Finally, you may have heard that you can get a free SSL certificate from Let’s Encrypt. That’s true, and you can use those certs here at Winhost. But the Let’s Encrypt certificates come with some drawbacks. Make sure you’re aware of what’s involved in using such a cert before you commit to one.

We’ll have more information on this subject in the coming months. We expect that there will be a lot of questions when Google makes the changes to Chrome, and we’ll do our best to address those questions here and in our Knowledge Base.

Update: January 4th, 2017

The changes have already begun in the latest version of Chrome (55.x). They aren’t flagging insecure sites yet, but they are spelling out “Secure” now: