Our Blog

PHP Upgraded on all Servers

We are pleased to introduce upgrades to our servers and services.

To ensure optimal server reliability and security, we strive to keep our server software up-to-date.

What’s Changed

The following new versions of PHP have been installed on all servers:

  • PHP 5.5 upgraded to 5.5.18
  • PHP 5.4 upgraded to 5.4.34
  • PHP 5.3 upgraded to 5.3.29

If you would like to learn how to select the version of PHP you would like to run for your domain, please see our knowledge base article at http://help.edikon.com/kb/php-and-mysql/what-version-of-php-is-available.

If you have any questions about this upgrade, please do not hesitate to contact us.

Posted in announcements

POODLE Update: SSLv3 Support Removed

Recently, a vulnerability in version 3 of the SSL encryption protocol was disclosed. This vulnerability, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows a man-in-the-middle attacker to recover the plaintext of information encrypted with this version of the protocol.

For us, the window for exposure was quite small. We acted quickly to secure our infrastructure by removing support for SSLv3. If as a result of this change you are unable to access your web properties, updating your browser to the latest version should do the trick.

If you have any questions or concerns, do not hesitate to contact support at support@edikon.com. You can also read the official security advisory on the openssl.org website.

Posted in announcements

The Bash Shell Vulnerability

A newly discovered security bug in a widely used piece of Linux software, known as Bash, could pose a bigger threat to computer users than the Heartbleed bug that surfaced in April. Bash is the software used to control the command prompt on many Unix computers.

The Bash shell vulnerability, referred to by some as ‘Shellshock’, allows an attacker to run arbitrary commands remotely. It was discovered by security researchers at Red Hat and is described in detail in a blog post.

The Department of Homeland Security’s United States Computer Emergency Readiness Team, or US-CERT, issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple’s Mac OS X.

All servers at Edikon have been patched and secured against the Bash shell vulnerability. If you have any questions or concerns, please feel free to contact our support team.

Posted in announcements

Stop Spam Emails from Reaching Your Inbox

We at Edikon have been fighting spam relentlessly for the past several years. The ongoing battle has meant many an hour spent configuring and running tools such as SpamAssassin, custom filtering rules, and real-time blocking lists. These remedies have not been the most effective solution, nor did they give our customers the type of control we wanted. Also, sometimes we managed to be too aggressive with our spam filtering, and other times too soft. But such is the life of system administrators!

During the past two months we tested a new anti-spam service called SpamExperts on our server cluster. We worked closely with early adopter customers that had a large number of spam emails reaching their inboxes. We asked these customers to simply enable SpamExperts from within the hosting control panel and to let us know their impressions of the number of spam emails they received.

The feedback we received was that SpamExperts has ended the days of them having to worry about spam reaching their inboxes! In some cases, early adopters went from hundreds of spam emails a day to absolutely none. In the month of August we saw that approximately 70% of all emails sent to our SpamExperts users were in fact spam, with very few false positives reported.

Therefore, today we are happy to announce the general availability of the SpamExperts solution to stop spam emails from reaching your inbox. All our shared and enterprise hosting plans have the SpamExperts option available for those that wish to enable the service.

The price for the SpamExperts spam solution is $2 per month, or $24 per year, per domain.

To enable SpamExperts, simply log in to your account and click on the SpamExperts icon. Upon clicking the icon you will be brought to the management page, from which you can log in to the SpamExperts interface and customize several options for each enabled domain. We recommend that you simply enable SpamExperts and leave it be before you perform any customizations.

Once enabled, all email sent to your domain first passes through the SpamExperts servers. If an email is judged not to be spam, it is passed along to your account. If it is judged to be spam, it is quarantined, and the quarantine is viewable from the SpamExperts panel. This allows you, if necessary, to teach the system that an email flagged as spam was in fact legitimate. There will no longer be any question about an email that was marked as spam, since you can retrieve any quarantined email if necessary.

We’re confident that our partnership with SpamExperts is going to benefit all of our current and future customers greatly. Email is a big part of the internet, and every spam email you have to delete yourself hurts your productivity. Whether an email arrived in a user’s inbox is something you should never have to worry about. With all that being said, we continue to work with SpamExperts on improvements and welcome any customer feedback.

Posted in announcements

Securing against WordPress Brute Force Attacks

You may be aware of a change we made to our servers this week in order to globally protect from WordPress brute force attacks. This change means that just before accessing your WordPress login page, you are greeted with a popup asking you for a username and password. You can read our knowledge base entry for more information on the change.

On a technical level this change worked brilliantly and we have seen a very large number of brute force attacks being prevented every day on each server since then. We also found that the number of attacks was far more than we expected. The login form we implemented was able to thwart what would have been a debilitating number of connections to our servers and we are pleased that we were able to keep our servers up and running without trouble.

Unfortunately, and perhaps understandably, some of you expressed your disappointment with this change. For one, we did not communicate the change in a proactive manner. And two, this solution is inconvenient since it requires you to log in twice in order to manage WordPress. Please know that we are committed to doing a better job of informing you of changes going forward and that we are looking for a longer-term solution to the problem of widespread WordPress brute force attacks.

However, there are not many options available to us to secure all WordPress installations across all servers. The ultimate solution we all need to work towards is for each WordPress installation to use plugins or other methods that secure it individually.

How do I secure my WordPress site against brute force attacks?

WordPress has done a fantastic job of creating an article about brute force attacks, but for convenience we shall review our favourite options that work on our servers.

Step 1. Change your administrator username.

Using the default username of “admin” may be convenient and easy to remember, but it’s also the most obvious one for attackers to guess. We strongly recommend that you change your username to something else, such as your first name. An easy way to change the username from ‘admin’ to something else is to use the following plugin.

Step 2. Use a strong and unique password.
This one is perhaps common sense, but you’d be surprised at how many users sacrifice security for convenience. Using the same password you use everywhere else may be convenient for you, but if one of these other sites is compromised, it makes it even easier to compromise your blog. We recommend using a new, random and unique password.

If the password is hard to remember, then it is probably a good password!

Step 3. Rename your wp-login.php file and wp-admin folder.
This is a solution we recommend over Step 4 below, because it addresses the very source of the problem by preventing the attack from getting through to WordPress to begin with.

Brute force attacks are made against the wp-login.php file directly. If this file does not exist or has been renamed, and the attacker does not know the name of the file, then the attack will simply fail without being processed. Fortunately there’s a plugin available to make it very easy to rename this file and folder: http://wordpress.org/plugins/rename-wp-login/

Step 4. Install plugins to prevent brute force attacks.
There are many plugins available that can be used to protect your blog against brute force attacks. Our favourite of these is BruteProtect as it uses a centralised database to share IP addresses from detected attackers worldwide. This means that when a new attacker is detected, the IP address is shared with all other users of BruteProtect, preventing other blogs from being hit by the same attacker.

There are other plugins available (listed in the WordPress article at the start of this post) that can also provide quick and easy methods of blocking repeated attackers.

Important note: If you use a plugin that alerts you via e-mail when it blocks an attack, please be sure to disable these e-mails. The plugin may generate too many e-mails and cause our systems to block your website from sending out any further e-mails, which could cause problems for you.

Step 5. Enable WordPress automatic updates.
WordPress is constantly being updated. New bugs and issues are being found and fixed all of the time. Some of these bugs are security vulnerabilities which could lead to your blog being compromised or hacked. It’s therefore critically important to keep your blog up to date and running the latest version at all times. Fortunately, with the later versions of WordPress, there is now an automatic background updater which will apply these fixes for you. To check and ensure this option is enabled, please see the following WordPress article.

If you have installed WordPress via Softaculous on our servers, you can also update it from within the control panel. You can find out how to upgrade your scripts in Softaculous by reading the following article.

If you are upgrading from a very old version of WordPress to the latest version, please be sure to check with your theme or theme developer that it will continue to work fine. Your theme may need to be updated to work correctly on the latest version.

Conclusion
Securing WordPress has become much easier over the last few years. Many plugins are now available to make the process as quick and as simple as possible, even for those with less technical knowledge than advanced WordPress users. This is, unfortunately, partly in response to the huge increase in attacks being made against users of the software. Over time these plugins and systems will improve and this will likely become less of a problem.

It’s important to note that these attacks are, in almost every case, not directed at you and your blog personally. Your blog has simply been found in an automated search, and bots or other automated tools will indiscriminately attempt to guess your username and password. The steps above make this virtually impossible for them and significantly improve the security of your blog.

Performing the steps above is, of course, completely optional. That said, we very strongly recommend that you follow them, as increasing numbers of blogs are being compromised on a daily basis. It can take significantly longer to clean up and restore a compromised WordPress blog than it does to perform all of the steps above, so the time investment is certainly worth it.

In the meantime, we will continue to evaluate the options available to us that would allow us to implement a server-wide solution that is more convenient for you.

Posted in discussion, guides