[Security] Outdated WordPress Installs


Saturday, August 30th, 2008 - Security

This past week I conducted a preliminary check on all of the servers for outdated WordPress installations. I found quite a few that were old and outdated. Keeping any script on your account that is outdated is a security risk. Most of the time developers release a new version of a script or application to address a known security risk. This is not always the case and in most cases the security issue is very minor, but a minor security issue is still a security issue and should be dealt with. If you are not keeping your scripts up-to-date, then you could be open to some type of vulnerability which can lead to problems such as website defacement or information compromise where someone steals information you have stored on your website.

I think one thing that is forgotten when users install a script or application on their website is that the management of that script or application is just starting. On the Internet software has to be maintained and kept up-to-date because it is continually accessible by the outside world. If you have Microsoft Office installed on your home computer and a new exploit for Microsoft Office is discovered, you can always just turn off your home computer and it will be impossible for that exploit to do damage on your home computer. On the Internet, it’s not easy to turn off a server. If the web server is turned off, then your website won’t work at all. This is why the only real option on the Internet is to continually check and make sure that all of your scripts and applications are up-to-date.

I have singled out WordPress in this particular security check. It will be impossible for me to check each and every account for up-to-date script software. This is because every piece of software is different and finding out what version is installed on each account can be difficult. There could also be thousands of different scripts and applications installed on all of our hosting servers. Each script and application would require their own system-wide version checker. WordPress is just a very popular blogging script and with it being so popular it is important to keep it up-to-date.

I am working on getting a full list of the accounts that have outdated WordPress installs. I am hoping to send out a notice to those accounts that have outdated WordPress installs sometime next week. However, if you know that you have WordPress installed on your account and you have not updated it, you should consider updating the install. To download the latest version of WordPress you can visit their website. The latest version of WordPress is version 2.6.1. In the meantime you should make sure that your contact information is up-to-date with us. You can update your contact information by visiting our Account Management page and clicking the Update your Contact Information link.

I am also working on an update guide for updating WordPress. I will need to complete this before I will send out notices about the outdated installations. I am also working on an experimental WordPress updater which I can run on the server to update your WordPress installation.

So if you have a WordPress installation and you have not updated and you feel comfortable updating the installation on your own, you should consider doing this as soon as possible. Otherwise, you can wait for our official notice concerning outdated WordPress installs and our guide for upgrading.

Scott
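
An added example, not part of the original post and not the host's actual checker: a minimal server-wide audit of the kind the post describes, which walks a directory of accounts, reads each WordPress version and lists installs older than 2.6.1. It assumes WordPress records its version as $wp_version in wp-includes/version.php; the account names and directory layout in demo() are constructed.

```python
import os
import re
import tempfile

LATEST = "2.6.1"  # latest WordPress release named in the post
# Assumption: the version is stored as $wp_version in wp-includes/version.php.
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def parse_wp_version(php_source):
    """Return the version string from version.php source, or None if absent."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None

def version_key(version, width=4):
    """Numeric sort key: '2.5' -> (2, 5, 0, 0). A suffix such as '-beta1' is ignored."""
    nums = [int(n) for n in re.match(r"[\d.]*", version).group(0).split(".") if n]
    return tuple(nums + [0] * (width - len(nums)))

def find_outdated(root, latest=LATEST):
    """Return sorted (install_dir, version) pairs for installs older than latest."""
    outdated = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "wp-includes" or "version.php" not in filenames:
            continue
        with open(os.path.join(dirpath, "version.php"), encoding="utf-8", errors="replace") as fh:
            found = parse_wp_version(fh.read())
        if found is None:
            # Unreadable version: report it for manual review instead of skipping it.
            outdated.append((os.path.dirname(dirpath), "unknown"))
        elif version_key(found) < version_key(latest):
            outdated.append((os.path.dirname(dirpath), found))
    return sorted(outdated)

def demo():
    """Build a constructed sample tree (three made-up accounts) and audit it."""
    samples = {"alice/public_html": "2.3.3", "bob/public_html/blog": "2.6.1", "carol/public_html": "2.5"}
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            inc = os.path.join(root, rel, "wp-includes")
            os.makedirs(inc)
            with open(os.path.join(inc, "version.php"), "w") as fh:
                fh.write("<?php\n$wp_version = '%s';\n" % ver)
        return [(os.path.relpath(p, root), v) for p, v in find_outdated(root)]

if __name__ == "__main__":
    for path, ver in demo():
        print(path, ver, "->", LATEST)
```

Installs reported as "unknown" have a version.php the pattern could not read and need a manual look.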


[General] PHP4 End of Life


Monday, August 11th, 2008 - General

As was mentioned in a previous post, PHP 4 officially went end-of-life on Friday, August 8. This means that the PHP designers are no longer going to be issuing bug fixes for PHP 4 and it is effectively a dead language at this point. The PHP designers did release PHP 4.4.9 on Friday, which is a culmination of all the outstanding bug and security fixes in the PHP 4 branch. For more information on this see the PHP website.

Because PHP 4 is now end-of-life, users that are still running websites that require PHP 4 really need to be switched to PHP 5. We will be checking all of the servers to find out what accounts are still using PHP 4 and you will receive a notice concerning this. If you are running a script that still requires PHP 4, the first thing you need to do is check to see if you are running the most recent and up-to-date version of that script. Keeping your scripts up-to-date is important from a security point of view because it helps to prevent your website from being hacked and defaced. If you are running the latest version of the script and it still requires PHP 4, then you need to discuss this with the developer of the script. PHP developers should be aware that PHP 4 was going end-of-life this year and should have been making arrangements to resolve any issues with their scripts. Personally, I would think twice before trusting a script from a developer that was unaware of the PHP4 end-of-life issue.

We wanted everyone to be aware of this. From a security standpoint, we have to enforce the security models that are advised from the PHP designers. The PHP designers are saying that everyone should move towards PHP5. While we are not going to be cutting off access to PHP4 any time soon, it does not mean that we will continue to offer PHP4 indefinitely. Arrangements need to be made that adjust your scripts to work with PHP5.

Steven


[General] All things quiet


Thursday, August 7th, 2008 - General

It has been a relatively quiet 2 months at AMS. We have been working on some of the backend systems, testing some new systems, and making plans for new offerings.

We rolled out updated versions of cPanel last month. This update went smoothly and allowed us to test some new updating procedures which proved to be much more efficient. The cPanel updates are done to ensure server security and to also bring you new features.

We have also been working on updating Apache on all of our servers. We are still in the process of completing this task, but we only have a handful of servers left to upgrade. All of our servers are now running Apache 2.2; it is just a matter of upgrading the servers to the latest version of Apache 2.2.

With mentioning Apache, I should also mention that the PHP designers are readying PHP 5.3 to be released this fall. Currently all of our servers are running PHP 5.2.6, the latest version of the PHP 5.2 release. We will be updating our servers to PHP 5.3 once it is released and goes through a testing period. For more information on PHP 5.3 see the PHP website.

With that being said about PHP, we do still have a few accounts that are running PHP 4. PHP 4 is losing support from the PHP designers tomorrow (August 8, 2008). I will be running through the servers in the next few weeks to find out which accounts are still running PHP 4, and what adjustments they have made to their scripts in order to get them ready for PHP 5. If you have not already done so, you need to be looking into leaving PHP 4 and moving to PHP 5. I will not be able to support PHP 4 indefinitely and soon you will have to move off of PHP 4 and onto PHP 5. Again this only affects a small percentage of our accounts that have been set up specifically to run on PHP 4. If you have made no such request to our support team, then your account is running on PHP 5 and is not affected by this.

Most of the tasks that have been completed lately have only affected the backend of the servers. Server optimization and more efficient models. I wanted to update everyone on what we have been doing to provide you a better webhosting experience.

Scott


[General] New cPanel Update


Tuesday, June 3rd, 2008 - General

A new update to cPanel has been released by the cPanel developers. This update includes a few minor changes, but again the main advantage is in terms of performance. I have just updated one of our test servers to this new version of cPanel to try it out and I have seen a very significant improvement in terms of performance.

We will be working with this test installation throughout the week with an eye towards updating our production servers perhaps as early as next week. I am also following some leads from others in the cPanel community regarding some problems with the update. The developers are working on these issues as they are made aware of them, but the issues are very minor. Still I would like to be sure that there are very few, if any, known issues regarding this update before applying it to our production servers.

For end users, this update will not incur any downtime to your account and the update will go smoothly. The main thing you will notice is an increase in response time and performance on your account.

We wanted everyone to be aware of these changes.

Steven


[Apache2] Completed Apache Upgrades


Saturday, May 3rd, 2008 - Apache2

The Apache 2.2 server upgrades have been completed on all of our shared hosting servers. I will now be focusing my attention on optimizing Apache on these servers so that they will operate in the most efficient manner. This will involve organizing the servers, researching the best options, and doing tests. I will also be focusing on upgrading Apache for our dedicated server owners.

All-in-all I thought the Apache upgrades went very smoothly, much better than I anticipated. The only real problem we experienced was with the last server to be upgraded on Thursday night. We ran into some problems because there were some typos in the configuration files. This led to a little longer downtime than anticipated, but once the typos were sorted out the upgrade went smoothly.

If you are a dedicated server owner, be looking for an e-mail from our staff within the next few weeks, perhaps as early as this coming week, about upgrading your server to Apache 2.2.

Scott