The Importance of Password Security


Wednesday, November 15th, 2017 - Security

We have seen a growing number of web hosting accounts being hacked and when investigating and tracking down the reasons for the hacks, we are finding most of those accounts are hacked through weak admin passwords on their website CMSs (WordPress, Joomla!, Drupal, etc).

One thing you should understand: if you are using a weak admin password for anything tied to your web hosting account, then you share some of the blame for its hacking. That may seem harsh to say, but it is the truth. As the administrator of your web hosting account, you are responsible for practicing good security on it. Sure, it sucks that there are malicious users and hackers out there taking advantage of your web hosting account – but there is also some level of responsibility on you for allowing a weak password to be used.

How do I choose a secure password?

A good password will use a combination of upper and lower case letters, numbers, and non-alphanumeric characters. I like to use the Password Strength meter at http://www.passwordmeter.com to determine how strong a password might be. I generally aim for something above 80% and the closer you can get to 100% the better.

I also encourage the use of local password managers. I’m less thrilled by online password managers, because if those get hacked, then all of the passwords you have stored there could then potentially be hacked as well. I like the portable version of KeePass. The portable version allows you to run it from a USB thumb drive – this way the database is not installed on your local computer. If you have a password manager installed on your local computer, and your local computer gets infected with malware, a virus, or a keylogger, then the information stored in the installed password manager could potentially be compromised.

Putting a password manager – like KeePass – on a USB thumb drive and keeping it near your computer ensures that your passwords are safe from any malware infections you might have on your local computer, and also available to be used whenever you need them.

To download the portable version of KeePass, see:

https://keepass.info/download.html

Instructions for setting up the portable version of KeePass are at:

https://keepass.info/help/v2/setup.html#portable

Why do hackers hack into my site?

The simple answer is because they can. You might think that you have a small web site that doesn’t really garner a lot of attention. But if you are using a weak password, outdated script/plugin, or otherwise have something in place that would allow malicious users to take advantage of your web hosting account – you’d better bet that they will eventually.

Commonly, hackers and malicious users will hack into a web hosting account to set up phishing sites, send out spam, or carry out SEO Spamming or Search Engine Poisoning.

Phishing sites have to do with creating a look-a-like mirror of a popular website with the intent of tricking visitors into disclosing personal information about their real account at these popular websites. A NetFlix phishing scam recently went through this cycle: the hackers had to have a place to host the NetFlix look-a-like site. They do this by hacking and exploiting other smaller websites.

Spamming pertains to the sending of unsolicited messages. We’ve all received spam messages and we all know what spam messages look like. Most of those messages are sent out because someone allowed their web hosting account to become compromised.

SEO Spamming or Search Engine Optimization spamming has to do with building a network of links to raise the search engine rankings of one website. That website can then monetize this popularity with ads.

Search Engine Poisoning is similar to SEO Spamming but has to do with poisoning the content that search engine crawlers see when they crawl your website. This can have the effect of associating your website with various pharmaceuticals, gambling, or other shady businesses.

How do I keep my web hosting account safe?

• Keep your scripts, plugins, themes, components, etc. all up to date. When an update is released by its developers, that update is not automatically applied to your installed version. You will need to update it. Sometimes this is simple, sometimes it is not. But not doing the update is dangerous to the well-being of your web hosting account.

• Use reputable scripts, plugins, themes, and components. Stick to popular and well maintained scripts. When looking at plugins, themes, and addon components, check to see when each was last updated. The further back this is, the less reputable the plugin is. Check to see how many active installations the plugin is said to have; the more the better. Check the plugin’s overall rating; the higher the rating, the better. A plugin that was last updated 3 years ago, has fewer than 1000 active installations, and has 3 or fewer stars is probably not reputable and probably something to avoid.

• Use strong and secure passwords. The weaker a password is, the easier it is for hackers and malicious users to guess the password and log into your account. If your website is important to you, then you will want to ensure that you are using strong and secure passwords.
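The update and reputation checks in the list above can be run over a whole plugin inventory at once. The Python sketch below is an added example, not part of the original post; the plugin names, versions, and numbers are constructed, and the inventory format is an assumption (in practice you would fill it from your CMS's plugin listing).

```python
from datetime import date

# Thresholds are the ones stated in the list above.
STALE_DAYS = 3 * 365
MIN_ACTIVE_INSTALLS = 1000
LOW_RATING = 3.0


def reputation_flags(plugin, today):
    """Return the reputation warning signs that apply to one plugin."""
    flags = []
    if (today - plugin["last_updated"]).days >= STALE_DAYS:
        flags.append("not updated in 3+ years")
    if plugin["active_installs"] < MIN_ACTIVE_INSTALLS:
        flags.append("fewer than 1000 active installs")
    if plugin["rating"] <= LOW_RATING:
        flags.append("3 stars or fewer")
    return flags


def audit(inventory, today):
    """Map each plugin name to a (verdict, reasons) pair."""
    report = {}
    for p in inventory:
        flags = reputation_flags(p, today)
        if len(flags) == 3:
            verdict = "avoid"    # all three signs: "probably not reputable"
        elif p["installed"] != p["latest"]:
            verdict = "update"   # a newer release exists but is not applied
            flags = ["update available"] + flags
        elif flags:
            verdict = "review"   # some warning signs, not all of them
        else:
            verdict = "ok"
        report[p["name"]] = (verdict, flags)
    return report


# Constructed inventory; every name and value here is made up.
INVENTORY = [
    {"name": "example-contact-form", "installed": "4.9", "latest": "4.9",
     "last_updated": date(2017, 10, 2), "active_installs": 500000, "rating": 4.5},
    {"name": "example-gallery", "installed": "1.2", "latest": "1.4",
     "last_updated": date(2017, 6, 20), "active_installs": 20000, "rating": 4.1},
    {"name": "example-slider", "installed": "0.9", "latest": "0.9",
     "last_updated": date(2014, 3, 1), "active_installs": 600, "rating": 2.5},
]
TODAY = date(2017, 11, 15)

if __name__ == "__main__":
    for name, (verdict, reasons) in audit(INVENTORY, TODAY).items():
        print(f"{name:22} {verdict:7} {', '.join(reasons)}")
```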


Joomla! Updates


Tuesday, November 7th, 2017 - General

The Joomla! developers recently released Joomla! 3.8 of their popular CMS software. Suffice it to say, there has been a lot of scrutiny with this release. There have been a lot of issues with the update process for Joomla! 3.8. On many occasions, updating to Joomla! 3.8 breaks the website and it is a painstaking endeavor to get the website back up and running. To be fair, there are several other instances where updating to Joomla! 3.8 went smoothly. So to say that the update problems are an underlying problem with Joomla! is a false statement. But it still can’t be discounted that a lot of people are having issues with the Joomla! 3.8 update process.

As a web hosting provider, and one that cares about security, we have to advise you to keep the software and scripts on your website up to date. Because of this, we have to advise you to ensure that you are running the latest version of Joomla! (Joomla! 3.8.2 at the time this post was published). But at the same time, we also recognize that there are issues related to some websites attempting a Joomla! 3.8 update.

All of these issues with Joomla! updates are making it very difficult for us to recommend Joomla! as a website platform. Joomla! may be a great Content Management System for managing your website, but its updating process leaves a bit to be desired. If you are considering reworking your website altogether, you may want to look at alternative CMS software – such as, but not limited to, WordPress – to manage your website.

How can you be better prepared for the Joomla! 3.8 update?

• Backup your account before attempting any update
If you have a Joomla! extension that can backup your site, you may be able to use that to create a backup of your account before attempting any update. If you need us to make a full backup of your account before attempting any update, we can do that for you – just open a support ticket.

• Make sure you are using a reasonably up to date version of Joomla!
From what we have been able to ascertain, if you are using a version of Joomla! that is older than 3.6.5 (meaning your Joomla! version is less than 3.6.5) then you will most definitely have issues updating to Joomla! 3.8. You will need to update to at least Joomla! 3.6.5 before attempting the Joomla! 3.8 update. How exactly you do that is uncertain – Joomla! does not provide direct instructions on how to do that, just simply stating that it’s best if you are updating from Joomla! 3.6.5 or newer.

• Make sure your components are up to date and reputable
A lot of the issues related to the Joomla! 3.8 update seem to revolve around websites using outdated, abandoned, insecure, or just poorly written extensions and components. How exactly you determine if a component or extension is reputable, up-to-date, and secure – again, that is not directly provided by Joomla! But you should review all of the components and extensions you have installed prior to attempting a Joomla! 3.8 update.

• Updated and still have issues?
If you attempt a Joomla! 3.8 update and you have issues with your website, our best advice is to seek help at the Joomla! forums – whether or not they can help you, I do not know. But they have a much better understanding of Joomla! and what might be wrong and what needs to be done to fix it. Trying to resolve the issue might become very technical, but unfortunately that is just part of running a Joomla! site.

One of the best things you can do to ensure that future updates will work better for you is to ensure that you are using reputable components, extensions, and themes. There are a lot of components and extensions out there for Joomla!, but a lot of them are poorly written or not properly maintained. If you can avoid using components and extensions that are not reputable, this will better ensure that the developers that write the components you are using are updating their components to work with updated versions of Joomla!


Upcoming PHP 7.1 Upgrade


Tuesday, October 24th, 2017 - General

Is your website ready for PHP 7.1?

We are finalizing plans to switch all of our servers over to PHP 7.1 by default beginning December 1, 2017. What does this mean for you?

If your scripts are up-to-date and are being kept up-to-date, then you should not be affected by this. In fact, you will likely see a performance boost because PHP 7.1 is showing to be much faster than PHP 5.6. If you are not keeping your scripts, plugins, components, and themes up to date, then now would be a good time to be doing that.

Why are you doing this?

Currently our servers are using PHP 5.6 by default. PHP 5.6 is expected to reach end of life on December 31, 2018. While that date is still over a year away, we just want to be sure that we are ready for this deadline.


http://php.net/supported-versions.php

Switching to PHP 7.1 by default will better ensure that our accounts are ready once PHP 5.6 support officially ends.

What does by default mean?

Unlike a lot of software on the server, with PHP we are able to run concurrent versions. We are able to have multiple versions of PHP available for your account to use. Currently we support PHP 5.6, PHP 7.0, and PHP 7.1 – meaning that your account can be using any of these PHP versions.

The term by default simply means that this is the version of PHP your account is using if you have not made any prior PHP version changes. Currently our default version is PHP 5.6. This means that unless you have told us or otherwise made changes to the PHP version on your account, then you are using PHP 5.6 on your account. When we change the default version to PHP 7.1, everybody that was using PHP 5.6 will switch to using PHP 7.1.

Can I continue to use PHP 5.6?

Absolutely! We are not killing support for PHP 5.6, we are merely changing the version of PHP that is assigned by default. All that being said, however, please understand that support for PHP 5.6 will be ending sometime in 2018 – before December 31, 2018. If you are depending on PHP 5.6 for your script, then you need to be making arrangements to upgrade that script or fixing the script to work with PHP 7.1 and later. The people that develop the PHP language will stop supporting PHP 5.6 on December 31, 2018. We cannot provide software that is no longer being supported by its developers on our servers. So you will need to be making arrangements to fix the script before this deadline.

When will you remove PHP 5.6 completely?

That date hasn’t been determined yet. It will be before December 31, 2018, but just when has not been determined. We will probably review our servers during the summer of 2018 and see if PHP 5.6 is still being used; if it’s not being used, it may be phased out at that time.

Why are you skipping PHP 7.0?

The developers of PHP voted in early 2016 to extend support for PHP 5.6. As a result of this, the lifetime of PHP 5.6 is actually longer than PHP 7.0. For this reason we decided to skip over PHP 7.0 as a default version. PHP 7.0 is still available for you to use if you specifically need it. However, we have found that most updated and actively developed scripts will work just fine with PHP 7.1, essentially making PHP 7.0 a skippable version. Our support for PHP 7.0 will follow our support of PHP 5.6 – we will review its usage during the summer of 2018 and may phase it out at that time.

What happened to PHP 6.0?

The PHP developers also voted to skip version 6.0 in PHP. When PHP 5.0 was being developed, some extensions were proposed to extend PHP. While this was being developed, it was often referred to as PHP 6. However, those extensions were later adopted into the core PHP 5 code. The general public probably didn’t know much about this developmental PHP 6 code, but there were books released concerning these extensions. The PHP development council voted to call PHP 5’s successor PHP 7 in order to avoid any confusion with the unreleased PHP 6 code base. Essentially, PHP 5.6 is the last release of PHP 5 and its direct successor was PHP 7.0.


Server Migration – September 13, 2017


Saturday, September 9th, 2017 - General

We are scheduling a server migration for September 13, 2017. This migration will affect some of our clients.

This migration is scheduled to start on Wednesday, September 13th at 7PM CDT. The total time to complete the migration is unknown, but we are setting aside 24 hours just to be on the safe side. IMPORTANT TO NOTE: Individual accounts will not be down for the full 24 hours. This migration is done on an account-by-account basis. Your account will likely only be down for 15 to 30 minutes (if that long) at some point in this migration window.

START TIME: Wednesday, September 13 7PM CDT
END TIME: Thursday, September 14 7PM CDT (Estimated)
IMPACT TIME: 15 to 30 minutes per account, perhaps less

This migration will consist of an IP address change. However, if your account is using our nameservers or nameservers we have designated for you, then the IP address will change automatically. This is because the IP change will be made in synch with our DNS servers. If you are not using our nameservers then we cannot make the DNS change for you automatically. We encourage you to use our nameservers or nameservers we have designated for your account for this reason.

If you are using bookmarked links to access your cPanel or Webmail, those links may no longer work after this migration. To access your cPanel and Webmail, it is always best to use the links:

cPanel – http://yourdomain.com/cpanel
Webmail – http://yourdomain.com/webmail

Replacing yourdomain.com with the domain name of the account you want to log into.

To find out if your account is affected by this migration, enter your domain name at:

https://www.amscomputer.com/maintenance091317.php

If you have any questions about this migration you can reply to this message or submit a support ticket at:

http://www.amshelp.com/support


Upcoming Database Upgrades


Monday, July 3rd, 2017 - General, Updates

Changes are coming to our servers later this summer. Some of these changes may require you to update the scripts you have on your website.

We will be upgrading the database service on all of our servers starting at the beginning of August 2017. This upgrade is due in part because the current versions have reached or are going to soon reach their end of life. The upgrade should also give a performance increase to scripts and services that utilize the database service.

Quick Summary: If you don’t read this full post, the main takeaway from this is that you need to ensure that all of the scripts on your website are up to date. If you are using old, outdated, and especially end of life’d scripts, then you may encounter problems with this upgrade.

How will this affect you?
The main issue concerning your account in regards to this upgrade is going to be how up to date your scripts are. If the scripts on your website are up to date then you should not notice any change, perhaps a performance boost. If however your scripts are not being kept up to date, then you may experience your website being offline. Keeping your scripts up to date is really just a great idea in and of itself. But if you are using ancient versions of the script, then those versions may not be compatible with the new database server protocols. Extremely old versions of Joomla! are known to have issues with this. Other scripts may also have problems. If you are using plugins, components, addons, or themes tied into the script, you will want to be sure that they are up to date as well.

Newer software, such as this upgraded database service, is meant to provide better performance by optimizing the way it handles data. This means that it can’t continue to support the way older scripts handle data AND bring a performance boost. Continuing to support old and outdated software would result in a performance degradation in the database service. Likewise, new versions of scripts are developed to boost performance and by continuing to use older versions of the script you are being plagued by a performance degradation.

Keeping your scripts up to date, not only helps with the security of your account, but it also helps with the performance of your account.

I don’t want to or can’t update my script
If you can’t update the script on your account, then you need to find out why. If the task of updating the script is too technical, then you may need to hire a qualified professional to update the script for you. If you are unable to update the script because the developer or vendor is not releasing updates, then you probably should consider a different script. There are a lot of website scripts out there. Some are well written and properly maintained by the developer or a team of developers. Many others are poorly written and are never maintained. Avoid using the poorly written and unmaintained scripts.

Not wanting to update the script unfortunately is not a valid excuse. The majority of our client base keeps their scripts up to date. It is not fair to them that they cannot reap the benefits of the performance increase a database service upgrade provides just so the handful of other clients that refuse to keep their scripts up to date can keep their scripts running.

Failing to keep your scripts up to date is a dangerous proposition anyway. Security holes are published for out of date software; this is how abuse and malicious actions can happen on your account and server.

Will there be any downtime associated with this upgrade?
Our intention is to keep downtime to a minimum. There will be some downtime involved in this upgrade, but just how much is unknown. It could be 5 minutes to 2 hours, although our hope and plan is to keep this closer to 5 minutes. We really can’t do this upgrade without incurring at least a small amount of downtime.

When will my account be upgraded?
We can’t provide an exact timeline for that. Our plan is to upgrade a few servers at a time, all beginning on August 1, 2017. How many servers can be done per day and how long it is all going to take is really up in the air.

What are the technical aspects of this upgrade?
We will be upgrading the database server to MariaDB. MariaDB is a fork of MySQL. Much of the web hosting industry is switching to MariaDB and MariaDB is known to give real performance gains. MariaDB still uses MySQL bindings for scripts and connections, so it’s really a drop in replacement for MySQL. Nothing changes with your database structure. Just the software that maintains that database, currently MySQL, will be switched to MariaDB.