As we get close to completing all of our server upgrades, I wanted to go ahead and quickly highlight a feature that is available on the new servers. We’ve permitted clients to change the version of PHP that their site uses for many years now, but this has always required a modification to the domain’s .htaccess file. Although this wasn’t particularly difficult, it has been simplified even further with the inclusion of PHP Selector. PHP Selector is a CloudLinux component that sits on top of CageFS and allows each cPanel user to select their desired PHP version.
Once you’ve logged into cPanel you’ll find the “Select PHP Version” option under the “Software” menu group as shown below.
As you may have heard, the full database from LinkedIn’s 2012 compromise was posted last month, resulting in more than 150 million additional user logins having been publicized. In light of all these login credentials being leaked from LinkedIn and other services, I wanted to (again) remind everyone of the importance of maintaining secure passwords and also provide some good general guidelines to follow.
Never re-use passwords for any reason. Every login that you set up must use an entirely unique password; otherwise, a compromise of one service compromises your logins for other services. This is becoming more of an issue as these incidents continue to occur. The last thing you want is for an online community compromise to result in the compromise of your email or bank logins.
Do not share your login information with others if it can be avoided. Doing so increases the risk of a compromise significantly since you have no control over how or where that login might be used. If you must provide your login information to a third party, you should set a temporary password and then reset it once the third party no longer needs access.
We have successfully completed the migration of all clients from our old billing system (Ubersmith) to our new one that is integrated within our existing portal. For some of you, tomorrow will be the first time you’ll experience the new system when your service renews. We would love to hear any feedback you might have!
Being able to integrate our billing into our existing support mechanisms has been a tremendous help in simplifying processes both for us and our clients. We look forward to growing the available feature set going forward, including the ability for you to manage hosting plan changes without our intervention.
Earlier this month you may have heard of a new vulnerability in ImageMagick named “ImageTragick”. ImageMagick is a software suite used to create or edit many different types of images. One of the most common use cases involves its “convert” utility, which is used to convert images from one type to another and resize them. cPanel, for instance, uses it, as do a number of image gallery related scripts, shopping carts, etc. Because of this, the potential impact of ImageTragick was quite high.
Although it is fairly trivial to create a policy file or simply update ImageMagick to address the issues, care had to be taken to make sure all instances of ImageMagick were addressed. In many cases, our servers had two or three different versions of ImageMagick that needed to be taken care of. It’s not uncommon for it to be installed on the server as a general package in addition to the versions that both cPanel and CloudLinux provide. As always, you can rest assured that we’ve taken all possible steps to address these new attack vectors and will continue to monitor for further issues going forward.
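As an added illustration (our own example here, not cPanel or CloudLinux tooling), the hardened policy.xml that disables the coders involved in ImageTragick, a constructed weak policy beside it, and a small audit that reports which coders each ImageMagick instance still leaves usable; the file paths you pass in are your own, since each of the system, cPanel and CloudLinux copies keeps a separate policy.xml.

```python
import os
import xml.etree.ElementTree as ET

# Coders whose disabling is the published ImageTragick mitigation.
IMAGETRAGICK_CODERS = frozenset(
    {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"})

# Hardened policy: every risky coder gets rights="none".
HARDENED_POLICY = "<policymap>\n" + "".join(
    f'  <policy domain="coder" rights="none" pattern="{c}" />\n'
    for c in sorted(IMAGETRAGICK_CODERS)) + "</policymap>\n"

# Constructed weak policy: only the network coders are blocked, so the
# delegate-driven coders (MVG, MSL, EPHEMERAL, ...) remain reachable.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
</policymap>"""


def unrestricted_coders(policy_xml: str) -> set:
    """Return the ImageTragick coders this policy still leaves usable.
    Patterns are compared case-insensitively; a "*" coder pattern with
    rights="none" disables every coder."""
    disabled = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        pattern = (pol.get("pattern") or "").upper()
        disabled |= set(IMAGETRAGICK_CODERS) if pattern == "*" else {pattern}
    return set(IMAGETRAGICK_CODERS) - disabled


def audit_policy_files(paths) -> dict:
    """Map each policy.xml path to the coders it leaves open.
    A value of None means that instance has no policy file at all."""
    report = {}
    for path in paths:
        if not os.path.isfile(path):
            report[path] = None
            continue
        with open(path, encoding="utf-8") as fh:
            report[path] = unrestricted_coders(fh.read())
    return report
```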
The cPanel development cycle is constantly bringing us new features and changes that are often only visible to server administrators. Over the next couple of versions, though, there will be a couple of new features that you should be aware of as an end user. cPanel 56 was just pushed to the “Release” tier so in a few weeks it should be pushed to the “Stable” tier and shortly thereafter installed on all of our servers. Version 56 will include a utility for automating the process of converting an addon domain to its own cPanel account.
The Sender Policy Framework (SPF) is a great tool to help validate email senders and detect email spoofing. We recommend that all domains have a proper SPF record configured for this reason. However, SPF has long caused problems with forwarders, and that is no longer an issue. As of cPanel 54, which was installed on all servers earlier this month, Sender Rewriting Scheme (SRS) is fully supported out of the box. Previously some forwarded emails would get rejected by the destination mail server because the SPF check failed: the forwarding server is not listed in the original sender’s SPF record. SRS now automatically rewrites the envelope sender to the forwarding domain so that forwarded emails will still pass SPF checks. You don’t need to do anything to activate SRS; it was enabled on all servers on March 9th.
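To show what that rewrite looks like, here is an added example (our own code, not cPanel’s or Exim’s) of the SRS0 forward rewrite and its verified reverse, so a bounce is only routed back for mail the forwarder actually sent; the secret, domains and day counts are constructed, and multi-hop SRS1 handling is omitted.

```python
import base64, hashlib, hmac, re, time

# Constants follow the SRS draft / Mail::SRS conventions.
TS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # base32 used for the timestamp
HASH_LEN = 4                                       # chars of base64 HMAC kept


def _timestamp(days: int) -> str:
    """Two base32 chars encoding days-since-epoch mod 1024."""
    return TS_ALPHABET[(days >> 5) & 31] + TS_ALPHABET[days & 31]


def _ts_value(ts: str) -> int:
    return (TS_ALPHABET.index(ts[0]) << 5) | TS_ALPHABET.index(ts[1])


def _hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    """Truncated HMAC binding the timestamp and original address."""
    msg = (ts + domain + local).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:HASH_LEN]


def srs_forward(sender: str, forwarder_domain: str, secret: bytes, days=None) -> str:
    """user@orig.example -> SRS0=HHHH=TT=orig.example=user@forwarder.
    The receiving server now evaluates SPF for forwarder_domain."""
    local, domain = sender.rsplit("@", 1)
    if local.startswith("SRS0="):          # SRS1 multi-hop form not handled here
        raise ValueError("already SRS-rewritten")
    ts = _timestamp(days if days is not None else int(time.time() // 86400))
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address: str, secret: bytes, today=None, max_age_days: int = 21) -> str:
    """Undo the rewrite for a bounce, accepting only addresses we minted recently."""
    local, _ = address.rsplit("@", 1)
    m = re.fullmatch(r"SRS0=([^=]+)=([^=]{2})=([^=]+)=(.+)", local)
    if not m:
        raise ValueError("not an SRS0 address")
    h, ts, domain, orig_local = m.groups()
    if not hmac.compare_digest(h, _hash(secret, ts, domain, orig_local)):
        raise ValueError("bad SRS hash: not a message we forwarded")
    today = today if today is not None else int(time.time() // 86400)
    if (today - _ts_value(ts)) % 1024 > max_age_days:   # modular: survives wraparound
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"
```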
Last week another batch of clients was migrated to our new billing system that is built-in to our existing portal. The response has been overwhelmingly positive as it eliminates a lot of unnecessary confusion with having a separate billing system. We hope to have all of our clients migrated within the next month or two and appreciate any feedback you might have.
Lastly, we will be resuming our server upgrades in the upcoming month (April). These took a backseat while we finished up our billing system and continued evaluating the servers that had already been upgraded. Thus far we are very pleased with these upgrades and, like you, we can’t wait to have everything migrated to pure SSD environments. You’ll receive a notification when your server is scheduled to be upgraded if it hasn’t been already. We expect to have all remaining servers upgraded by the end of August.
Over the next few months we will be migrating all clients to our new billing system that is now built-in to our existing portal. This will eliminate the need for you to log in to a separate billing system to view invoices, update your credit card information, etc. All of this will now be easily accessible from within our portal.
You will receive an email and ticket notification with further details once your account has been migrated. The first batch of migrations was completed yesterday and another batch will go out around the 21st of each month until every client has been migrated. We expect this to take approximately 4 months in total.
As part of this migration there are two important items to take note of:
- Your credit card information will need to be re-entered. Your card information is currently, and will continue to be, stored in a very secure manner that cannot be retrieved. As such, it cannot be migrated automatically and you’ll need to log in to our portal to re-enter it once you receive a migration notification.
- Texas residents will now pay sales tax as required. For the past several years we’ve been paying this out-of-pocket because our old billing system couldn’t properly accommodate this.
We greatly appreciate your cooperation and apologize for any inconvenience during this process. Ultimately this will be a vast improvement over our old, separate billing system. If you have any questions or concerns about this migration please submit a ticket via our portal and we’ll be happy to address them. We just wanted to post this quick update so that you would not be caught off guard or worried about phishing when the time comes for your account to be migrated.
As you may have noticed, cPanel has dropped the parent value from their displayed version number as of this latest release. For display purposes this means you will see the version change from “11.52” to “54”. This isn’t particularly important but worth taking note of going forward.
The biggest change with this new release is the deprecation of the X3 cPanel theme as we’ve posted about here previously. Paper Lantern is the replacement theme which has been a work in progress for the past couple of years and is a big jump forward. In preparation for the cPanel 54 upgrade reaching the “Stable” build tier and our servers being upgraded, we will be migrating all packages and accounts to Paper Lantern to prevent a “Retro” Paper Lantern style from being applied by default. If you feel that you must go back to the old style theme you can still revert to X3 for the time being or use the “Retro” Paper Lantern style. Please note that X3 will be removed as of version 58.
With cPanel 54 a new sidebar has been added to Paper Lantern as you can see from the two screenshots below.
[Screenshot: Paper Lantern as of cPanel 11.52]
[Screenshot: Paper Lantern with new sidebar]
On Monday, December 14th, Joomla 3.4.6 was released to address a critical remote code execution vulnerability (CVE-2015-8562) that exists in all prior versions from 1.5.0 through 3.4.5. Hotfixes are also available for the older, unsupported 1.5 and 2.5 branches. It is imperative that you update all Joomla instances immediately. This was a zero-day vulnerability that was actively being exploited before it was discovered and patched. As such, it is remotely possible that your Joomla was already compromised.
We posted this to our forums and in our portal on Monday to give our clients a heads up but given the critical nature of this we figured another post couldn’t hurt. At that time we also deployed mod_security rules which we believe to sufficiently protect all Joomla instances hosted by us unless you have specifically disabled mod_security on the domain, which is not the default or recommended. As always, though, it is still important that these latest patches be applied immediately in order to secure your Joomla instances.
If you have any questions or concerns please don’t hesitate to contact us and we hope everyone has a Merry Christmas!
As the holiday shopping season has begun it is more important than ever for businesses to make sure their websites are secured against attackers. Staying on top of script updates (plugins and themes included) is one of the easiest and most vital parts of securing your website. We wanted to take a moment to cover a couple of serious updates that should receive special attention this holiday season.
A Joomla update (3.4.5) was released last month to address a critical remote and unauthenticated SQL injection vulnerability that is present in all 3.2+ versions. The severity of this cannot be stressed enough as it can allow attackers complete access to your account. We’ve had mod_security rules in place to block exploitation of this vulnerability since the day it was announced. To the best of our knowledge attackers have been unable to circumvent these rules but it is in your best interest to apply this update immediately if you have not done so already. If for some reason you’ve manually disabled mod_security on your website it remains fully exposed to this vulnerability if it hasn’t been patched and has likely already been compromised in some manner. For this reason we never recommend disabling mod_security. Further details concerning this update can be found here.
Last week a vulnerability in Zen Cart was also announced and has subsequently been patched. This is an arbitrary file inclusion vulnerability that again could allow attackers complete access to your account. Details and patches are available directly from Zen Cart here. Please note that public disclosure of this vulnerability is scheduled for December 16th but since a patch has already been released it wouldn’t take much for attackers to figure out how to exploit the vulnerability, if they haven’t already. All Zen Cart users should patch their instances immediately.
As always, we will continue to stay on top of these critical vulnerabilities and address them as possible or necessary. If you have any questions please feel free to submit a ticket via our client portal and we’ll gladly assist in any way that we can.
With many hosts your account will remain on a particular server until it fails in some way or another. That’s not the way we do things here at Dathorn. We like to be proactive with upgrading or replacing our servers to help avoid failures that happen more frequently as hardware ages. This also gives us a great opportunity to deploy new configurations, operating system versions, etc. so that we can continue adding value to our services.
Over the next several months we will be going through this process once again. All of our existing shared and reseller hosting servers will be upgraded by means of migrating to a new server. You will receive a ticket notification via our client portal once your particular server has been scheduled. Aside from announcing this I wanted to quickly highlight some of the more important changes that will take place as a part of these migrations.
First up are the hardware changes and the most important of these concerns the local storage. Over the past 13 years we’ve gone from SATA storage to SAS drives to our current hybrid SSD / SATA arrays. Now we’re very excited to be migrating to pure SSD storage. All servers will be utilizing new 12Gbps LSI RAID controllers with a minimum of six 1TB SSDs in RAID 10. The performance that we’ve been able to get from these new systems is simply amazing. While other providers may charge extra for (or not even offer) such high speed storage, all of our clients are being upgraded to it free of charge.