The WordPress plugin File Manager contains a critical vulnerability that is actively being exploited by attackers to compromise WordPress sites. We saw a handful of these incidents on September 1st as the attacks were just starting to ramp up and a few more since then. Fortunately, in these cases the solution has been relatively simple: restore from a prior backup and delete the plugin.
This particular vulnerability has been present in the plugin since version 6.4, which was released in May. It was patched with the release of 6.9 on September 1st.
Due to the rate at which these attacks were occurring, we have proactively identified every single instance of a vulnerable version of this plugin being used on our servers and have removed it. Since this plugin merely offers a file management interface within the WordPress admin section, removing it doesn’t impact the functionality of the website. Users are welcome to re-install the latest version of this plugin if so desired.
This particular incident does bring to light an important topic though. It is best practice to use as few plugins as possible; those that aren’t needed should be deleted (not just deactivated). There is certainly an argument to be made that a file manager plugin like this should never be installed, but even if you disagree with that, there really isn’t strong justification for keeping a plugin like this installed beyond its intended use. It just allows another possible point of entry for attackers to exploit should a vulnerability be found.
Please keep this in mind as you continue to develop and secure your WordPress instances. If we can help in any way, please drop us a ticket and we’ll be happy to do so.
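The post gives the affected range (the flaw exists from version 6.4 and was fixed in 6.9) and recommends removing the plugin. The following is an added example, not code from the original post or from the plugin, that does the check an administrator would run across a server: it reads each plugin's version from the comment header WordPress itself uses, matches on the "Plugin Name: File Manager" header rather than on a directory slug (the slug is assumed, so it is not relied on), and reports installs inside the vulnerable range. Whether a plugin is active lives in the database, so the scan lists everything installed, which is the right scope when the advice is to delete rather than merely deactivate.

```python
import os
import re
import tempfile

# WordPress reads plugin metadata from a comment block at the top of the plugin's
# main PHP file; we parse the same "Key: value" lines (with or without a leading "*").
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Vulnerable range taken from the post: present since 6.4, patched in 6.9.
VULNERABLE = {"File Manager": ("6.4", "6.9")}


def parse_version(v):
    """Turn '6.4.1' into (6, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def read_plugin_header(path, max_bytes=8192):
    """Return the header fields found in the first bytes of a PHP file ({} if none)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        head = f.read(max_bytes)
    return {key: value for key, value in HEADER_RE.findall(head)}


def inventory_plugins(wp_root):
    """Scan wp-content/plugins and return [(directory, plugin name, version), ...]."""
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    found = []
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if not os.path.isdir(full):
            continue
        # The first top-level PHP file carrying a "Plugin Name" header is the main file.
        for fname in sorted(os.listdir(full)):
            if not fname.endswith(".php"):
                continue
            hdr = read_plugin_header(os.path.join(full, fname))
            if "Plugin Name" in hdr:
                found.append((entry, hdr["Plugin Name"], hdr.get("Version", "0")))
                break
    return found


def is_vulnerable(name, version):
    """True when the plugin name is in the table and lo <= version < fixed."""
    if name not in VULNERABLE:
        return False
    lo, fixed = VULNERABLE[name]
    return parse_version(lo) <= parse_version(version) < parse_version(fixed)


def find_vulnerable(wp_root):
    return [(d, n, v) for d, n, v in inventory_plugins(wp_root) if is_vulnerable(n, v)]


def build_sample_site():
    """Constructed fixture: a fake WordPress tree with two stub plugins (not real plugin code).
    The directory names are invented for the demo."""
    root = tempfile.mkdtemp()
    stubs = [("file-manager-demo", "File Manager", "6.7"), ("hello-demo", "Hello Demo", "1.2")]
    for slug, name, version in stubs:
        d = os.path.join(root, "wp-content", "plugins", slug)
        os.makedirs(d)
        with open(os.path.join(d, "plugin.php"), "w", encoding="utf-8") as f:
            f.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for directory, name, version in inventory_plugins(site):
        flag = "VULNERABLE" if is_vulnerable(name, version) else "ok"
        print(f"{directory:20} {name:15} {version:8} {flag}")
```

Run it with the real site path in place of the fixture; on a multi-tenant server, loop over each account's document root and treat any hit as "delete the plugin, then restore the site from a backup taken before the first exploitation attempt", as the post describes.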
The ability to clone scripts within Softaculous is a valuable and often overlooked feature. It can quickly and easily provide a safe place for you to test updates or create an up-to-date development environment.
To start the cloning process, you’ll want to go to the All Installations section of Softaculous. For each installation you’ll then see the clone option.
Upon selecting clone, you’ll be prompted to configure where you would like to clone the installation to. We highly recommend creating a separate subdomain for this that is outside of the current site’s document root. This helps to avoid any cross contamination between the two sites, particularly as it relates to custom .htaccess settings.
WordPress is not only the most popular script that we host, it is also most frequently targeted by attackers. While critical vulnerabilities in the WordPress core are relatively rare, they are fairly common in plugins and themes. It is important that these items are always kept updated to help prevent a compromise.
This can be a confusing process because the WP admin interface may not accurately portray certain situations. For example, if you’ve installed a plugin or theme outside of the WordPress repository, it may always show no updates being available even though that is not the case. The WP admin interface also doesn’t warn when something hasn’t received an update in a while, indicating it may no longer be actively maintained. These are both scenarios that require special attention but are easily overlooked.
Further, if a WordPress site is compromised due to a vulnerability, it can be very difficult to get the site back online in a secure state. Typically, we recommend a complete fresh re-install because there is no easy way to tell what attackers may have modified or left behind. Last modified dates on files can’t even be trusted once an account has been compromised.
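Because modification times cannot be trusted after a compromise, the practical way to learn what changed is to compare file contents against a known-good copy (a fresh download of the same WordPress version, or the clone or backup described above). The script below is an added example, not code from the original post: it builds a SHA-256 manifest of both trees, reports modified, added and removed files, and skips the uploads directory, which legitimately differs between copies. The fixture it builds is constructed for the demo; it edits one core file on the "live" copy and resets that file's timestamps to match the clean copy, so a timestamp comparison reports nothing while the hash comparison catches it.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large media files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not hashed; their targets are covered if inside root
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(known_good, live, ignore_prefixes=("wp-content/uploads/",)):
    """Return (modified, added, removed) relative paths, ignoring the given prefixes."""
    def keep(p):
        return not any(p.startswith(pre) for pre in ignore_prefixes)
    modified = sorted(p for p in known_good if p in live and known_good[p] != live[p] and keep(p))
    added = sorted(p for p in live if p not in known_good and keep(p))
    removed = sorted(p for p in known_good if p not in live and keep(p))
    return modified, added, removed


def mtime_matches(clean_root, live_root, rel):
    """What a 'last modified' check sees: True means the two copies carry the same mtime."""
    a = os.stat(os.path.join(clean_root, *rel.split("/"))).st_mtime_ns
    b = os.stat(os.path.join(live_root, *rel.split("/"))).st_mtime_ns
    return a == b


def build_fixture():
    """Constructed fixture: a known-good tree and a live copy with one edited core file
    (timestamps reset to the clean copy's) and one dropped-in file. Not real WordPress code."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-includes/functions.php": "<?php // core functions\n",
        "wp-content/uploads/2020/photo.jpg": "image bytes stand-in\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(body)
    target = "wp-includes/functions.php"
    clean_stat = os.stat(os.path.join(clean, *target.split("/")))
    live_target = os.path.join(live, *target.split("/"))
    with open(live_target, "a", encoding="utf-8") as f:
        f.write("// line appended in the fixture (constructed, not a payload)\n")
    # Put the edited file's timestamps back to the clean copy's; this is why mtimes alone
    # prove nothing after a compromise.
    os.utime(live_target, ns=(clean_stat.st_atime_ns, clean_stat.st_mtime_ns))
    with open(os.path.join(live, "wp-includes", "extra.php"), "w", encoding="utf-8") as f:
        f.write("<?php // file absent from the known-good copy\n")
    with open(os.path.join(live, "wp-content", "uploads", "2020", "new.jpg"), "w", encoding="utf-8") as f:
        f.write("a new upload, expected to differ\n")
    return clean, live


def audit(clean_root, live_root):
    """Hash both trees and return (modified, added, removed)."""
    return compare_manifests(build_manifest(clean_root), build_manifest(live_root))


if __name__ == "__main__":
    clean, live = build_fixture()
    modified, added, removed = audit(clean, live)
    print("mtime agrees on edited file:", mtime_matches(clean, live, "wp-includes/functions.php"))
    print("modified:", modified, "added:", added, "removed:", removed)
```

Against a real site, point the two roots at the live document root and at an unpacked copy of the same WordPress release, and review every item the comparison reports; the output is a starting point for deciding what a fresh re-install must not carry over, not a substitute for it.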
An often overlooked feature of cPanel is the webmail interface, which offers far more than just a place to view your email. It is a very powerful tool that allows email users to fully manage their own email accounts. The interface was recently updated in cPanel 84 and includes a few new features as well.
From within webmail you can view device configuration information, set up filters or forwarders, change your password, configure spam filtering, manage disk usage and even track delivery of emails.
This can be a tremendous time-saving tool for both you and your clients because it empowers email users to manage their own account. Simply send them to /webmail on their domain and they can log in with their own email address and password.
PHP 7.4 was released last month and is now available on all of our servers! As with prior versions, you can easily change the PHP version per cPanel account via the “Select PHP Version” option in cPanel.
PHP 7.4 comes with numerous improvements and new features such as:
The migration guide is available in the PHP Manual. Please consult it for the detailed list of new features and backward incompatible changes. For 3rd party applications, it’s best to confirm that they support PHP 7.4 before making the switch. However, if you run into any issues you can quickly and easily revert back to your prior version.
We’re very pleased to announce that Node.js applications can now be deployed on all of our servers. This functionality is available within cPanel via the “Setup Node.js App” link that can be found under the software section. Upon selecting the “Create Application” button you’ll see the screen below.
When creating an application you have the following options available to you:
- Node.js Version – We currently offer the latest LTS (12.x) and prior LTS (10.x) versions. More can be added as needed though currently we plan to stick with the LTS releases (even version numbers). The desired version can be changed for any application at any time.
- Application Mode – Simply select Development or Production based on your needs.
- Application Root – This defines the file system path for the application, relative to the cPanel account’s home directory. If the cPanel user was “node” then entering “app” in this field would create the application at /home/node/app.
- Application URL – This configures the URL to be used with the application. If left blank, it will configure the root (sub)domain to load the application.
- Application Startup File – This defines your application startup file and will default to app.js if left blank.
You can also choose to define a Passenger log file and set up custom environment variables if desired. Once you’ve created the application, you can visit the URL you configured for the application and see a basic test page like the one below.
Now that you have created an application, you can continue to manage it via cPanel. This includes restarting it, changing the Node.js version, switching between Development and Production, etc.
We know that many of you have been looking forward to this functionality and we’re eager to hear your feedback. Please let us know what you think here or via a ticket!
Our goal is to provide the best performing, most reliable service that we can and a lot of this comes down to the hardware that we use. Newer hardware can easily provide performance benefits but proper deployment of it is crucial as far as reliability and security is concerned. We always try to avoid any service interruption whenever possible and building redundancies into our infrastructure has allowed us to do this more easily.
Over the past five months, we’ve been working diligently to overhaul our entire hosting infrastructure. The individual server upgrades were a big part of this process and these were all completed by the end of July. Behind the scenes, though, our work has gone far beyond just the server upgrades. We’ve also upgraded every other piece of hardware that has a role in providing our services. All switches, power distribution, and even cabling has received upgrades in some form or another.
- Switches – All of our public and private network switches have been replaced, which provides greater performance and continued security updates. This was done without impacting any services and with zero downtime on our public network. Our private network has received an even bigger overhaul, with it now being entirely 10G, allowing for even better backup performance.
- Power Distribution – All of our in-rack PDUs have been replaced with new zero U PDUs. This has saved at least 4U per cabinet and cleaned them up considerably. The new PDUs also have additional control and monitoring features. Because all of our gear has redundant power, we were able to swap these out without any power loss or downtime.
- Cabling – As a result of the PDU changes, we wanted to re-cable everything to clean it up and allow for even better airflow. New slim Cat6A cables handle 1G connectivity and most 10G connectivity is over DAC.
Many other items were upgraded over these past few months as well. I just wanted to provide a brief look behind the scenes here that you wouldn’t otherwise know about. We’re very focused on providing the best service possible and our continual hardware upgrades play a large role in this.
Back in March, we refreshed our website and blog, making them responsive and far more mobile friendly. Since then, we’ve been revamping our administrative panel and now finally our client portal. It’s taken longer than we had hoped due to all of the server upgrades taking priority, but we’re now very excited to unveil our freshly updated client portal! Below is just a quick comparison of the login pages on iOS.
All of the prior functionality within the portal is still present and organized much the same so it will be very familiar. We’re hoping to add a few more features in the coming months. If you have a moment, we’d love to get your feedback either here on our blog or in a ticket.
As many of you know, we like to freshen up our servers from time to time. While some hosts will leave older hosting accounts on legacy hardware until it is nearly failing, we prefer to keep all clients on the latest iteration of our server hardware. This provides consistency across our fleet of servers and gives our clients the best possible experience. Dealing with old, failing hardware is just as problematic for us as it is for our clients, so we do our best to avoid these situations.
The new servers will have faster hardware across the board from the CPUs to RAM and SSDs. Some software updates will occur as well, starting with the OS as CloudLinux 7 will now be the default for all of our hosting servers. Currently, some of our systems are running CloudLinux 6 with their hybrid kernel. We will also be deploying MariaDB 10.3 on all servers (versus 10.1 currently). I know a few of you have been eagerly awaiting the Recursive CTE and Window Function support. Lastly, we’ll also be adding support for CloudLinux’s Node.js selector once all of the upgrades and migrations have settled down.
We expect to begin these server migrations towards the middle of June, with the first batch of notifications going out here very soon. All migrations will be completed by the end of July. You can expect to receive a ticket notification approximately two weeks before your server’s scheduled migration. There will be no downtime during this process and no changes should be necessary on your end as long as you’re using our DNS. If you have any questions meanwhile, please feel free to submit a ticket and we’ll gladly assist in any way that we can.
Over the past few months we’ve been setting up and fine tuning a new in-house monitoring solution. This new system is now live and allows us to better monitor all aspects of our hosting services. As part of this, we’ve added a live status page to our website at status.dathorn.com. This page queries our monitoring system every minute to display the most accurate information and is a great first resource if you believe there are any issues. Rest assured that we will have already been alerted of any problems reported there.
Also, as you may have noticed by now, we just completed a minor refresh of our website. It now offers a greatly improved experience for mobile and high resolution devices. Over the next few months we plan to extend this to our portal as well so stay tuned!