Author Archives: AndrewT

PHP 8.2 Now Available

We’re pleased to announce that PHP 8.2 (8.2.2) is now available on all of our servers. You can easily change the PHP version per cPanel account via the “Select PHP Version” option in cPanel.

PHP 8.2 comes with numerous improvements and new features such as:

Readonly classes
Disjunctive Normal Form (DNF) Types
New stand-alone types: null, false, and true
New “Random” extension
Constants in traits
Deprecate dynamic properties

The full change log for version 8.2 can be found on PHP’s website here and the migration guide is also available. Please consult these for a detailed list of new features and backward incompatible changes. For third party applications, it’s best to confirm that they support PHP 8.2 before making the switch. However, if you run into any issues you can quickly and easily revert back to your prior version.

We now offer secure versions of PHP 5.4 through 8.2 which are all easily selectable from within cPanel. Version 8.0 remains the default for all new cPanel accounts while existing accounts will continue to retain their prior settings.

cPanel 106 Changes

While there aren’t any significant changes in cPanel 106, we did want to quickly highlight a few changes that you might notice or find helpful.

Customizable Favorites in WHM

The Top Tools section has been replaced with a Favorites section that you can customize to more prominently show the features that you use the most.

Server and username data added to top navigation

The username, hostname, OS, cPanel & WHM version, and load average details have returned to the top navigation bar in WHM.

Empty Junk Button in RoundCube

An Empty Junk button has been added to Roundcube. This button allows you to remove all the messages in the Junk folder at once.

Password Required to Update Contact Email Address

For security, you must now provide your password to change your cPanel contact email address.

Removed the Addon Domains, Alias Domains and Subdomains sections

These sections have been removed from the Jupiter cPanel theme. All of this functionality has long been consolidated under the Domains section / interface so this is just a removal of redundant pages.

cPanel 104 Roundcube Updates

cPanel 104 has introduced a couple of useful changes to the Roundcube webmail client. First, it now has a dark mode that is easily toggled via the icon in the lower left corner. You can see what both of these modes look like below.

You can now also train SpamAssassin directly from within the Roundcube webmail client. When selecting any email outside of the Junk folder, you have the option to select “Junk” which will move the email to your Junk folder and submit it to SpamAssassin for local spam training.

Similarly, if you select an email in your Junk folder, you’ll have the option to select “Not Junk”. This will move the email to your inbox and submit it to SpamAssassin for local ham (not spam) training.

If at any point you make a mistake, you can simply locate the email and select the opposite action.

Imunify360 Now Available

We are pleased to announce that the Imunify360 security suite is now installed across all of our servers. We evaluated this product for some time and after an extended period of testing we are very confident in its ability to better protect our servers and our clients.

Security has always been at the forefront of our minds and Imunify360 has helped us to take this to the next level. Here are just a few things that Imunify360 provides:

Faster, real-time malware scanning – Each file is scanned almost as quickly as it is written. Malware uploaded via the cPanel file manager can even be blocked in real time.
Advanced Web Application Firewall – This helps to stop web application attacks before they even reach your website. From known vulnerabilities to more general protection, the WAF examines all traffic to your website for malicious requests.
Proactive Defense – Imunify360 is able to detect and block malicious code in real time as it is being executed. Malicious code is often hidden or fetched remotely and Proactive Defense is able to stop this activity in its tracks before it causes harm.
Automatic Cleanup – In many cases, Imunify360 is able to remove injected malware from infected files automatically. This is particularly useful for those moving their sites from another host where they may have been previously compromised.

While many of these functionalities were already present on our servers to a degree, Imunify360 has further improved upon these and added even greater security with a focus on prevention. Preventing issues before they occur allows you to better focus your time and resources where they are needed.

cPanel 102: Jupiter WHM Theme & cPanel Icons

Nearly four months after its initial edge release, cPanel 102 has reached the stable release tier and we’ve been slowly deploying it across our servers. The biggest and most immediate change that you’ll notice is the new Jupiter WHM theme which has replaced the old X3 theme. After receiving several updates in earlier releases, the new theme is now functionally similar to that of the old one, just with a fresh look that matches the Jupiter cPanel theme. Here’s a quick comparison look:

Overall, we think this is a nice improvement and know that the cPanel developers are still working towards improving it further. The Jupiter cPanel theme has also been updated with icons for each item:

If you have any questions or run into any issues with the new WHM theme please let us know and we’ll be happy to lend a hand or report any issues to cPanel directly.

Critical Remote Code Execution in WP Elementor

A critical remote code execution vulnerability (CVE-2022-1329) present in recent version of the WordPress Elementor plugin has been patched. This vulnerability affects versions 3.6.0 through 3.6.2. You should immediately upgrade to 3.6.3 to patch this vulnerability, which could allow an attacker complete access to your WordPress and more.

WordPress LiteSpeed Cache Plugin

For more than twelve years, our hosting servers have exclusively used the performance focused LiteSpeed Web Server (LSWS). One of the most powerful features of LSWS is LSCache, a caching solution built directly into the web server. Over the years, LiteSpeed has created several free plugins to assist with configuring popular scripts to use LSCache.

Currently, there are eleven of these plugins available and we wanted to quickly highlight the WordPress plugin, which is by far the most popular. It compares very favorably to the many other WP caching plugins out there.

LiteSpeed Cache for WordPress (LSCWP) can be quickly and easily installed from within any WordPress instance. You can simply search for the “LiteSpeed Cache” plugin within your WP, then install and active it to get started. If you’re just wanting basic caching functionality that is intended to work with most WP instances, you won’t need to do anything further though they do have a very helpful Beginner’s Guide.

For those wanting to dig a little deeper, you can adjust settings to better suit your needs and even take advantage of the optimization features offered through LiteSpeed’s QUIC.cloud. To help you get started, all domains hosted on our servers receive free QUIC.cloud credits each month, allowing you to use their image / site optimization and a small amount of CDN bandwidth.

We encourage you to give LiteSpeed Cache for WordPress a try to see how it can improve your website!

PHP 8.1 Now Available

We’re pleased to announce that PHP 8.1 (8.1.2) is now available on all of our servers. You can easily change the PHP version per cPanel account via the “Select PHP Version” option in cPanel.

PHP 8.1 comes with numerous improvements and new features such as:

Enumerations
Readonly properties
Fibers
Pure Intersection Types
never return type
First-class Callable Syntax
“final” modifier for class constants
New fsync and fdatasync functions
New array_is_list function
Explicit Octal numeral notation

Additional information concerning the version 8.1 release can be found on PHP’s website here and the migration guide is also available. Please consult these for a detailed list of new features and backward incompatible changes. For third party applications, it’s best to confirm that they support PHP 8.1 before making the switch. However, if you run into any issues you can quickly and easily revert back to your prior version.

Please note that only a limited number of extensions are currently available for PHP 8.1. We will continue to make new ones available as soon as they are offered. We now offer secure versions of PHP 5.4 through 8.1 which are all easily selectable from within cPanel. Version 8.0 is now the default for all new cPanel accounts while existing accounts will continue to retain their prior settings.

Critical WP Plugin Vulnerabilities – All in One SEO

With more than three million active installs, All in One SEO is a very popular WordPress plugin. Two critical vulnerabilities, one privilege escalation and one SQL injection, were recently discovered in all versions of this plugin from 4.0.0 through 4.1.5.2. We have already seen exploitation of these vulnerabilities on client websites. If you are using this plugin, please urgently make sure that you have updated it to the latest version (4.1.5.3) which addresses these vulnerabilities.

Warning: cPanel Phishing Emails

Please be advised that we’ve been seeing an increase in the number of cPanel phishing emails being reported to us. Phishing emails are those that look like legitimate emails but they often contain malicious links disguised as legitimate ones in an attempt to obtain login information from the recipient.

As an example, below is a redacted copy of an email that one of our clients received just a few days ago.

These emails will include your actual domain name and at first glance, will look like a legitimate cPanel disk quota notification. The anchor text of the links even correctly points to cPanel URLs on your domain. However, if you hover over those links, you can see in the bottom left corner that their target is a third party phishing website on an unrelated domain. If you were to enter your cPanel login information at that URL, attackers would then have your login information and use it for malicious purposes.

The best way to avoid getting phished is to not click on links in emails. Instead, visit cPanel or whatever service you need to by directly entering the address into your browser. Once you login, you may find that the details in the email (disk usage in this case) don’t align with reality which can be a good indicator that this was a phishing attempt. In this particular case, though, the client’s domain was actually quite full so that alone wasn’t helpful in distinguishing a difference.

If you ever have concerns about the legitimacy of any such email notifications just submit a ticket with the full headers and source of the message and we would be happy to take a look for you. It’s always best, though, to just assume the worst and not click on any of these links. Instead, just enter your desired destination directly in your browser.