Author Archives: AndrewT

Critical WP Plugin Vulnerabilities – All in One SEO

With more than three million active installs, All in One SEO is a very popular WordPress plugin. Two critical vulnerabilities, one privilege escalation and one SQL injection, were recently discovered in all versions of this plugin from 4.0.0 through 4.1.5.2. We have already seen exploitation of these vulnerabilities on client websites. If you are using this plugin, please urgently make sure that you have updated it to the latest version (4.1.5.3) which addresses these vulnerabilities.

Warning: cPanel Phishing Emails

Please be advised that we’ve been seeing an increase in the number of cPanel phishing emails being reported to us. Phishing emails are those that look like legitimate emails but they often contain malicious links disguised as legitimate ones in an attempt to obtain login information from the recipient.

As an example, below is a redacted copy of an email that one of our clients received just a few days ago.

These emails will include your actual domain name and, at first glance, will look like a legitimate cPanel disk quota notification. The anchor text of the links even correctly points to cPanel URLs on your domain. However, if you hover over those links, you can see in the bottom left corner of your browser that their real target is a third party phishing website on an unrelated domain. If you were to enter your cPanel login information at that URL, attackers would then have your login information and could use it for malicious purposes.

The best way to avoid getting phished is to not click on links in emails. Instead, visit cPanel or whatever service you need by directly entering the address into your browser. Once you log in, you may find that the details in the email (disk usage in this case) don’t align with reality, which can be a good indicator that this was a phishing attempt. In this particular case, though, the client’s domain was actually quite full, so that alone wasn’t enough to tell the message apart from a real notification.

If you ever have concerns about the legitimacy of any such email notification, just submit a ticket with the full headers and source of the message and we would be happy to take a look for you. It’s always best, though, to assume the worst and not click on any of these links. Instead, enter your desired destination directly in your browser.
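As an added illustration (not code from the original post), here is a small Python check for the mismatch described above: anchors whose visible text claims a URL on your own domain while the href actually points somewhere else. The sample message body and the attacker-placeholder.test host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercased host of a URL, or of anchor text that merely looks like one."""
    if "://" not in value:
        value = "https://" + value
    try:
        return urlparse(value).hostname or ""
    except ValueError:
        return ""

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def find_deceptive_links(html, expected_domain):
    """(text, href) pairs whose text names expected_domain but whose href does not."""
    parser = _Anchors()
    parser.feed(html)
    return [(text, href) for href, text in parser.found
            if same_site(host_of(text), expected_domain)
            and not same_site(host_of(href), expected_domain)]

# Constructed sample resembling the quota-notice phish described in the post.
SAMPLE_EMAIL = """<p>Disk quota warning for example.com</p>
<a href="https://cpanel-login.attacker-placeholder.test/x">https://example.com:2083/</a>
<a href="https://example.com:2083/">https://example.com:2083/</a>
<a href="https://example.com/webmail">Webmail</a>"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL, "example.com"):
        print("visible %s -> actual %s" % (text, href))
```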

Clientexec 6.4: Redesigned Client Area & New Order Forms

A few months ago, we posted about the big changes coming in Clientexec 7. While version 7 has been pushed back, the product roadmap has changed along with it. Instead of releasing all of those big changes at once, they have opted to stagger their release across a few releases.

This lengthened release process started last month with the release of version 6.4, which included the redesigned client area and new order forms. The new client area, shown below, is a tremendous improvement and fully responsive.

Three new order forms were also added, two of which are shown below. The third is a new domain order form.

To add to these, Clientexec’s new affiliate system will be launched soon in version 6.5. The redesigned admin interface and all new reporting can be expected in version 7.

Existing Clientexec users can upgrade their instance to take advantage of these new interfaces if they haven’t already. If you’re interested in giving Clientexec a try or are looking for a cheaper alternative to WHMCS, submit a ticket and we’ll happily set you up with a free trial.

New cPanel Theme: Jupiter

cPanel’s latest theme, Jupiter, is now available on all of our servers. It is the default for all newly created packages and you can edit your existing packages to use it if so desired.

Although their development path isn’t particularly clear, you’ll notice this theme closely resembles the Glass style that was recently released for the Paper Lantern theme. They are instead moving forward with this new theme, Jupiter, and will be removing Paper Lantern entirely in Spring of 2022.

While this new theme is functional, there are a couple of things you should be aware of.

  • Customization is limited. Additional capabilities will be added in future releases.
  • The CloudLinux Resource Usage section is not currently present. This should start showing up within the next few weeks as updated stable builds of their lvemanager package are published.

In addition to this cPanel theme, they are reportedly working on a version of Jupiter for WHM as well, slated for release in cPanel version 100. Below is a low resolution teaser image that they sent out showing this.

A new look to WHM would certainly be welcome but we’ll have to wait and see for sure what their plans are. In the meantime, check out the cPanel theme and let us know what you think!

cPanel 96: New Glass Style & Updated DNS Zone Manager

With cPanel version 96 now installed on all of our servers, we wanted to take a quick moment and highlight a couple of the included changes.

New Glass Style for Paper Lantern

A new style, named Glass, has been added to the Paper Lantern theme. This is basically just a more lightweight, minimalistic version of the existing Basic style. Upon first look you might even wonder why none of the icons loaded but rest assured that is intentional.

While cPanel has tried to force this as the default for all new cPanel accounts, we’ve instead reverted back to the Basic style to avoid any confusion. You can easily change styles at any time via the “Change Style” link in cPanel. If you would like to set a default style at the WHM reseller level you can do that as well via Customization -> Customize Style in WHM.

DNS Zone Manager

A couple of very important improvements were made to WHM’s recent addition, the DNS Zone Manager. It now has the ability to manage multiple records at the same time and the ability to change a record’s type. The lack of these two capabilities had really limited the usefulness of this functionality up until now.

With the DNS Zone Manager now being more functional, the legacy “Edit DNS Zone” functionality has been removed entirely in cPanel 96. The Edit MX Entry interface has also been removed and replaced with an Email Routing Configuration page that replicates the same Email Routing functionality that is available within cPanel.

While not groundbreaking by any means, these changes may alter your workflow a little bit. If you have any questions about the new interfaces or require any other assistance please don’t hesitate to reach out to us.

Clientexec 7 & WHMCS Price Increases

WHMCS is a popular web hosting billing platform and like cPanel, is a WebPros brand. Earlier this month, WHMCS sent out notifications concerning upcoming price increases effective July 1st. Instead of a flat fee, WHMCS license pricing is now based on the number of active clients and starts at $18.95 per month for up to 250 clients, $29.95 for up to 500 clients and $44.95 for up to 1,000 clients.

For those familiar with WebPros, this was not a surprise. Since 2017, WebPros has been adding web hosting related brands to their portfolio and altering their pricing structures to be considerably more costly to their user base. This includes changing cPanel license pricing from a flat fee to per cPanel account, which has increased our own cPanel license costs by 900%.

Given that cPanel pricing has increased significantly each of the past two years, it would not be unexpected to see further WHMCS price increases in the future. Growing frustration industry wide has led to many abandoning WebPros brands entirely. It’s difficult to trust a business with this pattern of behavior.

Fortunately for WHMCS users, there are alternatives available. One of these is Clientexec, which we have offered for $4.00 per month for the past 15 years. With Clientexec 7 coming this quarter, now is a great opportunity to take advantage of this very attractive discounted pricing.

Clientexec 7 will feature a completely refreshed admin area, client area and order forms utilizing Bootstrap for a fully responsive experience. It will also include a new, fully fledged affiliate system. Further details concerning the upcoming improvements can be found on their coming soon page here. For those looking to migrate their WHMCS data over to ClientExec, documentation concerning this process is available here.

If you would like to add a Clientexec license to your account or need any assistance getting it setup please submit a ticket via our portal and we’ll be happy to help.

PHP 8.0 Now Available

We’re pleased to announce that PHP 8.0 is now available on all of our servers. You can easily change the PHP version per cPanel account via the “Select PHP Version” option in cPanel.

PHP 8.0 comes with numerous improvements and new features such as:

  • Union Types
  • Named Arguments
  • Match Expressions
  • Attributes
  • Constructor Property Promotion
  • Nullsafe Operator
  • Weak Maps
  • Just In Time Compilation

Additional information concerning the version 8.0 release can be found on PHP’s website here and the migration guide is also available. Please consult these for a detailed list of new features and backward incompatible changes. For third party applications, it’s best to confirm that they support PHP 8.0 before making the switch. However, if you run into any issues you can quickly and easily revert back to your prior version.

Please note that only a limited number of extensions are currently available for PHP 8.0. We will continue to make new ones available as soon as they are offered. We now offer secure versions of PHP 5.4 through 8.0 which are all easily selectable from within cPanel. Version 7.4 is now the default for all new cPanel accounts while existing accounts will continue to retain their prior settings.

Critical WP File Manager Plugin Vulnerability

The WordPress plugin File Manager contains a critical vulnerability that is actively being exploited by attackers to compromise WordPress sites. We saw a handful of these incidents on September 1st as the attacks were just starting to ramp up and a few more since then. Fortunately, in these cases the solution has been relatively simple: restore from a prior backup and delete the plugin.

This particular vulnerability has been present in the plugin since version 6.4, which was released in May. It was patched with the release of 6.9 on September 1st.

Due to the rate at which these attacks were occurring, we have proactively identified every single instance of a vulnerable version of this plugin in use on our servers and have removed it. Since this plugin merely offers a file management interface within the WordPress admin section, removing it doesn’t impact the functionality of the website. Users are welcome to re-install the latest version of this plugin if so desired.

This particular incident does bring to light an important topic though. It is best practice to use as few plugins as possible; those that aren’t needed should be deleted (not just deactivated). There is certainly an argument to be made that a file manager plugin like this should never be installed, but even if you disagree with that, there really isn’t strong justification for keeping a plugin like this installed beyond its intended use. It just leaves another possible point of entry for attackers to exploit should a vulnerability be found.

Please keep this in mind as you continue to develop and secure your WordPress instances. If we can help in any way, please drop us a ticket and we’ll be happy to do so.
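Both this post and the All in One SEO post above come down to the same check: is an installed plugin inside a version range the vendor has since fixed? The Python below is an added example (not the scanner or any code from this site) that reads each plugin’s `Version:` header under wp-content/plugins and compares it against the two ranges the posts state (4.0.0 through 4.1.5.2, fixed in 4.1.5.3; 6.4 up to the 6.9 fix). The plugin directory slugs are assumed, and `make_sample_tree()` builds a constructed plugins directory for a stand-alone run.

```python
import os
import re
import tempfile

# Ranges from the two posts: first vulnerable version (inclusive) and first
# fixed version (exclusive). Directory slugs are assumed for this example.
VULNERABLE = {
    "all-in-one-seo-pack": ("4.0.0", "4.1.5.3"),
    "wp-file-manager": ("6.4", "6.9"),
}
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

def parse_version(v):
    """'4.1.5.2' -> (4, 1, 5, 2); tuples compare the way plugin versions do."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_vulnerable(version, first_vuln, first_fixed):
    return parse_version(first_vuln) <= parse_version(version) < parse_version(first_fixed)

def plugin_version(plugin_dir):
    """Return the Version: value from the plugin's PHP file header, or None."""
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".php"):
            with open(os.path.join(plugin_dir, name), errors="ignore") as fh:
                m = HEADER_RE.search(fh.read(8192))   # header sits at the top
            if m:
                return m.group(1)
    return None

def find_vulnerable(plugins_root):
    """Return [(slug, version)] for installed plugins inside a listed range."""
    hits = []
    for slug, (first_vuln, first_fixed) in VULNERABLE.items():
        path = os.path.join(plugins_root, slug)
        if os.path.isdir(path):
            ver = plugin_version(path)
            if ver and is_vulnerable(ver, first_vuln, first_fixed):
                hits.append((slug, ver))
    return sorted(hits)

def make_sample_tree():
    """Constructed plugins directory: one vulnerable and one patched install."""
    root = tempfile.mkdtemp()
    for slug, ver in (("all-in-one-seo-pack", "4.1.5.2"), ("wp-file-manager", "6.9")):
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as fh:
            fh.write("<?php\n/*\nPlugin Name: Sample\nVersion: %s\n*/\n" % ver)
    return root

if __name__ == "__main__":
    print(find_vulnerable(make_sample_tree()))  # or pass a real wp-content/plugins path
```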

Cloning Scripts With Softaculous

The ability to clone scripts within Softaculous is a valuable and often overlooked feature. It can quickly and easily provide a safe place for you to test updates or create an up-to-date development environment.

To start the cloning process, you’ll want to go to the All Installations section of Softaculous. For each installation you’ll then see the clone option.

Upon selecting clone, you’ll be prompted to configure where you would like to clone the installation to. We highly recommend creating a separate subdomain for this that is outside of the current site’s document root. This helps to avoid any cross contamination between the two sites, particularly as it relates to custom .htaccess settings.

Beta: Dathorn WordPress Scanner

WordPress is not only the most popular script that we host, it is also the most frequently targeted by attackers. While critical vulnerabilities in the WordPress core are relatively rare, they are fairly common in plugins and themes. It is important that these items are always kept updated to help prevent a compromise.

This can be a confusing process because the WP admin interface may not accurately portray certain situations. For example, if you’ve installed a plugin or theme outside of the WordPress repository, it may always show no updates being available even though that is not the case. The WP admin interface also doesn’t warn when something hasn’t received an update in a while, indicating it may no longer be actively maintained. These are both scenarios that require special attention but are easily overlooked.

Further, if a WordPress site is compromised due to a vulnerability, it can be very difficult to get the site back online in a secure state. Typically, we recommend a complete fresh re-install because there is no easy way to tell what attackers may have modified or left behind. Last modified dates on files can’t even be trusted once an account has been compromised.