The vulnerability affects the plugins WP Super Cache in version 1.2 and older as well as W3 Total Cache in version 0.9.2.8 and older. Adversaries may execute program code on servers using one of these plugins and e.g. install malicious software.

If you use WP Super Cache or W3 Total Cache, you should update the plugins immediately or disable them.

We are notifying our customers using these plugins by telephone this evening  (6:30pm CST forward) to alert them of this vulnerability. If you haven’t received a phone call from us, you are safe. Most of all, no security breach has taken place, we’re just urging people to disable or upgrade as a precaution. If we can’t reach you, we will just delete the plugin folder as a precaution.

See here for more info: http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/

The post WordPress Plugin Security Vulnerability appeared first on New Winnipeg Web Hosting.

Keep strong passwords

A strong password is the easiest and strongest move you can make.

It is our policy that all passwords should include a minimum strength score of 50% as measured using this tool: https://www.newwinnipeg.net/password/

Most tools in our Control Panel include a password generator to help you create strong passwords. Otherwise, create a password that includes a word that can’t be found in the dictionary and liberally pepper it with numbers and non-alphabetic symbols like #@$ or %.

Strong password tips:

• Avoid dictionary words
• Use a combination of letters, numbers, and special characters
• Use more characters (7+)
• Avoid using one password for all your logins
• Avoid logging in from public computers
• Change your password every few months

Regularly scan your computer for viruses

A common way for a web site to be infected is through an infected computer. Just as we scan our servers for viruses, you should be doing the same.

Here are some anti-virus software links for both PCs and Macs.

• Malicious Software Removal Tool
• Microsoft Security Essentials
• MacScan
• Sophos antivirus for Macs
• Protect your PC with the McAfee 2013 product line up – get 50% off!

Regularly update your web software

Using WordPress to manage a web site is very popular because it’s easy to use. However that popularity also makes WordPress websites a target; hackers use a variety of ways to sneak in malware, viruses and malicious scripts into a WordPress website. WordPress updates its software to plug these leaks, usually every few weeks. It is critical that you keep such software up to date.

Always keep your web software up to date – including the core software, any themes and plugins.

If you’ve installed WordPress, or any web software, through our auto-installer or we have installed WordPress for you, you should be receiving email notices from us when updates become available. Otherwise, if you login to the Control Panel or the WordPress dashboard, you’ll see a notice to upgrade. You can also use this plugin for WordPress to automatically update everything.

For customers managing several WordPress sites, we recommend using wpremote.com to regularly update several sites, plugins and themes, at once.

Another option is to use our auto-update service. For an one-time fee of $49, we will update your web software for you. 

The post How to Secure Your Web Site from Hackers appeared first on New Winnipeg Web Hosting.

Many webhosting companies seem to be unprepared for this, causing more panic among web users. We want to assure our hosting customers that we have had security measures in place since last year that have saved our customers from this concern.

Layered Bulletproof Security

Our security system includes three firewalls; a network firewall, a server firewall and a web application firewall, all of which filters illegitimate traffic of all sorts.

Our security system also includes something called ModSecurity, which filters out bad login attempts to websites, email and other web services. This is so tight it usually locks out our own customers. When customers notice that they can’t connect to our servers, 99% of the time it’s because ModSecurity has locked them out for too many failed login attempts.

Last week, we setup a ModSecurity rule to block an IP address for 15 minutes after 10 failed WordPress login attempts once we had heard about the rash of brute force login attempts on WordPress sites affecting other hosts. Other ModSecurity rules are in place to permanently block repeated failed login attempts.

We also actively monitor a mixture of traffic patterns to known attack vector strategies and providing evasive action in the event of a DDoS attack. We also have third party monitoring services setup to review all web services; including SSH, FTP, HTTP and Email.

We have balanced all of this without compromising server performance.

Weekly Server Audits

We employ extensive auditing of various web applications, configurations and patches, on a weekly basis, looking for vulnerabilities and weaknesses of our own software and hardware, preventing future attacks and issues.

Our weekly audits include scanning our servers for over 6000 known exploit script fingerprint matches, suspicious file names and types, illegal software installations and PHP/CGI/HTML upload scripts. All of our employees also follow a rigid protocol to enact a series of security measures if something odd is found.

Malware Prevention and Cleaning

We’re seeing a rise of companies offering to clean malware for a cost, often costing more than our customers’ annual web hosting bills. There are also companies that offer secure hosting as a separate hosting service, which we feel is redundant.

Even if a web site hosted on our server gets infected with malware, we utilize an Apache symlink security patch, which prevents the malware from “leaking” into other accounts.

We scan our servers weekly for malware and if found, we clean it out for free. This is one of dozens of features included for free with our web hosting services.

We are always working

The Internet is a 24-hour environment. We host hundreds of web sites for customers who do business across all time zones. Whether it’s 3am or 3pm, we are always working.

Hackers often rely on the fact that most hosting companies have available technical support during banking hours and hit servers in the middle of the night. We have always been a 24-hour business so when hackers try to get us in the middle of the night, we’ve been available to squash these attempts.

We backup our servers nightly

Even in the worst-case scenario, we have your back.

It’s a bit more work than just providing web hosting services, but this extra work is a life saver if you accidentally delete your web site without a local copy.

Many WordPress users are being advised to keep backups of their sites before installing new plugins, which is fine but in most cases unnecessary as we already have your sites backed up, every night.

There are over a dozen other initiatives we’ve undertaken in the past two years that have saved us from a lot of disasters that have struck our competitors, however for security reasons we cannot disclose what these are.

We have always been reluctant to publish details about our security system and measures, so if you are a current hosting customer of ours and you have questions about this or anything related to your hosting account with us, please contact us.

If you’re not a customer, ask your web host what they are doing about this. If you’re not happy with your current web hosting provider, consider hosting your site with us – we can migrate your web site over to us for free!

The post What We Are Doing About Web Security appeared first on New Winnipeg Web Hosting.

• Perl 5.14 
• Apache 2.4 
• Roundcube 0.8.5 
• MySQL 5.5.30
• phpMyAdmin 3.5.5
• Rails 2.3.18

Access to cPanel and Webmail may be limited during this update window.

Later this night, from 12:15am to 12:30am CDT, we will be updating the RAM on the ‘webhost’ server. We expect there may be some downtime while this occurs during this 15-minute window.

The post Hardware and Software Update appeared first on New Winnipeg Web Hosting.

The post Server Updates appeared first on New Winnipeg Web Hosting.