Tag Archives: security

Is your site patched against Heartbleed? (CVE-2014-0160)

I had the 'fun' experience of patching against this vulnerability today. However, when I rebooted one of my primary servers, it failed to come back up and caused two hours of downtime. Sorry to anyone who couldn't access this site.

If you're wondering whether you are vulnerable, check your site for the Heartbleed vulnerability.

As for the actual patching, I only did it manually on some Ubuntu 12.04 systems. It was fairly simple. Just run

apt-get update && apt-get upgrade

That should take care of it. If you want to learn more, go to Heartbleed.com.
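Upgrading the package is only half the job: a daemon that loaded the old libssl before the upgrade keeps the vulnerable copy mapped in memory until it is restarted, which is why the reboot above was needed. The following added check (not from the original post) lists processes that still map a deleted libssl/libcrypto; it assumes a Linux /proc layout, and the sample maps content is constructed for demonstration.

```shell
# Print the PIDs of processes whose memory maps still reference a deleted
# (i.e. replaced-on-disk) libssl or libcrypto. Each such process is still
# running the pre-upgrade OpenSSL code and must be restarted.
# $1 = directory to scan (defaults to the real /proc)
stale_ssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # A maps line ends in "(deleted)" when the mapped file was replaced.
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            basename "$(dirname "$maps")"
        fi
    done
}

# Build a constructed fake /proc tree so the check can be exercised offline.
# $1 = directory in which to create the fake tree
make_fake_proc() {
    root="$1"
    mkdir -p "$root/101" "$root/202"
    # PID 101: still running against the pre-upgrade library (needs restart)
    printf '7f00-7f10 r-xp 00000000 08:01 1 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n' \
        > "$root/101/maps"
    # PID 202: started after the upgrade, so it maps the new library
    printf '7f00-7f10 r-xp 00000000 08:01 2 /lib/x86_64-linux-gnu/libssl.so.1.0.0\n' \
        > "$root/202/maps"
}
```

On a real host, run stale_ssl_pids with no argument (as root, so every process's maps file is readable) and restart every service whose PID it prints.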

Comic courtesy of XKCD.

I Am Free To Do Whatever I Want! Will Your WordPress Host Agree With That?

Guest Post from Lilyana Yakimova, Marketing Director of SiteGround | SiteGround Reviews

When it comes to freedom, WordPress users seem really blessed. Not only can they extend their website almost infinitely with the help of thousands of WordPress themes and plugins, but they are also free to choose among more hosting options than anyone else. The range is really wide: starting from the free service at wordpress.com, going through all the standard shared web hosts*, which are perfectly compatible with WordPress, and ending with a number of managed hosts** that specialize in WordPress only. There are many articles comparing the prices, the speed, or the reliability of WordPress hosts, but what is seldom talked about is how the different hosting options compare in terms of the website-management freedom they give the user.

What affects the level of freedom allowed by a WordPress host?

The easy, but not completely correct, answer is that account-management freedom depends on the price. Of course, it is only natural that if you use a completely free service like wordpress.com, you will be limited in some ways: you will not be able to install all the themes and plugins you want, you will not be able to use your own domain, and you will not be able to call someone 24/7 to report a problem.

However, when it comes to paid hosting solutions, the correlation between price and freedom is not so straightforward. Quite often you can do more on a standard, cheaper host than on a more expensive managed host. For example, you can easily get access to MySQL, 24/7 phone support, and additional hosting services such as email and SSH on a general host, while at strictly managed WordPress hosts some or all of these features are missing. In addition, most standard hosts do not place any limitations on which WordPress versions you may host or what plugins you can add, while managed hosts often force the newest WordPress version on all of their users' websites and completely ban certain plugins.

So why is there such a discrepancy? Managed WordPress hosts would probably argue that the real price of freedom is the level of your website's security. They will claim that if they are to take full responsibility for your website's security, you should sacrifice some of your freedom in return. The standard shared hosts, on the other hand, leave most of the responsibility in your own hands, and when something goes wrong, it will be blamed on your decision to use a vulnerable plugin or your failure to upgrade your application.

So what do you choose - freedom or security? And can’t you have both?

It seems that it all comes down to the good old question: how much freedom are you willing to sacrifice in the name of security? Well, I believe that in the WordPress hosting world there is a reasonable middle ground.

Let’s take auto-upgrades, for example. A managed WordPress host will normally force the upgrade on all of its users whenever a new WordPress version is released. Most standard shared hosts, on the other hand, do nothing, and their customers may never realize that an important security update has been released and that an upgrade is now due. A good middle-ground host can do better. It can still be proactive, by providing automatic upgrades to its customers and informing them about each new version released, and, at the same time, it can be more democratic by giving its users a way to opt out of the auto-upgrades. Thus people who would like to take over the upgrade process themselves can easily do so.

Another interesting security case is when a vulnerability appears in a plugin used by the host's customers. The easiest way to protect all your users efficiently, and the one applied by managed WordPress hosts, is simply to disable all installed instances of the plugin. However, functionality your users chose is then taken away from their websites. The opposite approach is to let users add any plugin and, as a host, decline to take any responsibility for their choices. A good middle-ground host will again look for a different way around the problem: it will work on a solution that fixes the vulnerability at the server level. Thus it takes care of security without punishing the user for a flaw in plugin code that the user was most probably not even aware of. Of course, this scenario only works when the host is always on top of security and is able to provide a patch for the vulnerability almost immediately after it has been disclosed.

So, to conclude: you can probably never be totally free and totally safe at the same time. However, when it comes to your WordPress hosting, I believe that you should not be forced to sacrifice too much of either your freedom or your security, as in most situations there is a reasonable middle ground.

------

*Examples of standard shared-hosting companies: HostGator, BlueHost, DreamHost, etc.

**Examples of popular managed WordPress hosts: WPEngine, ZippyKid, Page.ly