Reclaim’s D.O.A. in Canada

Reclaim Hosting is happy to announce a new shared hosting server in Digital Ocean’s Toronto-based data center. And while the Toronto data center has been around since 2015, it just got block storage in September. We named this server after the pioneering political Canadian hardcore punk band D.O.A. With their first two albums, Something Better Change (1980) and Hardcore ’81 (1981), you have arguably the earliest examples of the new punk style that would dominate the 1980s. D.O.A. political anthems like “Smash the State:”

Or “F**cked Up Ronnie” as an early instance of 1980s punks’ sonic war on Reagan:

In fact, the song has been updated for the times:

It’s pretty telling to hear both Henry Rollins and Keith Morris talk about the impact D.O.A. had on the emerging hardcore scene. 

I love Morris’s description of seeing D.O.A. open up for X in LA. 

So, it seems only fitting to christen Canada’s first Reclaim Hosting server as D.O.A. If anyone would like us to move their sites to this new server for whatever reason, just submit a support request and we’ll be sure to make it so.

SSL Everywhere (Again)

It’s almost hard to believe it’s only been 2 years since Let’s Encrypt came out of beta and began providing SSL Certificates to the general public. I wrote a post at the time calling it a turning point for the web, but cPanel support was pretty much non-existent. Since then much has changed. Just 2 months after that post was written we began using a plugin that offered Let’s Encrypt support directly in cPanel for all users on Reclaim Hosting and announced general support for free SSL certificates. In August of 2016 we began employing ways of scripting the ability for domains to get certificates automatically using the plugin and hooks from our billing system and I wrote a post aptly titled SSL Everywhere where I wrote:

After testing over the past 2 weeks I’m pleased to announce that going forward every domain hosted by Reclaim Hosting will automatically be provisioned with a free and renewable SSL certificate by default.

Around that same time cPanel had also made strides to offer their own support for automatic certificate provisioning with a newly announced feature called AutoSSL. Initially AutoSSL only supported cPanel’s own certificates issued through Comodo, but later Let’s Encrypt support was added. Rate limits employed by both certificate providers made it difficult to truly promise SSL everywhere, and one issue we found was that notifications were a real problem.

Normally receiving a notification that your domain was secure would be a good thing. However, we have often found this can confuse a customer who thinks they might have been charged for something, or possibly that the email is spam, especially if they didn’t specifically issue a certificate themselves (and remember we were attempting to issue certificates for all users, so that would often be the case). Our ideal scenario is one in which all domains have certificates but no one gets needless emails regarding the provisioning of them (success or failure). Our plugin offered such granular notification settings and at the time AutoSSL did not, so given the conflict we decided to double down on the Let’s Encrypt plugin and disable the AutoSSL feature across the board to streamline things.

We have more recently found out that there is a key difference between what the AutoSSL feature can accomplish and what the plugin we use can. AutoSSL can (and has in many cases) replace and renew certificates for expired domains. That is a good thing in that even if you had a self-signed certificate, or previously paid for one and it had expired, you’d get a new free one. What we didn’t know was that our plugin was not able to do this, so when we disabled cPanel’s AutoSSL feature we suddenly had a large number of domains with cPanel-issued certificates that the Let’s Encrypt plugin could not renew or replace, leading to confusion with folks waking up and finding their sites didn’t work over https.

In the past we have pointed folks to our documentation on installing a Let’s Encrypt certificate but remember our goal was that no one was supposed to have to do that. SSL Everywhere was and still is the goal. We needed to fix this. I’ve reached out to the plugin developers who are now aware of the issue and have committed to working on a fix that could be released along with wildcard support in the next 2-3 months. But that’s a long time to continue fielding issues of certificates not renewing which can render a site inaccessible.

We decided this week that a better short term solution was to turn the AutoSSL feature back on and have it issue certificates for any domains that did not have them or were expired. We would continue to have the Let’s Encrypt plugin exist, but with the goal being that users would have a certificate from one or the other automatically and either way they would be renewed automatically. Unfortunately an attempt to ensure that users didn’t receive a bunch of notifications of this failed. cPanel provides an API call to change the setting and it returned the correct response, so I didn’t think to check and make sure the setting was actually changed, and it wasn’t. Long story short there, many users got emails for every certificate provisioned. But we’ve fixed that now so that the emails won’t be sent in the future, and meanwhile the good news overall is that I think we’re much closer to the goal of SSL Everywhere, provisioned by default and renewed automatically with no work on the part of users.
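An added example, not Reclaim Hosting's own tooling: one way to audit hosted domains from the outside so that certificates neither AutoSSL nor the plugin has renewed are caught before visitors find them. The 30-day threshold and the example.com placeholder are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # assumed alert threshold, not a value from the post


def issuer_org(cert):
    """Pull organizationName out of getpeercert()'s nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "unknown"


def assess(cert, now):
    """Classify a dict shaped like SSLSocket.getpeercert() output."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        status = "expired"
    elif days_left < RENEW_WINDOW_DAYS:
        status = "renew-soon"
    else:
        status = "ok"
    return {"status": status, "issuer": issuer_org(cert), "days_left": days_left}


def check_host(host, port=443, timeout=5):
    """Live check. A verified handshake refuses expired or self-signed
    certificates, so that refusal is reported as a finding, not a crash."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert(), datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return {"status": "verify-failed", "reason": exc.verify_message}
    except OSError as exc:
        return {"status": "unreachable", "reason": str(exc)}


if __name__ == "__main__":
    for domain in ["example.com"]:  # placeholder; use your hosted-domain list
        print(domain, check_host(domain))
```

The issuer field shows which of the two provisioning paths currently covers a domain, which is the distinction that mattered when AutoSSL was switched off.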

We’ll continue to keep an eye on this in case the landscape changes (with technology it always does) and as always reach out if you have any questions or concerns!

Patching Meltdown and Spectre

Seems like every 1-2 years we get a major security scare in the form of a global exploit that affects server infrastructure in some fashion and requires a response. We’ve had Heartbleed, Poodle, Shellshock (who comes up with these names anyway?). 2018 didn’t wait long to bring us that gift in the form of Meltdown and Spectre. https://meltdownattack.com/ has a lot of great information about these two exploits, but the short story is that rather than taking advantage of any particular software configuration, these exploits expose vulnerabilities in pretty much all modern CPUs. That means not only does this require patching for server admins like me at Reclaim Hosting and across the web, but every operating system on all computers, including mobile devices and personal computers, is vulnerable. The vulnerability takes advantage of exploits at the hardware as well as software layer to leak data into memory that can then be read by the attacker. It’s not a question of whether or not you are affected: you are affected.

Antivirus can’t block it either; only patching the underlying systems will resolve it, and thankfully companies have been hard at work at getting these patches developed since long before the news became public. Intel became aware of the exploit last fall and many major companies have been under an NDA as they developed patches to secure their systems. Due to the complexity of this exploit, however, we are still awaiting patches for some systems and now it is public (which will hopefully light a fire under certain groups to get these patches out).

Thankfully when we at Reclaim became aware of the issue last week, CentOS, the distribution of Linux that powers over 90% of our server infrastructure and the only supported distribution for cPanel, was already releasing patches. We had to do some testing as well as await patches by CloudLinux, which is a third party that we use for our kernel software, but by Monday we felt confident the patches were safe and we set to work to patch our entire fleet. Normally with maintenance that involves downtime we like to give customers a heads up, and with this kernel update requiring a reboot, sites would indeed be offline for a few minutes. However, we made the judgement call to rip the bandaid off and favor getting these patches in place as soon as possible rather than risk data being exposed as a result of the vulnerability. By 6PM Monday our entire infrastructure that runs cPanel and all CentOS servers were patched for these exploits with minimal downtime across the majority of our servers.

We have a small number of Ubuntu servers that we are still awaiting a production patch on and hope to receive that sometime this week. If you want to make sure you are secure, the best thing you can do is run all updates for your operating system and browser to make sure you’re running the absolute latest version. Due to the nature of the exploit there is no way to trace whether the vulnerability has been taken advantage of (it does not log any of its actions), so it’s particularly important to be proactive. I’m proud of the capacity of Reclaim Hosting as a small operation to remain aware of these events and to stay on top of them in a timely manner.
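An added example, not part of the original post: a post-reboot check that reads the mitigation status Linux kernels report under /sys/devices/system/cpu/vulnerabilities. It assumes a kernel new enough (or with the interface backported) to expose those files, and treats a missing file as unknown rather than safe.

```python
import sys
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def read_status(base=SYSFS_DIR):
    """Return {issue: kernel-reported status}.

    A missing file means the running kernel predates the interface,
    which usually also means it predates the fixes, so it is recorded
    as 'unknown' instead of being silently skipped.
    """
    result = {}
    for name in CHECKS:
        try:
            result[name] = (Path(base) / name).read_text().strip()
        except OSError:
            result[name] = "unknown"
    return result


def needs_attention(status):
    """Issues the kernel does not report as 'Not affected' or 'Mitigation: ...'."""
    return sorted(
        name for name, text in status.items()
        if not (text.startswith("Not affected") or text.startswith("Mitigation"))
    )


if __name__ == "__main__":
    status = read_status()
    for name, text in status.items():
        print(f"{name}: {text}")
    # Non-zero exit lets a fleet-wide loop or monitoring job flag this host.
    sys.exit(1 if needs_attention(status) else 0)
```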

Now can we take a nice long vacation from these major exploits? My spidey sense tells me that’s likely not to be the case as we come to rely more and more on computers and specifically internet-connected devices in our lives. It’s the new normal and the best security we can hope to have is proactive patching and awareness.

Using the Import/Export Tools in WordPress

Lately, I’ve been working with clients to move their website from WordPress.com to WordPress.org. With this request, I use the Import/Export tools to move the content from one site to the other. This tool bundles the content on the site into a .zip file which you can then move to another location. Disclaimer: It isn’t perfect; you only get the content of the site, so things like posts, pages, and settings on the site. The plugins, themes, and media aren’t included, so if your site has a lot of media, or has a ton of plugins, this tool might not work for you. (I’m writing another post about a plugin that will move everything on the site for you, so stay tuned).

As I’m writing to the clients with instructions on how to set up their site using these tools, I started looking for a tutorial that would walk them through the process. And can you believe it, there are no tutorials that show the process from start to finish? So I wanted to take the time to write the process down. This article will showcase the import/export tools within WordPress (.com and .org). The process is essentially the same for both; they just look a little different.

But wait, there are two versions of WordPress? Yes, there are, but they are run in different ways.  WordPress, in a nutshell, is an open-source content management software (if you want to look at a more in-depth explanation you can read about it here).  Automattic Inc. helps develop and maintain this software. We offer this software at Reclaim and users can install an instance on their domain, in fact, you’re reading this post on a WordPress installation.

WordPress.com is Automattic Inc.’s hosting company that runs the WordPress software explicitly. They offer free accounts with subdomains like meredithfierro.wordpress.com, or users can purchase a domain. Then users can opt in to pay a monthly fee to get full use of the software, like you would if you installed WordPress on your domain through your hosting company.


WordPress.com

Export:

The first thing you’ll want to do is export all of the content. Also, take note of the plugins and theme the site is using (this will save time on the other side).

  1. Click ‘Settings’ under ‘Configure’.
  2. Click ‘Export’ under the ‘Site Tools’ section.
  3. From here you can choose the amount of content you’d like to export, or you can export the entire content on the website. When you’ve decided what to export, click ‘Export’.
  4. WordPress begins to package the content together. When it finishes, a banner should appear at the top of the screen. Click ‘Download’.
