Charlottezweb

Recent Posts

1
Server Updates & Outages / Re: Imunify360 added to all servers - June 2017
« Last post by Jason on June 12, 2017, 06:39:52 PM »
Greetings,

I wanted to clarify a few points as I've had customers reach out with questions today.  :)

We run ModSecurity on all of our servers and have had that in place for at least 1-2 years.  

Imunify360 uses ModSecurity for a *part* of what it does but it works on top of it.  For example, if ModSecurity blocks a function on your site that it thinks is suspicious, Imunify360 may display a warning message and/or an option to unblock yourself.  This isn't Imunify360 blocking you, it's ModSecurity.

That being said, I think Imunify360 (or perhaps ModSec) is driving a more aggressive set of security rules.  I've had to whitelist a lot of rules in the past few days that weren't an issue previously.

If you experience any errors in your website that you didn't have before (for example, updating your site via WordPress), please reach out to me.

I appreciate your patience as we try to optimize this solution.  I know it's frustrating when things don't work as expected but I'm hopeful that the security provided by these solutions will outweigh the issues we may see upfront.

Regards,
Jason
2
News & Announcements / Charlottezweb deploys Imunify360
« Last post by Jason on June 11, 2017, 04:55:57 PM »
Please visit this thread to learn more: https://www.charlottezweb.com/forums/index.php?topic=2121.0

3
Server Updates & Outages / Imunify360 added to all servers - June 2017
« Last post by Jason on June 11, 2017, 04:55:02 PM »
June 2017:  Charlottezweb announces Imunify360 deployment.

I'm pleased to announce that Charlottezweb has now deployed Imunify360 to all our shared servers.

I will create a new page on our site as part of our website relaunch in the next 1-2 months with full details but if you're interested now, please visit their site to read full details:

http://imunify360.com/

Cheers,
Jason
4
Script Chat / Joomla Security Notice :: May 18, 2017
« Last post by Jason on May 18, 2017, 08:26:45 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html


Joomla! Security News


[20170501] - Core - SQL Injection
Posted: 17 May 2017 07:00 AM PDT
Project: Joomla!
SubProject: CMS
Severity: High
Versions: 3.7.0
Exploit type: SQL Injection
Reported Date: 2017-May-11
Fixed Date: 2017-May-17
CVE Number: CVE-2017-8917

Description
Inadequate filtering of request data leads to a SQL Injection vulnerability.

Affected Installs
Joomla! CMS versions 3.7.0

Solution
Upgrade to version 3.7.1

Contact
The JSST at the Joomla! Security Centre.
5
Script Chat / SMF 2.0.14 Released :: May 14, 2017
« Last post by Jason on May 14, 2017, 08:13:20 PM »
Please visit SMF's release post from tonight:

https://www.simplemachines.org/community/index.php?topic=553855


Quote
Dear Members,

Simple Machines Forum has released a new patch to the 2.0.x line, bringing our latest release version to 2.0.14.

This patch adds both security and general maintenance fixes to your forum, so it is imperative that you install this patch quickly. You can view the changelog for this release, per usual, on the downloads page.

The quick summary of changes is as follows:
  • Added PHP 7 support.
  • Ported image proxy support from SMF 2.1.
  • Also added HTTPS for avatars.
  • Accept email addresses with long TLDs.
  • See the changelog for more.

If you are running version 2.0.13, you can upgrade your forum to the latest version by using the package manager. As usual, you should see the upgrade notification in the admin panel notifications and in the package manager, which will allow you to download and install the patch seamlessly.  If you do not see the notification about the upgrade patch, please run the scheduled task "Fetch Simple Machines files" from the Scheduled Tasks page (Admin > Maintenance > Scheduled Tasks > Fetch Simple Machines Files (check the "Run Now" checkbox and click the "Run Now" button)).

If you use older versions of SMF, you can upgrade directly to 2.0.14 from whichever version you are currently using by using the "full upgrade" archive from the downloads page. Be aware that using this upgrade method will require you to reinstall any customizations that you have added to your forum, so if you are running a version of the 2.0.x series, it is recommended that you apply the successive patches instead of using the full upgrade.

Please do not use this topic for support requests.
You will receive a much quicker and better response by posting in the 2.0.x Support Board or the Install and Upgrade Help board.


If you are having problems downloading the patch from the admin panel, you can download the patch package from the upgrade patches page and install it via the package manager, as you would any other mod package.

Please refer to the Online Manual for more details about:

Thank you for using SMF!

Regards,
Simple Machines Forum Team
6
I'd like to add a few updates after playing around with this a bit today.

Several customers (including myself) have purchased/installed new WordFence Premium licenses today which is very exciting.  I'll keep adding to this post but here are a few initial thoughts:

1. The process itself is super simple.  If you're already using the free version of WordFence (which, again, I recommend all WordPress users should do at minimum), it's a matter of going to the WordFence Options page and replacing the "API Key" with the new premium key.  You save, refresh the page and then you're good to go with newly-activated Premium features.

2. I have added an item to our shopping cart (click here for a direct link) if you'd like to purchase this.  If you'd like to order in bulk or have questions, please contact me.  

3. As mentioned above, the Premium option enables "Cell Phone Sign In."  I'd like to expand on this for purposes of understanding.  What this feature does is enable you to require the addition of a single-use code sent to your phone on top of your password in order to login to your WordPress Admin area. This is something I am exploring for the Client Area of Charlottezweb.com as well as an option you can enable.  This means that even if someone had your password due to some sort of virus, hack, or compromise, they wouldn't be able to login as you without physically having your phone where the codes get continuously updated every minute.  

I enabled this on one of my sites today via WordFence and it's great.  To be transparent however, this means that you'd have to have your cell phone with you and you'd need to install Google Authenticator (or a similar app) on your phone.  I already use this for logging into several sites/systems so this was a no-brainer for me but if you've never done this before, it may be something you want to think about.  Ultimately, it adds another layer of protection for you that's going to help keep your site even more secured if you opt to go that route.  All of this being said, there are free plugins from what I'm seeing that can integrate this into WordPress but this is one option that WordFence Premium offers built-in without needing to configure anything.  It also offers the ability to set it up on a user-by-user basis if you so choose.

More details to come as I keep exploring the Premium options.  So far they look great.

Regards,
Jason
7
News & Announcements / WordFence Premium licenses available at 35% Off
« Last post by Jason on May 03, 2017, 09:37:47 PM »
Charlottezweb is now offering WordFence Premium licenses. 

Please visit this post for full details.

https://www.charlottezweb.com/forums/index.php?topic=2117.0
8
If you use WordPress (www.wordpress.com) for your website(s), a fantastic plugin is available called WordFence.  (www.wordfence.com)

There is a Free version of this plugin that I have been recommending to customers for probably close to two years that I personally install on all WordPress sites that I manage or build myself.  It's a FANTASTIC tool that I think ALL WordPress admins should consider as part of their overall security planning.  (I also suggest subscribing to their blog/email list as they send important security news usually once a week that I think is very valuable).

They offer a paid "Premium" version that adds additional features that is $99/year for a single license/site.

They offer bulk discounting and I've opted to start purchasing these licenses and reselling them to offer my customers their Premium features at 35% off the public 1-year pricing if you were to order directly from them.

If you are a Charlottezweb hosting customer, I can offer $65/year for a WordFence Premium license key vs. you paying them $99 for the same key.

What's the catch?
This makes Charlottezweb a reseller of their product.  You won't have direct access to their support however you can raise any issues through Charlottezweb (as you do today) and if it can't be resolved in that approach, I'll open a ticket directly with them on your behalf.

Other than that, there's no catch. :)

For now, I'm extending this offer to customers with hosting accounts.  By this, I mean that I'm not currently going to offer this for purchase without an existing or new hosting purchase.  This is to prevent new customers from purchasing only this key through Charlottezweb and nothing else.  In that scenario, they should go directly to WordFence.  This may be an approach I change later but for now my goal is to pass along bulk-pricing benefits to Charlottezweb customers because I think this is a solution that's well worth the money and bulk-ordering allows me to pass along pricing discounts as a value-add to my customers.  At the end of the day, this tool protects my customer's sites individually which also protects my servers -- It's a win/win for all of us.

What's better about Premium than their Free version?
Again, their Free version is great and I highly recommend using it, especially if you're not already using any WP security plugins.

If you go to the following page, there is a "Compare Our Plans" button that will display a table that compares the differences.

https://www.wordfence.com/#features

To save you time, here are the additional Premium features not included with the Free version.

  • Real-Time Threat Defense Feed
  • Country Blocking
  • Check if Site IP is Generating Spam
  • Check if Site is Spamvertized
  • Remote Scans
  • Cell Phone Sign In
  • Audit Existing Passwords
  • Advanced Comment Spam Filter

How Do I Order This?
This is not yet added to our shopping cart but that will likely happen this coming weekend.  Additionally, as part of the complete redesign of Charlottezweb.com (coming in the next 1-2 months), there will be a page specifically dedicated to WordFence with additional information.  For now, if you'd like to take advantage of this, please email me or open a ticket and I'll update you asap.  I have licenses purchased that are ready to go!  :)


Also, if you have any questions, comments or feedback, please feel free to post them here.  As always, I love to hear directly from you on what ideas are good, bad, need improvement, etc.  :)

Cheers,
Jason


9
Script Chat / Joomla Security Notice :: April 26, 2017
« Last post by Jason on April 26, 2017, 12:00:56 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html


Joomla! Security News



  • [20170408] - Core - Information Disclosure
  • [20170407] - Core - ACL Violations
  • [20170406] - Core - ACL Violations
  • [20170405] - Core - XSS Vulnerability
  • [20170404] - Core - XSS Vulnerability
  • [20170403] - Core - XSS Vulnerability
  • [20170402] - Core - XSS Vulnerability
  • [20170401] - Core - Information Disclosure

[20170408] - Core - Information Disclosure
Posted: 25 Apr 2017 08:30 AM PDT
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.4.0 through 3.6.5
  • Exploit type: Information Disclosure
  • Reported Date: 2016-Feb-06
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-8057
Description
Multiple files caused full path disclosures on systems with enabled error reporting.
Affected Installs
Joomla! CMS versions 3.4.0 through 3.6.5
Solution
Upgrade to version 3.7.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Sim of tencent security

[20170407] - Core - ACL Violations
Posted: 25 Apr 2017 08:30 AM PDT
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.2.0 through 3.6.5
  • Exploit type: ACL Violation
  • Reported Date: 2017-March-01
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7989
Description
Inadequate mime type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.6.5
Solution
Upgrade to version 3.7.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Abdullah Hussam

[20170406] - Core - ACL Violations
Posted: 25 Apr 2017 08:30 AM PDT
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.6.0 through 3.6.5
  • Exploit type: ACL Violation
  • Reported Date: 2016-April-29
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7988
Description
Inadequate filtering of form contents allowed overwriting the author of an article.
Affected Installs
Joomla! CMS versions 1.6.0 through 3.6.5
Solution
Upgrade to version 3.7.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: T-Systems Multimedia Solutions

[20170405] - Core - XSS Vulnerability
Posted: 25 Apr 2017 08:30 AM PDT
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.2.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2016-February-28
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7987
Description
Inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.6.5
Solution
Upgrade to version 3.7.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: David Jardin

[20170404] - Core - XSS Vulnerability
Posted: 25 Apr 2017 08:30 AM PDT
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2017-February-22
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7986
Description
Inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.6.5
Solution
Upgrade to version 3.7.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Fortinet's FortiGuard Labs

[20170403] - Core - XSS Vulnerability
Posted: 25 Apr 2017 08:30 AM PDT
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2017-March-21
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7985
Description
Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.6.5
Solution
Upgrade to version 3.7.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Fortinet's FortiGuard Labs

[20170402] - Core - XSS Vulnerability
Posted: 25 Apr 2017 08:30 AM PDT
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.2.0 through 3.6.5
  • Exploit type: XSS
  • Reported Date: 2016-December-23
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7984
Description
Inadequate filtering leads to XSS in the template manager component.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.6.5
Solution
Upgrade to version 3.7.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Chen Ruiqi

[20170401] - Core - Information Disclosure
Posted: 25 Apr 2017 08:30 AM PDT
  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.5.0 through 3.6.5
  • Exploit type: Information Disclosure
  • Reported Date: 2017-Jan-02
  • Fixed Date: 2017-April-25
  • CVE Number: CVE-2017-7983
Description
Mail sent using the JMail API leaked the used PHPMailer version in the mail headers.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.6.5
Solution
Upgrade to version 3.7.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Conor McKnight


10
Quick Summary -- Charlottezweb is now offering free (cPanel-provided) Comodo SSL certificates for all accounts.  This is in place and active as of last week.  Customers with purchased SSL certificates were purposely skipped so as not to impact their certs. Please note - the free certs are suitable for personal/hobby sites but I still highly recommend purchased certs for customers/sites that conduct eCommerce as they have definite advantages over the free ones.  See below for details.

The longer story with background...

I've been receiving questions from customers lately around SSL and securing web sites due to the recent pushes by Google and some web browsers to promote secure connections.  

What does this mean?
At a very high level, there are basically two ways to access a website.  You can access it via http://  or https://  (note the "s" in the second example).  The first option uses non-encrypted connectivity which means the data transmitted between your computer and the destination server are not protected.  This is perfectly acceptable for viewing pages where you're not exchanging any personal information such as your name, address, payment information, logins/passwords, etc.  However, if you are on a page where you are exchanging any of the information just mentioned, it should be protected by SSL (Secure Sockets Layer) encryption.  This is where the https://  (notice the "S") comes into play. This means that all data transmitted between your computer and the destination server are encrypted to prevent an unauthorized party from intercepting and viewing it during transmission.

This is what drives the padlock icon you may see in your browser when you visit certain sites like Charlottezweb's Client Area, your bank, etc. (See below for example)



I've noticed that my site now shows a broken padlock -- What do I do if I want to fix this on my site?
As mentioned above, some browsers are starting to warn users when you try to login or when you visit them with a "broken" padlock icon next to the URL.  This is an effort by the likes of Google (Chrome), Mozilla (Firefox), etc to promote and attempt to force sites to start requiring SSL/encryption.

In order to get that secure message to go away, you have to use SSL (https) to access all pages and content on your site.

Historically to accomplish this you needed to purchase a dedicated IP address and an SSL certificate to install.  You then had to configure your site code to use all https.  Charlottezweb charges $20/year for a dedicated IP address and we offer various SSL certificates that you can view here.  

cPanel recently started offering FREE certificates (which I installed for all customers without a purchased cert) last week.   This is great for personal/hobby sites but I wouldn't recommend it for anything eCommerce.  This means that as a customer, you can now access your site via https://www.yoursite.com and you can view that you have an SSL cert installed.

A few considerations:
1. You may need to adjust your site's coding to use https instead of http so the padlock works.  All elements on your site will need to load via https to prevent the broken padlock.
2. The FREE certificates cPanel offers are good for 3 months and should renew automatically.
3. I've had a few customers trying to use their own domain names for SSL email (vs. using the server hostname) and it hasn't always worked.  If you're using a server hostname for email, I'd probably stick with that for now until more is learned on this.
4.  To repeat what I said at the top -- if your website is not a personal/hobby site, I would highly recommend sticking with a commercial certificate for SSL.  It will likely have a higher browser trust rate, it will show your business name/information (vs. showing your site owned by cPanel), and has additional benefits.  Feel free to contact me for details.

---

A few articles on this topic:

https://motherboard.vice.com/en_us/article/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https

https://www.wordfence.com/blog/2017/01/chrome-56-ssl-https-wordpress/

Regards,
Jason
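The post's first consideration, that every element on the page must load over https before the padlock shows, is something you can check mechanically. The following Python is an added example, not code from the post author or from cPanel: it parses an HTML page with the standard library, resolves each sub-resource URL against the page's own https URL, and reports the ones a browser would still fetch over plain http (the "mixed content" that breaks the padlock). The page URL and HTML are constructed sample input; protocol-relative and relative URLs resolve to https and are correctly left alone, while a `<link rel="canonical">` pointing at http is ignored because it loads nothing.

```python
"""Added example: list page elements that would still be fetched over plain http."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Tags and attributes through which a page pulls in sub-resources.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}
# <link> only fetches something for these rel values; canonical/alternate links are metadata.
LOADING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentScanner(HTMLParser):
    """Resolve every sub-resource URL against the page URL and record the http:// ones."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attr_map = {name: value for name, value in attrs if value is not None}
        if tag == "link":
            rels = set(attr_map.get("rel", "").lower().split())
            if not rels & LOADING_LINK_RELS:
                return
        for name in wanted:
            value = attr_map.get(name)
            if not value:
                continue
            for url in self._urls_in(name, value):
                absolute = urljoin(self.page_url, url)  # relative and // URLs inherit https
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))

    @staticmethod
    def _urls_in(name: str, value: str) -> List[str]:
        # srcset holds "url descriptor, url descriptor, ..."; everything else is one URL.
        if name == "srcset":
            return [part.strip().split()[0] for part in value.split(",") if part.strip()]
        return [value.strip()]


def find_mixed_content(html: str, page_url: str) -> List[Tuple[str, str, str]]:
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, assumed to be served from a constructed https URL.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://static.example.com/banner.jpg">
<img srcset="http://static.example.com/a.jpg 1x, https://static.example.com/b.jpg 2x">
<iframe src="https://video.example.com/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, PAGE_URL):
        print(f"<{tag} {attr}> still loads over http: {url}")
```

Run against a real page, fetch the HTML over https first and pass that URL as `page_url`; anything the scanner lists is a hard-coded http reference to rewrite (or to make protocol-relative) before the padlock will appear. Resources injected by JavaScript at runtime are not visible to a static parse, so a browser's developer console remains the final check.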