BuyHTTP Company Blog

Unlimited hosting is here!

So what is unlimited hosting? is it really unlimited? is it for me?

As we pointed out in a previous post, unlimited hosting is for the most part a marketing term for the same old hosting plan but with a little twist.

Hosting is not about disk space and bandwidth only it’s more about server resources like CPU, RAM, Disk Space, Network, etc… and like every other host out there that offer unlimited hosting, there’s always a limit hidden somewhere, if it’s not disk space it’ll be inodes (number of files), CPU, Memory, number of processes, number of connection or a combination of them.

How our unlimited hosting is different

What we did is we created the right mix of server resources using the right combination of server hardware, limiting the number of accounts hosted on each server to provide a good performance and not overload the server, the new plan include unlimited disk space and bandwidth, large number of inodes, CPU and RAM enough to run just about any personal website.

Is unlimited hosting right for me?

If you’re running a non critical personal site that doesn’t requires high level of server resources or top of the line server hardware and performance you’ll be fine with unlimited hosting but if you’re running a business critical website that requires an enterprise class hardware, the best performance and uptime possible then you’re better off with a business hosting plan like our GIGA and the newly added GIGA+

WordPress has released version 2.8.2. This releases fixes an XSS vulnerability with URLs not being fully sanitized when viewing in the admin. It is recommended that you upgrade to protect yourself from this issue.

WordPress has released version 2.8.1 of their popular blogging software. Along with 51 fixed bugs there was a possible security issue addressed with unprivileged users able to access admin pages for some plugins. For that reason this upgrade is strongly recommended. If you don’t want to do the upgrade yourself you can order our upgrade service.

Some highlights of this release:

• Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
• Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
• The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
• A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
• Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.
• Translation of role names fixed.
• wp_page_menu() defaults to sorting by the user specified menu order rather than the page title.
• Upload error messages are now correctly reported.
• Autosave error experienced by some IE users is fixed.
• Styling glitch in the plugin editor fixed.
• SSH2 filesystem requirements updated.
• Switched back to curl as the default transport.
• Updated the translation library to avoid a problem with mbstring.func_overload.
• Stricter inline style sanitization.
• Stricter menu security.
• Disabled code highlighting due to browser incompatibilities.
• RTL layout fixes.

Hackers love to use dictionary or brute force attacks to try to get admin logins into sites. What they do is find your admin login page and continue to try hundreds or thousands of passwords until they find yours. There are 3 pretty easy ways to prevent this from working:

1. Change your admin username.
2. Use a hard to guess password.
3. Install Login LockDown

Changing your admin username

To do this you will need to login to cPanel and go to phpMyAdmin. Select your WordPress database and browse the wp_users table. Edit the first entry which should have the username “admin” and change the value to something else.

Use a hard to guess password

Your password should be at least 8 characters with a mix or upper case letters, lower case letters, numbers and special characters. If you would like a secure password generator you can find one here.

Install Login LockDown

Login LockDown allows you to set a threshold for failed login attempts before a user is blocked. From their WordPress plugin directory description:

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.

Installing Login LockDown is just like any other plugin. Download the .zip file from the plugin directory. Go to your WordPress admin dashboard and navigate to Plugins > New > Upload. Upload the zip file and activate the plugin. You can the setup your rules.

I’ve installed the MiaCMS 4.9 beta to get a look at the new features and am liking what I’m seeing so far. The two big differences you’ll notice are the new bookmarking system (I wrote one back in the Mambo 4.5 days so it’s nice to see functionality like this in the core) and the tag cloud module. I didn’t dig into the code on the tag cloud but from what I can tell it searches all articles to create it, I didn’t see any way to create tags when adding or editting content. This sould slow things down with thousands or articles, but maybe they have a caching feature in it to prevent that (and knowing these developers it wouldn’t surprise me).

There were also several updates behind the scene, not the least of which is that MiaCMS now requires PHP5. This is good news since there are functions only available in PHP5 that will help the code execute faster, and no host should be running PHP4 anymore.

I didn’t notice any bugs while I was playing around which is always a good sign. I wonder if this will be the last major release before we see joint Aliro/MiaCMS code?

Now that it’s been about a year since the last Mambo release (June 24th, 2008) it’s time to wonder about the future of the project. At one point it was hailed as the best open source project in the world, but now it seems to be dying a rather quiet death.

A Little Mambo History

The project started back in 2003 when Miro released an open source version of it’s commercial CMS, also known as Mambo. Many people have theorized they were just looking for coding ideas for their commercial CMS and seeing their actions a couple years ago it really wouldn’t surprise me. For a couple of years after being released Mambo was the most popular CMS available and beat our Firefox for the 2005 LinuxWorld Best Open Source Solution award. That was certainly a major feat.

Some time in 2006 Miro decided that the project had enough exposure that they wanted back in. A highly political (and apparently not very well liked) Mambo Steering Committee and Mambo Foundation was formed. This consisted of core developers, Miro staffers and Mambo community members. It was shortly after this that all core developers decided as a group to leave the project and start Joomla.

Fast forward to 2008 and there is a lot of work being done by the new developer group at Mambo. But the politics must have gotten to this group as well because they left and formed another new project, MiaCMS. Core developer Chad Auld wrote on his blog “We felt that the policies, processes, and priorities of the official Mambo Foundation were having a negative impact on the code and the community. Innovation, creativity, and team spirit have all but been eliminated. Trolling the internal forums has become depressing and de-motivating to say the least. Trying to push new code or even fixes to existing code into the core results in nothing except for long drawn out fights.” MiaCMS now appears to have a good future backed by very strong developers especially with their recently announced merger with Aliro.

Where Does Mambo Appear to be Headed?

There are still 6 people who appear to have write access to the Mambo core project on their file repository, so I guess it’s not officially dead. That being said I doubt we’ll see another Mambo release. I’d like to see it revived, but politics and code rarely mix.

Full Disclosure

In the sake of giving a little context to who I am, I have served as a Mambo core team member on the 3rd Party Standards and Guidelines team. I also started mambo-hosting.com almost 6 years ago and it was the first company in the world dedicated to hosting Mambo sites. I have had components I’ve written in the top 5 most popular downloads at the old MamboServer site. I have a lot of personal history tied into this project and really am saddened to see it come to an end like this. The good news is Joomla and MiaCMS are both going strong and appear to have bright futures.

The Joomla team is hard at work on Joomla 1.6. We thought this would be a good time to think of features that one might want to see in this new version.

Here are some ideas we’d like to see:

• Improved ACL. I know they are working on this and it’s the big news of the new release, but it still deserves mentioning.
• Improved search with suggested terms. When you accidentally search for “wbesite” on google you get asked if you meant to search for “website”. I actually wrote a keyword system back in the Mambo 4.5 days that had this feature. It was easier in that system because I was just working with lists of keywords and not all possible words (and languages), but with new technologies and the skills of the developers this could be doable.
• Improved extension installation. WordPress really blows everyone away on this. Their automated installer can’t be beat with anything out there now and it would be nice to see Joomla take a step in that direction.
• Improved upgrading. Again, WordPress has done this one well. Their one-click upgrade is a thing of beauty (other than the reported bug) and to see Joomla with something like this would be amazing. And no more migrating to go to a new version, that should just be common sense.
• Complete code security audit. This would be incredibly expensive, I realize, and probably not in the budget of an open source system like Joomla, but the number of issues Joomla sees compared to other systems is unusual. This is certainly due in part to the fact that Joomla is one of the more widely used systems, but also in part to the coding. Too many Joomla releases are fixing medium or high level security issues.

So that’s what we’d like to see. How about you?

There is a great plugin called WP Security Scan that will check several possible security issues on your WordPress installation, automatically fix some, and let you fix others. After installation there will be a new link in the wp-admin sidebar called Security. Click that and you’ll get your recommendations.

Right now WP Security Scan covers:

-passwords
-file permissions
-database security
-version hiding
-WordPress admin protection/security

Future releases will also address:

*one-click change file/folder permissions
*test for XSS vulnerabilities
*intrusion detection/prevention
*lock out/log incorrect login attempts
*user enumeration protection
*.htaccess verification
*doc links

There is a possible error when using the automated upgrade tool to upgrade to WordPress 2.8.

The Problem

If you get far enough in the upgrade process that the archive has been downloaded from WordPress and extracted and then hit an error (like bad permissions) WordPress is supposed to delete the new files. Instead it appears that it deletes all the files rendering your blog unusable.

Should BuyHTTP Customers Worry?

Thanks to our fully managed ownership/permissions system you should not run into this issue. Upgrading our blog using the automated tool could not have been easier. If you do run into this issue, thanks to BuyHTTP Data Vault you can restore all of your files in a matter of a few minutes and be back up and running. Then you can run a manual upgrade.

Follow this bug: Trac ticket # 10140

Found via WPEngineer.

Several Joomla template designers (here and here) are announcing their plans to stop supporting IE6 in their designs by Jan 1st, 2010.

We certainly welcome this news and congratulate these developers. IE6 is way past it’s prime (if it ever had one) and with Windows 7 being released soon fewer and fewer people use it every day.

If you’re still using IE6 we recommend Firefox, or even upgrading to IE8 that’s been out for a while now.