bbPress Security Vulnerability Fixed With 2.6.5


If you are using the popular WordPress plugin bbPress, please update the plugin to the latest version, as versions 2.6.0 to 2.6.4 contain a serious vulnerability.

Many of our customers use bbPress to create online forums on their WordPress-powered websites.

The discovered vulnerability allows unauthenticated users to escalate their privileges and become an administrator or moderator.


Once the intruder gains access as an administrator, he or she can add or remove posts, topics, and entire forum sections.

He or she can manage the website settings, including internal spam protection.

This can obviously lead to data loss, or to the disclosure of sensitive information contained in a forum's private sections.


The vulnerability lies in the callback function bbp_user_add_role_on_register, which handles the register_new_user event and therefore runs every time a new user registers.

The function lives in bbpress/includes/users/signups.php.

bbp_user_add_role_on_register blindly uses the value of the bbp-forums-role POST parameter without any validation, so the role a new user receives is whatever the registration request asks for.

With these privileges, attackers can gain access to protected data and do whatever they want on the forum.


Our security rules have been updated to prevent bbPress users from exploiting the vulnerability, while at the same time avoiding false positives.

Please update at once, as the bbp_user_add_role_on_register issue has been fixed in version 2.6.5, which is now available on production systems.

It now includes validation logic that ensures only an administrator can grant users such privileges.

When granting such privileges, remember the principle of least privilege which states "that a subject should be given only those privileges needed for it to complete its task".

If a subject does not need an access right, the subject should not have that right.

Further, the function of the subject (as opposed to its identity) should control the assignment of rights. If a specific action requires that a subject's access rights be augmented, those extra rights should be relinquished immediately upon completion of the action.
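To make the two passages above concrete (the flawed registration callback and the least-privilege rule that the function of the actor, not the identity of the subject, should decide rights), here is an added example written for this page. It is not bbPress's own code and not the 2.6.5 patch; the hook name register_new_user and the field name bbp-forums-role come from the text above, while the `example_*` function names are assumptions of this illustration. It uses the WordPress functions `add_action`, `current_user_can`, `wp_unslash` and `sanitize_key`, and the bbPress helpers `bbp_get_dynamic_roles`, `bbp_get_participant_role` and `bbp_set_user_role`.

```php
<?php
/**
 * Added example (not bbPress's own code): two versions of a registration
 * hook that assigns a forum role. The first reproduces the class of flaw
 * described above (trusting a client-supplied role name). The second puts
 * the decision in a pure function that applies least privilege and gates
 * any elevated role on the capability of the acting user.
 */

// BEFORE: the request decides the role. Anyone who can submit the
// registration form can name any role and receive it.
function example_vulnerable_add_role_on_register( $user_id ) {
    if ( ! empty( $_POST['bbp-forums-role'] ) ) {
        bbp_set_user_role( $user_id, sanitize_key( wp_unslash( $_POST['bbp-forums-role'] ) ) );
    }
}

/**
 * Pure policy function, so it can be exercised without WordPress loaded.
 *
 * @param string $requested   Role name taken from the request (may be '').
 * @param array  $allowed     Role names the forum actually defines.
 * @param string $default     Least-privileged role every new user gets.
 * @param bool   $can_promote Whether the acting user may assign elevated roles.
 * @return string             The role that will actually be assigned.
 */
function example_resolve_registration_role( $requested, array $allowed, $default, $can_promote ) {
    // Nothing requested, or a role name the forum does not define: least privilege.
    if ( $requested === '' || ! in_array( $requested, $allowed, true ) ) {
        return $default;
    }
    // The default role is always acceptable. Anything above it is granted
    // only when the actor holds the promoting capability, regardless of what
    // the new user claims about themselves. During self-registration there
    // is no logged-in actor, so $can_promote is false and we fall back.
    if ( $requested === $default || $can_promote ) {
        return $requested;
    }
    return $default;
}

// AFTER: the hook only wires WordPress/bbPress state into the policy.
function example_hardened_add_role_on_register( $user_id ) {
    $requested = isset( $_POST['bbp-forums-role'] )
        ? sanitize_key( wp_unslash( $_POST['bbp-forums-role'] ) )
        : '';
    $allowed = array_keys( bbp_get_dynamic_roles() );   // roles bbPress knows about
    $role    = example_resolve_registration_role(
        $requested,
        $allowed,
        bbp_get_participant_role(),                      // least-privileged default
        current_user_can( 'promote_users' )              // false for anonymous self-registration
    );
    bbp_set_user_role( $user_id, $role );
}

// Register the hardened handler only when running inside WordPress, so this
// file can also be loaded stand-alone to exercise the policy function.
if ( function_exists( 'add_action' ) ) {
    add_action( 'register_new_user', 'example_hardened_add_role_on_register' );
}
```

The point of splitting out `example_resolve_registration_role` is that the security decision depends on three facts you control (the defined role list, the default role, and the actor's capability) and on one fact you do not (the requested role). An unknown or elevated role requested by an anonymous registration collapses to the default, which is exactly the behaviour the 2.6.5 validation is described as restoring.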

Web Application-Specific Firewall Released

To maximize Web Application Firewall effectiveness (covering as many attacks as possible) while minimizing false positives, our WAF has been automated to be more accurate.

This web application firewall auto-configurator generates a set of rules on a per-domain basis, taking into consideration the content management system (WordPress, Joomla, etc.) that you install on the website.

It works in the background, scanning domains for the installed CMS each day.

Once it is done, it completely rebuilds the configuration based on the detected software.

The main benefit of this feature is a complete reduction in false-positive hits caused by rules designed for applications that aren't installed on the website.


For now, this feature is limited to customers in Portland, Oregon using the hostname: west.cpanel.


Malware Scan on Demand Now Available In Your cPanel

Over the past several months, we have been inundated with feature requests from our enterprise customers for a way to enable the scan action in cPanel so that developers can run a scan at any time on their own.

Today, we are happy to announce that, as part of our test case, customers in the Oregon region using the hostname west.cpanel now have access to this option.

  • Configurable options to enable/disable the Scan action in the UI.
  • Extended real-time scan folder list.
  • Enhanced coverage of the real-time scanner, including a user's home directory and everything it encloses.

Please note that this is still a beta feature.

So while extensive testing has been done, do let us know if you run into any issues that may have been caused by using this feature.

Customers wishing to take advantage of this may request migration from an existing region to Oregon.

CodeGuard Automated Backup Pricing Lowered

Yes, we do back up your data.

But we do this randomly, on certain days every week.

What happens if your data is compromised and you had put in tons of work the day before this happened?

If you ask us for a backup (which, by the way, is free up to 3 GB), what we have for you may be a week out of date.

We also do not back up suspended accounts.

Enter CodeGuard.

CodeGuard is a fast, reliable website backup service built for rock-solid reliability and durability and protected with AES-256 server-side encryption.

With CodeGuard automated daily backups, you can recover deleted files and overwritten files, and if a site is hacked, the system will replace it with the clean version.

And there is more.

With CodeGuard, you will get:

  • self-service protection for recovering from accidental deletions and file overwrites.
  • 1-click restore that saves you time and heartache by getting your site back to where it was before the issue occurred.
  • built-in automated WordPress management that covers WordPress plugins and auto-recovery on update failure.
  • a website time machine where every backup is timestamped, allowing you to roll your site back on demand to any point in time.
  • file change alert monitoring that monitors changes to your website and alerts you when any change occurs.
  • simple and straightforward pricing where you pay only for the amount of backup storage disk space you need.


We have seen a rapid adoption of this product by over 56% of our total customer base.

To encourage more customers to use this service, we are lowering pricing for all CodeGuard products by 30% for monthly terms and by 70% for annual subscriptions, effective immediately.

You can view our current pricing at https://dashboard.webhostingmagic.com/cart.php?gid=6

PayPal Removal, cWatch and SitePad Website Builder

PayPal


To better protect ourselves against fraudulent transactions, we are removing PayPal as a payment method.

This comes as we have discovered, through not-so-pleasant experiences, that PayPal is more keen on protecting these criminals than on the interests of the businesses it serves.

Customers using it will have to switch to another method that we support.

For active users, this process only requires activating the desired payment method at the Web Hosting Magic customer dashboard via https://dashboard.webhostingmagic.com/account/paymentmethods

We support:

  • Credit and Debit Cards
  • SEPA Direct Debit
  • SOFORT
  • Giropay
  • Apple Pay


and will be adding Alipay and WeChat Pay soon.

If you are unable to effect this change yourself, please let our account team know.



cWatch


While our systems are built for active website protection, we also believe in giving customers the chance to actively participate in the security of their websites, web servers, and web applications.

Customers can choose to use either SiteLock or cWatch, which we recently added as an additional option.

Comodo cWatch Web is a 24/7 managed security service (MSS) that runs on Comodo's high capacity cloud.

It uses a Content Delivery Network (CDN) to host the protection/detection software on geographically distributed servers around the globe.

There are many security delivery advantages to this architecture including:

  • the ease of deployment
  • agility in keeping up with an ever-changing threat landscape
  • DDoS mitigation
  • and website traffic acceleration


To learn more about cWatch, visit https://webhostingmagic.com/cwatch-sectigo.html

WARNING: Please do not use SiteLock and cWatch together as doing so may give you more grief than help. Decide on what to go with, and stick with it.



SitePad



SitePad Website Builder is now available on your cPanel.

For regions where we haven't rolled this out, it will be before Friday, the 21st of February, 2020.

SitePad is a drag-and-drop website builder with 354 Professional themes that cover a wide range of categories like blog, business, portfolio, restaurants, travel, etc.

It has 40+ widgets like image/video slider, image galleries, rich text, video, audio, service box, Google maps, contact form, social media and many more that you can add to your website.

SitePad publishes static files (HTML, CSS, JS) to your web hosting account.

And as you may know, static content (compared to a PHP website) is served faster, which means that your website loads super-fast.

SitePad is intended for developers who want to deliver a website super-fast either to their customers or to themselves.

For customers with minimal coding skills or website management experience, it is really easy to create any website of your choice without knowing much about the intricacies of how a website works.



Access SitePad Website Builder from cPanel

SitePad is enabled by default in Softaculous, so you can find a link to SitePad Website Builder in the left panel just below the search box.

Click on that link and it will take you to the overview page which will show the features of SitePad.

Click on the Get Started button which will redirect you to the SitePad editor server.



Choose a Theme

Once you are redirected to the SitePad editor server you will need to choose a theme for your website.

You can choose from 354 professional themes that cover a wide range of categories like blogs, music, business, portfolio, restaurants, travel, etc.

All the themes are fully-responsive so your website will work across all devices.



Start editing your website with drag & drop editor

After choosing a theme the default pages will be populated with demo content.

With the help of 40+ widgets like image/video slider, image galleries, rich text, video, audio, service box, Google Maps, contact form, social media buttons, etc., you can start editing the content and adding images, videos and text.

You can also create new pages as needed.



Publish your website

Once your website is ready, just click on the Publish button.

This will transfer static files i.e. HTML, CSS, JS to your web hosting account i.e. cPanel.

The final website will be hosted on your web server and since the files are static your website will load much faster as compared to a PHP website.

You can see how to use SitePad by visiting https://dashboard.webhostingmagic.com/knowledgebase/17/SitePad-Website-Builder

Our documentation team will be able to add all guides and tutorials to this URL before the end of this week.

Thank you.

You Can Now Use Old PHP Version For Your Website

When a new account is provisioned on our system, it defaults to the latest upstream-supported PHP version.

At the time of this publication, the latest is PHP 7.3.

Latest PHP versions are optimized:

- to make your website twice as fast as before,
- to make the maintenance of large pieces of code by multiple developers significantly easier,
- and to give you the ability to write more robust applications by detecting early programming mistakes caused by passing values of the wrong types to and from functions.

But we know that each customer is uniquely different.

And each has a different set of business needs that he or she is trying to solve.

One of the issues that 18% of our customer base (often developers) run into is how to keep applications running on old, unsupported PHP versions online while they work behind the scenes to upgrade their code.

To help with this challenge, we do offer multiple versions of PHP that a customer can select from.

When hosting your website or application with us, you can select and switch between PHP 4.4, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, and 7.0, 7.1, 7.2, 7.3 and whatever version that comes after these.

These unique needs also extend to the PHP extensions that a customer wishes to use to optimize his or her web application.

That is why we also provide over 120 different PHP extensions that you can select from, giving you even greater control over how you use PHP.

Our systems also ensure that each of these PHP versions is updated promptly to keep websites secure and website visitors happier.

Please note that the hosting packages that will enable you to run these upstream-unsupported PHP versions are uniquely different from our normal hosting packages.

If you are a new customer and wish to start off with these, all you have to do is to visit https://dashboard.webhostingmagic.com/cart.php?a=add&pid=6

The hosting plan gives you everything you need to host old PHP versions securely and at scale.

If you are an existing customer with a website that needs to run old PHP, you can easily add this package to the new account.

We are always looking for ways to serve you better.

So please do let us know if there is a feature that you would want to see by visiting https://webhostingmagic.com/feature-request.html

A Happy & Successful 2020 Hosting Discount

Phew!

Can you believe it?

It's already the 7th of January 2020.

And before you know it, it is 7th of December.

That's why, in addition to wishing you a great year ahead, we are throwing in a huge new year's hosting discount you can use to get your business website up and running.

Take a moment to get started now by claiming this offer.

Find a plan that works for you before the coupon runs out.

Visit https://dashboard.webhostingmagic.com/cart.php?gid=1 and use the coupon code SUCCESS2020 when checking out.

Your Application Is Moving To PHP 7.3

PHP 7.3 is now a fully production-ready stack.

All major PHP frameworks have released new versions that take full advantage of the features offered by PHP 7.3 hosting.

After extensive testing to ensure complete compatibility of the integration with our hosting platform, our engineers have finalized the availability of PHP 7.3 on the platform and will be setting PHP 7.3 as default on all systems.

This means that while you may still retain the ability to select the upstream PHP supported version you want to use, any newly installed application will default to 7.3.

Moreover, the implementation may also upgrade existing applications to use 7.3.

If you are unable to switch from 7.3 to 7.2 or vice versa, please notify us so we can adjust that for you.

You can visit https://www.php.net/manual/en/migration73.php for the migration guide, the new features, the backward-incompatible changes and the deprecated features.

While doing this, please note that PHP 7.4 (the next PHP 7 minor release), is expected to be released to the General Availability on November 28th, 2019.

If you notice issues with your application after the upgrade, please:

=============

Log into your cPanel server and visit Software >> MultiPHP INI Editor.

Select the location that you wish to configure from the menu.

You can edit either the account's home directory or the domain's document root.

The PHP directives will appear.

Look at the "session.save_path" directive, which shows you where your server stores the session files that PHP creates.

Ensure that it is 7.3 and NOT 7.2, then save.

The system saves changes to the php.ini file, the user.ini file, and your .htaccess file.

=============

Please do this for every website/application that is under your hosting account.

If you want to host an old PHP version, do not select or use ALT-PHP on normal web hosting packages.

Visit https://webhostingmagic.com/old-php-version-hosting.html for more information and use the hosting package found at that location.

If you are using our HardenedPHP packages to host your application running old PHP, you don't need to make these changes.

But please do check your cPanel's MultiPHP INI Editor to ensure that everything is the way you intended it to be.

Our beta users will continue testing our stacks/applications with PHP 7.4.

Thanks!

Host A cPanel Powered Website In Portland, Oregon

Web Hosting Magic is delighted to announce the launch of our energy-efficient data-center in Portland, Oregon.

It means that you can now start hosting your website in Portland.

Portland (Oregon’s largest city) sits on the Columbia and Willamette rivers, in the shadow of snow-capped Mount Hood.

It’s known for its parks, bridges and bicycle paths, as well as for its eco-friendliness and its microbreweries and coffeehouses.

Iconic Washington Park encompasses sites from the formal Japanese Garden to Oregon Zoo and its railway.

The city hosts thriving art, theater, and music scenes.

Portland's numerous advantages for data centers include a growing technology sector, a lower seismic threat, aggressive tax incentives, and the fact that it is one of the best locations for reaching customers in the western United States if you are based in Asia or Canada.

We are excited to be opening this new space and to further expand our presence in the years to come.

If you have projects that require this location or wish to take advantage of this location, please let our Infrastructure and Migration team know.

We will do our best to help you host your websites and applications in the beautiful city of Portland.

Existing customers who wish to move their account to this region will require a slight DNS modification, but done right, the change will be barely noticeable on your website.

We Have Rolled Out New cPanel Features With 80

Web Hosting Magic has rolled out to our cPanel customers the exciting new features and improvements that came with cPanel version 80.

One-Click HTTPS Redirection of Websites

The importance of having an SSL certificate for the services and websites on your server cannot be overstated.

It is for this reason that, when you create a new website with Web Hosting Magic or migrate your websites to our system, we install an SSL certificate for that website automatically.

However, there are times when resources on such a website may not have been configured to be served via HTTPS.

Since "how do I redirect traffic to the secure or HTTPS version of the URL" has been one of the most common support requests we get from our cPanel end-users, we have added a new feature to make that redirection even easier.

Our server upgrades to cPanel version 80 bring a Force HTTPS Redirect toggle to cPanel's Domains interface at cPanel >> Home >> Domains >> Domains.

In the Domains interface in cPanel (Home >> Domains), there’s an option to enable Force HTTPS Redirection from the insecure version (HTTP) to the secure version (HTTPS) with a toggle switch.

When enabled, it automatically redirects website visitors who attempt to access the insecure version of a website (HTTP) to the secure version (HTTPS).

This information is stored in the account’s userdata files (/var/cpanel/userdata), and the redirection is built into the domain’s vhost configuration.

No more messing around with your .htaccess file, dealing with the risk that comes with editing it manually, or using WordPress plugins to redirect resources to HTTPS.

Please note that you can only enable redirection on main domains that also possess a valid SSL certificate.

Aliases (aka Parked Domains) will inherit their redirection status from their parent domain.

cPanel API Tokens

We added the Manage API Tokens interface to cPanel allowing cPanel users to issue API tokens.

Hosting resellers and third-party developers can now use these tokens to authenticate as the cPanel user and issue API calls.

You can find this at cPanel >> Home >> Security >> Manage API Tokens.

SpamBox for new cPanel accounts

We have added a feature that simplifies the process of preventing spam in users' inboxes.

Each newly created account now has this enabled by default.

This makes the process of keeping spam out of your users' inboxes much easier.

Plus addressing mailbox creation

Our cPanel users can disable automatic mailbox creation for plus addressing in the Email Accounts interface found at cPanel >> Home >> Email >> Email Accounts.

The server still delivers plus address messages to the proper mailbox. The Automatically Create Folders setting only affects mailbox creation.

Webmail Roundcube Calendar

The Roundcube webmail interface, found at Webmail >> Home >> Roundcube, now ships with an internal calendar.

Roundcube's database stores the internal calendar's data.

As a cPanel customer, you can also add a CalDAV calendar to your Roundcube account.

Improved password strength check algorithm

The password strength check algorithm has now been improved to return lower scores for passwords containing common dictionary words.

Using dictionary words as a password is a very bad idea, as the dictionary is often the first place password crackers start.

This feature allows you to define minimum strengths for passwords for all of cPanel & WHM's features that require password authentication.

The system rates password strength on a scale of 0 to 100, where 100 represents a very strong password.
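cPanel's actual scoring algorithm is not described on this page, so the following is an added illustration written for it, not cPanel's code. It shows the idea behind the improvement: a scorer on the 0 to 100 scale mentioned above whose estimate of guessing effort collapses when the password is built around a dictionary word, even when that word is dressed up with digits, symbols or leet-speak substitutions. The word list, the `example_*` function names and the scaling constants are all constructed for this example.

```php
<?php
/**
 * Added example (not cPanel's algorithm): a 0..100 password strength scorer
 * that penalises common dictionary words, including padded and leet-spelled
 * variants such as "P@ssw0rd2020!".
 */

// Constructed, deliberately tiny word list. A real checker would load a large
// dictionary and a breached-password list from disk.
const EXAMPLE_DICTIONARY = array( 'password', 'summer', 'welcome', 'dragon', 'portland', 'magic' );

// Undo common leet-speak substitutions so "P@ssw0rd" still matches "password".
function example_normalize_for_dictionary( $password ) {
    $map = array(
        '@' => 'a', '4' => 'a', '3' => 'e', '1' => 'i', '!' => 'i',
        '0' => 'o', '$' => 's', '5' => 's', '7' => 't',
    );
    return strtr( strtolower( $password ), $map );
}

// Return the longest dictionary word (4+ letters) found inside the normalized
// password, or '' when none is found.
function example_find_dictionary_word( $password, array $dictionary ) {
    $norm = example_normalize_for_dictionary( $password );
    $hit  = '';
    foreach ( $dictionary as $word ) {
        if ( strlen( $word ) >= 4 && strpos( $norm, $word ) !== false && strlen( $word ) > strlen( $hit ) ) {
            $hit = $word;
        }
    }
    return $hit;
}

// Score on a 0..100 scale: 0 for empty, 100 for an estimate of roughly 80 bits
// of guessing effort or more (the 80-bit ceiling is a constructed choice).
function example_password_score( $password, array $dictionary = EXAMPLE_DICTIONARY ) {
    $len = strlen( $password );
    if ( $len === 0 ) {
        return 0;
    }

    // Count character classes actually used; at least one always matches.
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^A-Za-z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    // Alphabet size implied by the classes used: lower, +upper, +digits, +symbols.
    $alphabet = array( 1 => 26, 2 => 52, 3 => 62, 4 => 94 );
    $bits_per = log( $alphabet[ $classes ], 2 );

    // Naive estimate: every character is a random draw from that alphabet.
    $bits = $len * $bits_per;

    // Dictionary penalty: a matched word is one guess from a word list, not a
    // run of random characters, so only the leftover characters earn entropy
    // and the word itself is credited with a small fixed amount.
    $word = example_find_dictionary_word( $password, $dictionary );
    if ( $word !== '' ) {
        $leftover = max( 0, $len - strlen( $word ) );
        $bits     = $leftover * $bits_per + 8;
    }

    $score = (int) round( $bits * 100 / 80 );
    if ( $word !== '' ) {
        $score -= 20;   // flat penalty so word-based passwords never look strong
    }
    return max( 0, min( 100, $score ) );
}
```

With this scorer, "P@ssw0rd2020!" normalizes to "passwordeoeoi" and matches "password", so only the five padding characters earn entropy and the flat penalty applies; a random string of the same length and character classes keeps its full estimate. The structure, rather than the constants, is the takeaway: dictionary detection has to run on a normalized form, and the match should reduce the estimated search space instead of merely subtracting a few points from an otherwise length-driven score.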
