Author Archives: forty

Two common WordPress plugins have been exploited

You have probably heard of Easy WP SMTP and Social Warfare and may even be using them. Vulnerabilities were found in each plugin which allowed hackers to compromise websites by creating administrative accounts and redirecting traffic. Updates for each plugin have been released: version 1.3.9.1 of Easy WP SMTP and version 3.5.3 of Social Warfare.

If you are using either or both plugins, please make sure to either disable the plugin or update it to at least the version(s) mentioned above. You will then want to check your site for additional administrative users that may have been created and remove them. If you find extra administrative users you did not create or your site is redirecting unexpectedly, please let us know and we’ll take a look!
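The two checks described above can be scripted against WP-CLI output. This is an added example, not code from the original post: the plugin slugs, the allowlisted login `siteowner` and the sample CSV are assumptions and constructed data.

```sh
#!/bin/sh
# Added example: fixed versions are from the post; slugs, allowlist and the
# sample CSV are assumptions / constructed data, not taken from a real site.

# version_lt A B: true when dotted version A is older than B (needs sort -V).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_plugins: reads `wp plugin list --fields=name,status,version
# --format=csv` output on stdin and prints each affected plugin that is
# still below the fixed release named in the post.
outdated_plugins() (
  while IFS=, read -r name status version; do
    case "$name" in
      easy-wp-smtp)   fixed=1.3.9.1 ;;   # assumed wordpress.org slug
      social-warfare) fixed=3.5.3 ;;     # assumed wordpress.org slug
      *) continue ;;
    esac
    if version_lt "$version" "$fixed"; then echo "$name $version"; fi
  done
)

# unknown_admins LOGIN...: reads `wp user list --role=administrator
# --fields=user_login,user_email,user_registered --format=csv` output on
# stdin and prints administrators whose login is not among the arguments.
unknown_admins() (
  while IFS=, read -r login email registered; do
    if [ "$login" = "user_login" ]; then continue; fi   # header row
    known=no
    for expected in "$@"; do
      if [ "$expected" = "$login" ]; then known=yes; fi
    done
    if [ "$known" = no ]; then
      echo "$login $(printf '%s' "$registered" | tr -d '"')"
    fi
  done
)
# Constructed sample output (not from a real site).
SAMPLE_PLUGINS='name,status,version
easy-wp-smtp,active,1.3.9
social-warfare,active,3.5.3
akismet,inactive,4.1.1'
SAMPLE_ADMINS='user_login,user_email,user_registered
siteowner,owner@example.com,"2017-06-01 09:30:00"
wpsupport01,x@example.net,"2019-03-21 04:12:55"'
printf '%s\n' "$SAMPLE_PLUGINS" | outdated_plugins
printf '%s\n' "$SAMPLE_ADMINS" | unknown_admins siteowner
```

On a live site, pipe the real `wp plugin list` and `wp user list` output into the two functions in place of the sample variables, passing every administrator login you expect as an argument.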

If you are redirected from your site to a page that looks like warnings, errors, or other messages from your Operating System, do not click any of the links and exit the page.

More information about the exploit can be found at:

https://arstechnica.com/information-technology/2019/03/two-serious-wordpress-plugin-vulnerabilities-are-being-exploited-in-the-wild/

As always, please do not hesitate to reach out if you have any questions, especially when site vulnerabilities are involved!

BCH Managed WP Services FAQ

If you were part of our beta testing this past summer, you already know the wonder that is our BCH Managed WP Service. Let us manage those mundane WordPress tasks for you! From offsite backup management to extra security scans, let us worry about the nitty gritty so you can focus on content creation and interacting with visitors.

Here are some common questions regarding our BCH Managed WP Services, but if you don’t see a specific answer here, let us know!

If we don’t use this plugin, will we not have backups of our site(s)?

We do take backups for disaster recovery, however, they should not be relied upon as a viable backup solution as they may not include everything from your site. Depending on how far back or what day you need to restore from, we may not have that specific day or timeframe available.

Per our terms of service, backups are the customer’s responsibility:

Courtesy Services for Customers
All services such as backup and cPanel are provided for the courtesy of the subscriber. It is the sole responsibility of the subscriber to maintain the subscriber’s own backup of any data. Black Chicken Host is not responsible for lost data or for lost data due to third-party software that is not maintained by Black Chicken Host staff (cPanel, Softaculous, WordPress, et cetera, are not associated with Black Chicken Host.).

With WordPress, there are many backup plugins that you can use to back up your site either locally on the server in your account or they can even be sent to a remote location like Dropbox, Google Drive, or other locations. If you are interested in using a different backup plugin/solution, you are definitely more than welcome to choose that option. While we wouldn’t be managing that plugin/solution, we can definitely assist with any questions you may have regarding it and get you pointed in the right direction.

What is the fee for these services?

The pricing of these services can be found on the BCH Managed Services product page.

Don’t forget to check the “Bundled Savings” category for occasional savings!

How many backups are retained?

Backups are stored for 90 days, so the answer to this depends on what backup schedule you choose. For example, if you choose daily backups, you will have 90 backups available. If you choose 4x daily backups, 360 restore points from the past 90 days will be available for restoration.

What if I need a backup restored?

Open a ticket and let us know! We’ll get the backup restoration started and let you know when it’s complete.

What does the security scan do?

The security scan checks for various malware and exploits, and also checks whether your domain is on any blacklists. If anything is found, you can receive a notification.

What is updated with the updates service?

In short: everything. You can choose to update all or only some plugins or themes. The WordPress software itself is a yes or no. There is also a great feature that will roll back an update if an issue is detected.

How is this all performed?

We utilize a very small plugin that we can actually hide from your list of plugins in the administration area of your site. Out of sight, out of mind! Let us manage the software so you can create more content!

As always, let us know if you have any questions about our BCH Managed WP Service by emailing us at support@blackchickenhost.com.

PHP 7 and why you should be using it

New and Improved PHP

The long-awaited next version of PHP, version 7.0, was released at the end of 2015 and has since been receiving regular updates. This new version brought amazing speed and new features with it. Because it was released over three years ago now, PHP 7.0 itself is actually nearing End of Life status (this means it will not receive updates in any capacity), and PHP 7.3 or 7.2 are the preferred versions of PHP to have your site use.

The life-cycle of PHP can be found here:

https://secure.php.net/supported-versions.php

The graph from the PHP link above can be translated into this easier to read/understand text:

  • 5.6 stopped receiving Security Support at the end of 2018
  • 7.0 stopped receiving Security Support at the beginning of December 2018
  • 7.1 received regular updates until the beginning of December 2018 and will continue to receive Security Support until the beginning of December 2019
  • 7.2 will receive regular updates until the beginning of December 2019 and Security Support until the beginning of December 2020
  • 7.3 will receive regular updates until the beginning of December 2020 and Security Support until the beginning of December 2021

While versions 5.6 and 7.0 recently received critical security updates, your sites really should be using PHP 7.3 or, if not, PHP 7.2. PHP 7.3 is available on both cPanel and WordPress Only hosting platforms!

There have been some new features added, some things taken away (for good reason), and it’s wicked fast. As PHP 5.6 and 7.0 support ended recently, and 7.1 support ends at the end of the year, we would like to start getting everyone switched over to at least 7.2 or preferably 7.3.

How to Update PHP for Your Site on cPanel

There are a couple of ways you can get the PHP version for your site changed. If you or your developer would like to handle this all yourself, you can change the PHP version using the MultiPHP Manager in your cPanel account. In the search box at the top of your cPanel account, search for “MultiPHP Manager” and click the resulting icon. Now, it’s all on a site-by-site basis, so you will need to change each site to a new version of PHP. You can click the checkbox to select all and mass change them or go one-by-one and then test the site to ensure it still functions as expected.

The second option would be to have us switch the versions for you. We can do this site-by-site or all at once. If you would like to schedule this change, please visit the following URL and sign up for a timeslot, adding the domain(s) you want to be switched into the “additional info” box:

https://calendly.com/bch-status/30min

We will switch the PHP version to 7.3 and make sure the site(s) load and click a few links to see that they still work. If there are any issues, we will try 7.2, 7.1, or 7.0 if needed, and failing that change, switch you back to PHP 5.6. Once we’ve finished the testing, we’ll send you an email letting you know the outcome of the change. At that point, we highly encourage you to test all facets of your site to ensure that they function as expected. After all, you know your site best!

If there are any issues, it’s likely going to be due to a plugin that either needs to be updated within your site or the developers need to push out an update. Either way, we’ll make sure you have all the needed information to move forward.

How to Update PHP For Your Site on WordPress Only

If you are using our WordPress Only product, please visit the following URL and sign up for a timeslot, adding the domain(s) you want to be switched into the “additional info” box:

https://calendly.com/bch-status/30min

We will switch the PHP version to 7.3 and make sure the site(s) load and click a few links to see that they still work. If there are any issues, we will work our way down to a version that works with your site. Once we’ve finished the testing, we’ll send you an email letting you know the outcome of the change. At that point, we highly encourage you to test all facets of your site to ensure that they function as expected. After all, you know your site best!

If there are any issues, it’s likely going to be due to a plugin that either needs to be updated within your site or the developers need to push out an update. Either way, we’ll make sure you have all the needed information to move forward.

PHP Compatibility Checker

This plugin can be used to scan your site for potential issues with PHP 7+. It does rely on wp-cron to be functioning properly or else the scan can get stuck. While this plugin is written to detect as many problems as accurately as possible, 100% reliable detection is very difficult to ensure. Please note that this is a third-party plugin (not provided by BCH) that we found to help aid you in the transition from PHP 5 to PHP 7.

https://wordpress.org/plugins/php-compatibility-checker/

There is an option to scan only active themes and plugins which would help the scan complete sooner. Though, if you have any inactive plugins that you intend to use, you should scan them as well. Any plugins you do not plan to use should be removed (bonus: this helps save on disk space!).

If any questions arise about the version change process, PHP in general, or whatever else, please don’t hesitate to open a ticket with support@blackchickenhost.com.

Bandwidth Usage and Review

What bandwidth is and what bandwidth isn’t.

Have you run out of, or are you getting close to, your bandwidth limit for the month, but Google Analytics doesn’t show much traffic or page views? This is possible for a couple of reasons:

  • Google Analytics doesn’t track files like images being directly requested, and
  • bandwidth and traffic/page views are not the same.

Bandwidth is one of those confusing, misunderstood terms that we want to provide clarification about so you can better understand your hosting package. I think first explaining what bandwidth is not will help clarify what it is. Bandwidth is not:

  • page views
  • amount of traffic

Bandwidth is the amount of data, usually expressed in megabytes or gigabytes (MB or GB), sent by the server to the end users requesting your site. If you have a small file like an image, .5MB in size, and it’s requested directly 2000 times, you’ll have used 1,000MB (1GB) of bandwidth. If you have a large file like a PDF, 5MB in size, and it’s requested 2000 times, you’ll have used 10,000MB (10GB) of bandwidth.

“That’s great about individual files, but what about when someone loads my actual site?”

Great question! Same concept as above. If your site ends up being 3MB in size once all resources are sent/loaded and your site is requested 3,000 times, you’ll have used 9,000MB (9GB) of bandwidth. There are many things that can be done to help reduce bandwidth usage, such as compressing files before they are sent to the end user and forcing their browsers to cache various files. We’ll go into this more in another article about site caching.

“How can I view my actual bandwidth usage if Google Analytics isn’t tracking individual files?”

cPanel has a great tool called Awstats, which is our preferred method of reviewing bandwidth. In your cPanel account, type Awstats in the top search bar and click the icon. Here you’ll see your various sites separated by SSL and non-SSL reports. If you have all your traffic routed to SSL (https), you’ll want to select that report. All this data comes directly from the server logs, unlike third-party tools, which don’t have access to the server logs and do their reporting differently.

The first thing you’ll want to look at is the Monthly history. This shows how much bandwidth you’ve used on a monthly basis. Next are the days of month, days of week, and even hours. The other two sections we use most often are the File type and Downloads. If there is an excessive amount of bandwidth being used, it’s usually obvious in these sections that there is a specific file, such as a popular video or image that’s going viral, or type of file, such as images in general, which can happen with a site that is image heavy.
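The same per-file and per-type totals can be computed straight from an access log, which helps when confirming what a report shows. This is an added example, not part of the original post or of Awstats: it assumes Apache "combined" log format, and the log lines are constructed.

```sh
#!/bin/sh
# Added example; the log lines below are constructed (Apache "combined" format).

# bandwidth_by_file: access log on stdin -> "BYTES PATH", largest first.
# Query strings are dropped so /a.pdf?dl=1 and /a.pdf count as one file;
# responses without a byte count ("-", e.g. a 304) add nothing.
bandwidth_by_file() {
  awk '{ path = $7; sub(/\?.*/, "", path)
         if ($10 ~ /^[0-9]+$/) bytes[path] += $10 }
       END { for (p in bytes) printf "%.0f %s\n", bytes[p], p }' |
    sort -k1,1nr -k2,2
}

# bandwidth_by_type: same input -> "BYTES EXTENSION", largest first.
bandwidth_by_type() {
  awk '{ path = $7; sub(/\?.*/, "", path)
         n = split(path, part, "/"); file = part[n]
         ext = "(none)"
         if (file ~ /\./) { ext = tolower(file); sub(/.*\./, "", ext) }
         if ($10 ~ /^[0-9]+$/) bytes[ext] += $10 }
       END { for (e in bytes) printf "%.0f %s\n", bytes[e], e }' |
    sort -k1,1nr -k2,2
}

# Constructed sample: two 5MB PDF downloads, one 0.5MB image, one page load,
# and one 304 response that transfers no body.
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2019:10:00:00 +0000] "GET /wp-content/uploads/guide.pdf HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Mar/2019:10:00:05 +0000] "GET /wp-content/uploads/guide.pdf?dl=1 HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:10:01:00 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 524288 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2019:10:02:00 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 304 - "-" "Mozilla/5.0"'

printf '%s\n' "$SAMPLE_LOG" | bandwidth_by_file
printf '%s\n' "$SAMPLE_LOG" | bandwidth_by_type
```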

In short, bandwidth is the amount of data, not page views, being transferred from the server. If you have any questions about lowering your bandwidth usage or interpreting Awstats information, please feel free to open a ticket so we can perform a review of your site.

Upcoming SSL Changes to Google Chrome

New labeling for http sites

Starting in July 2018, Google Chrome will be marking all http sites as “Not secure”, something you may have already seen on some sites. When you request a site with http rather than https, your connection is not secure and therefore vulnerable to malicious activity. Google is trying to move the web towards a secure (https) web by default and marking http sites as “Not secure” is part of that process. More information about the upcoming changes can be found in this Venture Beat post.

What does this mean for you?

In short, if your site doesn’t have an SSL certificate, it will be marked as “Not secure”. Currently this is only happening for sites that contain password fields and/or take credit card information, but will soon apply to your site. This doesn’t have to happen though! We can help secure your site! We have a variety of SSL certificates but the CP SSL product is the best value. It will cover all domains and subdomains on your cPanel account.

If you’re using our WordPress Only product, you get free certificates included! If you don’t have one yet or aren’t sure if it’s enabled, just let us know and we’ll check!

Post SSL Installation

Once we install the SSL certificate, the site needs to be converted over to https, meaning all references to http will be changed over to https. Every image, script, and other link needs to be changed over. For WordPress sites (99.99% of what our customers use), we use the WordPress command line tool to make these changes. We’ve had great success with this method.

Please let us know if you have any questions or would like assistance getting your site set up with an SSL certificate!