DSA Media News and Information

TimThumb Vulnerability

** Outdated Post **

In August 2011 a major vulnerability was found in the TimThumb image resizing script. This script is used on many websites and is also bundled with many commercial WordPress themes and some plugins.

The script was updated and secured soon after the vulnerability was found; however, we have recently been made aware of a second theme on our server that was still using the vulnerable code. Thankfully our security scanner picked up an attempt to upload a virus via the exploit and quarantined it, and the theme has now been upgraded by the site owner.

However, this highlights the fact that site owners need to be more active in keeping their plugins and themes up to date. Modern WordPress themes can contain just as many potential exploits as plugins can, and must be kept up to date at all times. Often the reason for not upgrading a theme is that modifications have been made to an off-the-shelf theme; this should not be a reason to leave a potentially insecure theme running. If you need to make code modifications to a theme then you should be using a child theme instead, which leaves your main theme untouched and allows you to keep upgrading it as soon as new versions are released.

So we are asking all hosting clients to check their sites, and if they have the TimThumb script running (note that this is not WordPress-specific) then please ensure it is updated to the latest version. If you are running a WordPress site, please ensure all themes, whether in use or not, are always kept up to date with the latest release.

To help with keeping on top of updates we recommend that you install and use the WP Updates Notifier plugin, which will email you as soon as an update is available for the core files or for any plugin or theme from the WordPress repository. However, it will not notify you about themes or plugins that are not available on the WordPress website, so you will still need to make regular checks to ensure any updates are carried out as soon as possible.
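An audit script for the check requested above, written as an added example (it is not DSA Media's tooling and not part of TimThumb itself). It walks a web root, including themes that are installed but not active, finds every copy of the script and reads the version it declares. It assumes the file is named timthumb.php or thumb.php and declares its version with define('VERSION', ...), which is how the TimThumb source does it; MINIMUM_VERSION is a placeholder you set from the TimThumb release notes, and the sample tree it builds is constructed for demonstration.

```python
"""Find copies of TimThumb under a web root and report any below a minimum version."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Placeholder: take the real value from the TimThumb release notes, not from this example.
MINIMUM_VERSION = "0.0.0"

# File names the script is commonly stored under (assumption for this example).
TIMTHUMB_FILENAMES = {"timthumb.php", "thumb.php"}
# Matches the version declaration used in the TimThumb source, e.g. define ('VERSION', '2.8.14');
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]""")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.8.10' into (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def timthumb_version(path: str) -> str:
    """Return the VERSION string declared in a TimThumb file, or '' if none is found."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        match = VERSION_RE.search(fh.read())
    return match.group(1) if match else ""


def find_timthumb(root: str) -> Dict[str, str]:
    """Map each TimThumb copy under root (relative path, '/' separated) to its declared version."""
    found: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in TIMTHUMB_FILENAMES:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = timthumb_version(path)
    return found


def outdated_copies(root: str, minimum: str = MINIMUM_VERSION) -> List[str]:
    """Copies whose version is below minimum, plus copies that declare no version at all."""
    floor = parse_version(minimum)
    return sorted(
        rel for rel, version in find_timthumb(root).items()
        if not version or parse_version(version) < floor
    )


def build_sample_tree() -> str:
    """Create a constructed WordPress-like tree in a temp directory and return its root.

    The versions and paths here are sample values made up for the demonstration.
    """
    root = tempfile.mkdtemp(prefix="timthumb-audit-")
    samples = {
        "wp-content/themes/old-theme/lib/timthumb.php": "<?php\ndefine ('VERSION', '1.32');\n",
        "wp-content/themes/new-theme/timthumb.php": "<?php\ndefine ('VERSION', '2.8.14');\n",
        "wp-content/plugins/gallery/thumb.php": "<?php\n// this copy declares no version\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Run against the constructed tree; point find_timthumb at your own web root in practice.
    demo_root = build_sample_tree()
    for rel, version in sorted(find_timthumb(demo_root).items()):
        print(f"{version or 'unknown':>8}  {rel}")
    print("needs attention:", outdated_copies(demo_root, "2.0.0"))
```

A copy with no recognisable version declaration is reported as outdated on purpose: an unrecognised copy is exactly the one a site owner has no reason to trust.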

Using Google for downloading email

We often find clients don’t want to download their email, or at least not right away, so that they can access it from multiple locations, perhaps at home and at work. However, we unfortunately have to impose storage limits on accounts, otherwise we would run out of space very quickly. On a number of occasions we have found that clients let their mailboxes fill up very quickly, or give their mailbox too high a space limit so that their entire hosting account becomes full. This causes all kinds of problems, as you cannot access your mailbox via webmail once it’s full. So if you want to set up an online system to ‘hold’ your email temporarily or permanently, we recommend using Google Mail. You get 7GB of space with Google Mail, which should be plenty for temporary storage and should cope with quite a few emails!

Setting up POP on GMail

To download email to GMail you need to use your POP3 mail settings. To set up your POP account on GMail you will need to create and/or log into your Google account. Then follow these instructions.

  • In GMail click on the small ‘cog’ icon in the top right of your screen which should give you a drop down menu with Mail settings and Mail help in it.
  • Select Mail settings.
  • In the settings you need to select “Accounts and Import”.
  • On the Accounts setting screen there is a section called “Check mail using POP3”. Click on the button to the right of this titled “Add POP3 email account”.
  • In the pop up box it will first ask for your email address. Enter the email address for your account on our server. Then click Next Step.
  • In the next screen you will need to enter your username, which is your email address except replace the @ with a + (plus sign).
  • Then enter your email password in the password box.
  • The POP server will probably be prefilled by Google with mail.yourdomain.com (where yourdomain.com is your web address). If it isn’t then please set it to be mail.yourdomain.com.
  • The port number should be set at 110.
  • You then have some checkboxes. We do not recommend that you leave a copy of your mail on the server, as this defeats the purpose of setting up GMail to access and download your email.
  • You can leave the SSL connection unchecked, and the final two boxes are optional and your own choice.

Once finished you can click on Add Account. It will then check that your login details are correct. If they come up as invalid, please check that you’ve entered the details correctly. If you’re not sure if your password is correct then please use your cPanel account to reset it. Too many incorrect attempts may cause the server firewall to temporarily block Google’s IP.
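The settings above can be derived from the mailbox address, and it is worth confirming them with one login attempt from your own machine before entering them in GMail, since the post notes that repeated failures from Google's side may get its IP blocked by the server firewall. The script below is an added example, not part of the original post: it follows the conventions given above (username is the address with @ replaced by +, server is mail.yourdomain.com, port 110), and the address and server names in it are constructed placeholders. It upgrades the connection with STARTTLS when the server offers it, so the password is not sent in clear, and otherwise falls back to the plain POP3 connection the instructions assume.

```python
"""Derive the GMail POP3 settings for a mailbox and verify them with a single login."""
import poplib
import socket
from typing import Dict, Tuple

POP_PORT = 110  # the port number the post says to use


def pop_settings_for(address: str) -> Dict[str, object]:
    """Map a mailbox address to the username, server and port to enter in GMail."""
    local_part, _, domain = address.partition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    return {
        "username": f"{local_part}+{domain}",  # '@' becomes '+', as the instructions say
        "server": f"mail.{domain}",            # mail.yourdomain.com
        "port": POP_PORT,
    }


def check_pop_login(address: str, password: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Make one POP3 login attempt with the derived settings and return (ok, message).

    A single attempt from your own machine confirms the password before Google
    tries it, avoiding the repeated failures the post warns about.
    """
    settings = pop_settings_for(address)
    try:
        conn = poplib.POP3(str(settings["server"]), int(settings["port"]), timeout=timeout)
    except OSError as exc:  # DNS failure, refused connection, timeout
        return False, f"cannot reach {settings['server']}:{settings['port']}: {exc}"
    try:
        try:
            conn.stls()  # use TLS if the server advertises STLS
        except poplib.error_proto:
            pass  # server does not offer STLS; continue on the plain connection
        conn.user(str(settings["username"]))
        conn.pass_(password)
        count, size = conn.stat()
        return True, f"login ok: {count} messages ({size} bytes) waiting on the server"
    except poplib.error_proto as exc:
        return False, f"server rejected the login: {exc}"
    except (OSError, socket.timeout) as exc:
        return False, f"connection failed during login: {exc}"
    finally:
        try:
            conn.quit()
        except (poplib.error_proto, OSError):
            pass


if __name__ == "__main__":
    # Constructed sample address; replace with your own mailbox and password to test for real.
    print(pop_settings_for("info@example.com"))
    ok, message = check_pop_login("info@example.com", "placeholder-password", timeout=5.0)
    print("OK" if ok else "FAILED", "-", message)
```

If the login fails with "server rejected the login", reset the password in cPanel as the post advises before retrying; if it fails with "cannot reach", check the server name before blaming the credentials.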

If you later need to download copies of your emails to your computer then you can download them from Google. You will find the information to do this under Settings -> Forwarding and POP/IMAP from within your GMail account.

If you wish to use this method to check your email but are unsure how to proceed, or the steps above seem slightly daunting, then we can provide a service to set up one or more email accounts on your GMail account for you for a small fee. Please contact us to discuss this.

Kashflow – Online Business Accounting Software

From time to time we get clients and colleagues asking us what accounting software we use, if any. We use Kashflow, which is an online accounting system that does everything we need and more.

Kashflow is suitable for sole traders and companies alike, whether or not you are VAT registered. It allows you to store all of your accounts online securely and access them from any web-enabled computer, or even an iPhone via their dedicated app. Beyond your standard accounts, Kashflow gives you an easy way to generate invoices and quotes for your customers, including repeat billing: once a repeat invoice is set up it can go out every X weeks, months or years. Invoices are automatically added to your turnover once they’re paid, too.

For VAT registered businesses, the VAT liability for the quarter is always shown to you on the front overview page as soon as you log in, which is useful to know how much you need to be putting aside towards the VAT bill each quarter. You can also set your account up with your HMRC login details to submit your VAT return directly from Kashflow, saving you the hassle of copying the figures over to HMRC and doing it directly on there.

Finally, the range of reports available is excellent. There is a self assessment report, useful for sole traders, plus profit and loss reports, VAT reports and more. Kashflow isn’t only suited to web businesses such as ours; any type of business would find it easier and more efficient to use than most of the standard accountancy packages such as Sage. Our accountant has a login to our account too, which means we can easily ask him to log in and check over items we’re not sure have been entered correctly, or he can simply take the end of year accounts and reports directly from the system, saving us the time of downloading the accounts and taking or emailing them over to him.

Kashflow has a 60 day trial period available, where you can sign up and try all of the account’s features for free. You don’t even need to give any card details. This is certainly a decent length of time to be able to assess whether it’s ideal for you. If you do then choose to pay for it, it costs £15.99 + VAT, however if you visit them by clicking on the icon above, this reduces the price by £1 + VAT per month.

It’s certainly worth a try if you haven’t got a suitable accounts system or you’re thinking about switching. It’s a major time saver for us which frees us up to be able to do more work!

Tradingeye v6.1 Security Updates

Due to the recent security vulnerabilities found in the eCommerce software Tradingeye, we are offering existing users a support option to apply a number of patches that secure the user inputs in a way that does not cause further problems within the administration area.

We will need to charge £30 + VAT to cover the time to download your files, make the changes, update the main admin password if necessary, and run a quick test over the site. There are no guarantees that these fixes will solve all security problems within the software, however it will go some way to providing a better level of security than the current version has.

If you wish to hire us to make these changes then please contact us with the following details:

  1. Site URL
  2. Invoice name and address
  3. FTP username and password
  4. Tradingeye username and password ONLY IF your password contains any of the following characters: ' " < > =

We will require payment before any work commences. We will initially give you an estimated date for the day on which the work can be completed; however, this date will not be secured until payment is received.

WordPress Plugin Upgrades

Further to our posts on keeping the WordPress core files updated, please note that this also includes plugin files. Plugins from the WordPress repository are not moderated, so you need to choose carefully which ones you trust in order to keep your website secure.

We have recently found a number of sites under attack from spammers who were exploiting the Contact Form 7 plugin. From our investigations we could easily see the version of the plugin in use, as the plugin inserts it into the page as a hidden form field; this means it is easy for any spammer to determine whether the plugin is up to date and whether it can be exploited. One such exploit resulted in 40,000 emails being sent via our server and over 9000 bounced emails received back, which eventually crashed the server.

We appreciate that scripts and plugins are needed for a website’s functionality, and that exploit attempts will always be made and can succeed even against up to date versions of these scripts. Nevertheless, where there are steps that reduce the likelihood of this happening, such as upgrading a plugin or looking into a more secure method, we request that you take them. This is not a recommendation, this is a requirement.
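The same hidden version field that tells a spammer whether a form is out of date lets a site owner audit their own pages for exactly that. The script below is an added example (not DSA Media's or the plugin's own code): it parses a page's HTML, collects every hidden input, and reports the Contact Form 7 versions disclosed and which of them fall below the release you require. It assumes the field is named _wpcf7_version, as Contact Form 7 releases of that era emitted it; REQUIRED_VERSION is a placeholder you set from the plugin's changelog, and the sample HTML is constructed.

```python
"""Report Contact Form 7 versions disclosed in a page's hidden form fields."""
from html.parser import HTMLParser
from typing import List, Tuple

VERSION_FIELD = "_wpcf7_version"  # hidden field name (assumption for this example)
REQUIRED_VERSION = "0.0"          # placeholder: take the real value from the plugin changelog


class HiddenFieldCollector(HTMLParser):
    """Collect (name, value) for every <input type="hidden"> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "input":
            return
        a = {k.lower(): v for k, v in attrs}
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden.append((a["name"], a.get("value") or ""))


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.1.2' -> (3, 1, 2) so that '3.10' correctly sorts above '3.9'."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def disclosed_cf7_versions(html: str) -> List[str]:
    """Every Contact Form 7 version the page discloses, one entry per form."""
    collector = HiddenFieldCollector()
    collector.feed(html)
    return [value for name, value in collector.hidden if name == VERSION_FIELD]


def outdated_cf7_forms(html: str, required: str = REQUIRED_VERSION) -> List[str]:
    """Disclosed versions that are below the required release."""
    floor = parse_version(required)
    return [v for v in disclosed_cf7_versions(html) if parse_version(v) < floor]


# Constructed sample page with two forms; the version numbers are made up for the demo.
SAMPLE_HTML = """
<html><body>
<form action="/contact/" method="post">
  <input type="hidden" name="_wpcf7" value="12" />
  <input type="hidden" name="_wpcf7_version" value="2.4.6" />
  <input type="text" name="your-name" />
</form>
<form action="/quote/" method="post">
  <input type="hidden" name="_wpcf7" value="27" />
  <input type="HIDDEN" name="_wpcf7_version" value="3.1.2" />
  <input type="email" name="your-email" />
</form>
</body></html>
"""

if __name__ == "__main__":
    # Fetch your own page's HTML (e.g. with urllib) and pass it in place of SAMPLE_HTML.
    print("disclosed:", disclosed_cf7_versions(SAMPLE_HTML))
    print("below 3.0:", outdated_cf7_forms(SAMPLE_HTML, "3.0"))
```

Run it against each of your own sites after an upgrade as well: a cached or stale page that still discloses the old version tells you the upgrade has not actually reached visitors.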

As per our Hosting Terms & Conditions:

4a. Clients are solely responsible for ensuring that all scripts installed by them (including any available within your account control panel) are patched and kept up to date.