DSA Media News and Information

Wolverley School Testimonial

We’ve recently completed a number of small enhancements and a couple of large projects for Wolverley School, who run a very busy Intranet site using WordPress. The work has included a file storage system, which lets students and staff upload files from home or school and access them later from another computer, and some smaller enhancements that let staff choose which news categories are shown on the front page and mark news posts as ‘read’ so that they drop out of their main news stream.

We also received the following testimonial from them:

Wolverley CE Secondary School used DSA Media to assist us in creating an in-house school management and VLE system. DSA Media went above and beyond our expectations with a difficult, bespoke brief – with fast and efficient product delivery, support and advice.

We would (and do) actively recommend them to those who are looking for any of the services they offer.

Wolverley CE Secondary School – www.wolverley.worcs.sch.uk

TimThumb Vulnerability

In August 2011 a major vulnerability was found in the TimThumb image resizing script. The script is used on many websites and is also bundled with many commercial WordPress themes and some plugins.

The script was updated and secured soon after the vulnerability was found. However, we have recently been made aware of a second theme on our server that was still using the vulnerable code. Thankfully our security scanner picked up an attempt to upload a virus via the exploit and quarantined it, and the theme has now been upgraded by the site owner.

However, this highlights the fact that site owners need to be more active in keeping their plugins and themes up to date. Modern WordPress themes can contain just as many potential vulnerabilities as plugins can, and must be kept up to date at all times. Often the reason for not upgrading a theme is that modifications have been made to an off-the-shelf theme, but this should not be a reason to leave a potentially insecure theme running. If you need to make code modifications to a theme then you should be using a child theme instead: the main theme stays untouched, so you can continue to upgrade it as soon as new versions are released.
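To show what the child-theme approach looks like in practice, here is a minimal child theme’s functions.php as an added example; it is not code from DSA Media or from any particular theme, and the parent directory name, the style handles and the excerpt-length override are assumptions chosen for illustration:

```php
<?php
// functions.php of a child theme (added example, not the page's own code).
// The child theme directory also needs a style.css whose header names the parent:
//
//   /*
//    Theme Name: Example Child
//    Template:   parent-theme-directory   <- assumed: the parent's directory name
//   */
//
// WordPress loads the child's functions.php in addition to the parent's (it does
// not replace it), while template files placed in the child directory override
// the parent's copies. Either way the parent's files are never edited, so the
// parent can be upgraded in place as soon as a new release is available.

add_action( 'wp_enqueue_scripts', 'example_child_enqueue_styles' );
function example_child_enqueue_styles() {
    // Load the parent stylesheet first, then the child's own overrides on top.
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
}

// Customisations live here rather than in the parent's files. As an assumed
// example, shorten excerpts via the excerpt_length filter instead of editing
// the parent's template code.
add_filter( 'excerpt_length', 'example_child_excerpt_length' );
function example_child_excerpt_length( $length ) {
    return 40;
}
```

Activate the child theme (not the parent) in the WordPress admin; the parent then shows up in the theme list purely as the template the child depends on, and theme updates apply to the parent without touching anything in the child directory.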

So we are asking all hosting clients to check their sites. If they have the TimThumb script running (note that this isn’t WordPress dependent) then please ensure it is updated to the latest version, and if you are running a WordPress site, please ensure all themes, whether in use or not, are always kept up to date with the latest release.

To help with keeping on top of updates we recommend that you install and use the WP Updates Notifier plugin, which will email you as soon as an update is available for the core files or for any plugin or theme from the WordPress repository. However, it will not notify you about themes or plugins that are not available on the WordPress website, so you will still need to make regular checks to ensure any updates are carried out as soon as possible.

Server Upgrade Notice

In recent weeks our server has experienced unusually high load from a small number of resource-intensive sites. This increased load has resulted in the RAM and swap capacity being exceeded and consequently caused short outages.

Whilst we have been able to track down a number of the problem sites, and provide guidance on making them more efficient so that they can continue to be hosted on a shared hosting environment, it hasn’t yet been possible to track down all of the problem sites and to take action.

Consequently we have been compelled to purchase new hardware to compensate for the continuing increased load in order to try to prevent further outages. Following on from an outage earlier today we have made the decision to carry out the upgrade as soon as possible. The upgrade will be done outside of UK standard business hours this evening, at 8pm.

As the new hardware will need to be installed whilst the server is off-line there will be a short period when your web sites will be unavailable; however, this should only be for a few minutes and no longer than 30 minutes.

We apologise for any inconvenience that arises as a result of this essential upgrade work and will aim to complete it as soon as technically possible. We will also work to identify any sites that continue to cause problems and work with the owners of those sites to improve their efficiency and enable the server to work at its optimum.

Further security updates

On Thursday we discovered that a site on our server had been the target of numerous DoS attacks and this has been the cause of the recent downtime issues. Upon discovering this we blocked a large number of IP ranges from the site in question to reduce the impact on this site and subsequently on the server. Our engineers also advised the following urgent actions to be taken:

  • Upgrade PHP to the latest version (5.3.8)
  • Install Suhosin to secure PHP further
  • Disable the ability to run certain (rarely used) PHP functions that could potentially cause a security risk (for a full list of disabled functions please contact us)
  • Disable displaying PHP errors on-screen, which should never be done in a production environment. All fatal errors and warnings are still logged to the error_log file in the script’s directory.
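As an added example (not DSA Media’s code, and the list of functions checked is an illustrative assumption since the server’s actual list is not given here), the following script reports whether each of the four measures above is in effect for the PHP instance that runs it. Run it from the shell with `php check_hardening.php`, or briefly from the web root so that the web server’s own php.ini is inspected, and delete it afterwards:

```php
<?php
// Added example, not the hosting provider's code: checks the hardening steps
// listed above against the running PHP configuration and returns the findings.

// Functions commonly disabled on shared hosts. Illustrative list only; the
// list actually applied on the server is not given on the page.
$expectDisabled = array('exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen');

function checkHardening(array $expectDisabled) {
    $findings = array();

    // 1. PHP version: the page asked for 5.3.8 at the time of writing.
    $findings['php_version']          = PHP_VERSION;
    $findings['php_at_least_5_3_8']   = version_compare(PHP_VERSION, '5.3.8', '>=');

    // 2. Suhosin is an extension, so extension_loaded() shows whether it is present.
    $findings['suhosin_loaded']       = extension_loaded('suhosin');

    // 3. disable_functions is a comma-separated list in php.ini. A disabled
    //    function is removed from the function table, so function_exists()
    //    returns false for it; anything still callable is reported.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $stillEnabled = array();
    foreach ($expectDisabled as $fn) {
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $stillEnabled[] = $fn;
        }
    }
    $findings['still_enabled']        = $stillEnabled;

    // 4. Errors must be logged, not shown. ini_get() returns "1"/"0", "On"/"Off"
    //    or "" depending on how php.ini was written, so normalise to a boolean.
    $findings['display_errors_off']   = !filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);
    $findings['log_errors_on']        = filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN);
    $findings['error_log']            = ini_get('error_log')
        ?: '(unset: SAPI default, e.g. an error_log file in the script directory)';

    return $findings;
}

// Print one line per finding; arrays are joined, booleans shown as true/false.
foreach (checkHardening($expectDisabled) as $key => $value) {
    if (is_array($value)) {
        $value = empty($value) ? 'none' : implode(',', $value);
    } elseif (is_bool($value)) {
        $value = $value ? 'true' : 'false';
    }
    printf("%-20s %s\n", $key, $value);
}
```

A script that genuinely needs one of the disabled functions will fail with a “has been disabled for security reasons” warning in its error_log, which is the quickest way to tell a hardening side-effect apart from an ordinary bug in an old script.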

Whilst we have seen a couple of minor issues arise from these updates, which have been dealt with as quickly as possible, most sites are still running as normal and are unaffected.

The main issue that we have seen is due to old or badly coded scripts causing numerous errors. These scripts should be removed from the server or updated immediately as per points 4(a) and (b) on our hosting terms (please note, both are excerpts of the full points):

  (a) Clients are solely responsible for ensuring that all scripts installed by them (including any available within your account control panel) are patched and kept up to date.
  (b) Any client not keeping their scripts up-to-date and secure is liable to have their site suspended with immediate effect in order to protect the integrity of the server and other accounts hosted on it.

If you find an issue on your site then please first check the relevant error_log file and your Error Log in cPanel, to ensure that it’s not a simple script issue. For any off the shelf scripts, a search on the error will often give you further information with regards to this.

If you do find an unexplainable issue with your site or an issue that you cannot fix then please do not hesitate to contact us, providing as much information as possible including any search results or further information you have found online.

Please be aware that if we have to take time to support and/or fix an out-of-date or insecure script then we may have to charge for this at our hourly rate of £40 + VAT (this does not include issues that have arisen from adding Suhosin or Mod_Security, or from disabling certain PHP functions).

Mod_Security and other security measures

As part of our continuing efforts to maintain the security of our hosting services we have today added both an anti-virus module and the mod_security firewall module which have been configured to work alongside our existing firewall. We’ll be monitoring any changes to the server’s behaviour following these additions, and if they work well they will become a permanent addition. We also aim to install a vulnerability scanner, within the next week or two, which will provide a means to scan uploads for security issues as well as scan files already residing on the server for exploit vulnerabilities. However as this software relies on the presence of the anti-virus and mod_security modules to function we need to wait until we’ve had time to assess those before proceeding.

Whilst we don’t expect any disruption, the more stringent security measures may cause issues for some clients or their visitors. If you discover issues with your site during the evaluation period it would be extremely helpful if you could contact us as soon as possible with as much information as possible: what the issue was, what you were doing that led up to it, which browser or other software you were using at the time (including version number), and importantly your IP number. Please also tell us about any software installed on your hosting account, including any content management systems (such as WordPress, Joomla, etc.).

If you find yourself unable to connect to your web site or hosting control panel, as a result of the security measures put in place, you should use the form on our external status site, at: www.dsamedia-status.co.uk/supportform.php.