Web Hosting and Digital Marketing Blog

Shared Web Hosting Servers Major Upgrade

We have recently upgraded all of our shared web hosting servers. The upgrade has been applied for all our shared web hosting users and introduces a new set of features. The features mainly focus on speed while enhancing the user experience and supporting emerging technologies, as listed below:

  • Automatic Firewall Check Upon login to the client-area and Unban
  • PHP 7.2 Support
  • cPanel Website Cache Management Plugin
  • Improved GZIP Management: Automatic GZIP Activation for Cached Content
  • TLS 1.3 Support
  • GeoIP2 Lookup Support
  • GoogleQUIC v43 Support
  • Google BROTLI Compression Support for Static / Dynamic Content
  • PHP CRIU Support
CVE-2018-0886: Microsoft Security Update CredSSP affecting RDP Access

On the 8th of May, Microsoft finalized an update, which started on March 13th, by changing the authentication protocol of remote desktop sessions.

They rolled out the final update by disabling the former CredSSP protocol since an exploit was discovered (CVE-2018-0886).

The exploit allowed remote code execution on a remote system through the login details provided in a regular remote desktop session.

A hacker could therefore gain access to the remote desktop data and programs, or even create / disable accounts.

Since yesterday, the patch not only fixes the security issue but also completely changes the authentication protocol and disables the former CredSSP one by default.

The issue is that if you haven’t updated your Windows VPS (remote desktop server), you will no longer be able to access your VPS and you will see the following message:

An authentication error has occurred.

The function requested is not supported

Remote computer: *IP ADDRESS*

This could be due to CredSSP encryption oracle remediation.

For more information, see https://go.microsoft.com/fwlink/?linkid=866660


To regain the usual access to your Windows VPS / Remote Desktop Access, follow the steps below:

  1. Open a Command Prompt with administrator rights (right-click cmd.exe and select Run as administrator)
  2. Paste the following command into your command prompt and hit Enter

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2

It will revert the modification made automatically by the latest automatic Windows Update, and you should be able to access your remote desktop again.

Given how critical this vulnerability is, we strongly invite you to install all the Windows updates in order to patch the current security issue, which is considered highly critical and puts your Windows VPS at risk.

Once you have run the update and your Windows VPS has been restarted, your VPS is patched. If you allow remote desktop access to your computer, you then need to revert the change by typing the following in a command prompt with elevated privileges:

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 1

Hit Enter.

Payza Gateway Updated
posted by: in Announcements

We are publishing this news to let you know that we have updated the Payza gateway, which is now operational.
Payza.com was seized by the US Department of Justice because of money laundering charges regarding the cryptocurrency purchasing business.

Payza has now migrated their structure to Europe and now operates under the website payza.eu

We have therefore updated the billing gateway after verification on our end to ensure its integrity.

Google: HTTPS Swap is now Overdue

In 2014 Google made a statement on their Webmaster Central Blog mentioning that Google would start to give a slight ranking boost to secured HTTPS websites using an SSL certificate relying on a 2048-bit key.

In January 2017 Google mentioned on their Google Security Blog that, with Chrome version 56, they had introduced a “Not Secure” mention in the address bar for websites transmitting passwords or credit card information.

Although this was announced in April 2017 in this official blog post, we notice that a significant number of our users aren’t yet using an SSL certificate.

If your website isn’t using an SSL certificate yet, now is the time to set one up.

As a matter of fact, Google will push their effort further by introducing a dynamic warning on unsecured websites as soon as a user enters data, and on all HTTP pages browsed in Incognito Mode.

This update will come with Chrome version 62, expected to be released in October 2017.

While not a drastic penalty, it may still result in a loss in your conversion rates, especially in non-tech-savvy markets.

Google is making consecutive moves toward a fully secured web, even giving a slight Google ranking boost to websites using an SSL certificate, a factor you should absolutely take advantage of considering it is now within everyone’s reach.

Now, how should you approach the SSL migration? It can seem overwhelming and complicated. Here is a checklist for you to migrate to the HTTPS protocol without any inconvenience.

 

I) Backup Your Web Hosting Account

 

Before proceeding with the SSL installation, it is very important to back up your website in full, database included. If you are running cPanel, you may use the backup section of your cPanel account and then download the backup to your computer. Doing this every once in a while is recommended anyway, in spite of our nightly backup of your shared web hosting account.

 

II) Check your CDN SSL Specifications

 

If you are using a Content Delivery Network (such as Cloudflare or MaxCDN), read its specifications and check whether it supports the HTTPS protocol. It generally involves extra steps in order to make it work.

We are a partner of Cloudflare, and some of our users rely on this CDN. Cloudflare provides SSL certificates along with their CDN, for which you would need to refer to this guide.

If you are using Cloudflare SSLs, you can go directly to step 3.

 

 

III) Install your SSL certificate

 

At HostStage, if you are running a shared web hosting account, you can refer to this guide. If you are on a managed Linux VPS, a cPanel unmanaged VPS, or a cPanel dedicated server, you can open a support ticket to have us install this module, and you’ll be able to issue an SSL certificate within a few clicks as shown in our knowledgebase article: How to Generate and Install a Free SSL Certificate with Let’s Encrypt

You can also benefit from a premium SSL certificate, which we provide, or use a third-party provider of course. Their benefits over Let’s Encrypt are multiple: issuance speed, extended trust signals in the browser (especially with EV SSL), compatibility with all browsers (old Android distributions, Blackberry, Sony PS3 / PS4...), and yearly renewal.

 

IV) Update the references in your content

 

All JavaScript, CSS and absolute image URLs must be called over https, and you should check that the https version of each one works in your browser.

For example, let’s assume you are using a Google font through the Google library.

In your website headers, you may have the following link to load your font:

http://fonts.googleapis.com/css?family=Lora

You would need to change it to :

https://fonts.googleapis.com/css?family=Lora

It will load your font using Google’s SSL, which is required for your own HTTPS; otherwise, your page will display warnings.

The non-exhaustive list of references to check is:

  • Update Images references in absolute URL
  • Update Social Media Javascripts references (Facebook, Twitter, G +)
  • Update External Javascripts and Libraries references (jQuery)
  • Update External or Absolute CSS Pages references
  • Update References in content (which could be in the database, WordPress plugins exists for this purpose)
  • Update Hreflang Tags
  • Update Canonical Tags

The only exception is of course external links, which don’t need to be in https as they are not loaded along with your website.

It can indeed be tedious work, and there are ways to automate the process, either through SSH or using the bulk find and replace function of Notepad++ on Windows or Atom on macOS. Please note that you still need to check manually in a web browser whether the HTTPS version of your resources is available, in order to be on the safe side.
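One way to automate the check before any find and replace, as an added example that is not HostStage's own tooling: the scanner below lists the http:// references from the checklist above (scripts, stylesheets, images, CSS url() values, canonical and hreflang tags) and leaves ordinary outbound links alone. The names, the sample page and the example.com URLs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs whose URL the browser loads or submits to.
# <a href> is deliberately absent: plain outbound links are not subresources.
FETCHED = {("script", "src"), ("img", "src"), ("iframe", "src"),
           ("source", "src"), ("video", "src"), ("audio", "src"),
           ("embed", "src"), ("form", "action")}
# <link> only matters for these rel values (assets, canonical, hreflang).
LINK_RELS = {"stylesheet", "icon", "preload", "canonical", "alternate"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)


class InsecureRefFinder(HTMLParser):
    """Collects (line, kind, url) for every http:// reference that matters."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_style = False

    def _add(self, kind, url):
        url = url.strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        if tag == "link":
            rels = set(a.get("rel", "").lower().split()) & LINK_RELS
            if rels:
                kind = "hreflang" if "hreflang" in a else sorted(rels)[0]
                self._add(f"link[{kind}]", a.get("href", ""))
        for attr in ("src", "action"):
            if (tag, attr) in FETCHED and attr in a:
                self._add(f"{tag}[{attr}]", a[attr])
        for candidate in a.get("srcset", "").split(","):
            if candidate.split():
                self._add(f"{tag}[srcset]", candidate.split()[0])
        for m in CSS_URL.finditer(a.get("style", "")):
            self._add(f"{tag}[style]", m.group(1))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # url(...) inside a <style> block
            for m in CSS_URL.finditer(data):
                self._add("style url()", m.group(1))


def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def suggest_https(url):
    """Candidate replacement only; confirm it loads before switching."""
    return "https://" + url[len("http://"):]


# Constructed sample page (not taken from a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lora">
<link rel="canonical" href="http://www.example.com/page">
<link rel="alternate" hreflang="fr" href="http://www.example.com/fr/page">
<script src="http://code.jquery.com/jquery.min.js"></script>
<style>body { background: url('http://www.example.com/bg.png'); }</style>
</head><body>
<img src="http://www.example.com/logo.png" srcset="http://www.example.com/logo2x.png 2x">
<img src="https://www.example.com/ok.png">
<a href="http://partner.example.org/">partner</a>
</body></html>"""

if __name__ == "__main__":
    for line, kind, url in find_insecure_refs(SAMPLE):
        print(f"line {line}: {kind:18} {url} -> {suggest_https(url)}")
```

The scanner only reports; each suggested https URL still has to be opened once to confirm the resource is actually served over HTTPS.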

 

V) Let’s not Forget your On Site SEO !

 

After all, you are also here to benefit from a ranking boost from the SSL, so it is important not to neglect the other sides of your On Site SEO.

  • Update your Sitemap URLs with the HTTPS version
  • Update your Disavow file in Google Webmaster if any
  • Update your robots.txt to include your new sitemap(s)
  • Add a new property in Google, Bing Webmaster Tools and Google Analytics, and add in GWT and BWT the sitemap URL (no need to use the change address tool)
  • Update your social Share Count (some WordPress plugins and guides online are available)
  • Update your media campaign to use the https version
  • Update your old 301 redirects if any to redirect directly to the https version of your website

You can also enable HSTS (HTTP Strict Transport Security), which would optimize your website loading time by forcing the browser to make all its future requests over HTTPS rather than first querying over the HTTP protocol and then being redirected.

To do so, you just need to add the following to the .htaccess file in your public directory.

Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

If your website includes subdomains, you may also enable HSTS for them directly by using the line below instead of the first one:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

 

 

 

VI) Let’s Put This ONLINE and Fire your HTTPS

If you are using WordPress, you need to change your base URL from the admin area:

  • Click On Settings
  • Select General Sub Menu
  • Update WordPress Address (URL)
  • Update Site Address (URL)

If you are using another CMS such as Joomla, Drupal or Prestashop, the steps, while similar, will differ.

You would need to refer to their online guide in order to update the website main URL.

Then you need to 301-redirect the HTTP version to the HTTPS version, for which you need to update your .htaccess and use the code quoted below:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
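A way to verify both the HSTS header and the 301 redirect once they are live, as an added example that is not part of the original guide: it parses the Strict-Transport-Security value following RFC 6797 and audits one HTTP and one HTTPS response. The function names and the response tuples are constructed; in practice the tuples would come from any HTTP client with redirects disabled.

```python
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict, or None if invalid.

    Follows RFC 6797: directive names are case-insensitive, empty directives
    (stray ';') are skipped, a repeated directive or a missing / non-numeric
    max-age makes the whole header invalid, and browsers then ignore it.
    """
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        if name in policy:
            return None
        policy[name] = arg.strip().strip('"') if sep else None
    age = policy.get("max-age")
    if not age or not (age.isascii() and age.isdigit()):
        return None
    policy["max-age"] = int(age)
    return policy


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def audit_migration(http_resp, https_resp, min_age=31536000):
    """Return a list of problems; each response is (url, status, headers)."""
    problems = []
    url, status, headers = http_resp
    h, src = _lower(headers), urlsplit(url)
    dst = urlsplit(h.get("location", ""))
    if status != 301:
        problems.append(f"HTTP request answered {status}, expected 301")
    if dst.scheme != "https":
        problems.append("redirect target is not https")
    elif (dst.netloc.lower(), dst.path or "/", dst.query) != \
         (src.netloc.lower(), src.path or "/", src.query):
        problems.append("redirect changes host, path or query string")
    if "strict-transport-security" in h:
        problems.append("HSTS sent over plain HTTP, where browsers ignore it")

    _, _, headers = https_resp
    raw = _lower(headers).get("strict-transport-security")
    policy = parse_hsts(raw) if raw is not None else None
    if raw is None:
        problems.append("no HSTS header on the HTTPS response")
    elif policy is None:
        problems.append(f"HSTS header is invalid: {raw!r}")
    elif policy["max-age"] < min_age:
        problems.append(f"HSTS max-age {policy['max-age']} is below {min_age}")
    return problems


# Constructed responses for a hypothetical site.
GOOD_HTTP = ("http://www.example.com/shop?id=7", 301,
             {"Location": "https://www.example.com/shop?id=7"})
GOOD_HTTPS = ("https://www.example.com/shop?id=7", 200,
              {"Strict-Transport-Security":
               "max-age=31536000 ; includeSubDomains ;"})
BAD_HTTP = ("http://www.example.com/shop?id=7", 302,
            {"Location": "https://www.example.com/",
             "Strict-Transport-Security": "max-age=31536000"})
BAD_HTTPS = ("https://www.example.com/", 200,
             {"Strict-Transport-Security": "max-age=300"})

if __name__ == "__main__":
    print(audit_migration(GOOD_HTTP, GOOD_HTTPS))
    for problem in audit_migration(BAD_HTTP, BAD_HTTPS):
        print("-", problem)
```

Because browsers cache an HSTS policy for the whole max-age, run this against every subdomain before switching to the includeSubDomains variant.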

 

Section : I have heard !?

 

1) “I have heard that running an https website is slower than http!”

It is indeed a valid concern since the server is stressed a little more to encrypt the data of your web page. Now, if you are using our services, you don’t need to worry at all about this matter. We saw it coming and have quietly taken steps to prevent any overload or significant performance loss. All our Linux VPS nodes use hardware RAID 10 SSD storage and the latest CPU generation. Our shared web hosting servers have all been migrated to LiteSpeed, which is a better-performing Apache replacement. LiteSpeed is also available on your Linux VPS servers.

2) “I have heard that Let’s Encrypt needs to be renewed every 3 months!”

Correct here again! Except that at HostStage, Let’s Encrypt renewals are done automatically in due time without any SSL downtime. So it is a worry-free situation for you.

3) “I have heard that I must pay for SSL!”

Yes, that used to be the case, and you can still do so if you opt for a premium SSL certificate (starting from $14,99 per year). But the Let’s Encrypt initiative remains completely free and we do not charge anything for you to benefit from it. On your web hosting account, the feature is already there.

The 8 Absolute Commandments for Internet Marketers Success

Working online has unquestionably been a growing trend over the last decade. It has become a goal for many people. We estimated that 2 million people in the world work as internet marketers, and the number is growing.

The core goals are generally to be financially independent while working on your own terms. In other words, being completely free.

Yet being entirely free can be confusing or even overwhelming, so here are some concrete and actionable tips for you to be successful in your online ventures.

 

 

1. NEVER WORK UNDER FINANCIAL PRESSURE

That’s rule number one, as we have had many users, or seen many posts, about the requirement to make X amount of money in X days.

Such a thought process is asking for one permanent failure: failures are part of the game, yet it leaves no room for them.

It is best to start alongside a day job, without any financial stress, and even with a little money to start with (at least for a domain and a web hosting account).

Just don’t expect to get a large sum of money overnight. It might happen, but it should not be expected as it is exceptional.

 

 

2. FIGHT ENTHUSIASM AND TURN IT INTO A WEAPON

Enthusiasm is a tricky feeling. It turns you into a working machine able to make an idea concrete, which is great for pulling you out of a procrastination cycle, but it comes with a side effect: you want immediate success to feed the hype, often you don’t find the expected return, and eventually the enthusiasm fades away as fast as it came, leaving a taste of failure.

Yet it remains a powerful weapon in your arsenal, and using enthusiasm in a structured manner is key to your success. If you brainstorm over an idea (mind map / whiteboards) and then strategize the action plan, you will be on fire in the right area rather than shortcutting your way to a success that very few reach anyhow. Consistency prevails over burst fire.

 

 

3. FOCUS ON MEANINGFUL WORK / TASKS

This one is also a big one and it can be applied to all types of work. Working hard is very important of course, and a key factor of your online success, but smart work takes priority over anything else.

Working an endless number of hours on a tedious, outsourceable task is pointless and makes you lose focus or quality on the essentials.

This can even be extended with the Pareto Principle, which says that a typical day is made of 80% non-profitable tasks and the remaining 20% is what makes you earn the most.

In most cases, the 80% is either required or perceived as required, so it needs to be done, but focusing on how to optimize the 80% to become the new 20% of your working schedule is what you should be doing. You can then focus on what really matters.

 

 

4. SCALE FROM AN EXISTING NOT FROM NOTHING

Again, some internet marketers think that starting by putting a huge amount of money into an unproven method will work. While that is a start-up spirit, it is always recommended to proof-test a method on a lower scale, or at least test the water, before trying it out. You might face issues in your process (issues many would love to face, but which can end in a devastating way), and you can even discover that your method is flawed right from the start.

To illustrate this point, let’s say you are after Instagram marketing, which is a great trend to make money online. You have no clue how Instagram works, but you read about this method. Rather than purchasing Followliker and many Windows VPS right away, it is best to first start a bit manually to learn how things work, and then automate it in the most efficient way, adding your own twist.

 

 

5. SHUT YOUR MIND FROM EXTERNAL DISTRACTION

Another big one! So you have seen a working method, you are all hyped about it and you get started. After a certain time, you go back to your favorite forums / social network / Skype and read or hear about this other, new, so much better method that makes you want nothing else than to hop on it. Repeat that, and you have a ton of unaccomplished projects that make no earnings.

Or even worse, you are carrying out your method, but even before finishing a task you start another, following your irrational thought process; you feel smart but you achieve very little. You can also end up filling up your to-do list manager, which pressures you over all the things you haven’t done yet. As the author and online worker, I went through these stages and developed a specific schedule flow where I have the concrete to-do list, a notebook where all fantasies can be written down and considered later on, a mind map where it isn’t due but organized, a white board to brainstorm and finally

 

 

6. BURN ALL YOUR HARD EARNED MONEY

Far from being financial advice, this tip remains very important. When you earn money you didn’t have before, a common instinct is to want to spend it to feel rich, which is how you get it all wrong.

Your hard-earned money should last for as long as it can while you enjoy the process. Invest it wisely and treat it as it should be treated: as a very hard resource to obtain. It should also be used to make your earning stream sustainable, and it should be planned so as to allow you to scale up. Warren Buffett didn’t become Warren Buffett by having a spending sheet as high as his income.

We have read many stories about internet marketers, successful for one month, who made poor decisions about their finances and disappeared overnight.

 

 

7. DIVERSIFY YOUR EARNINGS

Google updates, terms of service changes, ban hammers, declining trends or markets, copycats, saturation and so on are your ultimate enemies. No one can be protected from them, and they can wipe out any income stream you duly acquired. A classic business point of view is to innovate in order to prevent some of those scenarios, but for an internet marketer, diversifying is a strong and most likely the most viable solution. Diversifying requires organization in order to keep up with the main income stream.

 

 

8. DON’T POSTPONE TO TOMORROW

Now, if you haven’t already, it is time for you to take action right now! Whether you have already started, are trying but taking a break, or are dreaming about a potential IM lifestyle, right now is the right time. If you took the time to read this post, it means you have the time, so go for it and make things happen for you!

 

 

 

World Wide Ransomware Outbreak using the NSA ToolKit
posted by: in Security | tagged:

Yesterday a massive worldwide event took place, with a self-replicating ransomware worm attacking hundreds of thousands of computers.

How did the Ransomware spread ?

The ransomware WannaCry (aka WCry, WanaCryptor, WannaCrypt, Wanna Decryptor) was first seeded through a phishing email campaign and spread to government services (NHS, Russian ministries...) and many corporations (FedEx, Renault, Dacia, Nissan…) across different countries.

After the initial mailing campaign, the ransomware distributed itself by scanning networks over SMB, using shared folders.

The ransomware used the NSA toolkit (the EternalBlue exploit of the toolkit), released for free in April by a group of hackers called the Shadow Brokers, allowing anyone to gain access to any Windows-based computer within a few minutes (SMB v1 / RDP protocol).

The spread of the malware was contained through a “kill switch”, which simply involved a domain registration that was a condition for the malware to keep spreading. If the domain did not resolve, it would keep attacking. If it resolved, it would stop.

You can find a more detailed and technical approach from a security analyst :

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

What Can I do to protect myself and avoid being infected ?

In order to protect yourself, you simply and urgently need to run all Windows updates on your server.

The backdoors were patched by Windows updates for all Windows versions, even the unsupported (End of Life) Windows XP.

It is recommended to run Windows updates regularly, and in these times more than ever.
It is indeed not very convenient to have your VPS restarted, but it is important to have the updates installed.

You also need to keep a backup of your data that is not tied to your computer / VPS (an offline hard drive that you plug in to back your data up, or a USB key for a smaller amount of data).

For a Windows VPS, if you are using our services, you can simply open a support ticket requesting us to take a backup of your VPS. You can also specify whether you would like to be part of the monthly backup or keep a recovery point.

Otherwise, you need to use a backup system that is not tied / mounted to your VPS, such as an FTP server through a 3rd party client, or a cloud-based storage with a drag and drop web page for instance.

If you are in a hurry, you can also run the commands to patch your servers more quickly, as introduced by Microsoft:

https://support.microsoft.com

Can a Ransomware affect Dropbox ?

First and foremost, an important disclaimer: a common approach if you are using a Windows VPS is to use Dropbox as a backup platform. However, if you aren’t a Dropbox Premium user, you are exposed to having your Dropbox files encrypted. As a premium user you would be able to recover your encrypted files by restoring a previous version, but not in the free version.

One safe behavior while using Dropbox, which remains extremely convenient for transferring files from your computer, is to use selective synchronization (as explained here) in order to synchronize only one exchange folder and hide the rest of your files from any ransomware hitting a VPS.

 

Security Issue : Leak of 68 Million Dropbox Accounts

There is a current rumor of a leak of the account details of over 60 million Dropbox users.

It is recommended to change your Dropbox password as soon as possible to be on the cautious side.

We know how much online marketers love the Dropbox feature, hence this post to inform you about a critical situation. It remains a solid way to transfer files from your computer to your Windows VPS for instance.

Dropbox is currently asking users to reset their passwords following a leak in 2012, as per a public statement this week.

However, some websites have analyzed some of the data from the breach and it sounds as if the new encryption system they deployed in 2012 (bcrypt) has been breached.

Source : https://www.troyhunt.com/the-dropbox-hack-is-real/

Security Issue : WordPress Plugin All in One SEO Pack v2.3.6.1 exploit
posted by: in Security

All in One SEO Pack is a widely used plugin for setting the meta description, keywords and titles of WordPress posts.

An XSS exploit has been discovered in the All in One SEO Pack plugin, version 2.3.6.1 and earlier.

You can immediately check the version from the plugin page; the current version should be v2.3.8.

The XSS was discovered in the bad bot blocker feature and involves an exploit that allows stealing the administrator tokens through an altered user agent.

The vulnerability has been patched and a plugin update is strongly advised.

 

 

Changelogs March

This month came with its load of new features for which you can find the changelog below :

Shared Web Hosting

  • Curative and Real-Time Malware Detection to avoid account suspension upon mail spam + Automatic .htaccess Shield set up
  •  On the fly scans of malwares through HTTP upload (BETA)
  •  Upgrade Modsecurity to 2.9
  •  Automatic Kernel security patches upgrade without reboot
  •  Upgrade Apache to 2.4.18 (slight perf boost)
  •  XMLRPC Attacks Protection without blocking the WordPress Jetpack Module
  •  Default Apache Configuration Enhancement on PHP 5.5 – More modules prebuilt
  •  RAID 1 SSD Shared Server Standard
  •  Network Upgrade to 1 GBPS on all shared servers

To Come :

  • Personalized DDoS Mitigation Alert Email for Dedicated IP users
  •  Email Alert to users for Curative Malware Detection
  •  Email Alert to users upon XMLRPC Attack Detection
  •  Wordpress Labs Tests results to be set in production for massive performances enhancements

Reseller Web Hosting :

  •  Most of the Shared Web Hosting Enhancements
  •  Beta Test of IP manager feature from WHM (Extra IP management panel)

To Come :

  • IP Manager to be set in production

SEO Web Hosting :

  • Network Expansion to 40

To Come:

  • Network Expansion to 60 by the end of April
  • End of Beta for the 1st of May

Linux VPS :

  • RAID 10 SD VPS Node Standard
  • RAM DDR4 Standard
  • Mailing Offer Beta
  •  OS Templates Updated (Ubuntu all versions, CentOS all versions, Fedora all versions)
  •  CentOS 5.7 + cPanel set as End of life. Available in OS choice but not supported. Manual cPanel Configuration by our support instead on CentOS 6
  •  Beta Test CentOS 7 + cPanel
  •  Custom set up fees waived for cPanel configuration

To Come :

  • CentOS 7 + cPanel default cPanel template
  • New Mailing Offers

Windows VPS :

  • RAID 10 SSD Standard to replace SAS 15k drives
  •  Wide Network Enhancements
  •  Removal of a virtual network ACL which caused a downtime
  •  VPS Template upgrade
  •  Windows Server 2012 Available upon request

To come :

  • Upgrade network to 3 GBPS
  •  Windows server 2012 available from the order form

Dedicated Server :

  •  New dedicated servers available (limited stocks)

To come :

  •  Full Range of servers publicly available (unlimited stocks)

Shared Web Hosting : Resources General Increase

Hello,

We have just increased the values for each package of our web hosting offers.
We have studied the usage of each package and weighed it against the server’s resource usage, and we concluded that all our users shall benefit from a resource increase.

For our starter users, we have increased the number of processes from 20 to 50; while we intended to lower the RAM to 512 Mb, we have kept it at 1024 Mb.
For our premium users, we have increased the number of processes from 40 to 100 and the RAM from 1024 Mb to 2048 Mb.
For our business users, we have increased the number of processes from 100 to 150 and the RAM from 2048 Mb to 4096 Mb.

The IOPS limit is also aligned with the RAM for all packages.

The upgrades are already effective.

We believe that, according to our analysis, this matches much better the usage of each package and the purpose we have in mind: starter for fresh websites, premium for several established websites, and business for professionals.

We sincerely hope that you’ll appreciate these free upgrades and enjoy the user experience of your reloaded accounts. 

Best Regards
Vincent Royant
HostStage CEO
