Learning from other people’s web hosting mistakes

As the new series of Dragons’ Den on BBC2 starts, it seems that some people are doomed to keep repeating the mistakes of others without learning anything from them.  Every year, without fail, someone makes a pitch to the Dragons and their website instantly becomes unavailable – robbing them of publicity and, more importantly, customers.

Even Worse…

It gets even worse when the website is your business!  Last night you may have seen The Present Club do their pitch to the Dragons; like thousands of other people I thought I’d take a look at the website – although more to see if it was still working than anything else.  Unfortunately, like so many before them, they had not prepared adequately for what is probably the largest amount of publicity they are likely to receive in the short term, losing themselves many potential customers and showing themselves in a poor light to any potential investors. You have to remember that an offer on Dragons’ Den is not binding and may not go ahead once due diligence is completed, but other people may be thinking they are a good business to be involved with (despite what Duncan Bannatyne may think, you need to keep your options open to get the best deal if things don’t work out).

What can be done?

If you find yourself in such a situation, where you’re going to appear on TV, or your product/service will be featured prominently on Radio/Magazine/Large Event then you need to talk to your web hosting company as soon as possible and ask them what they can do to help you cope with the increase in visitors to your site – of course some of these things will not be free, but as a business person you have to work out the cost of lost customers.

The Maths

If your appearance on TV brings in 200,000 visitors to your site and you usually convert 3% of visitors to customers, that’s 6,000 new customers for you – but only if your website is up and running.  If it isn’t, maybe 5-10% of those visitors will come back the next day to take a look, so now you’re only talking about 300-600 new customers – a significant drop.  If your average sale is £20 then that’s a difference of £114,000 in the worst case (£120,000 – £6,000).

Can You Afford To Throw Away £120,000?

If so then you probably don’t need to be reading this blog post at all, and congratulations, you’ve done very well for yourself.  If, like the majority, you can’t, then you need to sit down with your web hosting supplier (or better yet, give us a call about our business web hosting and dedicated servers) and work out a plan – even if it’s only for a temporary increase in capacity for your website.  There are a great many things that can be done, quite a few of them for free, that can help your website survive an increase in visitor numbers and help you capture new customers – for <1% of that £120,000 of new business you could potentially increase the capacity of your website by 3-4x, if not more in some cases.

I’d Like To Know More

If you’d like to know more about how we can help you with your web site hosting problems then please get in touch with us to discuss our business hosting solutions.

.uk Short Domains (and Reserved)

As many of you will already be aware (we’ve already applied for some of you) Nominet (the organisation that runs the .uk domain name space) is releasing a large list of previously reserved domain names – most of these are either single or double character domains. At the moment we’re in the open landrush phase – so anyone can apply for any of the remaining 2640 domain names.

How much does it cost?

Nominet charge a fee of £10 + VAT per domain name for applying for a domain name – if you’re the only one that applies then you’ll be allocated the domain name, if more than one registration is received by June 15th then it will go to auction. If you’re successful at either stage then KDA will charge our usual fee of £14.95 + VAT per domain name to register it for 2 years.

How do I apply?

If you’d like to apply then you’ll need to open up a support ticket with us, as we’re currently doing all the reserved domain applications manually – so we can make sure everything runs smoothly. Once we’ve submitted the request, we’ll send you a code, which you’ll need to enter at the URL we provide – this will allow you to pay the £10 + VAT fee to Nominet.

Microsoft Office XML MIME Types

We’ve had a couple of customers ask about this recently, where documents created in newer versions of MS Office don’t download to the browser correctly. Instead of downloading as an MS Office document they download as a ZIP file.

The reason is that these are new file types: they are XML files packed inside a ZIP archive. A server set up before these files came on the scene has no mapping for the new extensions, so it inspects the file, sees a ZIP archive, and that is what it tells your browser.

All of our cPanel based business class hosting fully supports the new MS Office MIME Types – so your files will download as MS Office documents and not as ZIP archive files.

If you’d like to modify your own server so that it supports the new MS Office file extensions and file types, you need to place the following entries into your /etc/mime.types file (for plain CentOS/RedHat) or /usr/local/apache/conf/mime.types if you’re running cPanel.

# mime.types format: MIME type, whitespace, extension(s) without a leading dot
application/vnd.ms-word.document.macroEnabled.12                          docm
application/vnd.openxmlformats-officedocument.wordprocessingml.document   docx
application/vnd.ms-word.template.macroEnabled.12                          dotm
application/vnd.openxmlformats-officedocument.wordprocessingml.template   dotx
application/vnd.ms-powerpoint.slideshow.macroEnabled.12                   ppsm
application/vnd.openxmlformats-officedocument.presentationml.slideshow    ppsx
application/vnd.ms-powerpoint.presentation.macroEnabled.12                pptm
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx
application/vnd.ms-excel.sheet.binary.macroEnabled.12                     xlsb
application/vnd.ms-excel.sheet.macroEnabled.12                            xlsm
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet         xlsx
application/vnd.ms-xpsdocument                                            xps
application/vnd.ms-powerpoint.template.macroEnabled.12                    potm
application/vnd.openxmlformats-officedocument.presentationml.template     potx
application/vnd.ms-powerpoint.addin.macroEnabled.12                       ppam
application/vnd.ms-excel.addin.macroEnabled.12                            xlam
application/vnd.ms-excel.template.macroEnabled.12                         xltm
application/vnd.openxmlformats-officedocument.spreadsheetml.template      xltx

Once done, restart Apache and MS Office files should download correctly.
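As an added example (not from the original post), the Python helper below parses a mime.types file in the format above and merges in whichever of the Office entries are missing, so the change can be applied repeatedly without duplicating lines. The type/extension pairs are the ones listed in the post; the function names and the merge-rather-than-append approach are my own.

```python
# Office Open XML and related MIME types, keyed by extension (no leading dot,
# which is how mime.types expects them).
OFFICE_MIME_TYPES = {
    "docm": "application/vnd.ms-word.document.macroEnabled.12",
    "docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "dotm": "application/vnd.ms-word.template.macroEnabled.12",
    "dotx": "application/vnd.openxmlformats-officedocument.wordprocessingml.template",
    "ppsm": "application/vnd.ms-powerpoint.slideshow.macroEnabled.12",
    "ppsx": "application/vnd.openxmlformats-officedocument.presentationml.slideshow",
    "pptm": "application/vnd.ms-powerpoint.presentation.macroEnabled.12",
    "pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    "xlsb": "application/vnd.ms-excel.sheet.binary.macroEnabled.12",
    "xlsm": "application/vnd.ms-excel.sheet.macroEnabled.12",
    "xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "xps":  "application/vnd.ms-xpsdocument",
    "potm": "application/vnd.ms-powerpoint.template.macroEnabled.12",
    "potx": "application/vnd.openxmlformats-officedocument.presentationml.template",
    "ppam": "application/vnd.ms-powerpoint.addin.macroEnabled.12",
    "xlam": "application/vnd.ms-excel.addin.macroEnabled.12",
    "xltm": "application/vnd.ms-excel.template.macroEnabled.12",
    "xltx": "application/vnd.openxmlformats-officedocument.spreadsheetml.template",
}

def parse_mime_types(text):
    """Parse mime.types content into {extension: type}; '#' starts a comment."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mime, *exts = line.split()          # a type may have zero or more extensions
        for ext in exts:
            mapping[ext.lstrip(".").lower()] = mime
    return mapping

def merge_office_types(text):
    """Return (new_text, added): text plus entries for extensions it does not map yet."""
    existing = parse_mime_types(text)
    missing = {e: t for e, t in OFFICE_MIME_TYPES.items() if e not in existing}
    out = text if (not text or text.endswith("\n")) else text + "\n"
    out += "".join(f"{mime}\t{ext}\n" for ext, mime in sorted(missing.items()))
    return out, len(missing)

if __name__ == "__main__":
    import sys
    path = sys.argv[1]                      # e.g. /etc/mime.types (run as root, then restart Apache)
    with open(path) as fh:
        merged, added = merge_office_types(fh.read())
    with open(path, "w") as fh:
        fh.write(merged)
    print(f"added {added} entries to {path}")
```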

Securing File Uploads

We’ve noticed recently that a small number of customer websites have had issues with defacements and, more generally, malicious content being added to them, and they’ve all had one thing in common – the way in which they were hacked. In every recent instance it has come down to the site allowing users to upload content to it.

The problems with this are:

  • Most scripts upload to a publicly accessible directory
  • Most scripts don’t even perform basic content checks
  • Most scripts allow any type of file to be read/executed from the upload directory

When we combine all three we end up with a situation where someone can upload a PHP script to your uploads directory and then trigger it from their web browser – basically giving themselves the same level of access to your account as you would have via FTP (we run PHP under each user’s own username via suPHP so that one user’s problems can’t affect another user).

So what do we recommend?

  • Keep your upload directory outside of your document root (generally public_html) if you possibly can
  • Make sure your upload scripts only allow the content you want to be uploaded – basically check it against a whitelist, if it’s not in the whitelist don’t allow it. Deny everything, allow only what you require
  • Make sure only content you allow can be accessed from the upload directory, you can do this with a .htaccess file, an example is shown below:

Allow only JPEG, GIF and PNG files to be accessed:

# Apache 2.2-style access control: deny everything, then allow only image extensions
<FilesMatch ".*">
 Order deny,allow
 Deny from all
</FilesMatch>

<FilesMatch "\.(jpe?g|gif|png)$">
 Order deny,allow
 Allow from all
</FilesMatch>

There are more things that can be done, but these should serve as a starter for improving your site security.
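Putting the allow-list and content-check advice into code, as an added example that is not part of the original post: the checker below accepts only the three image types from the .htaccess above, verifies that the file’s leading bytes match what the extension claims, and stores it under a server-chosen random name in a directory you pass in (which, per the recommendation above, should sit outside public_html). The ALLOWED table, the function names and the upload_dir argument are my own choices.

```python
import os
import secrets

# Allow-list of what this site accepts: extension -> (MIME type, accepted magic bytes).
# Anything not listed is rejected: deny everything, allow only what you require.
ALLOWED = {
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
    "png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
}

def check_upload(original_name, data):
    """Return the (lower-cased) allowed extension, or raise ValueError saying why it was refused."""
    ext = os.path.splitext(original_name)[1].lstrip(".").lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not in allow-list")
    _, magics = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        raise ValueError("content does not match the claimed type")
    # An image that also carries a PHP open tag is refused outright: if the server
    # ever executes it, it is a script, whatever the extension says.
    if b"<?php" in data:
        raise ValueError("embedded script tag in upload")
    return ext

def store_upload(original_name, data, upload_dir):
    """Save under a random name in upload_dir and return that name."""
    ext = check_upload(original_name, data)
    name = f"{secrets.token_hex(16)}.{ext}"   # never reuse the user-supplied file name
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return name
```

Serve stored files through a script that reads them from upload_dir and sets the Content-Type from ALLOWED, rather than linking to the directory directly.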

osCommerce & WordPress Exploit

We’ve been made aware of a new exploit that appears to have been launched today that is so far targeting WordPress and osCommerce installations. If you are running either of these pieces of software we recommend that you upgrade to the latest version as soon as possible. With osCommerce we would actually recommend you switch to an alternative product such as Zen Cart, as the development process is very slow and often stagnates.

The exploit itself creates .htaccess files in any directory where it has write permissions and places the following two lines in them, or appends them to the end of an existing .htaccess:

AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html

The file /tmp/25454b22bf39c75795851f39d5e347c4 claims to be “mini suhosin”, part of the Suhosin PHP security software; it is not. The exploit also tries to leave a back door into the infected system by leaving a shell process called minisuhosin running.
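To help find affected sites, here is an added example (not from the original post) that scans a directory tree for .htaccess files containing an AddType line that hands .htm or .html files to the PHP handler, as the .htaccess addition described above does. The function names, the tolerance for handler variants such as x-httpd-php5, and the set of extensions treated as non-PHP are my choices.

```python
import os
import re

# AddType lines for the PHP handler; case-insensitive and tolerant of handler
# variants like application/x-httpd-php5 that some hosts use.
PHP_HANDLER = re.compile(r"^\s*AddType\s+application/x-httpd-php\S*\s+(.*)$", re.I)
# Extensions that a normal site should never hand to the PHP interpreter.
NON_PHP_EXTS = {".htm", ".html"}

def suspicious_addtype_lines(text):
    """Return (line_no, line) for AddType lines mapping non-PHP extensions to the PHP handler."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PHP_HANDLER.match(line)
        if not m:
            continue
        exts = {e.lower() for e in m.group(1).split()}
        if exts & NON_PHP_EXTS:
            hits.append((no, line.strip()))
    return hits

def scan_tree(root):
    """Walk root and report every .htaccess carrying such a line as (path, line_no, line)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, errors="replace") as fh:
                text = fh.read()
        except OSError:          # unreadable file: skip rather than abort the whole scan
            continue
        for no, line in suspicious_addtype_lines(text):
            findings.append((path, no, line))
    return findings

if __name__ == "__main__":
    import sys
    for path, no, line in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{no}: {line}")
```

A hit is an indicator, not proof: compare against your known-good .htaccess files, and check for the /tmp file and the minisuhosin process mentioned above on the same account.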

Get an EV SSL Certificate for £99.95/year

That’s right, you can now get an Extended Validation (EV) SSL security certificate for only £99.95 + VAT per year! That’s a saving of over £250 on a 2 year certificate.

What is an EV SSL?

Extended Validation certificates are designed to work with web browsers from Internet Explorer 7 onwards (and Firefox, Chrome, Opera and Safari) and give users a green address bar, with scrolling information next to it showing who the certificate is registered to and who issued it, and confirming that the business is registered with the correct government bodies. This gives visitors using a compatible browser instant reassurance that your site is secure and trustworthy – just as they see when they log in to their online banking.

Why would I want an EV SSL?

These certificates are designed to provide absolute peace of mind for their users. All issuers apply strict validation to ensure that a certificate is only issued to the company whose name it carries, and that the department or person requesting it has the authority to do so – meaning that rogue employees and criminal gangs cannot get an EV SSL issued in your company name and commit fraud.

If you’re carrying out online sales then an Extended Validation SSL is the ultimate in confidence for your users that you are who you say you are and that their data will be safe in transit to you.

If you’d like to order an EV SSL then please email us – sales@support.kdaws.com or alternatively, if you’d just like a standard SSL certificate then we can offer those as well, you can find more information about them on our SSL certificates page.

New Support System

As some of you will know, we’ve been having some issues with our current support system for a while now. Whilst it was initially a very good system, its development has virtually stopped, leaving us in the position of having to find a new one. Today we have implemented our new system, using the well known and widely used Kayako Support Suite.

The new system is available at: http://support.kdaws.com/desk and will eventually just move to being http://support.kdaws.com once all tickets in the current system have been closed out.

Along with the new system we have simplified the email addresses for opening tickets via email, we now have just three:

Billing Enquiries: billing@support.kdaws.com

Sales Enquiries: sales@support.kdaws.com

Support Enquiries: help@support.kdaws.com

We hope this will provide a more streamlined and easier to use system.