Archive for the 'cPanel' Category


posted by Alan Burns @ 18:04 PM
May 12, 2011


If you’re a security conscious Internet user, I’m sure you look for an https connection and padlock icon when using your on-line banking or making purchases. What about your web hosting account?

Regular http traffic can be intercepted and read by nefarious characters. If, for example, your reseller account login were stolen, someone could create dozens of web sites and mail accounts to use for spamming, virus distribution and other unethical or illegal purposes.

Your web host should use https for secure login to your control panel. On all newer and most older servers, WebHostingBuzz forces https, so that even if the user enters the insecure http, the login will occur over https. This is a good security measure.

For cPanel hosting, https uses a different port than http. The regular logins for cPanel and WHM are:

  • cPanel:  http://domain.com:2082
  • WHM:  http://domain.com:2086

For https over SSL, they are usually:

  • secure cPanel:  https://domain.com:2083
  • secure WHM:  https://domain.com:2087

If you’re on cPanel hosting, try those secure login ports. Some clients, unaware that their hosts had SSL access available, found that those URLs worked to give them secure access.

If your host does not offer control panel access over SSL, ask them why not. They should be encouraged to offer secure access, as it’s in the interests of both them and their clients.

If you have a reseller account, you could create secure access for yourself. I did this at a previous host that lacked shared SSL. I installed my own self-signed SSL certificate to gain secure access to cPanel, WHM and my SquirrelMail installation.

Your web hosting account is an important asset. Take steps to protect it.


posted by Alan Burns @ 18:42 PM
May 10, 2011


If you are using or shopping for a web host, you may have come across the term “LAMP server”. It’s not a type of hardware but, rather, a web server based on open source software. LAMP is an acronym formed from the first letter of each of the four major components:

  • Linux (operating system)
  • Apache (HTTP server)
  • MySQL (database software)
  • PHP (scripting language, sometimes replaced or supplemented by Python or Perl)

Linux is an operating system based on Unix, noted for security and stability.

Apache is the web server that receives incoming traffic, processes the requests, and serves up the required web pages. It’s the most popular type of web server.

MySQL is a multi-user database. It can be used to store data that are then served into dynamic web pages. Data could be a retailer’s products, a club’s member list, or your vinyl record collection to show off to site visitors.

PHP is a scripting language used to program web sites. One of its advantages is that its language can be read by humans relatively easily. This allows even novices to begin writing scripts for their web sites.

LAMP web servers are popular because they are stable, well understood, and the open source software can be modified and customized as needed. While the components were all designed separately, they create an effective package. Here at WebHostingBuzz, LAMP servers are used as LAMP is bundled into the cPanel release.

LAMP servers’ popularity, coupled with the open source nature of the components, means that plenty of documentation and help are available. When you want to learn how to add a feature or program something for your site, just search the WWW as there are thousands of tutorial sites and forums on these components. I programmed a hierarchical navigation menu system for my site using information from tutorial and reference web sites, plus a little help from on-line contacts.

When you choose web hosting on a LAMP server, you’re joining a huge community. Explore each component and you’ll be amazed what you can do to trick out your web site.


posted by Alan Burns @ 0:09 AM
May 3, 2011


Have you ever wanted the security of SSL (Secure Socket Layer) for your web site, but didn’t want the cost of a certificate? If you need only the security and not the stamp of approval from the big issuers, then you can create your own SSL certificate.

Communications over the internet are by default insecure. If e-mail or form inputs are intercepted, your information can be read. That’s why on-line shopping, bank and auction sites use SSL. An SSL connection encrypts the traffic, so even if intercepted it cannot be read. You can tell that you’re using a secured connection by the little padlock icon in your web browser.

Commercial SSL certificates are issued by a certificate authority such as GeoTrust and Verisign. The certificate authority provides third-party validation that the web site is who it says it is. Web browsers are designed to automatically accept certificates issued by the major certificate authorities.

Self-signed certificates are useful when you need the security of SSL encryption, but don’t need a recognizable authority name on the certificate. For an end user, the obvious difference between a certificate issued by a major certificate authority and a self-signed is that the self-signed certificate will generate a browser warning.

The web browser, upon encountering a self-signed SSL certificate, warns the user that it does not recognize the certificate authority. While this would be unsuitable for on-line sales, it’s fine for many other types of access. As long as your users are aware that you’re using a self-signed SSL cert, it’s not a problem. The first time users connect and receive the warning, they can use browser commands to accept and install the certificate. Once a user installs your cert as a trusted cert, no warnings will appear on subsequent connections.

Note that the level of encryption, and therefore security, are the same with a self-signed cert as with one from a major certificate authority. On one of my web sites I run an installation of SquirrelMail and use a self-signed SSL certificate to provide secure login and use of that web mail application for my users.

Installing a self-signed SSL certificate on a cPanel server

To install on a cPanel server, you need a reseller or VPS hosting account. You’ll also need a dedicated IP address, to separate the site from others on the shared hosting server. Here at WebHostingBuzz, reseller accounts include dedicated IP addresses, and you may use one of those for your certificate.

Create a self-signed SSL certificate

  1. Login to WHM.
  2. Click “Generate a SSL Certificate & Signing Request”.
  3. Enter “Contact info” with a valid e-mail address.
  4. Enter or generate a password, making sure it is sufficiently long with a mixture of letters, numbers and symbols.
  5. Under “Host to make cert for”, enter the domain on which you want the SSL.
  6. Click “Create”.
  7. Copy the text displayed for the .key and .crt, and paste them into a text file on your computer. You may need that text in the next steps.

Install a self-signed SSL certificate

  1. In WHM, click “Install an SSL Certificate and Setup the Domain”.
  2. Enter the domain name, account user name, and IP address for the certificate in the Domain, User, and IP Address fields.
  3. Click “Fetch” to paste the .key and .crt files for the domain into the available display spaces, if they are currently on your server. (The first time I did this, clicking Fetch automatically pasted the required data into the fields. When I created later certs, I had to manually paste in the information.)
  4. Don’t enter anything in CA bundle: there is no Certificate Authority because you are installing a self-signed cert.
  5. Click “Submit”, then wait for all processes to complete. WHM will display various lines of information and finally display “Finished Install Process.. “
  6. Point your web browser to https:// followed by the domain, to see your new SSL connection working.

If you don’t see the SSL commands in your WHM, it may be because you don’t have a dedicated IP on your account. Once you have a dedicated IP assigned to a domain, the SSL Certificate links/commands will appear in WHM.

Since I began using self-signed SSL certificates a few years ago, several free and public domain certificate authorities have appeared. They issue certificates similar to those from the large commercial certificate authorities. The drawback is that most of them are not yet automatically trusted by major web browsers, meaning that users would see the same warning as when using a self-signed certificate. If these free issuers eventually get approval from the major web browsers, they would be a good alternative.


posted by Alan Burns @ 23:57 PM
April 23, 2011


It must be a truism that you never need a backup so much as when you don’t have one. More than once I’ve received a panicked call from a friend, client or co-worker after they’ve suffered a drive failure or other data loss. As long as a recent backup is available, a little restoration work leads to a happy ending. Without a backup, the outcome is often more traumatic.

The same is true for your web site. Server hard drives can fail. Whether your web host does periodic backups or not, you need to take responsibility for your own backups. Any popular web hosting control panel should have a backup utility. I’m most familiar with cPanel, used at WebHostingBuzz, and as that’s also one of the most widely used control panels I’ll detail its backup process.

cPanel site backup

  1. Login to cPanel
  2. Click Backups
  3. Click Download or Generate a Full Web Site Backup
  4. Select the Backup Destination, choosing Home Directory
  5. You may enter an e-mail address: the system will send a message to that address when the backup is finished.
  6. Click Generate Full Backup button.

The backup will create a .tar.gz archive, in this format:

backup-4.23.2011_19-11-18_accountname.tar.gz

The first set of numbers denotes the date of the backup, while the second set is the time stamp. This allows you to easily differentiate backups, if you accumulate several.

You may then download that file to your personal computer via FTP.

cPanel’s Full Backup backs up the entire site, not only your web pages, scripts and images, but other features such as mail forwarders, mail accounts, and configuration files. If you need to backup just certain aspects of your site, there are also these individual options:

  • Download a Home Directory Backup
  • Download a MySQL Database Backup
  • Download Email Forwarders
  • Download Email Filters

It’s vital that you keep a copy of your web site. If you follow my advice, you will already have a copy of your web pages since you will create those on your local computer prior to uploading. This is safer than editing directly on the server, as I explained in an earlier article.

Keep recent backups of your web site. If you ever need them, you’ll be glad you did.


posted by Alan Burns @ 13:28 PM
March 23, 2011


In an earlier article I described how mail forwarders work. They are a useful feature. So much so that some of us have long lists of forwarders for our domains.

Creation and editing of mail forwarders is normally handled via cPanel’s web interface. Those of us with long lists, though, now find it awkward due to a change made by cPanel developers to sub-divide long lists of items such as mail forwarders into multiple pages, as detailed in an earlier article.

If you have a VPS (virtual private server) hosting plan, you might prefer to directly edit the file containing the forwarders. This can be achieved via an SSH connection. For security purposes, SSH may be disabled by default on your server, so you may need to request SSH access from your host.

Once logged in to your VPS as root, over SSH, change directory to /etc/valiases/:

cd /etc/valiases/

In valiases you should see several files, one per domain. If you cannot find that directory, then ask your host, as configuration does vary somewhat, though that is the most common path.

Use Midnight commander (‘mc’ command), ‘vi’ or ‘nano’ commands to edit those files. To create a forwarder, add lines in this format:

myaccount@domain.com: myaccount@gmail.com, myaccount@yahoo.com
*: :fail: No Such User Here

The last line is necessary to avoid delivery to non-existent mail accounts and addresses.
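After hand-editing a valiases file, it is worth checking it before relying on it. The following is an added example, not part of the original article or of cPanel: a small linter that understands only the two line forms shown above, confirms the ":fail:" catch-all is present, and lists forwarders that copy mail to another domain. The sample addresses and the function names are constructed for the example.

```python
import re

# Constructed sample in the two line forms shown above; all addresses are placeholders.
SAMPLE_VALIASES = """\
myaccount@domain.com: myaccount@gmail.com, myaccount@yahoo.com
sales@domain.com: owner@domain.com
*: :fail: No Such User Here
"""

ADDRESS = re.compile(r"^[^@\s,:]+@[^@\s,:]+\.[^@\s,:]+$")


def parse_valiases(text):
    """Parse one valiases file into (forwarders, catch_all, problems)."""
    forwarders, catch_all, problems = {}, None, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        source, sep, target = line.partition(":")
        source, target = source.strip(), target.strip()
        if not sep or not source or not target:
            problems.append(f"line {number}: expected 'address: destination'")
            continue
        if source == "*":
            if catch_all is not None:
                problems.append(f"line {number}: second catch-all line")
            catch_all = target
            continue
        destinations = [d.strip() for d in target.split(",") if d.strip()]
        # This sketch only understands plain addresses, so anything else
        # (pipes, file paths, local user names) is reported for manual review.
        for address in [source] + destinations:
            if not ADDRESS.match(address):
                problems.append(f"line {number}: review '{address}'")
        if source in forwarders:
            problems.append(f"line {number}: duplicate entry for {source}")
        forwarders.setdefault(source, []).extend(destinations)
    if catch_all is None:
        problems.append("no '*:' catch-all line found")
    elif not catch_all.startswith(":fail:"):
        problems.append(f"catch-all delivers to '{catch_all}' instead of :fail:")
    return forwarders, catch_all, problems


def off_domain(forwarders, domain):
    """Return the forwarders that copy mail to an address outside `domain`."""
    suffix = "@" + domain.lower()
    result = {}
    for source, destinations in forwarders.items():
        outside = [d for d in destinations if not d.lower().endswith(suffix)]
        if outside:
            result[source] = outside
    return result


if __name__ == "__main__":
    forwarders, catch_all, problems = parse_valiases(SAMPLE_VALIASES)
    for source, outside in off_domain(forwarders, "domain.com").items():
        print(f"{source} forwards off-domain to {', '.join(outside)}")
    for problem in problems:
        print("PROBLEM:", problem)
```

An off-domain forwarder that nobody remembers creating deserves a closer look, since a forwarder silently copies every message sent to that address.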

Root access is one of the many advantages of a VPS hosting plan. It provides more control, more features, and ways to directly access files that are often faster than using the cPanel GUI.


posted by Alan Burns @ 23:27 PM
March 5, 2011


Many studies have found that one of the most common passwords is “password”. This is likely because it is the default in many systems. A very bad default, in my opinion.

We’re overwhelmed by passwords, so it’s not surprising that many people choose highly insecure, but easy to type and remember, passwords. They’re creating a large risk for themselves by doing that.

When creating a password, do a threat assessment, judging the risk to you if someone guesses or hacks the password. An on-line forum is not a great risk, as likely all that could happen is that someone could make postings or send internal messages in your name. Your web hosting account or on-line bank are much more serious, and require very strong passwords.

Create a password that mixes upper and lower-case letters, numbers and, if the system allows it (many don’t), symbols such as hyphen, #, @, or %. If you find strong passwords difficult to remember, create a mnemonic or a phrase in which you enter the first character of each word, substituting 1 for i, 3 for e, etc. Not all systems allow you to include special characters, which in my view is a foolish limitation.

Do not use only words found in the dictionary, as password cracking software quickly tries all of those. Do not use your birthday, or spouse’s name, or your city, or any other personal data that could be easily guessed by someone who knows a few of your details.

Do not write your password on something you leave accessible. Don’t, as too many people do, keep a written copy of your ATM banking password in your wallet. I recall a boss whose office computer and network password was “tigger”. This was poor in three ways:

  1. It is too short.
  2. It’s the name of a popular Winnie the Pooh character.
  3. He wrote it on a yellow post-it note stuck to his office workstation for all to see.

Also, according to one study, Top 500 Worst Passwords of All Time, it’s the 34th most common password. Another common password is “ncc1701”, the registration number of the USS Enterprise from the original Star Trek. One of my clients uses this as his cPanel web hosting password (no, I do not host his sites).

That 500 Worst Passwords list makes for interesting reading. I found many themes. Cars are a common choice: mustang, porsche, firebird, camaro, corvette, toyota, ferrari, bronco, jaguar, viper, saturn, mercedes, sierra, blazer, ford, falcon, scorpion, dakota, ranger.

Sports teams are another favourite: flyers, giants, eagles, yankees, rangers, packers, redsox, gators, cowboys, braves, dolphins, redwings, broncos, redskins, raiders, angels, arsenal, united, chelsea. Sports also make the most common list: baseball, football, fishing, golfer, tennis, nascar, swimming, soccer, hockey.

Within the top 500 are many place names: austin, japan, canada, boston, newyork, brazil, phoenix, dallas, brandon, chicago, victoria, london, paris, sydney, russia, florida.

Many common first names are used: jennifer, michael, eric, jack, michelle, daniel, william, george, thomas, robert, kevin.

There are colours: black, orange, purple, white, yellow, blue.

Surprisingly, there is a large number of sex related words. You can check for yourself, I won’t repeat them here.

Even when people try to be clever by using numbers instead of common words, they use obvious strings that are used by thousands of other people: 123456, 1234, 1111, 12345, 12345678, 2222, 7777, 5555, 6666, 666666, 1212, 0, abc123.

If you have trouble coming up with good passwords, you can use a random password generator such as this one. If you’re working on your cPanel web hosting account, you’ll find a password generator built into cPanel, to use when creating mail accounts and FTP accounts, and for reseller and VPS accounts there is one in WHM when creating new cPanel accounts.

Choose a method that works for you, but be sure to protect yourself with strong, uncommon passwords.
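The checks described in this article can be automated. The following is an added example, not part of the original article and not cPanel's own generator: it flags a password that is short, uses few character classes, contains personal details, or is a common password disguised with digit substitutions or padding, and it generates a random replacement. The word list is a small subset of the entries quoted above; the minimum length of 12 and the extra substitution pairs are assumptions.

```python
import secrets
import string

# A few of the entries quoted in this article; a real check would load a full list.
COMMON = {
    "password", "tigger", "ncc1701", "mustang", "porsche", "ferrari",
    "yankees", "cowboys", "arsenal", "baseball", "football", "hockey",
    "austin", "london", "jennifer", "michael", "purple", "yellow",
    "123456", "1234", "12345678", "666666", "abc123",
}

# The article mentions 1 for i and 3 for e; the other pairs are assumptions.
LEET = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12     # assumption: the article gives no figure
SYMBOLS = "-#@%"    # the symbols the article names


def weaknesses(password, personal=()):
    """Return a list of weakness codes; an empty list means none were found."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("short")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        found.append("few-classes")
    lowered = password.lower()
    # Undo the usual disguises: digits or symbols added at either end,
    # and look-alike characters swapped in for letters.
    stripped = lowered.strip(string.digits + string.punctuation)
    variants = {lowered, stripped,
                lowered.translate(LEET), stripped.translate(LEET)}
    if variants & COMMON:
        found.append("common")
    if any(item and item.lower() in lowered for item in personal):
        found.append("personal")
    return found


def generate_password(length=16):
    """Return a random password that passes every check in weaknesses()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("tigger", "T1gg3r!", "ncc1701", "Mustang2011!!"):
        print(f"{sample!r}: {weaknesses(sample)}")
    print("generated:", generate_password())
```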


posted by Alan Burns @ 23:50 PM
February 21, 2011


It can be confusing to shop for web hosting. There are so many plans and types of hosting that it can be difficult to know where to begin. Today I’m going to give you a brief explanation of each of the major types of hosting.

Shared hosting
This is likely the most common form of hosting used by individuals and small businesses. The “shared” refers to the fact that the hosting account shares a server with many other such accounts. The web host carves up a server’s disk storage and bandwidth resources into smaller packages to sell as shared accounts.

Shared hosting enables the client to get space on, potentially, a high quality server with good Internet connections at a relatively low price. Shared hosting is where most of us begin our hosting experience.

Some of the limitations of shared hosting are:

  • performance of your web site can be affected by other accounts on the server that are running insecure scripts that hog server resources;
  • if another account on the server sends out spam, your server’s mail IP address could get blacklisted, causing your sent mail to be blocked by recipient servers until your web host deals with the issue;
  • you typically have little control over server configuration, as that is all handled by the web host.

Reseller hosting
Reseller hosting is sort of a “super shared” hosting account. It was originally designed as a way to enable small-scale web hosting businesses. Even a one-person business can, with reseller hosting, create and sell shared hosting. However, I believe that the real value of reseller hosting has nothing to do with reselling.

A reseller hosting account typically provides you with a control panel at a higher level than shared hosting, enabling you to control all the shared accounts below you. I find this enormously convenient for managing my multiple domains and web sites. Think of them not as plans for people reselling web hosting, but as plans for anyone who wants an easier and more powerful way to manage multiple domains, web sites and hosting accounts.

Here at WebHostingBuzz, shared hosting accounts use the cPanel control panel, and reseller accounts also get WebHost Manager to administer those shared accounts. The reseller account can, with a single login, make changes to all client accounts and access all the client accounts’ cPanels. This is a real time saver when managing multiple domains and sites, as I do.

Reseller accounts also have a wealth of features and functions not available in shared hosting. In one of my earlier articles I explained reseller hosting in more detail.

VPS hosting
Virtual Private Server (VPS) hosting is a level above reseller hosting. As the name implies, it mimics the control available with a dedicated server, but at a lower price.

The web host configures a server into several VPS accounts. Each VPS account has a share of the server’s resources allocated to it as a minimum performance standard, plus the use of additional processing resources when available. A VPS account gives you virtual root access and the ability to configure your virtual server as though you controlled an entire server.

Typically a VPS account comes with a control panel for management. At WebHostingBuzz, cPanel’s WHM is one of the available choices. The VPS control panel allows you not only to create shared hosting accounts, as with a reseller account, but also to create and sell reseller accounts.

For many of us with many domains and sites, a VPS account gives us everything we need. It provides the level of control of a dedicated server, but at an affordable price. Also, if you plan to one day manage a server yourself, a VPS account is a great transition.

Dedicated hosting
Dedicated hosting assigns an entire server to you. You have full control of server configuration, and can choose to split it up into multiple accounts or operate it for one high-volume high-performance site. Depending upon the host, you may have the option of choosing hardware specs. yourself for your server.

One of the big decisions to make when choosing a dedicated hosting plan is whether you want the server to be managed or unmanaged. Managed means that the web host takes care of updating software and applying security patches for you. Unmanaged would require you to do that work. At WebHostingBuzz, as an example, one can choose an unmanaged server, a fully managed server, or several options in between those two extremes.

Unlimited hosting
This is not actually a type of hosting, but as you’ll often see the term advertised I thought I should explain it. The “unlimited” refers to the disk space and bandwidth allowed with the hosting plan. While this is often advertised by low-price hosts, unlimited is never truly unlimited. With a low-price host, your unlimited plan will quickly become limited, or you will be asked to upgrade at a higher price, if you use a high amount of server resources.

Windows or Unix/Linux
Most web hosting uses a version of Unix, often built on an open source Linux variant. Unix hosting is usually less expensive than Windows hosting. Traditionally it has also been more stable, although recent versions of Windows hosting have naturally tried to improve stability. Unless you have a specific need for Windows hosting, go with Unix/Linux.

What do I use?
I began running a web site using free space provided by my ISP. I soon found that too limiting, and moved to shared hosting. As soon as I had a few domains and sites, reseller hosting was the answer to my need for easier and more flexible management of multiple accounts.

I now use a VPS, and like the ability to change server config. and have greater control over all accounts. I could go back to reseller hosting, but I could never return to shared hosting. I hope that helps you in your decision making.


posted by Alan Burns @ 21:31 PM
February 15, 2011


cPanel, and its big brother WHM, can sometimes be frustrating. While cPanel is one of the most popular web hosting control panels, for good reason, it also suffers from some annoying choices by developers.

In a cPanel update back in 2009 or so, a new feature was added to sub-divide long lists of items such as mail forwarders into multiple pages. From my observation, this change affects at least these features:

  • Email Accounts
  • Forwarders
  • Subdomains
  • Addon Domains

It probably affects others such as Parked Domains and Redirects, in fact any feature that displays a list of enabled items.

When opening one of those pages, for example forwarders, instead of displaying all forwarders as it did previously, now it displays only 10. There is a new control “Showing x Results per page”, where “x” is a drop down list allowing selection of 10, 25, 50, 100, 250, or 500.

The result is that if you want to see more than 10 items, you must make a selection from that list every time you visit the page. Even if you change it to a higher value, say 500, and then change pages or create or edit an item, the next page display again returns to the default of 10. This is enormously frustrating when editing or managing multiple items such as forwarders or mail accounts.

Here’s what I think happened. When there are many items, such as a long list of forwarders, buttons such as “Add Forwarder” and “Add Domain Forwarder” were moved far down the page, below the list. Some clever cPanel developer decided that it would look better with a shorter list, hence it was split into multiple pages and a user selection control added.

There have been complaints about this. In response, one year ago a cPanel support rep. wrote this:
“At the present time it is not possible for cPanel account users to change the default number of items per page without assistance from the hosting service provider; however, this feature request will ensure the feature idea is considered for possible implementation in the future.”

A later update from the cPanel support rep. said:
“If a user changes the “Results per page” on a screen in the cPanel interface, for example: from 10 to 50, that setting should be remembered for the next time the cPanel user visits that page. Furthermore, this preference should now be applied to all cPanel pages where this setting is present.”

So, they added a feature that made user tasks more difficult. Now they plan to build a fix on top of that to change how the feature works.

What the developers should do is stand back and re-evaluate the entire page, not just try to add new code to modify their previous modification. If the issue is that the buttons potentially move too far down the page after a long list, then redesign the pages so, for example, the buttons for “Add Forwarder” and “Add Domain Forwarder” are at the top of the page. That solution would have been simpler, more elegant, and not necessitated the added user input and code complexity of the drop down list selection and upcoming additional code to remember the user’s selection.

If they are determined to retain this approach of splitting the list into multiple pages with a user selection, then at least allow the user to override it. Or, allow the cPanel user to set an account-wide default of the number of items per page, ideally with one selection being unlimited. Even better, the default should be able to be set for all cPanel accounts via the reseller’s WHM.

This serves as a cautionary example when you are designing web pages or other user interfaces. Don’t focus on one element, adding code upon code to fix user issues. Try to see the forest and not just a tree or two, and consider how changing the overall layout might improve the user experience.


posted by Alan Burns @ 16:45 PM
February 8, 2011


A few days ago I explained how to use cPanel’s Index Manager function to prevent or alter directory indexing. Today I’ll tell you how a reseller or VPS (Virtual Private Server) hosting account can change this default for all new cPanel accounts.

Reseller

  1. First, create a text file. In that text file, paste the following line:

    Options -Indexes

  2. Save that text file as “.htaccess”.

    If your text editor won’t let you choose that filename, save it as htaccess.txt. Then, in your file explorer select that file icon and change the filename to “.htaccess”. If your system still won’t allow that, then leave it as is and change the filename after you upload the file to your web hosting account.

  3. Create a /public_html directory within your skeleton directory. (If you followed my instructions in my earlier article to create a default web page, then this directory already exists.)
  4. Upload the .htaccess file to /cpanel3-skel/public_html.

Any newly-created cPanel account I create will now have directory indexing disabled for all web directories. If the new cPanel account holder wants a different setting, he/she may use cPanel’s Index Manager function to enable directory indexing.

VPS

VPS accounts have a higher level of control than resellers, and can make server config changes. A VPS account can change the default for directory indexing to disabled.

  1. Login to VPS as root.
  2. Service Configuration > Apache Configuration > Global Configuration.
  3. Under “Directory ‘/’ Options” uncheck “Indexes”.

This disables directory indexing for all accounts under the VPS. If a cPanel account holder wants a different setting, he/she may use cPanel’s Index Manager function to enable directory indexing.


posted by Alan Burns @ 22:44 PM
February 4, 2011


When accessing a directory (rather than a page) on your site, a visitor will by default see the index page for that directory. If the directory does not contain an index file, the browser will display a list (or index) of the files in that directory.

For example, browsing to yourdomain.com/images/ would, if there were no index file (such as index.html) display a list of the contents, such as shown in this screenshot:

To prevent this directory listing, you can use an .htaccess file (a topic I’ll cover in a future article). If you’re not yet familiar or comfortable working with htaccess, there is a function in cPanel that will take care of it for you.

In cPanel under the Advanced section, click “Index Manager”. Choose public_html or whatever directory you want to change.

Index Manager allows you to customize the way a directory will be viewed on the web. You can select between a default style, no indexes, or two types of indexing. If you do not wish for people to be able to see the files in your directory, choose “no indexing”.

  1. Select the directory in which you wish to begin navigating your website’s contents using the pop-up window.
  2. To navigate Index Manager, click the folder icon next to the directory name.
  3. Click the name of the directory for which you want to change the indexing style.
  4. cPanel offers 4 options; select 1 of the following:
    • Standard Indexing: Contents appear only as filenames.
    • Fancy Indexing: Information about the files, such as the size and time last modified, appear.
    • Default System Setting: The default defined by your web host will be used.
    • No Indexing: The contents of the directory are not listed; visitors will see a message stating that the contents are “forbidden.”
  5. Click Save.

With directory listing/indexing disabled, someone visiting a directory without an index file will now see this:

cPanel creates the required .htaccess file and entries for you. Because of the way .htaccess works, your new setting applies to the current directory and all sub-directories. If you want a different setting for a particular sub-directory, just use Index Manager again for that directory and select your desired setting.
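To see which directories of a site would still show a listing, the inheritance rule just described can be applied to a local copy of the site. The following is an added example, not part of the original article or of cPanel: it walks a document root, carries each .htaccess “Options” setting down to sub-directories, and reports directories that have indexing in effect and no index file. It assumes the index file names listed in INDEX_FILES, reads only “Options” lines in .htaccess files, and takes the server-wide default as a parameter because the server configuration is not visible from the site files; the sample tree is constructed.

```python
import os
import re
import tempfile

INDEX_FILES = ("index.html", "index.htm", "index.php")  # assumed index file names
OPTIONS_LINE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)


def indexes_setting(htaccess_path):
    """Return True/False when the file switches Indexes on/off, else None."""
    setting = None
    with open(htaccess_path, encoding="utf-8", errors="replace") as handle:
        for line in handle:
            match = OPTIONS_LINE.match(line)
            if not match:
                continue
            tokens = [t.lower() for t in match.group(1).split()]
            if not tokens:
                continue
            if all(t[0] in "+-" for t in tokens):
                # Relative form: only the named options change.
                if "+indexes" in tokens:
                    setting = True
                if "-indexes" in tokens:
                    setting = False
            else:
                # Absolute form replaces the inherited set of options.
                names = [t.lstrip("+-") for t in tokens]
                setting = "indexes" in names or "all" in names
    return setting


def listable_directories(docroot, server_default=True):
    """Return docroot-relative directories whose contents would be listed."""
    effective, exposed = {}, []
    docroot = os.path.abspath(docroot)
    # os.walk visits parents before children, so the parent's setting is known.
    for dirpath, _dirnames, filenames in os.walk(docroot):
        inherited = effective.get(os.path.dirname(dirpath), server_default)
        own = None
        if ".htaccess" in filenames:
            own = indexes_setting(os.path.join(dirpath, ".htaccess"))
        effective[dirpath] = inherited if own is None else own
        has_index = any(name in filenames for name in INDEX_FILES)
        if effective[dirpath] and not has_index:
            relative = os.path.relpath(dirpath, docroot)
            exposed.append(relative.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_tree(root):
    """Create a small constructed site layout under `root` for the demo."""
    layout = {
        "index.html": "<h1>home</h1>",
        "images/logo.png": "",
        "private/.htaccess": "Options -Indexes\n",
        "private/reports/q1.csv": "",
        "private/public/.htaccess": "Options +Indexes\n",
        "private/public/readme.txt": "",
    }
    for relative, content in layout.items():
        path = os.path.join(root, *relative.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for directory in listable_directories(root):
            print("listing visible:", directory)
```

In the sample tree, private/reports is protected by the setting in private/, while private/public re-enables listing for itself.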
