Security improvements for hosted sites

deZillium, in our continuing effort to improve our services, has implemented a few notable security improvements for all websites hosted by us.

TL;DR version

You don't need to do anything extra if you are not a web designer. If you are, or if you "are into this kind of thing", read on :-)

PHP's eval() elimination.

PHP's eval() is an integral function of the PHP language. Unfortunately, it also opens the door to a number of exploits/vulnerabilities against websites, because it gives PHP scripts a way to execute arbitrary code sent to them by third parties.

deZillium has now officially stopped supporting PHP's eval(). Unofficially, we pulled the plug a year or so ago and closely monitored the hosted websites for any breakage. Fortunately there was none :-).

If a website breaks in the future because of this, we request that you contact your website's designer and let them know that they shouldn't be using eval() in the first place. It is a very dangerous function, and it will therefore be kept disabled under ALL circumstances.
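For web designers who want to find eval() in a site before it breaks, here is an added example scanner (not deZillium's tooling). It walks an assumed document root and lists every eval() call by file and line, using PHP's tokenizer so that the word "eval" inside strings or comments is not reported.

```php
<?php
// Added example (not deZillium's tooling): walk a site's document root and
// report every use of eval(). PHP's own tokenizer is used so that the word
// "eval" inside a string or a comment is not reported as a false positive.

/** Return "file:line" entries for each eval() found under $root (assumed path). */
function find_eval_usage(string $root): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $source = file_get_contents($file->getPathname());
        if ($source === false) {
            continue;
        }
        // T_EVAL is the token for the eval language construct itself, so a
        // function that merely happens to be named my_eval() is not matched.
        foreach (token_get_all($source) as $token) {
            if (is_array($token) && $token[0] === T_EVAL) {
                $hits[] = $file->getPathname() . ':' . $token[2];
            }
        }
    }
    return $hits;
}

$root = $argv[1] ?? '.';   // document root given on the command line
$hits = find_eval_usage($root);
if ($hits === []) {
    echo "No eval() usage found under $root\n";
    exit(0);
}
echo "eval() is used at:\n";
foreach ($hits as $hit) {
    echo "  $hit\n";
}
exit(1);   // non-zero so the scan can gate a deployment
```

Run it as `php find_eval.php /path/to/htdocs`; a non-zero exit code means at least one eval() was found.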

Cross Site Scripting (XSS) protection.

We send a few HTTP headers that tell your browser to forcibly turn on additional protection for a website when you visit it. For example, let's say that your website example.com contains an XSS vulnerability that allows an attacker to embed a script hosted on example2.com into your website. When your browser visits example.com, it will also pull the script from example2.com. Not an ideal situation. These headers tell your browser to trust only example.com and not to pull any outside scripts that shouldn't be there.

Drive-by download protection.

We have also added a header to tell your browser not to trust content that shouldn't appear on a website hosted by us. This prevents an advertisement on example.com from infecting your computer with malware/adware.
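As an added example covering both the XSS and the drive-by headers above (not deZillium's own code), here is a small PHP check that a designer can run against their site. The post does not name the headers it uses, so the check assumes the standard ones: a Content-Security-Policy whose script sources are pinned to the site itself, and X-Content-Type-Options: nosniff; the sample response in the block is constructed, not captured from a real site.

```php
<?php
// Added example, not deZillium's own code. The post does not name its headers;
// this check assumes the standard ones: a Content-Security-Policy that pins
// script sources to the site itself, and X-Content-Type-Options: nosniff.

/** Evaluate a header map (lowercase name => value); returns check => bool. */
function evaluate_security_headers(array $headers): array
{
    $csp = $headers['content-security-policy'] ?? '';
    // Script sources come from script-src, falling back to default-src.
    $sources = '';
    foreach (['script-src', 'default-src'] as $directive) {
        if (preg_match('/(?:^|;)\s*' . $directive . '\s+([^;]+)/i', $csp, $m)) {
            $sources = trim($m[1]);
            break;
        }
    }
    // Locked down: a source list exists, with no wildcard and no inline scripts.
    $script_locked = $sources !== ''
        && strpos($sources, '*') === false
        && stripos($sources, "'unsafe-inline'") === false;
    return [
        'csp_restricts_scripts' => $script_locked,
        'nosniff' => strtolower(trim($headers['x-content-type-options'] ?? '')) === 'nosniff',
    ];
}

/** Fetch live response headers for $url, names normalised to lowercase. */
function fetch_header_map(string $url): array
{
    $map = [];
    foreach ((get_headers($url, true) ?: []) as $name => $value) {
        if (is_string($name)) {   // numeric keys hold the status lines
            $map[strtolower($name)] = is_array($value) ? end($value) : $value;
        }
    }
    return $map;
}

// Constructed sample response (not captured from a real site) for offline use.
$sample = [
    'content-security-policy' => "default-src 'self'; script-src 'self'; img-src *",
    'x-content-type-options'  => 'nosniff',
];
$headers = isset($argv[1]) ? fetch_header_map($argv[1]) : $sample;
foreach (evaluate_security_headers($headers) as $check => $ok) {
    printf("%-24s %s\n", $check, $ok ? 'OK' : 'MISSING');
}
```

Without an argument the script evaluates the constructed sample (both checks report OK); pass a URL to evaluate a live site instead.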

WordPress automatic plugin and theme updates.

WordPress provides an easy platform for anyone to get a website up and running fast with minimal effort. There are hundreds of plugins and themes that can enhance your WordPress website. Unfortunately we don't live in an ideal world. Sometimes there are software flaws in those plugins/themes that need to be fixed. A newer version is released, but you have to visit your website, hit that update button, wait... who has time or patience for that?

All WordPress websites hosted by us have already been enabled for automatic WordPress (core) updates, even for newer major versions (4.3 > 4.4) and not only for minor versions (4.3 > 4.3.1).

We will be adding a Must Use Plugin to all websites hosted by us that forces the automatic upgrading of plugins and themes. We have already enabled this for select customers and are currently monitoring the results. Eventually this will be enabled for ALL WordPress websites hosted by us, so for the web designers out there: if you have any customizations that might be affected by the automatic updates, get fixing. Ideally your customizations shouldn't be affected by any updates, but if they are, please find alternative means of customization. There is always the option to choose one of the alternative web hosting companies that don't care about security ;-).
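For designers who want to see what such a Must Use Plugin does, here is an added example (not deZillium's plugin; it is assumed to be similar in spirit). Dropped into wp-content/mu-plugins/ it loads on every request, cannot be deactivated from the dashboard, and uses WordPress's own update filters to turn everything on.

```php
<?php
/**
 * Plugin Name: Force automatic updates
 * Description: Added example of a must-use plugin (assumed to be similar in
 * spirit to the hosting provider's; it is not their code). Placed in
 * wp-content/mu-plugins/ it is loaded on every request and cannot be
 * deactivated from the dashboard.
 */

// Never run outside WordPress (e.g. if the file is requested directly).
if (!defined('ABSPATH')) {
    exit;
}

// Core: allow major releases too (4.3 -> 4.4), not only minor ones (4.3 -> 4.3.1).
add_filter('allow_major_auto_core_updates', '__return_true');
add_filter('allow_minor_auto_core_updates', '__return_true');

// Plugins and themes: update everything WordPress knows a new version for.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// Translations as well, so updated strings ship together with updated code.
add_filter('auto_update_translation', '__return_true');

// Undo any blanket "disable updates" setting another plugin may have applied.
add_filter('automatic_updater_disabled', '__return_false');
```

Customizations made by editing files inside a plugin or theme directory are overwritten by these updates; a child theme or a separate small plugin survives them.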

Why are you making our life harder?

Please understand how computer software versioning works: A piece of software is released > A bug/flaw is found > A newer version of this software is released to fix said bug/flaw > Rinse, repeat.

Our job is to provide the most secure web hosting services. So far we have been doing a pretty good job and we would like to keep on doing what we are best at. In order for us to perform this task, you (as a web hosting customer) must allow us to keep our servers running up-to-date software, which includes any plugins/themes on your website, and so improve security both for your website and for your website's visitors.

Ask yourself: "What would I choose? My website being compromised, or my website's footer being changed?"

Oh by the way, you don't need to do anything on your side for these security improvements to work. We have actually helped you by turning on the automatic updates more than you realize: Even if you are in the middle of the desert, with no access to a computer or water, at least your website will be up to date :-)

Side note.

In the past month we have had not one, but TWO unscheduled security audits performed on our servers. One of them was an internal security audit performed by us: a 24-hour marathon to see if we could identify any weak spots in our security. We did, and we have promptly fixed them (2 weak ciphers for IMAP/POP3 and minor information disclosures that we could do without). The other was an external security audit (not performed by us) that, we are glad to say, has not turned up anything suspicious.

Blue team 2, Red team 0 :-)

April wargames.

Wargames in the IT security industry are regular "drills" that the various companies (the ones serious about security) perform. Teams are split into two groups: the ones playing defense and the ones doing the attacking. The only thing you need to remember for the following paragraph is that blue team = defense, red team = "attackers".

During April we will be performing yet another full external unscheduled audit with the sole purpose of identifying security weaknesses in our servers.