The option to pay via Google is available when checking out, and also on paying Invoices raised for existing products.

This now means that you can now pay us directly with your card, via Paypal or Google Checkout with bank transfer as a last resort.

If you encounter any problems, please let us know via our support site.

Over the last few weeks we’ve converted most of our shared hosting fleet of servers over to Cloud Linux to improve our hosting solution. For the reasons why, please read on…

Why Cloud Linux?

As a host of thousands of websites, we have to manage our servers to make sure that no single user can dominate the resources of a server. This has always been a battle when running CentOS with users able to eat up server memory using php, or compromised websites running perl scripts.

Cloud Linux enables us to set the maximum resources that a single user can consume based on CPU and Memory (Disk I/O is on the way too!) meaning that a single user can’t take up all a server’s memory and cause it to run out of swap and crash. It also means that users with large websites aren’t hogging resources from everyone else.

How does this affect me as a user?

The simple answer is that is shouldn’t at all. Chances are if you are on one of our shared hosting or reseller plans then you’ve already been moved over. You should see a few new statistics in your cPanel.

If you are running a very intensive website on one of our cheaper plans, then you could run into the limits set by Cloud Linux, but so far we’ve not had a single report of this.

Incompatibility

The only current incompatibility we have is that R1Soft backups are currently not working with CloudLinux 6. We don’t know if this is just a CloudLinux 6 problem, or a Centos 6 problem. The R1Soft backups cause the kernel to crash (not even just a panic), requiring the server to have to be manually rebooted. R1Soft are aware of this problem, and there is an issue open since December, but no progress has been reported as of yet. Luckily we currently only have 4 servers running Cloud Linux 6 – Sahara, Dionysus, Demeter and Hera. We are taking extra cPanel backups for these servers at the moment to fill the void.

More Information

- If you are a dedicated server client and are interested in converting to CloudLinux then please open a support ticket.
- If you want more information on CloudLinux then check out their website : http://cloudlinux.com/about/

Malware affects ALL systems

When did you last install a Windows Update, or apply a Software Update to your Mac, or Ubuntu PC? The chances are that you have done so several times in the past year.

There is every chance, however, that you have never updated WordPress, Joomla, Drupal etc since you installed it. Or if you have, did you remember to check all of those juicy plugins, addons, and modules that you installed to make your website into the super funky thing that it is today?

Old plugins are a primary attack vector (that’s technical speak for “gaping hole”) for hackers to fire their attacks at. Just because there are no updates for your plugin does NOT mean it’s up to date – the developer may have abandoned the project. So always check.

Who wants to hack your site?

There are, unfortunately, armies of misguided yet talented individuals who spend their time supporting criminals, working out new ways to circumvent the security of your website so they can install their own software on your website.

Why? Because the software they install is intended to make them money – either directly through fraud (installing false banking lookalike pages) or by attempting to fool you into installing malware on your PC, so they can further spread their dark doings.

The consequences of being hacked

So what? My site got hacked – I’ll just restore it. This is a bad attitude for the following reasons:

• If the hack was subtle, you may not even realise it for some time. Your site may look and operate normally. After a few days we will no longer retain backups of the clean code, making recover that much harder.
• Once search engines discover the malware, your SEO success story will come to a spectacular end. Your page rank will fall like a brick.
• Do we need to mention the loss of business this will cause?
• Loss of trust in your site and more importantly, your brand.
• Just restoring clean code is not enough – the vulnerability will still exist and you will find yourself back in hot water soon enough.
• We will probably suspend your account.

Types of attack

The anatomy of any attack is quite complex – there is the method by which the attackers actually gains control, the method by which their dastardly malware is applied to your website, and then the effect of the malware itself on computers that open the website. Here are some examples of each stage of infection:

Common incursion methods :

System command injection : Every time you open a webpage, your computer requests data from the server. An attacker creates malformed requests that attempt to fool the server into executing arbitrary code that will allow the attacker to gain the ability to alter the contents of server’s filesystem.

SQL injection : Similar to Remote Command Injections, this method uses malformed requests to try and escape out of your PHP code to run arbitrary SQL queries, possibly exposing your database to the attacker.

Infected PC : Due to an infection on your PC, an attacker has been able to gain access to your hosting account details.

Man in the middle : An attacker compromises a local WiFi hotspot, and waits for victims to use it. Using advanced cryptographic techniques, the attacker may be able to sniff out usernames and passwords for various services you access.

Types of attack :

SEO Poisoning – This is a technique where your website actually appears to run normally. The hackers create redirection commands (via htaccess or via injected PHP code) that redirect ONLY search engines to their  undesirable target site. So, when you look at your website it appears fine, but all of your hard earned results in google will point to porn, fraud or worse content.

iFrame attack – The attacker injects code into your webpages that renders a “page within a page”. The injected webpage will invariably try to load popup windows that will try to fool you into installing fake anti-virus software, or similar, by telling you there is a problem with your PC. Unfortunately, the injected code is the symptom, and the vulnerability that allowed the injection to take place will be elsewhere.Symlink

Cross site scripting : Somewhat more complicated, but equally as common, this sort of attack requires three parties – your vulnerable website, an unsuspecting user, and the attacker. The attacker lures the unsuspecting user to a compromised web page, and uses this page to access your vulnerable website using malformed requests. Once the unsuspecting party has accessed your vulnerable site, the attacker is able to view information that should be secret to the unsuspecting user.

Why suspend my account?

Depending on the severity and nature of the hack we may suspend your account. This might sound harsh, but in fact we are usually doing you a favour:

• In terms of SEO – if Google, Bing etc. can’t see your hacked site, they can’t ban you, with all of the ramifications that go with it.
• In terms of your business – do you want your customers to experience a defaced website, or to have malware installed on their computers?

If you had a monster loose in your shop, you’d want the building manager to close the doors while you sorted things out, right?

Also, depending on the nature of the attack, the malware may pose a threat to other users on the server, or to the stability of the server as a whole. It’s usually best to steer the safest course of action until we know what we are dealing with.

Protecting your website

ALWAYS keep your PC, Mac, iPad etc up to date

Operating system updates – These can seem to arise at the most inconvenient of times. Those annoying popups telling you there are a dozen new updates for Windows, are there for a reason. Don’t delay – update as soon as you are able.

Anti-Virus software – No computer is immune from malicious software, no matter that the marketing hype says. I’m writing this on a Mac, but I still have Anti-Virus software installed. Always keep your Anti-Virus software updated – without doing so, you may as well not have any at all.

ALWAYS keep your website software up to date

Content Management Systems (CMS) – If you’re website is based on one of the popular content management solutions, such as WordPress, Joomla, Drupal, Concrete, phpBB, SMF, vBulletin etc, then this should be a straightforward task to updating the core components and should not take too long (often a few minutes).

Plugins – Almost every CMS has the ability to add plugins, or add-in modules. As previously stated, it’s no good maintaining your CMS if the plugins you have installed are holding the door open for hackers. Always ensure they are kept up to date, and that they are being maintained by the author.

Custom written – If you paid someone to develop your website from scratch, then you really have no option but to contact them and ensure that they maintain your website for you. It is advisable to ask them to provide a breakdown of the security issues they have addressed each time they charge you for updates!

ALWAYS connect to your services using secure methods

Always access your webmail and cpanel services as:

http://yourdomain/webmail and http://yourdomain/cpanel

In all cases, accessing the above should redirect you to a secure (https://) login page.

Email, should be accessed using SSL methods – this is described in the following support article:

What mail settings should I use to connect to Krystal’s servers?

Always connect to your FTP services using SFTP instead of FTP as this will encrypt the password. Please note that SFTP is available on port 722 (not the default 22)

Introduction

In this post we are going to explain how to view your website before moving the domains records over from another location. This method will enable you to build and test a new website on our hosting and then move between different hosts with little to no downtime.

In our examples we are going to use an example domain “www.exampledomain.com“ and the I.P address assigned to the site is “77.72.0.130“. The actual details for your domain will be in your cPanel hosting welcome e-mail.

DNS in 60 seconds.

Before we jump straight into the solution, lets quickly go over the basics of DNS so we can understand what we are doing. If you already know about nameservers and DNS, then skip this section!

The internet is one massive network. Each node connected to this network has a unique I.P address. These addresses are used to send information to the correct place. At the moment the majority of the internet is still based on IPv4, which means that addresses are made up of 4 numbers such as: 77.72.0.1

Humans aren’t good at remembering numbers that have no relevance to what the address means to them. Imagine telling your customers that your website address was http://77.72.0.15 – they’d never remember it. Humans are good at remembering short and concise words or phrases they can relate things to. That’s where “DNS” – Domain Name System comes in. DNS turns meaningful web addresses like “www.krystal.co.uk” into an I.P address that your computer can use to communicate with.

When you set your nameservers on your domain you are telling the world where to find all of the DNS entries for your domain – where to find your website and where to send e-mail.

Overriding DNS records

To start testing our domain on the new server, we want to instruct our local computer to ignore the DNS records found publicly on the domain name, and set our own records. This is done using the hosts file. Every operating system has one, and it’s a simple text file in where you can enter I.P addresses and domain names or subdomains.

Windows

The hosts file in located at C:\Windows\system32\drivers\etc\hosts 

This file is often set with read only permissions by system protective software as it’s an easy avenue of attack if your system is compromised. If your system was compromised, anyone with access could redirect you to any site that they wanted by entering false details in your hosts file. You’ll need to take off the read only permissions to make changes if it is set.

The default hosts file will look similar to this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
 
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

All we need to do is insert new records for our domain name at the bottom of this file. We add one for the domain name, and one for the www. record of the domain name.

77.72.0.130	exampledomain.com
77.72.0.130	www.exampledomain.com

Once you’ve saved this file, your computer will no longer go off and ask for DNS records for the domain name, but will simply use the address in the file. If you wish to remove the records, then load up the file and remove them, or add # to the start of the line to comment it out.

Linux and MacOS

The syntax for Linux and MacOS is exactly the same as Windows. The file will be located at /etc/hosts and will be protected, so you’ll need to edit it as a superuser, or as root. Open a terminal and type:

sudo nano /etc/hosts

Use exactly the same syntax as in Windows, entering the records at the bottom of the file and then save the file.

77.72.0.130	exampledomain.com
77.72.0.130	www.exampledomain.com

Warning!

The hosts file may already contain records such as

127.0.0.1		localhost

Make sure you don’t remove these records, as you will cause problems with your system.

Remember that by adding these records to your system, the old website will cease to function for you until you remove them again. This could affect your ability to collect your e-mail as well as other things, so bare this in mind.

Introduction

If you want to brush up on the basics of the .htaccess file then please see our .htaccess file beginners guide.

Probably the most powerful use of the .htaccess file is the ability to take incoming requests to your website and manipulating them to your will. If you’ve ever looked at the link structure of other sites, and wondered how you can remove file extensions like .php or .html then read on!

The magic comes from an Apache module know as mod_rewrite. This module is installed and ready to use on all of our UK Hosting plans.

How does it work?

Anytime a request is made to your website the rewrite module will compare the address with any rules you have created. It will go through the list of rules in order and use the first one that is matched. If a match is found, then it will use the rule to reply to the request with the correct content.

Getting Started

All of our mod_rewrite rules will be going in our .htaccess file. The first thing you’ll need to do it enable the mod_rewrite module by adding the following:

Options +FollowSymlinks
RewriteEngine on

This only needs to be done once in the file – above all of your rules.

Let’s get stuck into some examples of what we can do!

Hiding File Extensions

A nice simple example to start off: Let’s say you have a site built with some php code, but you want to use the extension .html to serve your pages to the public. One way of doing this is to rewrite the file using the following code:

RewriteRule ^(.*)\.html$ $1.php [NC]

If we look at this code, we can break it down as follows:

• RewriteRule – All of our rules will start with this.
• ^(.*)\.html$ – The second part is a regular expression that matches the incoming request, in this case the expression matches all files ending in .html
• $1.php – The third section tells Apache what to do with the incoming request, in this case use the first match from the second part and serve a file with that name ending in .php
• [NC] – The last part is a switch, which tells mod_rewrite to ignore case (NoCase).

This code would mean that if you visited the URL http://<yoursite>/index.html then you would see http://<yoursite>/index.html in your address bar, but the actual page rendered in the browser would be http://<yoursite>/index.php

You can do this with any extension, it doesn’t have to be a recognised one. If you wanted to make all of your pages end in .krystal then you could with the following code:

RewriteRule ^(.*)\.krystal$ $1.php [NC]

Simple redirecting to different URL/s

If you’ve developed a new site, moved your files to a different location or found some links that are showing 404 error pages, then you’ll want to catch these incoming requests and re-direct them to the correct location. There are a number of different ways you can do this, but the common consensus is that the best way to keep the search engines happy is to use the 301 http code (moved permanently).

We can do a simple redirect for a single file with the following code:

redirect 301 /old_page.htm http://www.exampledomain.com/new_page.htm

But we can do much more with mod_write. If we use the same example as above, and say that we want to rewrite all .html files to .php files, and let the search engines, and users that the pages have permanently moved to the new location:

RewriteRule ^(.*)\.html$ http://www.exampledomain.com/$1.php [R=301,NC]

This code would mean that if you visited the URL http://<yoursite>/index.html then you would be redirected to http://<yoursite>/index.php in your address bar, and the actual page rendered in the browser would be http://<yoursite>/index.php. You would also keep much of your search engine link juice.

Advanced redirection with variables

The real magic of mod_rewrite is the ability to convert complex URLs into multiple variables to pass to your scripts. This functionally gives you the ability to have fully dynamic URLS on your website, that can be interpreted. In the previous examples we used a regular expression to pull out the name of a file, and then loaded up a php file. In this example, we are going to use multiple regular expressions, and turn a request into a a normal php request.

Let’s say we have a normal web address with php variables such as : http://www.exampledomain.com/news.php?category=sport&id=999

This is a perfectly valid, and satisfactory web address, but it could be better. If we could get the title of the news article into the URL, and hide the fact that we are using php then we’d be happy.

RewriteRule ^news/([a-z]+)/([0-9]+)-(.*) /news.php?category=$1&id=$2 [NC]

This code would mean that if you visited the URL http://<yoursite>/news/sport/999-tom-scores-hatrick-in-world-cup-final and you would see the same URL in the browser location bar, but the actual page rendered in the browser would be news.php?category=sport&id=999

You can see from this example that each regular expression inside the brackets () is interpreted and turned into variables in numerical order, $1,$2,$3 etc, so in this example  ([a-z]+) = $1, ([0-9]+) = $2, (.*) = $3. We don’t bother using $3 in our rewrite rule – this isn’t a problem.

Removing www. from your URLs

If you want to remove www. from all of your addresses so that everyone gets re-directed to your root domain then you can use the following code:

RewriteCond %{HTTP_HOST} ^www.krystal.co.uk$
RewriteRule ^(.*)$ http://krystal.co.uk/$1 [R=301,L]

This is very handy for making sure that you aren’t serving duplicate content to the search engines on both the www. and the non-www of your domain.

Adding www. to your URLs.

The opposite to above, if you’d prefer to keep your www. and red-redirect everyone too it, then you can use

RewriteCond %{HTTP_HOST} ^krystal.co.uk$
RewriteRule ^(.*)$ http://www.krystal.co.uk/$1 [R=301,L]

Redirecting multiple domains to the same content

If you have multiple domains, and you want to correctly redirect them to the same website without taking a search engine hit for duplicate content, then you can use the following code:

RewriteCond %{HTTP_HOST} !www.krystal.co.uk$ [NC]
RewriteRule ^(.*)$ https://www.krystal.co.uk/$1 [L,R=301]

This code says that if the domain IS NOT “www.krystal.co.uk” then re-direct to the same page, but on “www.krystal.co.uk”.

Force requests over to secure URLs on https://

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

This code will force all of your traffic over to https://

Please let me know if you’d like to see any other specific rewrite examples, or .htaccess examples.

Introduction

How do I create an .htaccess file?

Firstly, the .htaccess file is simply a text file. It starts with a . because Linux naming convention is that any file or folder starting with a . is hidden and usually contains automated information or configuration information. You should be able to create the file using any text program, or any web editing software.

Where do I put an .htaccess file?

Simply, you put the .htaccess file in the folder you want to set the rules for. The .htaccess file is inherited, and can be overwritten in sub folders.

If you are using a cPanel hosting account, your home directory will be /home/<username> and your public web directory will be /home/<username>/public_html . If you place your .htaccess file in either of these directories then the file will be inherited throughout your entire web space. You should be careful if using addon domains, because you can often break software if you have it hosted in sub folders of your main web space. You can create multiple .htaccess files in different folders, and Apache will take the highest one in the hierarchy.

What exactly does the .htaccess file do?

The best place to start reading up on everything the .htaccess file can do is in the Apache Documentation, there is documentation for Apache 1.3 .htaccess and Apache 2.2 .htaccess. For now, let’s get started with some simple examples.

Examples

I’m strongly of the opinion that you learn by doing – so let’s jump straight into some examples.

We will pretend that our domain is “www.exampledomain.com” for these examples.

Just put the example text into your .htaccess file and upload it to your web space for it to go live.

Example – Error Documents

You’ve probably seen it on other peoples websites where you get a customised 404 Error page, or re-directed somewhere with a message saying that the page couldn’t be found, the .htaccess file is a great place to do that.

The following will cover you for most common error codes. See this full list of http codes for a full explanation.

ErrorDocument 400 /errors/bad_request.html
ErrorDocument 401 /errors/authentication_required.html
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 404 /errors/page_not_found.html
ErrorDocument 500 /errors/server_error.html

With this code, anyone who was to hit a broken link when visiting your website would be show the page www.exampledomain.com/errors/page_not_found.html

Blocking visitors by IP

If you want to block specific visitors, or entire IP ranges from your site, then you can do so with the following code :

order allow,deny
deny from 1.2.3.4           # Blocks a single IP
deny from 1.2.3.            # Blocks all IPs from 1.2.3.0 to 1.2.3.255
deny from 192.168.0/30      # Uses CIDR notation to block 4 IPs
allow from all

Note that the # is used for commenting, so you can remember what everything does in your file

Change your default index page

When someone visits your website, you’ll have an index file such as index.php or index.htm that will get loaded automatically. What if you want to change it? Here is how:

DirectoryIndex different_index_file.html

You can even enter multiple files, and it will go through the list until it finds the correct one:

DirectoryIndex index1.html index2.php index3.cgi index4.htm

Enable Directory Listing

Most secure web hosting, including Krystal, will by default disable directory listings for security reasons. If you have some files in a directory that you’d like people to be able see and download, then you can enable directory listing.

Options +Indexes

Redirect an old web page to a new one using a 301 redirect

If you are moving your website around, then you want to keep the search engines, and visitors happy by not having broken links, then it’s a good idea to let them know that old pages have moved using a 301 redirect. The 301 code tells a visitor that the old page has Moved Permanently and that it can be found at the new address.

redirect 301 /old_page.htm http://www.exampledomain.com/new_page.htm

More complex uses of .htaccess

We will be covering more complex examples of how to use the .htaccess file in a future post. We will introduce you to dynamically rewriting addresses which can be used to help boost your SEO, and to hide the underlying structure of your code.

/script/installruby

However when any user tried to start a rails application, or a rails console, the following error appeared:

Loading production environment (Rails 2.3.11)
/usr/lib/ruby/1.8/irb/completion.rb:10:in `require': no such file to load -- readline (LoadError)
from /usr/lib/ruby/1.8/irb/completion.rb:10
from /usr/lib/ruby/1.8/irb/init.rb:254:in `require'
from /usr/lib/ruby/1.8/irb/init.rb:254:in `load_modules'
from /usr/lib/ruby/1.8/irb/init.rb:252:in `each'
from /usr/lib/ruby/1.8/irb/init.rb:252:in `load_modules'
from /usr/lib/ruby/1.8/irb/init.rb:21:in `setup'
from /usr/lib/ruby/1.8/irb.rb:54:in `start'
from /usr/bin/irb:13

This is easily fixed by typing the following as root :

# yum install ncurses-devel readline-devel libncurses5-dev
# /scripts/installruby --force

Rails should now work with cPanel’s inbuilt functionality.