When talking about web hosting, one of the frequent questions we get asked is why we chose to base our
OnSiteWP WordPress Hosting service on Amazon AWS.
WordPress developers who have done their market research will tell us there are less expensive providers out there like Rackspace, Digital Ocean and Linode who are just as good. And while it is true that similar servers can be had for less money from other providers, we believe there is something to be said for using the hosting industry’s market leader to base our service on.
I have been working as a professional server administrator for 20 years. When I worked for a large IT operation we had the benefit of multi-million dollar budgets to purchase enterprise quality hardware.
Many people don’t realize that an IT operation is more than just buying a server. There is networking gear (switches, routers), load balancers, firewalls, KVM (for remote keyboard, video and mouse access), massive external storage arrays, tape backup systems and SAN switches. And just like the server itself, each of these devices can fail so you need to buy redundant quantities of them to operate a highly available service. (Translation: $$$$$$$)
AWS is great because Amazon has the buying power to get the best of the best for their data centers. For example, did you know Intel makes special high performance CPUs just for Amazon that you can’t buy in the store? Even giant internet companies that you have heard of like Cox and Comcast don’t have this kind of top tier relationship with Intel.
The special partnership with Intel has other benefits besides faster hardware that you and I can’t buy on the open market. When engineering problems are found with the hardware, a small handful of Intel’s most trusted partners hear about the problem before the general public does.
The ‘spectre’ CPU bug is good case to illustrate the benefits or working with market leaders. Spectre is serious security bug found in the CPU. The researcher who discovered the security bug notified Intel of the problem before he announced it to the general public. In the security community this is called responsible disclosure. It gives the manufacturer a chance to fix the bug and have updates released before bad guys learn about the security flaw.
Not only did Intel have the bug fixed before it hit the newspapers, Intel gave the Spectre fix to Amazon before the bug hit the newspapers. Amazon, and by extension, OnSiteWP had this serious vulnerability fixed before the press knew the problem existed. Unfortunately Linode, Packet and almost every other hosting company in the world didn’t get the word until they saw it in the news.
This is why we chose Amazon AWS for the infrastructure underneath our WordPress Hosting business.
There is something that can be said for being the best.
See Hosting Plans
Our engineers at OnSiteWP follow the large developments in the WordPress community. One such development is the release of WooCommerce 3.0.
The new version of WooCommerce is a major update. By major we mean that your plugins and themes need to be compatible with this update.
Should I Update to WooCommerce 3.0?
As of today, April 10, 2017, our recommendation is to NOT upgrade your site just yet. There will be a time to update but we recommend to give the developers and field testers a chance to find and fix compatibility issues with this major 3.0 release.
Already we have seen WooCommerce 3.0.1 get released. This fixes some of the issues in 3.0 but it has only been a week. We would like to see Woocommerce 3.0 mature a little bit more before we recommend it as an update to our clients?
Some people think they always need to stay updated to be secure. This is a guiding principle absent of additional information. The WooCommerce 3.0 release is a new feature release, not a security release. At this time we can confidently say it is not a security problem to stay at version 2.6.14.
WooCommerce 3.0 has introduced a new product image lightbox on the product pages. If you have a theme with a custom product page, your theme will need to be updated to be compatible with WooCommerce. If you are unsure if this applies to you, contact your theme developer and ask if your theme is compatible. It will be helpful to look under Appearance – Themes in the WordPress dashboard to tell the theme developer the name and version of the theme currently installed on your site.
It is very common to extend WooCommerce functionality with plugins. This can range anywhere from payment gateway, shipping module, or a full on subscription system. Check with your plugin developers for WooCommerce 3.0 compatibility. Developers have had about 2 months prior to the public release of 3.0 to get their plugins ready. Some have done a better job of preparing than others. At minimum, make sure that you have the most current version before attempting the WooCommerce 3.0 upgrade.
We have seen one report of a site where their woocommerce license manager had disconnected from woocommerce.com so they weren’t showing any plugin updates. If you have plugins from woothemes, you may want to spot check certain plugins by going to their product page (e.g. woocommerce subscriptions) and clicking on the ChangeLog link at the bottom of the right column. Within the long list of text are the version numbers and release dates.
Testing With A Development Server
OnSiteWP recommends you copy your full website to a development environment where you can test the WooCommerce 3.0 update prior to rolling it out to your live site. This is to find any compatibility problems with your collection of theme, plugins, and customizations.
If you decide to forego testing on a development server, at least take a backup of your WordPress site prior to upgrading to 3.0. This new version updates your database scheme which means there is no going back to an old version without restoring your database from backups.
If this is something that you don’t want to deal with, OnSiteWP has website maintenance packages to alleviate your need to be a technical wiz to perform the update. Contact us today for more information.
Photo by Canonicalized
WordPress Security Alert:
One of the new features of the recent WordPress 4.7 update is the REST API which is being hailed as the NEXT BIG THING for the WordPress platform.
Of course that remains to be seen.
So what exactly is this REST (JSON)
API and what does it do?
In short, it is a connector between WordPress and other software applications which is characterized by universality and high compatibility.
Universality and high Compatibility. That is the takeaway.
The WordPress REST API is revolutionary because it enables WP to communicate with other web properties no matter what programming language they’re written in. This is a Big Deal.
That’s the Good News.
Here’s the bad news.
Parts of this new API on your site are potentially available to anyone on the internet.
This means that the new WordPress REST API allows anonymous access to some features of your WordPress website.
One of the functions that it provides is that anyone can list the users on a WordPress website without registering or having an account.
This is not a good thing.
It allows anyone to list all users that have published a post and view the Userid, Username, Gravatar Hash and Website URL.
Really Not Good!
The awesome folks from the WordFence Security plugin were the first to bring this to our attention.
You can read the post here:
So why is this a security alert and why is having your username publicly visible not a good thing?
Your username is 50% of your login info.
If a hacker or bot has your username, they only need to run password cracking scripts to try to guess the password.
Knowing your username gets them 50% of the way to breaking into your website.
That is the reason for this security alert.
Security Tip: Never display your username publicly.
Another way your username can be viewed publicly is simply due to lack of user knowledge.
Every WordPress user has a username and a nickname.
Users must have a username, but don’t necessarily need a nickname. Your nickname is what is displayed on every blog post and author bio.
If no nickname is chosen, WordPress defaults to the username and inserts that into the nickname field.
If you haven’t changed your nickname, your username is automatically inserted and therefore displayed.
Again, not good.
We always recommend using a different name for your nickname (the publicly displayed name) than your username.
If you want to see if your usernames are publicly available using the REST API,
just enter your site url in the field below.
If your usernames are not displayed, then congratulate yourself or your web developer.
You have good security practices/features in place.
If you can see your usernames, then as quickly as you can, install the WordFence Security plugin.
Then go to your admin user area and add a different nickname to your user.
Another option is a recent update to iThemes Security which now has the ability to turn off the REST API functionality in WordPress.
You can read about it here: Restrict WordPress REST API with iThemes Security.
We always recommend updating WordPress, Themes, and Plugins.
Many updates are plugs for security holes.
In the case of WordPress 4.7 we still recommend updating
but make a few changes and you will be covered.
Staying on top of security news and potential threats is what we do.
That is our job.
We also keep your website up to date so you don’t need to be concerned with this stuff.
You can focus on growing your business instead.
For plans and pricing go here:
Website Maintenance Pricing
One of the OnSiteWP Co-founders, Brian Murphy, has been selected to speak at the 2016 WordCamp Phoenix conference. Brian’s topic will be focused on WordPress website maintenance. WordCamps are a great way to learn more about WordPress and related online marketing topics.
To learn more WordCamp Phoenix and to purchase tickets, please visit https://2016.phoenix.wordcamp.org/.