The vulnerabilities discovered allow remote attackers being able to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create open redirects, poison cache, and bypass authorization access and input sanitation.

These vulnerabilities have been addressed and resolved in the latest WordPress version 5.3.1+.

Our team would like to kindly encourage our clients to update their WordPress installations to the latest, secure version to protect your website any of the mentioned attacks.

Additionally please consider reading our WordPress security guide for further recommendations to secure your WordPress website.

If you don’t update your WordPress version, and unfortunately your website is compromised by one of the above attacks, you may find this article helpful… “How did my WordPress website get hacked? What do I do?”

The festival attracts close to 800,000 visitors each season, with hundreds of thousands of tickets being sold and managed via the MICF website. Serversaurus has been collaborating with MICF by providing infrastructure, devops, support and 24×7 management for the festival website since 2016. We’re proud to boast a zero downtime partnership since then, with traffic growing year-on-year. Overall traffic is up 65% since 2016, with views up by nearly quarter since 2018, reaching 4.8 million in 2019.

The website and underlying infrastructure is one of the festivals most important communications channels, interacting with audiences, artists and key stakeholders. The website is critical throughout the entire festival, supporting patrons in navigating and planning the enormous festival program.

Serversaurus achieves high levels of redundancy from a hardware perspective, by running the infrastructure in a parallel configuration across a range of independent servers, including dedicated database and caching infrastructure. The entire puzzle is connected and kept in configuration through distributed service discovery, HAProxy, Ansible and in-house Go applications.

We can’t wait for 2020!

This has been a complex and time-consuming process, requiring us to completely maintain and interconnect two physically disparate platforms, while continuing to provide 100% uptime for our customers.

Storage resilience

Our new v2 platform comes with a range of features and benefits, including storage and virtualisation resilience by design, accomplished through a new interconnected distributed storage network. Our new storage platform maintains two copies of all customer data across a network of SSD powered hypervisors. What this means, is that if a server fails with your virtual server on it, it will be automatically migrated onto standby capacity within the network. 

This design also allows us to hot-migrate customer infrastructure for maintenance. Commonly, underlying infrastructure maintenance on competitor platforms requires you to completely rebuild your infrastructure on new hardware via infrastructure automation tools. Our model allows you to move the entire virtual machine without touching the contents of the machine itself.

Network resilience

Our new v2 cloud has also given us the opportunity to redesign how to best network our infrastructure. Our cloud consists of three network layers: Storage, management & transit.  We’ve coupled storage & transit onto stacked switches which run in parallel, allowing one switch to completely fail while maintaining 100% uptime. Our management network mirrors this topography through bonding. This means we can handle a complete switch failure on both of our core networks without disrupting availability. This level of hardware redundancy runs right the way up through our transit provider and associated 2N datacentre architecture.

Instant VM provisioning

Other than better performance, better reliability and better architecture, in addition, we’ll be offering public access to our VM provisioning dashboard within our Melbourne PoP.

Please see our knowledge base article about using LiteSpeed cache with your website.

When the Australian Government proposed changes to the higher education system as part of its 2014-2015 Budget, it included a change the annual interest rate on loans through the Higher Education Loan Programme from the CPI (2.6 per cent at the time) to the ten year Government Bond rate (4.0 per cent). This would have a far-reaching consequence that was very unfair. Because women take more time out from the workforce to raise a family than men, the compounding effect of this higher interest rate would mean that women could be paying far more than men, for the same education. Tens of thousands of dollars more! Luckily for both women and men, the change never happened.

Thinking about this scenario lead me to consider the superannuation system and realise that it is subject to the same effect. Because women take more time out from the workforce to raise a family than men, they accumulate significantly less superannuation. Superannuation contributions stop when work stops, but also the level of contribution stalls while out of the workforce. Women usually return to the workforce at the same level of career progression they were at, while most men will continue to advance in salary and therefore higher superannuation contributions.

If we look at the outcome of the current system, it’s clearly not fair. So we need to do something about this problem. Of course action needs to be taken at the highest levels – this affects every woman in the country. So we’ll lobby and encourage industry and government to take action on this issue at the broadest level. There is a lot of work being done in this area: Make Super Fair.

But for us, this doesn’t address the need for fairness in our own company. We need concrete, real action. We made some some assumptions: let’s say women start in the workforce at 21, at the same salary level as men, take 10 years out of the workforce to raise a family, then return at the same salary level, and superannuation fund returns average 5% per annum. We plugged these assumptions into a spreadsheet and came out with a surprising result. It would only take around 5% extra superannuation to make retirement savings equal by retirement age. So since February 2016, at Serversaurus we pay our female staff an extra 5.5% superannuation. It’s not a lot, and if your company has gender parity (50% male and female staff), it would produce an overall increase in payroll of less than 2.5%.

Why don’t you encourage your company to join us and help to make Superannuation Fair!

Martin Gleeson, Co-Founder.

Note that the best results will come from profiling and optimizing the web application before it hits the servers. However, the following strategies are services that Serversaurus can offer you at a server management level.

Summary

^Degree of improvement is relative to PHP 5.x via Apache (mpm_worker). Combining strategies is possible and recommended for best results.

PHP 7

PHP received a very significant performance bump in the upgrade from version 5.6 to 7.x.

There are very minor improvements between PHP versions 5.4, 5.5, and 5.6. These are generally not worth pursuing for performance, but we suggest not using EOL PHP versions nonetheless.

Upgrading to PHP 7.x is a practically free way of buying performance, if the web application supports it.

Benefits

• Unrivalled performance
• Web application agnostic

Risks

• Does not know about the web application – it is entirely up to the developer to ensure the application does not exhibit behaviour that is cache-busting or otherwise pathological from Varnish’s perspective.
• Requires fairly solid understanding of Varnish, the web application at the HTTP protocol level to leverage correctly.

PHP-FPM/Execution Model/Runtime

The traditional execution model for PHP is to exist as independent runtimes alongside forked Apache (mpm_worker) workers.

This is convenient because it permits use of Apache features such as .htaccess. However, this convenience incurs a very high overhead in comparison to other models.

Consider alternative execution models:

Benefits

• Provides improved execution model while remaining compatible with .htaccess
• Familiar cPanel environment
• No difference to regular shared hosting from developer point of view
• Can be combined with Varnish and PHP 7.x.

Risks

• No operational risks.
• May not meet performance requirement for extremely high traffic sites.

HHVM

HHVM is a rewrite of the PHP runtime that is capable of optimizing and executing PHP 5.x code, much more efficiently than the official PHP runtime. It is a kind of “application server”, which exposes a FCGI interface, similar to PHP-FPM.

Like PHP-FPM, it is persistent, but is a single, threaded process.

Because HHVM is essentially a rewrite of the PHP runtime and all of its functions and modules, there are minor incompatibilities compared to the stock 5.x runtime. It is extremely important to test when using HHVM.

For this reason, it is also recommended, in a production deployment, to layer HHVM with PHP-FPM, and have the web server fall-back to PHP-FPM if the request fails to be served via HHVM.

If the web application is already PHP 7.x native, it is usually better to just deploy PHP 7.x with PHP-FPM.

Otherwise, it is very much recommended to ensure that the application works with PHP 5.6 before transitioning to HHVM.

In Serversaurus’ case study of a real-world Expression Engine/PHP-FPM 5.4 website, HHVM achieved a 10x increase in throughput (from 2.x req/sec to 25-30 req/sec), and a 8-10x reduction in TTFB (from 2-3sec to 200-300ms). This was with no code changes.

Benefits

• Extremely high (10x) performance improvement compared to PHP 5.x with PHP-FPM
• Targets PHP 5.x compatibility
• Ability to fail-over (and swap-in/out with PHP-FPM)

Risks

• Some probability of edge cases coming from minor compatibility issues
• Some minor functions and modules may be missing from HHVM
• Suffers from warm-up time when booting, but there are mitigations.
• Almost total rewrite of PHP runtime means that total extent of risk is unknown

Varnish Cache

This strategy will not increase PHP performance. In fact, does not affect PHP whatsoever, but it is worth a mention due to its effectiveness.

Varnish cache is a web server which takes responses from PHP (or other backend), and stores them in their entirety for re-transmission to subsequent visitors.

It is capable of extremely high throughput (much more than any PHP runtime will ever be capable of), limited only by hardware interface. It is also extremely flexible and configurable.

However, it also has the highest developer overhead of any solution.

Many PHP frameworks and applications (e.g. WordPress and ExpressionEngine) exhibit behavior that makes their pages difficult to cache. i.e. they cache-bust by default.

For this reason, Varnish is best suited to web applications that are largely:

• Brochureware
• Festival websites that do not have a high degree of interactivity
• Well-understood by their developers, specifically regarding the use of sessions, partials that are unique to specific visitors etc.

As a rule of thumb, Varnish should not be used when:

• Sessions are always present AND used
• Pages contain content unique to specific visitors
• Page contents do not stay the same over subsequent requests
• Web application has low traffic, since cache will be cold

It is perfectly possible to use Varnish in those cases, and sometimes necessary given a volume of traffic. However the configuration complexity tends to grow very quickly at that point, and the use of Varnish becomes a development exercise rather than an infrastructure exercise.

It is possible to use Varnish on a white-list basis or a black-list basis, which can mitigate some of the risk.

Benefits

• Unrivalled performance
• Web application agnostic

Risks

• Does not know about the web application – it is entirely up to the developer to ensure the application does not exhibit behaviour that is cache-busting or otherwise pathological from Varnish’s perspective.
• Requires fairly solid understanding of Varnish, the web application at the HTTP protocol level to leverage correctly.

Performance Shared Hosting

Serversaurus’ Performance Shared hosting provides an improved environment compared to Business Shared hosting with practically zero developer overhead.

It leverages ideas from the PHP-FPM solution, and provides users with a low contention, high CPU/Memory allocation, persistent execution model environment that remains compatible with .htaccess usage.

It is also likely to be more affordable than many of the solutions that are only compatible with Cloud Hosting services.

Benefits

• Provides improved execution model while remaining compatible with .htaccess
• Familiar cPanel environment
• No difference to regular shared hosting from developer point of view
• Can be combined with Varnish and PHP 7.x.

Risks

• No operational risks.
• May not meet performance requirement for extremely high traffic sites.

A brief history for those who are not aware of the recent security breaches; On the 26th of January WordPress Version 4.7.2 was released. The update included security patches which at the time of the release the importance of these updates were not disclosed to the public.

6 days after the initial release, the details of the security update were publicly disclosed. In WordPress versions 4.7 and 4.7.1 a vulnerability in the REST API plug-in (enabled by default) would allow an unauthenticated user to modify the content of any post or page within a WordPress site.

Since the vulnerability was public acknowledgement, thousands of WordPress sites have been targeted and defaced by hackers.

“This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites,” said Mark Maunder, Wordfence Founder and CEO. “During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor.”

We highly recommend any of our clients using vulnerable WordPress versions to update as soon as possible and as a further security measure, install a site security software such as Wordfence.

Melbourne, Victoria, 2nd August, 2016 – Serversaurus, a Melbourne-based green cloud computing company, has purchased the customers and infrastructure of Brisbane based cloud hosting company Tract.com.

Serversaurus co-founder Martin Gleeson said he was proud to be making the company’s first acquisition since its inception in 2005:

The purchase of the Tract.com customer base and assets is our first foray into acquired expansion outside of our organic growth over the last 11 years. This expansion brings with it both an existing customer base, as well as necessary infrastructure to upgrade and expand our services in Melbourne

Like Serversaurus, Tract.com is built on the OnApp cloud stack, offering a range of SSD powered hosting services, premium DNS and shared hosting. This acquisition will provide the base for Serversaurus’ next generation cloud platform, allowing for a seamless upgrade path from the original platform which went online in 2010.

Serversaurus co-founder Nick Jaffe looks forward to the infrastructure and reliability benefits of the acquisition:

In the last 6 years Serversaurus has maintained unprecedented uptime, outperforming the likes of Amazon Web Services and other major cloud players. This acquisition from an infrastructure perspective, will provide Serversaurus with the base platform necessary to upgrade and continue our high level of reliability, while causing the minimum amount of customer disruption.

Serversaurus will continue to provide the quality of service Tract.com customers have been used to, and looks forward to being able to offer additional products and services, such as proven high-traffic and high-availability solutions.

Serversaurus is proud to be able to grow and continue it’s mission in providing both world-class cloud services from its Melbourne based headquarters, while also continuing its environmental and sustainable business practices.

– ENDS –

About Serversaurus

Serversaurus is headquartered at Electron Workshop, their purpose-built coworking space, which is shared with other like-minded businesses and entrepreneurs.

Serversaurus and Electron Workshop were co-founded under the parent company Arktisma, by Melbourne-based entrepreneurs Nick Jaffe and Martin Gleeson in 2005.

Serversaurus is a 100% Melbourne, Australian based green web hosting company, offering email, domains, web hosting, management, content delivery (CDN), Anycast DNS, and cloud hosting services.

Serversaurus is Australia’s first certified web hosting B Corporation, and one of the exclusive group of Founding Australian B Corporations in 2014. In 2007 Serversaurus was the first Australian hosting company to carbon-offset its emissions, and donates 1% of its annual turnover to environmental charities through the 1% For The Planet program.

For more information on Arktisma projects, visit: serversaurus.com.au and electronworkshop.com.au

About B Corporation

B Corps are certified by the nonprofit B Lab. To become a B Corp a company must complete a B Impact Assessment to demonstrate how they voluntarily meet higher standards of social and environmental performance, accountability, and transparency.

B Lab provides tools for companies to measure, compare and improve their social and environmental performance.

For more information on B Corp, visit www.bcorporation.net

Our SSD storage is locally connected across a high speed backplane, providing arguably one of the fastest methods of hosting storage, allowing ultra quick database reads/writes & high speed static file access.

Couple your site with our included CDN and provide exceptional end user experience across your website, through high speed servers and globally replicated content.

At this stage we have no intention of shutting down our existing Personal hosting services, however, we have made the business decision to no longer offer them as a product. Personal customers can think of themselves as being ‘grandfathered’ into the Serversaurus ecosystem for the foreseeable future.