StableHost – Blog

You may not fetch images from that site. To enable this site in timthumb, you can either add it to $ALLOWED_SITES and set ALLOW_EXTERNAL=true. Or you can set ALLOW_ALL_EXTERNAL_SITES=true, depending on your security needs.

You might have seen an error message very similar to this lately, or perhaps you noticed that your thumbnails are no longer working.  You might be asking yourself “what is this error and how do I fix my website”, if so — we’re here to help!

What is timthumb?

Prior to a few months ago, nobody really knew what timthumb.php was.  This was until someone found an exploit in it’s code and started hacking WordPress blogs left and right.  If you’re still not sure with timthumb.php is, it gets bundled with a lot of WordPress themes and is usually designed to create thumbnails of larger pictures for your blog, most people have it without even noticing.

So, what do we do?

You need to make sure a few things are up to date, they are; wordpress, all themes and all plugins.  In most instances, the wordpress theme makers are now bundling the correct timthumb.php which will protect you against the exploit that came out.   Keeping in mind that if you were hacked prior to upgrading timthumb.php, you will still be hacked, it doesn’t repair a hacked installation of WordPress.

So, we’re all good than, right?

For the most part, yes! However, the way a lot of people generate thumbnails is by using the full domain name in the URL, such as http://example.com/wp-content/themes/phones/timthumb.php?src=http://example.com/wp-content/uploads/2012/02/skype-windows-phone.jpg&h=60&w=60&zc=1.   The correct way to use timthumb is to link to the directory only, such as http://example.com/wp-content/themes/phones/timthumb.php?src=/wp-content/uploads/2012/02/skype-windows-phone.jpg&h=60&w=60&zc=1.

But, I have all of my thumbnail links already generated and it’s too much work to change them all!

We can understand that, if you don’t feel like changing all of your WordPress links to the new format (the non-domain format), you can add your domain as an “allowed domain”.  We warn you though, if you’re not experienced in web design, it may require a little work on your side.

Step 1) Go to your website which would show a thumbnail (the main page, in most cases) and click “View Source”

Step 2) You will need to search that page for a <img src> tag which is calling timthumb.php, it will look similar to:  <img src=”http://example.com/wp-content/themes/phones/timthumb.php?src=http://example.com/wp-content/uploads/2012/03/ics-update.jpg&amp;h=300&amp;w=460&amp;zc=1″ alt=”"/>.   This is the path to your timthumb.php file which you will need to manually edit.

Step 3) Fire up your FTP client and download that file.  In our example, it’s going to be in /home/user/public_html/wp-content/themes/phones/timthumb.php.

Step 4) Edit that file carefully and look for the line that starts with “$ALLOWED_SITES = array” you will see a list of sites that are allowed by default.

Step 5) You will want to edit that file to add your domain to it, in our example we’re using example.com as our domain, so our ALLOWED_SITES variable should look like this when we’re done:

if(! isset($ALLOWED_SITES)){
     $ALLOWED_SITES = array (
          'flickr.com',
          'staticflickr.com',
          'picasa.com',
          'img.youtube.com',
          'upload.wikimedia.org',
          'photobucket.com',
          'imgur.com',
          'imageshack.us',
          'tinypic.com',
          'example.com',
    );
}

Step 6) Save that file and re-upload it to the same directory, in our case it was /home/user/public_html/wp-content/themes/phones/

But…. I use thumbnails from hundreds of domains, I don’t want to add each one!

While timthumb.php allows you to turn off this security check, we highly recommend NOT doing it.   If you link to multiple external URLs and don’t want to add each one to $ALLOWED_SITES, you can disable the security check by editing timthumb.php and replacing this line:

if(! defined('ALLOW_ALL_EXTERNAL_SITES') )    define ('ALLOW_ALL_EXTERNAL_SITES', FALSE);

with:

if(! defined('ALLOW_ALL_EXTERNAL_SITES') )    define ('ALLOW_ALL_EXTERNAL_SITES', TRUE);

We had two major DDOS attacks in the past few days…  While we’re not happy about this, it’s a part of web hosting and therefore we wanted to educate our customers on what exactly a “DDOS Attack” is and why they suck.

In order for our servers to get “out to the internet” we have a connection with our providers.  In this example, our “connection” is going to be a tube slide, similar to something like this (http://www.slideinnovations.com/site/images/products/1055/1.jpg).  When you visit your website, you “throw a ball down the slide” which then shows you your website hosted on our servers.  In a normal day, the slide can have many balls go down at the same time, hundreds perhaps….

So, what exactly is a DDOS attack?  Well, a DDOS attack is when thousands if not tens of thousands of people try to throw a ball down the slide at the same time.  As you can imagine, you can only have so many balls go down the slide at the same time and sooner or later it will jam up the slide and no more balls will be able to get in.   A DDOS attack is just that, they send thousands of connections at our servers every second and try to jam up the slide.  The purpose of a DDOS attack is to take down a website so it’s no longer available to be viewed.

Why would people do this? Because their parents don’t love them, that’s why.  In all seriousness, websites get attacked for numbers of reasons, but most of the time it’s because the owner of the website made someone really upset, it usually happens on high risk websites such as adult, gambling, etc….. Which is why we’re very strict on what type of content we allow on our servers!

So how do we fix it? Well, it depends… If the person getting attacked is on a VPS or dedicated IP, we can simply block that IP with our providers and than everyone is back up.  However that’s usually not the case, it’s usually someone on a shared IP which 300+ other websites.  In those situations, we have a few options but it usually involves downtime for multiple people that share that IP address.  Sometimes it can affect our entire network if it’s big enough when all servers are down, however that’s usually not the case.  The solution to fixing a DDOS attack is usually wait it out.  We can sometimes filter out the attack but the majority of time, we have to wait until they stop.

Once a customer gets attacked, we no longer host them… We blacklist them from hosting with us in the future because it doesn’t really hurt them by getting attacked, but it hurts us (the web provider) the most.  We lose customers due to the downtime caused by the DDOS attack but more importantly, it can cost us a lot of money.  We pay our providers based on how many “balls” go through that slide every month, it’s not the typical DSL/Cable connection where we pay $49/month and can use it as much as we want, we pay for usage…. Therefore when thousands of balls continue to go down the slide (even if they aren’t successful) we have to pay for it.

We hope this helps you better understand DDOS attacks, what they are and why they are bad for both you and us.

The good: I think we paid enough of the salaries in postage to the US Post Office so they can stay open 1 more year.

The bad: Hundreds of our customers didn’t get our Christmas cards due to wrong addresses on file!

Do you have a US address and not get our Christmas card? Double check your address on file with us because it’s wrong!

We’ve worked with a certain provider many times throughout the last few years; they’ve hosted external services for us that we’ve used internally that needed to be outside our network. This post isn’t to slam this provider, in fact we won’t be naming the provider, however the lesson we learned that day was critical to us and we’re making sure our customers never experience the same lesson as we did.

It’s 1AM, we started to get paged regarding a certain internal service that was down, this particular service was hosted on a VPS at another provider’s network. We opened up a ticket with them as many of our own customers would do and the first response we received was “It’s not down, it’s just slow”. While that answer may be perfectly acceptable in certain situations, when we can’t ping or ssh into the server at all, it doesn’t matter if it’s “just slow”, it’s down for us and that’s all that matters. We replied back letting them know not only was it “not slow, but completely down” we didn’t hear back for quite some time.

We jumped on their live chat a few hours later and asked what’s going on, their response was ‘we’re working on it, no eta’. Few hours later, we replied to our ticket again asking for an update, no response.

12 hours later, our server is accessible again.

To this date, we have not yet received a response from them as to what happened, no apology, nothing.

So, what did we learn from this?

• Downtime will happen regardless! It doesn’t matter if you’re Joe’s Small Hosting Company or Google. You will have outages big and small, computers have a limited time span before they finally fail on you.

• Communication during an outage is #1. We’ve learned customers are a lot more understanding knowing what’s being done to bring the server back up, even if they don’t exactly understand the “tech lingo”. There should be status updates via twitter and facebook at least hourly and constant updates to support tickets. No communication during an outage is the worst thing you can do, however it’s also the easiest thing to do as you’re busy fixing the server, the last thing you want to do is update people on the status. We believe, in our situation, the entire server had to be restored and in that case 10+ hours is perfectly acceptable as there’s a lot of work to be done, however without any updates from the company you automatically assume the worst.

• Follow up with customers after the fact, be truthful and learn from your mistakes. If your customers have been down for the past few hours, they deserve some kind of notification letting them know what happened, why it happened and what you’re going to do to prevent it from happening again.

You can run the perfect company in terms of pricing, support, have a great looking website and so on, however if you forget the simple things such as communication when it matters most, you’re not going to succeed in this business.

Several years ago, prior to working here, I was a manager of a technical support organization. Every few months, I’d have an employee come to me and let me know they were leaving the company because they were unhappy with a certain aspect of their job. I always asked them why they didn’t let me know prior and always felt like a failure because as a manager it’s your job to realize when people are unhappy and make them happy again. I could never get a honest answer from them, I just assume employees feel it’s easier and less risky to find another job then to to be honest with their boss.

Similar situations has haunted me here, however it’s not with employees but customers this time. Very few customers will write in and tell us they are unhappy with us but instead change web hosts and we find out months down the road when they write a thread on a web hosting forum letting people know why they don’t recommend us.

As we run a shared platform, we have to use technology and standards that will fit ‘most’ customers, now this doesn’t mean every customer is going to have a positive experience because we know that won’t happen. However, in most cases, we can always make the customer happy by moving them to another server, adjusting a server configuration or upgrading them to another plan/service. I can count on my right hand how many times we’ve exhausted all resources for a single client and end up letting them know they are better off with another service because we simply can’t help them. That feeling really sucks and we’re lucky we don’t have to do it very often.

I encourage everyone if there’s a problem in life, not just web hosting, be honest with the other person/company and in most cases you will see it’s a lot easier to work out the issue then to move on. It’s our job to make sure you’re happy and if we never hear from you, we will always expect there’s nothing we could do to make your experience a better one.

We recently sent out an invitation to rate us on our performance to a few thousand people — we didn’t send it out to new customers because we wanted people to have a chance to experience us a bit more before reviewing.  We only expected 20 or so people to respond because let’s be honest, surveys are a pain.  We all get them constantly and they just annoy us — so seeing a few hundred people answered ours was amazing!

Normally survey results are kept fairly confidential — however, we were stunned by the results so we wanted to share with everyone.  Usually you won’t see companies release survey results because they are always negative, companies send out surveys to figure out “What’s wrong” and “Why sales are horrible”.  We don’t feel that way at all, however customer needs are always changing and we want to make sure we’re supporting our customers as much as possible…… and now to the results:

First off, we’re extremely happy to see the majority of people voted us “Excellent” in all categories — that is outstanding and we couldn’t be more happy.

As we expected, speed was the lowest rating (insert sad face here).  As we pointed out a few months ago, shared web hosting isn’t for every website out there.  If it’s a personal website where you store pictures and use for email, you won’t have speed issues, if it’s a small business website that you run, shouldn’t be a problem either.  Slow speeds come into play when you’re running multiple sites with database-driven applications (Huge blogs, forums, chat servers, etc).

In most cases, when you notice speed issues, it’s usually not due to the server being overloaded (even though that has happened due to various reasons in the past, it’s unlikely), it’s usually due to you running out of your own CPU/memory restrictions we place on each account.  We do this, not to make you mad, however to protect the server and protect the other hundreds of clients on our servers.  However, as we allow for each website to use “up to 10%” (not to be confused with use 10% constantly), a few bad apples in the hundreds of accounts can really slow things down, all it takes is 6 or 7 accounts and the server is running on 30% CPU idle for the rest of the hundreds of accounts, not really ideal.  We do our best to make sure our server’s are always monitored and they page us as soon as they notice CPU issues so if it comes to that point, we fix it before it becomes a major issue.  We recently released VPS plans (both budget — for those who are experienced system administrators who can need a VPS for a low-resource project, and enterprise VPS’s, which are for high end websites (high end blogs, forums, etc) who don’t want to upgrade to a dedicated server but want the benefit and speed of one.

However, our servers are getting a little bit of upgrade in the next few months (starting with the first one tomorrow, actually).  Each of our US servers has 12G of ram, we are upgrading all of our Phoenix-based servers to 24G of ram, doubling the amount of things we can keep in cache.  This will help increase speeds greatly across the board.  Some of our EU servers already have 24gigs, we’ll be rolling it out to all of them after we finish with our Phoenix-based servers.

The next survey question was regarding communication and how often we communicated with you.  Sometimes I feel like we communicate too much with you so I’m glad we asked this question — the results were not expected.   We’ll continue to send updates as much as needed — hopefully in the future, customers can check what kind of communication they want from us (outages, maintenance’s, features, etc) and so they only receive certain emails from us if they feel we’re sending too many.

The next question related to how we notify customers, we’re glad phone wasn’t a favorite.   It would take a long time to call thousands of people anytime we made a change — and we’re nerds, we hate talking on the phone!

The question related to referrals was a huge sign to us we’re doing the right thing — in most cases, you don’t refer other people to services which you aren’t happy with, therefore we’re very happy to see the results of that poll

As far as ‘What could we do better?’ this was a comment box with lots of comments — most of them say ‘Nothing, you’re doing a great job’ which is awesome!    However, I wanted to publicly address on the blog:

Concerns about our terms of service – If you are a newer customer of ours, you might have no idea what we are talking about here, but maybe 8 months ago, we completely re-did our terms with our lawyer and he wrote up about 25 pages of “lawyer-speak”.     We thought it was a good idea due to recent events at the time, however we received a lot of negative feedback about it.    We decided to change our terms a few months back to make it much easier to read — therefore, for those who complained about our terms, we invite you to check out our new terms and let us know any feedback you have!   It’s best to contact us directly regarding terms questions/comments.

Concerns we are getting too big and service will decline – Every big company has this issue, either they grow too fast and can’t support things or they start going cheap on things to make more profitable.     We’re doing our best NOT to become those companies, we’re not a fan of these “mega web hosting companies” that have millions of customers and 1000′s of employees because to them, a customer is nothing.    We’re growing at a steady pace that gives us the ability to not have hundreds of employees and we still try to treat each customer like they are a part of our family.      I hope we never lose that feeling as we continue to grow.     If it wasn’t for the customers, we wouldn’t be here — as people grow big, they forget that very thing.

Coupons for existing customers - The majority of our coupons on for new accounts only — this is pretty standard across most web hosting companies.   However, after reading some of these comments, we’re going to change some things up and start offering limited-time coupons to existing customers to encourage them to bring their additional accounts over to us.  When this happens, we’ll make sure to announce it!

That’s about it — we greatly thank each and every one of you for taking your time and answering our survey.