You might have seen an error message very similar to this lately, or perhaps you noticed that your thumbnails are no longer working.  You might be asking yourself “what is this error and how do I fix my website”, if so — we’re here to help!

What is timthumb?

Prior to a few months ago, nobody really knew what timthumb.php was.  This was until someone found an exploit in it’s code and started hacking WordPress blogs left and right.  If you’re still not sure with timthumb.php is, it gets bundled with a lot of WordPress themes and is usually designed to create thumbnails of larger pictures for your blog, most people have it without even noticing.

So, what do we do?

You need to make sure a few things are up to date, they are; wordpress, all themes and all plugins.  In most instances, the wordpress theme makers are now bundling the correct timthumb.php which will protect you against the exploit that came out.   Keeping in mind that if you were hacked prior to upgrading timthumb.php, you will still be hacked, it doesn’t repair a hacked installation of WordPress.

So, we’re all good than, right?

For the most part, yes! However, the way a lot of people generate thumbnails is by using the full domain name in the URL, such as http://example.com/wp-content/themes/phones/timthumb.php?src=http://example.com/wp-content/uploads/2012/02/skype-windows-phone.jpg&h=60&w=60&zc=1.   The correct way to use timthumb is to link to the directory only, such as http://example.com/wp-content/themes/phones/timthumb.php?src=/wp-content/uploads/2012/02/skype-windows-phone.jpg&h=60&w=60&zc=1.

But, I have all of my thumbnail links already generated and it’s too much work to change them all!

We can understand that, if you don’t feel like changing all of your WordPress links to the new format (the non-domain format), you can add your domain as an “allowed domain”.  We warn you though, if you’re not experienced in web design, it may require a little work on your side.

Step 1) Go to your website which would show a thumbnail (the main page, in most cases) and click “View Source”

Step 2) You will need to search that page for a <img src> tag which is calling timthumb.php, it will look similar to:  <img src=”http://example.com/wp-content/themes/phones/timthumb.php?src=http://example.com/wp-content/uploads/2012/03/ics-update.jpg&amp;h=300&amp;w=460&amp;zc=1″ alt=”"/>.   This is the path to your timthumb.php file which you will need to manually edit.

Step 3) Fire up your FTP client and download that file.  In our example, it’s going to be in /home/user/public_html/wp-content/themes/phones/timthumb.php.

Step 4) Edit that file carefully and look for the line that starts with “$ALLOWED_SITES = array” you will see a list of sites that are allowed by default.

Step 5) You will want to edit that file to add your domain to it, in our example we’re using example.com as our domain, so our ALLOWED_SITES variable should look like this when we’re done:

if(! isset($ALLOWED_SITES)){
     $ALLOWED_SITES = array (
          'flickr.com',
          'staticflickr.com',
          'picasa.com',
          'img.youtube.com',
          'upload.wikimedia.org',
          'photobucket.com',
          'imgur.com',
          'imageshack.us',
          'tinypic.com',
          'example.com',
    );
}

Step 6) Save that file and re-upload it to the same directory, in our case it was /home/user/public_html/wp-content/themes/phones/

But…. I use thumbnails from hundreds of domains, I don’t want to add each one!

While timthumb.php allows you to turn off this security check, we highly recommend NOT doing it.   If you link to multiple external URLs and don’t want to add each one to $ALLOWED_SITES, you can disable the security check by editing timthumb.php and replacing this line:

if(! defined('ALLOW_ALL_EXTERNAL_SITES') )    define ('ALLOW_ALL_EXTERNAL_SITES', FALSE);

with:

if(! defined('ALLOW_ALL_EXTERNAL_SITES') )    define ('ALLOW_ALL_EXTERNAL_SITES', TRUE);

In order for our servers to get “out to the internet” we have a connection with our providers.  In this example, our “connection” is going to be a tube slide, similar to something like this (http://www.slideinnovations.com/site/images/products/1055/1.jpg).  When you visit your website, you “throw a ball down the slide” which then shows you your website hosted on our servers.  In a normal day, the slide can have many balls go down at the same time, hundreds perhaps….

So, what exactly is a DDOS attack?  Well, a DDOS attack is when thousands if not tens of thousands of people try to throw a ball down the slide at the same time.  As you can imagine, you can only have so many balls go down the slide at the same time and sooner or later it will jam up the slide and no more balls will be able to get in.   A DDOS attack is just that, they send thousands of connections at our servers every second and try to jam up the slide.  The purpose of a DDOS attack is to take down a website so it’s no longer available to be viewed.

Why would people do this? Because their parents don’t love them, that’s why.  In all seriousness, websites get attacked for numbers of reasons, but most of the time it’s because the owner of the website made someone really upset, it usually happens on high risk websites such as adult, gambling, etc….. Which is why we’re very strict on what type of content we allow on our servers!

So how do we fix it? Well, it depends… If the person getting attacked is on a VPS or dedicated IP, we can simply block that IP with our providers and than everyone is back up.  However that’s usually not the case, it’s usually someone on a shared IP which 300+ other websites.  In those situations, we have a few options but it usually involves downtime for multiple people that share that IP address.  Sometimes it can affect our entire network if it’s big enough when all servers are down, however that’s usually not the case.  The solution to fixing a DDOS attack is usually wait it out.  We can sometimes filter out the attack but the majority of time, we have to wait until they stop.

Once a customer gets attacked, we no longer host them… We blacklist them from hosting with us in the future because it doesn’t really hurt them by getting attacked, but it hurts us (the web provider) the most.  We lose customers due to the downtime caused by the DDOS attack but more importantly, it can cost us a lot of money.  We pay our providers based on how many “balls” go through that slide every month, it’s not the typical DSL/Cable connection where we pay $49/month and can use it as much as we want, we pay for usage…. Therefore when thousands of balls continue to go down the slide (even if they aren’t successful) we have to pay for it.

We hope this helps you better understand DDOS attacks, what they are and why they are bad for both you and us.

The bad: Hundreds of our customers didn’t get our Christmas cards due to wrong addresses on file!

Do you have a US address and not get our Christmas card? Double check your address on file with us because it’s wrong!

It’s 1AM, we started to get paged regarding a certain internal service that was down, this particular service was hosted on a VPS at another provider’s network. We opened up a ticket with them as many of our own customers would do and the first response we received was “It’s not down, it’s just slow”. While that answer may be perfectly acceptable in certain situations, when we can’t ping or ssh into the server at all, it doesn’t matter if it’s “just slow”, it’s down for us and that’s all that matters. We replied back letting them know not only was it “not slow, but completely down” we didn’t hear back for quite some time.

We jumped on their live chat a few hours later and asked what’s going on, their response was ‘we’re working on it, no eta’. Few hours later, we replied to our ticket again asking for an update, no response.

12 hours later, our server is accessible again.

To this date, we have not yet received a response from them as to what happened, no apology, nothing.

So, what did we learn from this?

• Downtime will happen regardless! It doesn’t matter if you’re Joe’s Small Hosting Company or Google. You will have outages big and small, computers have a limited time span before they finally fail on you.

• Communication during an outage is #1. We’ve learned customers are a lot more understanding knowing what’s being done to bring the server back up, even if they don’t exactly understand the “tech lingo”. There should be status updates via twitter and facebook at least hourly and constant updates to support tickets. No communication during an outage is the worst thing you can do, however it’s also the easiest thing to do as you’re busy fixing the server, the last thing you want to do is update people on the status. We believe, in our situation, the entire server had to be restored and in that case 10+ hours is perfectly acceptable as there’s a lot of work to be done, however without any updates from the company you automatically assume the worst.

• Follow up with customers after the fact, be truthful and learn from your mistakes. If your customers have been down for the past few hours, they deserve some kind of notification letting them know what happened, why it happened and what you’re going to do to prevent it from happening again.

You can run the perfect company in terms of pricing, support, have a great looking website and so on, however if you forget the simple things such as communication when it matters most, you’re not going to succeed in this business.

Similar situations has haunted me here, however it’s not with employees but customers this time. Very few customers will write in and tell us they are unhappy with us but instead change web hosts and we find out months down the road when they write a thread on a web hosting forum letting people know why they don’t recommend us.

As we run a shared platform, we have to use technology and standards that will fit ‘most’ customers, now this doesn’t mean every customer is going to have a positive experience because we know that won’t happen. However, in most cases, we can always make the customer happy by moving them to another server, adjusting a server configuration or upgrading them to another plan/service. I can count on my right hand how many times we’ve exhausted all resources for a single client and end up letting them know they are better off with another service because we simply can’t help them. That feeling really sucks and we’re lucky we don’t have to do it very often.

I encourage everyone if there’s a problem in life, not just web hosting, be honest with the other person/company and in most cases you will see it’s a lot easier to work out the issue then to move on. It’s our job to make sure you’re happy and if we never hear from you, we will always expect there’s nothing we could do to make your experience a better one.

First off, you have to understand how it’s all connected together. The Internet isn’t a service that people sign up and you’re connected, it’s far more complex. The major Internet companies out there laid cables, known as fiber cables, it looks like this:

These cables are mostly under ground and we drive over them every day. The providers that own these cables are the main players of communication and are known as Level3, Sprint, QWest (CentryLink), AT&T, Savvis, etc. For the Internet to work, these cables need to connect each of these providers up with another provider. For example, AT&T has cables that connect into Sprint’s networking equipment all over the world. Companies then, such as us, buy a “port” on these major companies routers which allow us to connect into the “Internet”.

When you check your email, you send a packet to your Internet provider which has certain information such as where you want to go. Your ISP then check their database as to how they reach our network and send it on it’s way. It would be very expensive to buy ports on every ISP’s networking equipment so, so we rely on an Internet protocol called “BGP”. The BGP protocol will tell your ISP in order to get to us, you have to go to AT&T first, then Level3, and then Sprint and we have a port on Sprint’s networking equipment. In this example, it only changes locations 3 times, however in the real world, it’s normal for a single packet to change companies 10-15 times depending on how far away you are from where we are (and our servers).

It’s really incredible if you think about it, you are sending thousands and thousands packets to us every day. For example, when you check your email every 5 minutes, you send us atleast 20 packets just to ask us if you have any new email, so every 5 minutes, you are sending 20 packets from one end of the world to Phoenix faster then you can blink.

The Internet is an amazing thing, however since there’s so many moving pieces to the Internet and how it’s all connected together, there can be problems where you can’t reach your servers and it’s not our fault. For example, in our situation above where it went from your Internet company, to AT&T, and then Level3 to Sprint to us. If Level3 had an issue for whatever reason, your may not be able to reach your website.

We hope you enjoyed this, obviously there’s a lot more to the Internet as we describe here but that’s the basics on how things work.

Normally survey results are kept fairly confidential — however, we were stunned by the results so we wanted to share with everyone.  Usually you won’t see companies release survey results because they are always negative, companies send out surveys to figure out “What’s wrong” and “Why sales are horrible”.  We don’t feel that way at all, however customer needs are always changing and we want to make sure we’re supporting our customers as much as possible…… and now to the results:

First off, we’re extremely happy to see the majority of people voted us “Excellent” in all categories — that is outstanding and we couldn’t be more happy.

As we expected, speed was the lowest rating (insert sad face here).  As we pointed out a few months ago, shared web hosting isn’t for every website out there.  If it’s a personal website where you store pictures and use for email, you won’t have speed issues, if it’s a small business website that you run, shouldn’t be a problem either.  Slow speeds come into play when you’re running multiple sites with database-driven applications (Huge blogs, forums, chat servers, etc).

In most cases, when you notice speed issues, it’s usually not due to the server being overloaded (even though that has happened due to various reasons in the past, it’s unlikely), it’s usually due to you running out of your own CPU/memory restrictions we place on each account.  We do this, not to make you mad, however to protect the server and protect the other hundreds of clients on our servers.  However, as we allow for each website to use “up to 10%” (not to be confused with use 10% constantly), a few bad apples in the hundreds of accounts can really slow things down, all it takes is 6 or 7 accounts and the server is running on 30% CPU idle for the rest of the hundreds of accounts, not really ideal.  We do our best to make sure our server’s are always monitored and they page us as soon as they notice CPU issues so if it comes to that point, we fix it before it becomes a major issue.  We recently released VPS plans (both budget — for those who are experienced system administrators who can need a VPS for a low-resource project, and enterprise VPS’s, which are for high end websites (high end blogs, forums, etc) who don’t want to upgrade to a dedicated server but want the benefit and speed of one.

However, our servers are getting a little bit of upgrade in the next few months (starting with the first one tomorrow, actually).  Each of our US servers has 12G of ram, we are upgrading all of our Phoenix-based servers to 24G of ram, doubling the amount of things we can keep in cache.  This will help increase speeds greatly across the board.  Some of our EU servers already have 24gigs, we’ll be rolling it out to all of them after we finish with our Phoenix-based servers.

The next survey question was regarding communication and how often we communicated with you.  Sometimes I feel like we communicate too much with you so I’m glad we asked this question — the results were not expected.   We’ll continue to send updates as much as needed — hopefully in the future, customers can check what kind of communication they want from us (outages, maintenance’s, features, etc) and so they only receive certain emails from us if they feel we’re sending too many.

The next question related to how we notify customers, we’re glad phone wasn’t a favorite.   It would take a long time to call thousands of people anytime we made a change — and we’re nerds, we hate talking on the phone!

The question related to referrals was a huge sign to us we’re doing the right thing — in most cases, you don’t refer other people to services which you aren’t happy with, therefore we’re very happy to see the results of that poll

As far as ‘What could we do better?’ this was a comment box with lots of comments — most of them say ‘Nothing, you’re doing a great job’ which is awesome!    However, I wanted to publicly address on the blog:

Concerns about our terms of service – If you are a newer customer of ours, you might have no idea what we are talking about here, but maybe 8 months ago, we completely re-did our terms with our lawyer and he wrote up about 25 pages of “lawyer-speak”.     We thought it was a good idea due to recent events at the time, however we received a lot of negative feedback about it.    We decided to change our terms a few months back to make it much easier to read — therefore, for those who complained about our terms, we invite you to check out our new terms and let us know any feedback you have!   It’s best to contact us directly regarding terms questions/comments.

Concerns we are getting too big and service will decline – Every big company has this issue, either they grow too fast and can’t support things or they start going cheap on things to make more profitable.     We’re doing our best NOT to become those companies, we’re not a fan of these “mega web hosting companies” that have millions of customers and 1000′s of employees because to them, a customer is nothing.    We’re growing at a steady pace that gives us the ability to not have hundreds of employees and we still try to treat each customer like they are a part of our family.      I hope we never lose that feeling as we continue to grow.     If it wasn’t for the customers, we wouldn’t be here — as people grow big, they forget that very thing.

Coupons for existing customers - The majority of our coupons on for new accounts only — this is pretty standard across most web hosting companies.   However, after reading some of these comments, we’re going to change some things up and start offering limited-time coupons to existing customers to encourage them to bring their additional accounts over to us.  When this happens, we’ll make sure to announce it!

That’s about it — we greatly thank each and every one of you for taking your time and answering our survey.

When PHP created PHP 5.3.x, they rewrote a lot of the functions that PHP 5.2.x had, causing the majority of scripts out there to not work.       As a web hosting provider, we have to make decisions every day on what’s the best decision for our clients — do we enable PHP 5.3.x knowing that it will not work with older scripts such as WordPress, but allow newer scripts to work with our system such as the new versions of Joomla?   The cons of PHP 5.3.x always out-weighed the pros and therefore we always kept on the PHP 5.2.x branch….. until now.

I’m happy to report all of our Litespeed servers now support both PHP 5.2.x and PHP 5.3.x versions.     By default, our customers will always use PHP 5.2.x, however if you wish to use PHP 5.3,x, it’s a simple line to your .htaccess file.

AddType application/x-httpd-php53 php53 php

Enjoy!

Due to increased growth the last 2 years, we’ve been changing things non-stop to accommodate the growth.    Any person that has an internet connection can start a web hosting company, however very few people have the technical knowledge to continue to scale it as it continues to grow.

When we had only a few hundred clients, we leased our servers directly from the datacenter.    We started like every other web hosting company out there, with a $99 server.   As we all know — a $99 server can only go so far, a few clients and it’s maxed out.    As months went on, we started to buy our own hardware directly from Dell and placed it in a cabinet in Texas.    Several months later, we continued to add servers and realized we needed them to be locally here in Arizona.    Troubleshooting hardware problems remotely is very hard not something we wanted to do.    However, how do you move all of your clients from Texas to Phoenix?

Well, we could overnight the servers and hope the customers are okay with 24 hours of downtime, not ideal but the cheapest solution by far.   We decided 24 hours of downtime was unacceptable (hey! we have to live up to our name!) so we bought new hardware and duplicated our setup that we had in Texas.    We then migrated everyone from Texas to Phoenix, not a fun task for the customer or us.

When we originally moved to Phoenix, we were still using our datacenter’s network.    When you have your own servers, you have two options on how you configure your network.    You can take the easy and cheap approach which involves buying a switch and having a uplink to your datacenter’s network, they give you IPs, and you’re set!   We did that for a while and realized while we love our servers locally in Phoenix, we needed more control over the network.     We hate relying on other people if we can help it and the more things we have control over, the better.

Months later, we decided that we needed to build out an actual “network” in Phoenix.   By this, it involves buying routers, transit providers, our own IPs,  etc.   This has been a “work in progress” for the past year, constantly upgrading it and adding additional redundancy to it.

If you signed up with us in the past year in our US location, you’re “on our network”, while if you came from our Texas network, or signed up prior to the whole build out, you’re still on the “old network (datacenters network)”.   While there’s nothing wrong with the old network — it doesn’t mean your website is slow, etc — it does mean that we don’t have the control we want when it comes to DOS attacks, routing issues, outages, redundancy, etc.

Therefore, our last (hopefully!) network migration is to move all of the people who are on the old network to our own network.     So, how do you know what network you’re on?  You can determine it based on your IP address.    If your IP address starts with 199.x.x.x, you are on our network.    If you are on a 64.38.x.x IP, or a 184.x.x.x IP, you are on our older network.     We started this IP migration project as of today and starting with the server ‘cp20′.    We will be updating this post with our update to keep everyone informed on the progress of it as it’s a very slow and time consuming process.

Lastly, we greatly appreciate everyone’s patience as we continue to make our network better.    We are very happy with how our US network turned out after several changes and learning what works (and what doesn’t work) and hope you can understand and appreciate why we do it.

IP MIGRATION STATUS

-

cp20: As of 08/01/11 – All accounts have been moved over successfully.

cp22: As of 08/21/11 – All accounts have been moved over successfully.

cp23: As of 08/22/11 – All accounts have been moved over successfully.

cp24: As of 08/04/11 – All accounts have been moved over successfully.

What exactly is shared hosting? Most customers have never heard that word before, they just know they buy web hosting from StableHost.com. Shared hosting is the term companies use where they purchase a server which is shared amongst all of their customers. A shared server can have anywhere from 100 to 2000 clients on it, depending on specs, load, etc. We have many shared servers that we spread our customer base out equally to each of them.

On average, web hosting companies will allow each customer to use a certain amount of CPU, normally this ranges from 10-15%. CPU is the most valuable resource when it comes to a server and therefore there is always a limit of how much each website can use. When web hosting companies state a 10% CPU limit, that means you can burst up to 10% (usually for up to a few minutes) but that doesn’t mean you can constantly use 10%.

We’ll explain why — let’s take the average server cost, $500/month for the server, rack space and bandwidth. If we allowed a customer to constantly use 10% of the server, that means we could only have 10 clients per server. That means each customer would have to pay $50/month and that gives us no overhead, no support costs, no paying employees, no upgrades, nothing. With the average web hosting cost of $5/month, that averages out to the customer paying for roughly 1% of the CPU.

99.9% of websites will fall under the 10% CPU, however the 0.1% of usually our highest submitting ticket customers. We run cloudlinux which basically limits each customer to 10% automatically. Before cloudlinux came around, we would have to watch for it constantly and suspend if we saw someone abusing resources. They make it easy on us now where the server does all the hard work and will limit a website if they are using more then 10%. When your website gets limited, it will either be extremely slow or you will not be able to reach it.

These types of websites are suitable for shared hosting:

- A personal blog or website
- A forum for a few friends or a small community
- A gallery of pictures
- Your small business website

These types of websites are NOT suitable for shared hosting:

- A large forum (over 30 people online at a time)
- A large blog (Over 10,000 visitors a day)
- Any type of web-based game

So what happens when you outgrow shared hosting? The next step is VPS which is your own virtual server. It’s where a web hosting provider will split a dedicated server into smaller pieces and allocate 1 piece to each customer giving them dedicated CPU/Memory resources. VPS’s with cPanel start roughly around $50/month and go up from there. Once you outgrow a VPS, the next step is a dedicated server which start usually around $150-$200/month.