WordPress 4.0.1 Security Release

WordPress 4.0.1 is now available for download and upgrade.

This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.


Sites that support automatic background updates will be updated to WordPress 4.0.1 automatically. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (Versions older than 3.7.x are no longer supported, so we recommend upgrading to the latest version.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
  • An extremely unlikely hash collision that could allow a user’s account to be compromised, and that also required that they haven’t logged in since 2008.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.

Version 4.0.1 also fixes 23 bugs in 4.0 and makes two hardening changes, including better validation of EXIF data extracted from uploaded photos.

For more information on all of the changes, see the release notes or consult the list of changes.

Getting Ready for the Holiday Season

As the holiday season is upon us, now is the best time to get ready for the increased traffic and sales to your website.

Before we continue, let’s list the important dates for online shopping:

  • November 27th: Thanksgiving Day
  • November 28th: Black Friday
  • December 1st: Cyber Monday
  • December 16th: Hanukkah
  • December 24th: Christmas Eve
  • December 25th: Christmas Day
  • December 31st: New Year’s Eve
  • January 1st: New Year’s Day

The following are some tips for our clients to prepare for the increase in website traffic during the holiday season.


New Affiliate Banners 2014

Our last batch of affiliate banners was launched two years ago to match the style of our previous website design.

As we have redesigned our website recently, it is only natural to update our web banners to better match the new website design.

Besides the usual GIF banners, we have also added HTML5 banners which are as fluid as Flash banners but will work with all devices. You can view all the new banners below.

If you are an affiliate, you can obtain the new banners and codes in our Client Area.

Our Affiliate Program is open to all clients of Aspiration Hosting who maintain an Active hosting account. We pay recurring commissions for each customer that you refer to us, for the entire duration of their service.

Not an affiliate yet? Join our Affiliate Program and start earning commissions today!


Aspiration Hosting 3.0

Three years ago we introduced Aspiration Hosting 2.0, which includes a complete redesign of our website and a host of other changes.

Today we are introducing Aspiration Hosting 3.0, which includes the biggest changes to our company to date.

New Responsive Designs

As the last website design is becoming dated and uninteresting, we decided that it is time to do a complete redesign. We enlisted the help of an excellent designer, Jordan Owen, to work on a new design and after a few months of hard work, our new website design is now ready to go live.

The new design is responsive, which means that you can access our website from any device (Desktops, Laptops/Notebooks, Tablets, Smartphones) and the website layout will automatically adjust to match the screen size of your device. This extends to our Company Blog and Client Area as well, so you can read our announcements, pay your invoices, and submit and read your support tickets from any device.

We are in the process of working on a new cPanel design which matches the new website design and it will be responsive as well, allowing you to manage your hosting accounts easily from any device. You will see a pleasant new design when logging in to your cPanel as soon as the design is ready to go live.

Cloud Servers

Along with the new design, we are introducing our latest solution to help you grow your business with peace of mind – The Cloud Server with Auto Failover.

The main features of our Cloud Servers include High Availability, Pure SSD Storage, Guaranteed Resources and Easy Scaling.

All Cloud Servers are genuinely 100% Fully Managed and we are responsible for all server administration matters. You will not need knowledge about server management or worry about security as we will handle them all for you.

It took us many months to create the perfect formula for our Cloud Servers and we hope you will like it as much as we do!

Rewards Program

We work with partners across multiple industries to draw up a Rewards Program specially for you, our valued client.

Our Rewards Program offers you Freebies, Special Deals and Perks from our partners including aheadWorks, Stripe, Google, Sucuri, LastPass, Extendware and many more.

We are constantly working with multiple partners to bring more value to you so do stay tuned for more partners who will be joining our Rewards Program.

Uptime, Twitter, Feedback and Reviews

As with our announcements three years ago, the Uptime Report for our servers (monitored by Pingdom) is still viewable publicly.

We are still active on Twitter and if you haven’t followed us, now is the time to do so!

Our Feedback Department is still available where you can reach our Management team directly for any complaints, feedback or suggestions.

Finally, we still collect reviews with ShopperApproved and if you love our services, we do hope you can take some time to write an honest review about your experience with us.

Thank you for taking the time out of your hectic schedule to read this, we really appreciate it!

SSLv3 Disabled Due to POODLE Bug

Engineers at Google have found a new vulnerability in SSL version 3.0 (SSLv3), which they call POODLE (Padding Oracle On Downgraded Legacy Encryption). The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of data encrypted using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when the SSLv3 protocol is in use. Full details have been published by Google in a paper.

Who does this affect?

SSLv3 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

However, the only group of users who will be seriously affected by this bug is those who are still using Internet Explorer 6 on Windows XP (both are already at their End of Life).

According to CloudFlare, 0.09% of all traffic across their network is SSLv3. For HTTPS traffic, 0.65% across their network uses SSLv3. The good news is most of that traffic is actually attack traffic and some minor crawlers. For real visitor traffic, today 3.12% of CloudFlare’s total SSL traffic comes from Windows XP users. Of that, 1.12% of Windows XP users connected using SSLv3. In other words, even on an out-of-date operating system, 98.88% of Windows XP users connected using TLSv1.0+, which is not affected by this vulnerability.
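To gauge the same thing for your own site, you can tally the negotiated protocol per request from the web server log and see which clients still arrive over SSLv3. This is an added example, not code from the original post; the log format (a custom Apache `LogFormat` using mod_ssl's `%{SSL_PROTOCOL}x` field), the function name `audit_sslv3` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed Apache mod_ssl log format (an assumption, not from the original post):
#   LogFormat "%h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s \"%{User-Agent}i\""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), for illustration only.
SAMPLE_LOG = """\
198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
203.0.113.9 SSLv3 RC4-SHA "GET /cart HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 TLSv1 AES128-SHA "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
203.0.113.40 SSLv3 DES-CBC3-SHA "GET /robots.txt HTTP/1.0" 200 "ExampleCrawler/1.0"
198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /checkout HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
this line is malformed and is skipped
"""

def audit_sslv3(log_text):
    """Summarise which logged HTTPS requests negotiated SSLv3."""
    protocols, sslv3_agents = Counter(), Counter()
    sslv3_clients, skipped = set(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparseable lines instead of guessing
            continue
        protocols[m["proto"]] += 1
        if m["proto"] == "SSLv3":
            sslv3_agents[m["agent"]] += 1
            sslv3_clients.add(m["ip"])
    total = sum(protocols.values())
    return {
        "total": total,
        "skipped": skipped,
        "protocols": dict(protocols),
        "sslv3_percent": round(100.0 * protocols["SSLv3"] / total, 2) if total else 0.0,
        "sslv3_clients": sorted(sslv3_clients),
        "sslv3_agents": sslv3_agents.most_common(),
    }

if __name__ == "__main__":
    report = audit_sslv3(SAMPLE_LOG)
    print(f"SSLv3 share: {report['sslv3_percent']}% of {report['total']} requests")
    for agent, hits in report["sslv3_agents"]:
        print(f"  {hits:>4}  {agent}")
```

The user-agent breakdown separates real visitors on old browsers from crawlers, which is the distinction the CloudFlare figures draw.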

Our Response

We will be disabling SSLv3 across all of our servers as this is a serious vulnerability with no patch in sight (as SSLv3 is very old) and most web browsers will be dropping support for SSLv3 after this POODLE incident anyway.

If you receive any complaints from website visitors who are affected by the decision to disable SSLv3, we highly recommend that you advise them to stop using Internet Explorer 6 and switch to a modern browser such as Google Chrome, Mozilla Firefox, Safari or Opera.

For those of you who are not aware, even Microsoft has been discouraging Windows XP users from using Internet Explorer 6 with its IE 6 Countdown website since 2011.
