Archive for the ‘Web Development’ Category

15/10 - CMS :: Drupal Review

Wednesday, October 15th, 2008

All of you have noticed that we have a nice shiny new website now.

What most of you may not know is how we built it. I’ll leave it to Tim to tell you all about the design work in an upcoming series of posts that will be appearing here over the coming weeks, but on the way to getting there we had to decide how to run the site, and we settled on using a CMS, or Content Management System.

Now there are many CMS’ out there, we’re using Joomla for the main site and Wordpress to run this blog, but to get to that decision we had to test out lots of systems to find the one we liked most and worked best for us. I’m sure you have all seen the list of CMS and blog systems in Fantastico and over the next few weeks I’ll be writing a review of all of the best of these systems and what I like about them. We start this week with Drupal.

Drupal was, and still is, possibly my personal favorite CMS. For starters, it is possibly the simplest system: anyone can use it without much work to figure out how it works, and there are hundreds of skins for it, both free and paid for. It’s very clean and makes good use of Ajax and other things to make it look nicer. Another thing I like is that it really guides a new user through how to set it up, which is a nice change from the last time I really looked at CMSs and PHPNuke, which I found had far too much going on everywhere, came with little or no explanation and lacked options when skinning. Drupal can be made to look like a proper fully coded website, with lots of advanced features, with minimum effort from the person running the site, and that’s all without even starting on the huge number of add-on modules and other extras that can be downloaded and added to your installation! Maybe I’ll do another separate post of skins and add-ons that you might like to try on your own site! :)

Just a quick note about security: as with all scripts you can run on your site, it is very, very important that you keep the software up to date at all times, mainly because out-of-date scripts are generally very easy to hack into, and we don’t want that to happen to any of us, but also because you might be missing out on some awesome new features!!

To round off each of these reviews I’ll give a score out of 10, now you might think this is harsh, but nothing will ever score a 10, ever. Why? Simple if something scores a 10 there is nowhere it needs to improve, and that’s never true with anything.

So with that in mind, my rating for Drupal is…..

Just another thing, if you want to suggest something for me to write about or flame me about one of my posts, drop us a ticket in to the feedback and suggestions department and you might just get to see your idea written here. We’re also interested to hear from anyone that might like to be a guest writer on our blog, so if you feel you have something that you could do to contribute send that along also, you might get to write for us! If you aren’t a current customer you can always use the contact us form to get in touch with us!

24/09 - Dev :: Key-hash Security

Wednesday, September 24th, 2008
When programming websites today you always have to worry about security, and many beginners just don’t know how to tackle this. I hope the following will help some of you out there.

A very simple yet effective way of making sure that your POST data is secure is to include a security hash. This is far simpler than it sounds; follow the example below and I’m sure you’ll understand.

The below goes in form.php/whatever.php

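<?PHP
// Today's key hash, wrapped in double quotes so it can be echoed straight into the value attribute
$key = '"'.md5("key".date("Ymd")).'"';
?>
<form action="edit.php" method="post">
<input name="hash" type="hidden" value=<?PHP echo $key; ?>>
</form>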

Now this goes in edit.php/whatever.php

<?PHP
// Stop unless the form sent today's key hash
if (!isset($_POST['hash']) || $_POST['hash'] != md5("key".date("Ymd"))) {
  die("Restricted access!");
}
?>

I think that most of you understand what this does, but just in case you don’t: in the form we have our hash key, which is unique for your site and changes every day. In the file that does the actual SQL query or other processing we put in a line of code that will “die” unless the correct key hash is entered.

Now this is just the basics of what you can do with key hashes. I have elaborated many systems with key hash security to be unique not only for the day but for every edit form, page or cookie. This will of course not stop the most relentless hackers, but it will fend off a boatload of the less sophisticated hackers and bots.

Jan-Erik Lysander runs Lysander Consulting who specialise in IT / internet / web development.
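
The per-form, per-visitor variant mentioned above, written out as an added example (not the author's code): the token is an HMAC keyed with a random secret held in the visitor's session, carries its own issue time, and is compared with hash_equals(). The function names, the form ids and the one-hour lifetime are assumptions; on a real site pass $_SESSION (after session_start()) where the demo passes plain arrays.

```php
<?php
// Added example, not the post's code. All function names are hypothetical.

// One random 32-byte key per visitor session; it never leaves the server.
function form_token_key(array &$session): string
{
    if (!isset($session['form_key'])) {
        $session['form_key'] = random_bytes(32);
    }
    return $session['form_key'];
}

// Token = issue time + HMAC over (form id, issue time), bound to this session.
function issue_form_token(array &$session, string $formId, ?int $now = null): string
{
    $now = $now ?? time();
    $mac = hash_hmac('sha256', $formId . '|' . $now, form_token_key($session));
    return $now . ':' . $mac;
}

function check_form_token(array &$session, string $formId, $token,
                          int $maxAge = 3600, ?int $now = null): bool
{
    $now = $now ?? time();
    // $_POST values can be arrays or missing, so validate the shape first.
    if (!is_string($token) || !preg_match('/^(\d{1,12}):([0-9a-f]{64})$/D', $token, $m)) {
        return false;
    }
    $issued = (int) $m[1];
    if ($issued > $now || $now - $issued > $maxAge) {
        return false; // issued in the future, or older than the allowed lifetime
    }
    $expected = hash_hmac('sha256', $formId . '|' . $issued, form_token_key($session));
    return hash_equals($expected, $m[2]); // constant-time comparison
}

// Constructed demo: two plain arrays stand in for two visitors' $_SESSION.
$alice = [];
$other = [];
$t0    = 1222214400; // constructed timestamp: 24 Sep 2008 00:00:00 UTC
$token = issue_form_token($alice, 'edit-post-42', $t0);

$cases = [
    'same visitor, same form'    => check_form_token($alice, 'edit-post-42', $token, 3600, $t0 + 60),
    'same visitor, another form' => check_form_token($alice, 'delete-post-42', $token, 3600, $t0 + 60),
    'another visitor, same form' => check_form_token($other, 'edit-post-42', $token, 3600, $t0 + 60),
    'two hours after issue'      => check_form_token($alice, 'edit-post-42', $token, 3600, $t0 + 7200),
    'array instead of a string'  => check_form_token($alice, 'edit-post-42', ['x'], 3600, $t0 + 60),
];
foreach ($cases as $label => $ok) {
    printf("%-28s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```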

15/09 - Themes & Resources

Monday, September 15th, 2008

It’s been a few days since my last post so I’ve done some searching for you and found some websites with a huge selection of free themes, images and photoshop brushes for you all!

Qbrushes has a huge number of really useful and totally awesome photoshop brushes, click the screenshot below to jump over there and have a look for yourself! QBrushes also has a sister site, QVectors, which is packed full of vector images for you to use in your site!

For the less adventurous I’ve also got some theme and template sites for you. These have a mix of CSS/XHTML website templates and Wordpress/Joomla themes:

Soljcija.com - free CSS/XHTML templates

Opensourcetemplates.org - More CSS/XHTML templates

Themesbase.com - Joomla, Wordpress and nearly any other open-source web-app you can think of, the themes are here!

If anyone has found anywhere else that has useful template or design resources leave us a link in the comments and I will be sure to include them in later posts :)

How to keep your website secure

Saturday, September 6th, 2008

Important security guide is enclosed, please read it. Only together can we keep your websites and our servers secure from hackers - please do your part today, in fact, now, it’s really important! :)

Old scripts
Remember that install of Joomla or Wordpress you tried out a couple of months ago and never used? Please remove it, old installations are an open invitation to hackers. For any script you install on our servers you must at all times make sure it is of the latest version. Check out www.milw0rm.com and type in the name of your favourite open-source script, then you’ll see what I mean. It takes 5 seconds to hack an old version of Joomla, upload a shell script and have total control over your account.

Passwords.
Never use easy-to-guess passwords or the same password more than once. If someone finds a password of yours they will try it everywhere else until they succeed. If someone finds your webmail password you’re pretty much guaranteed they’ll try it elsewhere - maybe in cPanel, maybe on your online banking!

Cloak Your Folders.

You should keep a blank index.html in all of the folders inside your public_html, this will make sure the contents can’t be easily viewed on the internet. cPanel has this function, check out ‘Index Manager’. It’s always a good idea to keep your files and folders secret.

Password protect your admin folder.
You should password protect the admin folder of any scripts you are using, this provides an extra layer of security and is highly recommended. You can do this in cPanel by clicking the Directory Protection link.

So you got hacked?
If you find that something has happened, maybe spam was sent from your account, or you found you were hosting a phishing site, the first thing you need to do is change your passwords. All of them. cPanel, email, site admin passwords, everything.

Next up, go through your web space and remove all old script installations, remember if you installed plugins in your scripts (modules for Joomla/Wordpress etc) they can be hacked too! Make sure they’re up-to-date too.

You can check the Error Log in cPanel for suspicious requests. Usually a hacker will leave files around, so look for suspicious files within your public_html folder. Once found, take the date and time that the file was uploaded, the file name and the folder it was in, and tell us so we can check through. Then delete the files.
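
One way to do the file check described above, as an added example that is not the host's own tooling: it walks a folder and lists every file modified since a cutoff, newest first, with the date, name and folder to report. The function name and the demo tree are assumptions; the tree is constructed in a temporary directory so the script runs anywhere.

```php
<?php
// Added example. Function name and demo paths are hypothetical.

// Return every file under $root modified at or after $since, newest first.
function recent_files(string $root, int $since): array
{
    $found  = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable folders
    );
    foreach ($walker as $file) {
        if (!$file->isFile() || $file->getMTime() < $since) {
            continue;
        }
        $found[] = [
            'mtime'    => $file->getMTime(),
            'modified' => gmdate('Y-m-d H:i:s', $file->getMTime()) . ' UTC',
            // Inode change time on Linux; unlike mtime it cannot be set with touch().
            'changed'  => gmdate('Y-m-d H:i:s', $file->getCTime()) . ' UTC',
            'folder'   => $file->getPath(),
            'name'     => $file->getFilename(),
            'bytes'    => $file->getSize(),
        ];
    }
    usort($found, function (array $a, array $b): int {
        return $b['mtime'] <=> $a['mtime'];
    });
    return $found;
}

// Constructed demo tree standing in for public_html.
$root = sys_get_temp_dir() . '/public_html_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/images', 0700, true);
$now   = time();
$files = [
    '/index.html'      => $now - 90 * 86400, // untouched for 90 days
    '/images/logo.gif' => $now - 90 * 86400,
    '/images/img.php'  => $now - 2 * 3600,   // appeared two hours ago
];
foreach ($files as $path => $mtime) {
    file_put_contents($root . $path, 'constructed placeholder');
    touch($root . $path, $mtime);
}

// Report everything modified in the last 7 days.
foreach (recent_files($root, $now - 7 * 86400) as $f) {
    printf("%s  %s/%s  (%d bytes, inode changed %s)\n",
        $f['modified'], $f['folder'], $f['name'], $f['bytes'], $f['changed']);
}

// Remove the demo tree again.
foreach (array_keys($files) as $path) {
    unlink($root . $path);
}
rmdir($root . '/images');
rmdir($root);
```

On a real account, call recent_files() with the path to your public_html and a cutoff such as strtotime('-7 days'), and copy the listed details into your ticket before deleting anything.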

Being hacked can happen to anyone at all, your security will always depend on its weakest point. To give you a figure, an average server will be vulnerability scanned 100-1000 times a day by hackers - eventually, if you don’t keep things up-to-date and secure, your site will be hacked and be used for criminal activity in one way or another - however now is the perfect time to stop this from happening.

If you have any questions or need help, please feel free to ask :)

Awesome Wordpress Themes!

Thursday, September 4th, 2008

Today we’ve got some great wordpress themes from around the web for you to use on your blog!

Green Light
The ‘Green Light’ theme is a clean and tidy layout making use of lighting effects and lots of floral vector images; together it creates a whole look that is very up to date and, dare I say it, rather pretty! Perhaps one for the personal blog rather than a business site, it could give a great finish to your website that really works well with nearly anything. Unless of course you aren’t a fan of green, then you might want to scroll down and look at our next theme of the week!

To see a live demo click here

To download this theme click here

Puzzled

I thought we needed a theme that is more useful to those business websites out there, and I came across the ‘Puzzled’ theme. Everyone here at the office liked this theme but none of us really knew why, so we’ll leave it up to you to decide what you think of this theme. It’s a very simple, clean design that could easily be adapted to fit into nearly any website design, and as always with themes from freewpthemes.net there is a web template version on freecsstemplates.org if you want one!

To Preview Click here

To Download Click here

We will have some more themes for you next week!

cPanel Automated Backup Script!

Wednesday, September 3rd, 2008

Recently a few people asked us if there was a way they can automatically backup their site to another location. I’ve done some searching and found a script which will back up your website and FTP it to a location you choose.

From here down is the PHP code for the script:

<?php
// PHP script to allow periodic cPanel backups automatically, optionally to a remote FTP server.
// This script contains passwords. KEEP ACCESS TO THIS FILE SECURE! (place it in your home dir, not /www/)

// ********* THE FOLLOWING ITEMS NEED TO BE CONFIGURED *********

// Info required for cPanel access
$cpuser = "username"; // Username used to login to CPanel
$cppass = "password"; // Password used to login to CPanel
$domain = "example.com"; // Domain name where CPanel is run
$skin = "x3"; // Set to cPanel skin you use (script won't work if it doesn't match). Most people run the default x theme

// Info required for FTP host
$ftpuser = "ftpusername"; // Username for FTP account
$ftppass = "ftppassword"; // Password for FTP account
$ftphost = "ftp.example.com"; // Full hostname or IP address for FTP host
$ftpmode = "ftp"; // FTP mode ("ftp" for active, "passiveftp" for passive)

// Notification information
$notifyemail = "you@example.com"; // Email address to send results

// Secure or non-secure mode
// With 0, the cPanel and FTP passwords above are sent to cPanel over plain HTTP.
$secure = 0; // Set to 1 for SSL (requires SSL support), otherwise will use standard HTTP

// Set to 1 to have web page result appear in your cron log
$debug = 0;

// *********** NO CONFIGURATION ITEMS BELOW THIS LINE *********

if ($secure) {
    $url = "ssl://".$domain;
    $port = 2083;
} else {
    $url = $domain;
    $port = 2082;
}

$socket = fsockopen($url, $port);
if (!$socket) { echo "Failed to open socket connection... Bailing out!\n"; exit; }

// Encode authentication string
$authstr = $cpuser.":".$cppass;
$pass = base64_encode($authstr);

// URL-encode every value so spaces and characters such as & in a password do not break the request
$params = http_build_query(array(
    "dest"   => $ftpmode,
    "email"  => $notifyemail,
    "server" => $ftphost,
    "user"   => $ftpuser,
    "pass"   => $ftppass,
    "submit" => "Generate Backup",
));

// Make POST to cPanel
fputs($socket, "POST /frontend/".$skin."/backup/dofullbackup.html?".$params." HTTP/1.0\r\n");
fputs($socket, "Host: $domain\r\n");
fputs($socket, "Authorization: Basic $pass\r\n");
fputs($socket, "Connection: Close\r\n");
fputs($socket, "\r\n");

// Grab response even if we don't do anything with it.
while (!feof($socket)) {
    $response = fgets($socket, 4096);
    if ($debug) echo $response;
}

fclose($socket);

?>

End of PHP Code!

To schedule the script to run regularly, save it as fullbackup.php in your top directory (not /public_html, which would be less secure), and enter a new cron job like the following:
15 2 * * * /usr/local/bin/php /home/youraccount/fullbackup.php
(Runs every night at 2:15 a.m.)

or
15 2 * * 1 /usr/local/bin/php /home/youraccount/fullbackup.php
(Runs every Sunday night at 2:15 a.m.)

Prepare your website

Monday, June 2nd, 2008

Most web hosts don’t touch on this subject as downtime is our least favourite term in this industry and it puts off clients when they’re viewing the company site.

You may have heard about the explosion at a data centre in Houston, lots of my favourite sites were knocked off line due to this such as b3ta.com and… erm… ok… I live on b3ta when I’m not replying tickets … Anyway, around 9,000 servers and who knows how many websites were taken offline due to this, many of which are facing 50/60+ hours downtime at the time of writing this.

I have been keeping up to date on the happenings, reading a lot of posts on the forums of some of the companies affected. I notice many, many people complaining about the outage and how it has affected their business.

Many of these people (not all admittedly) didn’t have to suffer downtime, they just hadn’t made any form of disaster recovery plan and when their sites wouldn’t load they took absolutely no responsibility for their own negligence or lack of knowledge. If you are making money from your site then it is in your best interest to learn how everything works and to make plans for the worst. You do this for every business, right? I worked for Mattel for some time as I was starting Evo, they had their own back up office in case their UKHQ burnt down, all their data is sent offsite weekly, now why aren’t you doing similar for your web server? It’s common sense.

I noticed today how even staff at one company mention to their customers on the forums that they should have had a backup plan if their site is valuable. I wholeheartedly agree with this stance from a business owner point of view; unfortunately for those customers it is too late this time and they’ll just have to learn from their mistake. The worst didn’t happen for them, their sites are merely offline (I say merely, I know this is life or death for some people), but all data is intact.

Now imagine if that building had burnt to the ground, all data was lost and all they had to show was some crispy fried servers.

If that had happened I would imagine some of those hosting customers could go out of business from this purely due to poor/no disaster planning, and of course I wouldn’t be able to check out the awesome drunk cheeseburger eating Hoff animated GIFs and LOLCATS style pictures at b3ta any more, that would indeed make me feel quite sad.

Accidents happen no matter how good a data centre is, no matter how good the equipment is, no matter how good the staff are, no matter how much things are checked and no matter how well we as hosts practice our disaster recovery procedures. It is inevitable that at some point something will go wrong, especially when your building uses as much power as a small town to stay running and needs generators the size of a plane to operate when the power goes out.

The explosion at H1 is by no means the first data centre problem in the world, every single web host has some problem which occurs at one point or another, whether it be those pesky hackers, server configuration issue or lack of power / network / air-con.

We’ve had a couple of instances of 7 - 12 hour FSCKs, rare as they are, you can read about them on our blog, they can and do happen to every hosting company at some point, no matter what the marketing spiel says.

If your business relies on your web site / email to stay alive and you haven’t got a disaster recovery plan yet you should take some time out today to sort this out. I can’t emphasize how important this is.

Here are some hints on starting out with your disaster notification & recovery plan, these are by no means exhaustive but should give you some form of insight into some of the things you should be thinking about.

Monitor your website - As a web designer, isn’t it rather embarrassing when your main customer phones up and asks you why their web site is down when you didn’t realise yourself? We use Wormly here and we love it, it monitors all the services on each server, it lets us know the same minute via ICQ & SMS when something is dying so we can go fix before any of our customers have even noticed. If you had Wormly then you’d know if your customer’s web site was pinging away happily or not, you’d also know that we’d be fixing it already too because we have a minute monitor.

Monitor your home page - Similar to what Wormly does, but home page monitoring will make a call to your website every few minutes to make sure it is loading the data you want your customers to see rather than a “THIS HAS BEEN HACKED BY …” text or “Internet Explorer cannot display this page”. You should be using home page monitoring if you care about your website, it’s your website we’re hosting and you should know the second something happens. It’s our responsibility to make sure the servers are stable and working fine but it’s your responsibility to make sure your web site is working. We don’t do home page monitoring because we don’t know when you update your website, if we did home page monitoring then the second you changed your homepage with a new design or different text we’d be alerted and have to call you, and for a £5/month average hosting plan that isn’t feasible.

Put your data in at least 2 completely different geographical locations - Sounds like a waste of £5 a month for a second shared hosting account somewhere, doesn’t it? But then on the flip side, if an outage occurs you have to work out what uptime vs £££ means to you. If you have a replica of your site elsewhere, coupled with the next item I’m going to mention, then there is no more downtime problem.

Set the name servers on your domain to use an external DNS provider so you can either flick the switch to your backup provider manually or have automated DNS failover - DNS is the thing that resolves your domain name to a server’s IP address, when you type www.whatever.com into your browser your computer then goes and asks a DNS server where to go. If your name servers are pointed at your multi-homed DNS provider then you can just press a button to instantly point your domain at another server. You can do this manually or with automated failover.

Take nightly or weekly offsite backups of your data - Whatever your host says about backups doesn’t matter, whoever you host with, YOU should take backups too, it is as simple as that. The onus is on you to make sure your or your customers’ data is safe. You are our customer and we take nightly backups of our shared servers, we take nightly, weekly, monthly backups on our business class servers, we run RAID so we’re protected against single drive failure, something we didn’t have in 2004 when we started. However this doesn’t protect us against total RAID array failure (unlikely, but then again a data centre explosion is unlikely and that happened… so…). Soon we’ll have entire servers backing up between data centres in case of RAID array failure or even data centre fire, which means we can roll out entirely new servers, pre-built with all customer sites, in 4 - 12 hours; not many shared hosts bother with this. Even with all this in place, you need to take your own backups too.

Practice restoring backups on your backup server before you actually need to - So the nightmare has happened, your site is down, you don’t already have a ready/rolled out version of your site on your backup, but at least you downloaded your backup and you have a nice tar.gz file of your site sitting on your Windows desktop, right? Great, but you’ve only done half the job. Exactly how are you going to know it works unless you’ve tested it beforehand? There are always little issues, there are always configuration issues between servers too, most of ours have phpSuExec, your backup might not, so you’ll have to change permissions in all your folders in rather a hurry, or your database was corrupt when exported from the downed server so your backup is useless. For those reasons you need to practice what you are doing before it is needed.

Keep your customers up to date - We will always do our best to keep our customers up to date in the event of an emergency, and with that information you should be able to do the same as well. ETAs, best case/worst case scenarios, everything you can do, but never over-promise. Make a plan for what you are going to say to your customers: are you going to take the first move in notifying them, or are you going to wait for them to phone you?

I hope this gives you some ideas of the kinds of things you should be looking into right now, I’ll let you and Google fill in the blanks, but next time an outage occurs somewhere, anywhere, hopefully not here, be prepared. The last thing we need to hear is that you’re losing money through something that could have been avoided by being a little bit proactive as we’re sitting here frantically fixing the shiny expensive Dell PowerEdge server you’re hosted on and keeping you in the loop.

Domain Tasting

Wednesday, October 31st, 2007

Have you ever been looking for a new domain, found it is available, then the next day you’ve gone to purchase it and found it has been registered? I’ve noticed this happen a few times recently and think you should be aware of this practice as it isn’t talked about that much. This is called ‘domain tasting’.

It seems a number of whois services are infiltrated or run by companies who will go ahead and register certain domain names if they are checked on whois and turn out to be available, then try to extort a lot of money from you.

A loophole with COM, NET and ORG domains (maybe others, haven’t checked) means that a company can actually register a domain, then drop it within a 5 day grace period and get their money back. To get around this I suggest you use only companies that you trust to check for domains.

I personally use these sites and have had no problems:
Evohosting Domain Registration | Psychic Whois | Who.is | Nameboy

Wikipedia states “In April 2006, out of 35 million registrations, only a little more than 2 million were permanent or actually purchased. By February 2007, the CEO of GoDaddy reported that of 55.1 million domain names registered, 51.5 million were canceled and refunded just before the 5 day grace period expired and only 3.6 million domain names were actually kept.”

Remember, this does happen quite frequently - be careful when you are searching for your perfect domain name and don’t give these people a penny.