October 7, 2016

Itomic Offers Free SSL Certificates for Life to all Website Hosting Clients

By Ross Gerring

Itomic is very pleased to announce that we are now supplying free SSL certificates to the owners of all new websites that we develop and host. For all existing clients, we’ll be offering the same over the coming months.

We strongly recommend that all websites have an SSL certificate, as explained in our still-valid 2014 article “Does your website need an SSL Certificate?”.

How are free SSL certificates possible?

Two stars have aligned:

  1. ‘Let’s Encrypt’: genuine, industry-standard SSL certificates for $0.
  2. Automation: the certificates self-validate and self-install, so we anticipate minimal involvement from Itomic. Let’s Encrypt certificates are issued for 90 days, and automation ensures that they are reissued every 90 days.

Let’s Encrypt SSL certificates are provided by the Internet Security Research Group (ISRG). This group is sponsored by many big players including Cisco, Facebook, Google Chrome, Mozilla and Shopify. It recognised that a) online security is very important, and b) putting a price tag on security will naturally put SSL certificates out of reach for some. You can read more about the how and why here:

ISRG has worked hard to ensure that the process of validating and installing the certificates is 100% automated. (author’s note: I’ve been hands-on with SSL validation and installation since about 1998, and it’s always been prone to error, human and machine. It’s been one of my least favourite tasks over the years!). Luckily for us and our clients, the hosting platform that powers all our hosting servers, cPanel & WHM, has integrated their software with the Let’s Encrypt service. They call it AutoSSL. So we are now able to enable this service for our clients.

Are there any catches?

For existing Itomic clients wishing to have this service enabled, you’ll need to have an active service & support contract with a minimum balance of 3 hours of labour. In the unlikely event of any technical issues associated with the SSL installation and configuration, this allows us to attend to these issues without delay. If you don’t have an active service & support contract with Itomic, just ask!

What if my site already has a current, paid, SSL certificate?

A Let’s Encrypt SSL cert will automatically replace your existing certificate shortly after it reaches 3 days to expiry. Your existing paid SSL will be absolutely fine and unaffected until then. If you wish to continue paying for your SSL certificate – and some organisations will (more on that below) – then we will continue to offer this service as before.

Are these free SSL certificates as secure as the paid ones?

They provide identical levels of encryption to the paid ones, and therefore will be suitable for the vast majority of our clients.

It’s important to note the difference between encryption and authentication. A Let’s Encrypt SSL certificate provides a website with genuine, industry standard encryption, but it does not authenticate that the organisation using the encryption is who they say they are.

Let’s Encrypt supplies a type of SSL certificate known as Domain Validated (DV) certificate. This validates that the domain name is registered, and someone with admin rights (in this case Itomic) is aware of and approves the certificate request. No official proof (authentication) of your entity’s official registration is required, e.g. that your organisation has an ABN number, as all recognised entities have here in Australia.

If you evaluate that your website needs to display a higher level of authentication (e.g. because you’re a large high-profile organisation, government department, etc.), then you need an OV (organisation validated) or an EV (extended validation) certificate. These types you have to pay for, not least because of the additional manual overhead in acquiring and installing them. Note that, just because a website is using an OV or EV certificate, it doesn’t guarantee that the organisation behind it is reputable, or handles your data securely or responsibly after receipt, or that the website hasn’t been hacked.

For more information on the different types of SSL certificate:

Does an SSL certificate (Let’s Encrypt or otherwise) make a website ‘secure’?

Only in the sense that it guarantees that data being transferred between your device (e.g. desktop PC, tablet, etc.) and the hosting server is fully encrypted. This means that it’s extraordinarily unlikely to be unencrypted and read by a 3rd party. An SSL cert is only a single component of a comprehensive data security strategy. Other components include, for example, ensuring that your website and web server is regularly updated with the latest recommended security patches.

My site is basic, with no e-commerce. Do I even need an SSL certificate, free or otherwise?

  • Many basic sites have a backend admin area for the purpose of managing the content on your site. It’s better to login to this section of your site using a secure (encrypted) connection, than a non-encrypted one.
  • Google prefers sites with SSL protection. All other things being equal, your website will rank more highly in a Google search if it has an SSL certificate, compared with one that doesn’t, i.e. it’s better for SEO (search engine optimisation).

Will Let’s Encrypt issue wildcard certificates?

Currently no, but it is a possibility in the future. Thanks to Let’s Encrypt, wildcard certificates are no longer necessary for the vast majority of websites, because it’s easy to get and manage free certificates for all subdomains. Prior to Let’s Encrypt, Itomic always recommended wildcard SSL certificates over single SSL certificates so that the same certificate could protect all subdomains without having to purchase an additional single SSL certificate per subdomain.

Are other SSL Providers getting on the free SSL bandwagon?

Yes, they’ve got no choice, e.g. We’ve chosen Let’s Encrypt because they are clearly the first movers and leaders in this field. We want to acknowledge and reward them for their efforts.

Remember that an enormous amount of money has been made over the years by companies who issue SSL certificates. There are some major vested interests who’d prefer to hold back the tide as long as possible.

Why aren’t all hosting companies offering these free SSL certificates?

We assume that, eventually, all hosting companies will. In the meantime, it’s just a question of hosting companies satisfying themselves, like we have, that this service is a) good and b) here to stay. Then they have to ensure that they have the administrative and technical systems and procedures in place to support them.

OK, so my website has now got an SSL certificate. Why is it still showing http and not https (with the padlock symbol) in my browser?

If a website has an SSL certificate installed, it’s only actively being used when either:

  1. You directly visit the https version of the site, and not the http version, OR
  2. You directly visit the http version, and the site or hosting account has been programmed to automatically redirect the visitor to the https version.

When Itomic initially installs the SSL certificate on your site, #1 will apply. Over time (no desperate hurry!), we will work with our clients to ensure that #2 applies as standard.

I’m still unsure about whether or not I should pay for SSL certificates (OV or EV) in the future, as I’ve done in the past.

  • As previously mentioned, government departments and larger, high-profile businesses may decide that they wish to demonstrate a higher level of authentication than a DV certificate provides. That’s totally fine by Itomic; we’re happy to oblige.
  • Do your own Google searches to better educate yourself about the pros and cons, and see how others are debating this question.

Still unsure? Ask Itomic!

Further reading:

  • FAQs about Let’s Encrypt.
  • Wikipedia on SSL certificates and related.

For your interest, below is how a Let’s Encrypt SSL certificate presents to a web browser, using Itomic’s own site as an example:

Let's Encrypt SSL certificate for Drupalise

June 20, 2016

Mobile-friendly. What does it mean?

By Ross Gerring

Mobile-friendly means that a site retains good design principles and functionality (i.e. usability), irrespective of the device being used to view and interact with it. “Device” typically means desktop PC, tablet, or smartphone.

Itomic’s site for the City of Fremantle is mobile-friendly

In industry lingo, a mobile-friendly site is known as a responsive site.

Not that many years ago, before smartphones and tablets were widespread, responsive sites were a nice-to-have. Today, mobile-friendly sites are standard, unless there’s a special reason why the target audience(s) will only ever interact with a site on, say, a desktop PC. (Side-note: more effort is required to build mobile-friendly sites than desktop-only sites, but that’s another article.)

Why go mobile-friendly?

  1. Because the world is (still) going mobile. Despite recent evidence that smartphone ownership has reached peak levels in key markets worldwide, people are still trending towards using and preferring their mobile devices, over their less-mobile desktops, to consume digital content.
  2. Because Google searches are increasingly preferring sites that are responsive over sites that are not. And in the never-ending battle to get your site found ahead of your competition, every little bit helps.

How does Google decide if a web page is responsive or not?

From Google’s own blog post on the subject, a mobile-friendly site exhibits the following characteristics:

  • Avoids software that is not common on mobile devices, like Flash.
  • Uses text that is readable without zooming.
  • Sizes content to the screen so users don’t have to scroll horizontally or zoom.
  • Places links far enough apart so that the correct one can be easily tapped.

If working out the above for yourself sounds too hard – never fear! Google offers up more information about, and tests for, responsive sites in the same blog post:

How to make your site mobile-friendly?

If it’s determined that your site is not responsive, or “could do better”, then what next? In the first instance, have a conversation about it with your preferred web developer/consultant. Depending on how old your site is, and/or what technologies it’s built with, it may be more economical to rebuild your site from scratch than to improve or retro-fit it to be responsive. By all means get a second or third opinion if you’re not convinced by the first one or two.

June 8, 2016

Laravel – what is it, and why Itomic has embraced it

By Ross Gerring

Itomic has embraced Laravel because CMSs like Drupal and WordPress can’t do everything.

Itomic was founded in 2000 when quality, affordable CMS were literally non-existent. So in common with other web agencies, we built our own. It was (and still is!) very popular. It’s called Nucleus, and although it’s built using open source technology (Zend Framework) it’s essentially a home-grown solution. Which means that although non-Itomic developers can work on it without restriction, they would definitely prefer not to, because the initial learning curve would be quite steep, and there’s no broader community of developers to assist or support them.

We could see the writing on the wall for Nucleus when Drupal and WordPress really started to mature into high quality – and free – CMS. A very hard combination to compete against! If you can’t beat ’em, join ’em…. so Itomic rapidly became Drupal and WordPress experts.

Drupal and WordPress are excellent at helping non-technical people to manage content (text, graphics, etc.) on their sites. They are, after all, content management systems! Furthermore, their functionality can be extended in a myriad of different and sometimes amazing ways through configurable add-on software (also known as plug-ins or modules) and/or custom-coding. But the fact remains that, first and foremost, they are content management systems.

We’ve always prided ourselves on being the company that is more technically capable than your average web agency. When your average agency says “too hard”, we say “bring it on”. Great attitude, but sometimes this means that we’ve had to battle and bend a CMS a bit too far outside of what it was primarily designed to do. Sure, such customisations are fully integrated into an existing CMS website, which is definitely “a good thing”. But the downside is that the time and cost to achieve and maintain such outcomes is sometimes too great.

We knew there had to be a better way.

Enter Laravel.

What is Laravel?

Let’s start with the Laravel Philosophy in full:

“Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable, creative experience to be truly fulfilling. Laravel attempts to take the pain out of development by easing common tasks used in the majority of web projects, such as authentication, routing, sessions, and caching.

Laravel aims to make the development process a pleasing one for the developer without sacrificing application functionality. Happy developers make the best code. To this end, we’ve attempted to combine the very best of what we have seen in other web frameworks, including frameworks implemented in other languages, such as Ruby on Rails, ASP.NET MVC, and Sinatra.

Laravel is accessible, yet powerful, providing powerful tools needed for large, robust applications. A superb inversion of control container, expressive migration system, and tightly integrated unit testing support give you the tools you need to build any application with which you are tasked.”

A web application framework is a faster, more flexible way of building highly custom (“bespoke”) web-based software projects. It’s a “looser” construct than a CMS, but not as loose as the programming or scripting language in which it is written, which in Laravel’s case is PHP.

Laravel isn’t a CMS, and a CMS isn’t a framework, but:

  1. Drupal sits somewhere in between a CMS and framework by sometimes calling itself a CMF: a content management framework. This is in recognition of the higher-than-average opportunity to more heavily customise it relative to other CMS.
  2. A CMS can be – and often is – built using a framework such as Laravel. For example, two CMS built with Laravel are October and AsgardCms. And the latest version of Drupal – version 8 – has Symfony at its core. Which framework an application is built with is transparent to the end users.
  3. A framework can be built from a framework! Indeed Laravel itself has some Symfony components at its core.

When to use a CMS, and when to use a framework?

When the core of what you want to achieve online is all about the efficient, easy management of online content (text, graphics, etc.), perhaps by multiple authors, then you should start your project – but not necessarily finish it – with a CMS like Drupal or WordPress. Conversely, where content management is not the core deliverable, you should consider going down the framework path. But note that this is not a strictly “choose one or the other” scenario. Choosing some blend of both may well be the smartest approach: use a CMS for the content management, and then Laravel or similar for the highly custom components, and integrate the two if relevant. In other words, some projects scream “CMS!”, other projects scream “Framework!”, and there’s a lot of grey area in between. Assuming your web developer or web agency is familiar with both, then naturally you should allow yourself to be guided by them. And always get a second or third opinion if unsure.

Why did Itomic choose Laravel?

In the same way we kept an eye on Drupal and WordPress for some years before we jumped on board, so too we’ve been keeping an eye on Laravel. And its time is now, as you can see from the graph below.

Graph: Google Trends shows the rise in popularity of Laravel (source: Google Trends, Jan 2004 – May 2016).

More specifically:

  1. We really enjoy creating amazing online solutions, and Laravel gives us the opportunity to break free of the constraints that Drupal and WordPress necessarily impose.
  2. Laravel is indeed a pleasure to work with. It’s been built by developers, for developers. As the Laravel Philosophy states, happy developers make the best code, and the best code will result in better business outcomes.
  3. Laravel is extremely well supported & documented, including some of the most professional online tutorials for developers we’ve ever seen over at Laracasts.

Will Itomic continue to build and support Drupal & WordPress?

Of course! For the foreseeable future, CMS-driven websites will be the principal online representations of organisations. We see our adoption of Laravel as highly complementary (not competitive) to the business of building and supporting CMS websites.

What has Itomic achieved with Laravel (so far)?

Some examples:

  1. We’ve nearly finished building our own CRM for Itomic. It will allow us to provide an enhanced, more customised service for our valued clients.
  2. We’ve built a system to help manage the distribution of early learning books and resources to new parents in Western Australia.
  3. We’re building a large, flexible product database for a major Australian car parts manufacturer.
  4. We’re putting the finishing touches to a virtual tour management system for a major new hospital.
  5. We’re about to start rebuilding, in Laravel, an aging website directory service that we originally built in Drupal 6. Today, Laravel is the optimal choice.

In summary

One of the most over-used phrases in IT is “we’re excited”. But we really, really are 🙂 . With Laravel we’ve a new-found freedom to innovate for our clients and ourselves.

Want to talk web applications and Laravel? Call us, 24/7, on 1300 ITOMIC, or +61 8 6210 1364 if outside Australia. Or contact us via our website.

May 23, 2016

Itomic’s Firewall. How we protect the websites we host

By Ross Gerring

… a firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, that is assumed not to be secure or trusted.

source: Wikipedia

A firewall helps to protect a server from unwanted visitors

Itomic has been hosting websites since 2000, a responsibility we take very seriously. After all, your website will likely be the first impression your prospective clients have of your organisation, and we want this to be a great one.

A wise man once said that a truly secure server is one that is unplugged from everything, encased in concrete, and sitting at the bottom of the ocean. But that wouldn’t make for a very good website hosting service, so we have to make compromises 🙂

One of the ways we make compromises is to employ a firewall. It’s a service that attempts to permit the good guys (e.g. yourself, your clients, and other stakeholders) to view and interact with your website, and block everyone else – the bad guys – from doing so.

But how to tell the good guys from the bad guys? Sometimes it’s obvious, sometimes less so. When it’s less so, should we give the visitor the benefit of the doubt and let them in regardless? Or should we block them just in case, and risk a “false positive” block? It’s the firewall and associated services that are responsible for making these decisions in the blink of an eye, and taking appropriate action(s). Firewalls don’t get it right every time, but through manual and automatic intervention they tend to get better over time.

Getting a lot more technical (you have been warned!)…

We use ModSecurity and CSF in tandem.

The purpose of ModSecurity is to prevent common malicious web-based attacks and close security holes in applications. ModSecurity focuses on HTTP(S) traffic. It prevents attacks in real time but does not block IP addresses, permanently or temporarily; it assumes other software will be used to parse the log entries for this purpose. ModSecurity works at the application level.

CSF is an iptables frontend used to automate and simplify firewall tasks. LFD (part of the CSF suite) watches logs to count how many times an attack occurs from an IP address, and over what timeframe. CSF/LFD work at the server/account level.

This ties in with ModSecurity, since attacks are logged each time they are triggered. Here’s an actual example from our log files of a specific IP address being repeatedly flagged as malicious because the activity coming from that IP matched a certain ‘bad guy’ rule (id 210831):

root@ariel [/home] # grep /usr/local/apache/logs/error_log|grep mod_sec
2016-05-11 00:11:02.644 [NOTICE] [] mod_security rule [Id ‘210831’] triggered!
2016-05-12 20:46:56.986 [NOTICE] [] mod_security rule [Id ‘210831’] triggered!
2016-05-13 02:26:24.048 [NOTICE] [] mod_security rule [Id ‘210831’] triggered!
2016-05-13 13:20:25.426 [NOTICE] [] mod_security rule [Id ‘210831’] triggered!
2016-05-20 09:20:54.438 [NOTICE] [] mod_security rule [Id ‘210831’] triggered!

LFD obtains the IP address from the log and creates a counter and a timer. The counter increases by 1 each time a rule is triggered up to 10. If an IP address triggers a certain number of rules (e.g. 10) within a certain time frame (e.g. 1 hour) the IP is blocked using CSF. If an hour passes and the IP did not trigger 10 rules the counter is reset to 0 for that IP.
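The counter-and-timer behaviour just described, as an added Python model run over constructed log lines in the same shape as the excerpt above. This is illustrative code, not CSF/LFD’s own; the IP addresses, the position of the address field in the log line, and the assumption that a blocked IP’s counter is discarded are mine.

```python
# Added model of the LFD counter/timer described above: illustrative code,
# not CSF/LFD's own. It reads error_log lines shaped like the excerpt.
import re
from datetime import datetime, timedelta

# Shape of the quoted lines. Assumption: the bracketed field after [NOTICE]
# carries the client IP (it was redacted in the excerpt).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[NOTICE\] "
    r"\[(?P<ip>[^\]]+)\] mod_security rule \[Id '(?P<rule>\d+)'\] triggered!$"
)
THRESHOLD = 10               # article: block after 10 triggers ...
WINDOW = timedelta(hours=1)  # ... within 1 hour

class TriggerTracker:
    """Per-IP counter plus timer, as the article describes LFD doing it."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.count = {}    # ip -> triggers counted in the current window
        self.started = {}  # ip -> timestamp that started the current window
        self.blocked = []  # (ip, when, rule) block decisions, in order

    def observe(self, ts, ip, rule):
        """Record one trigger; return True if this one causes a block."""
        start = self.started.get(ip)
        if start is None or ts - start > self.window:
            # First sighting, or an hour passed without reaching the
            # threshold: counter back to 0, timer restarts from this hit.
            self.count[ip] = 0
            self.started[ip] = ts
        # "Increases by 1 each time a rule is triggered, up to 10"
        self.count[ip] = min(self.count[ip] + 1, self.threshold)
        if self.count[ip] >= self.threshold:
            self.blocked.append((ip, ts, rule))
            # Assumption: once CSF has blocked the IP, LFD's bookkeeping
            # for it is discarded, so a later unblock starts clean.
            del self.count[ip], self.started[ip]
            return True
        return False

def process_log(lines, tracker=None):
    """Feed error_log lines to a tracker, skipping non-ModSecurity lines."""
    tracker = tracker or TriggerTracker()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a mod_security NOTICE; LFD has no interest in it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        tracker.observe(ts, m["ip"], m["rule"])
    return tracker

def blocked_ips(lines):
    """IPs that would be handed to CSF, in the order the decisions fell."""
    return [ip for ip, _, _ in process_log(lines).blocked]

def make_line(ts, ip, rule="210831"):
    """Build a constructed log line in the excerpt's format."""
    return (f"{ts:%Y-%m-%d %H:%M:%S}.000 [NOTICE] [{ip}] "
            f"mod_security rule [Id '{rule}'] triggered!")

# Constructed sample log; addresses come from the RFC 5737 documentation
# ranges. Sorting puts the lines in timestamp order, as in a real log.
SAMPLE_LOG = sorted(
    # Same five spread-out timestamps as the excerpt: never 10 in an hour.
    [make_line(datetime(2016, 5, *t), "203.0.113.7") for t in
     [(11, 0, 11, 2), (12, 20, 46, 56), (13, 2, 26, 24), (13, 13, 20, 25),
      (20, 9, 20, 54)]]
    # Ten triggers in 27 minutes: blocked on the tenth.
    + [make_line(datetime(2016, 5, 20, 9, 0) + timedelta(minutes=3 * i),
                 "198.51.100.23") for i in range(10)]
    # Nine triggers, then a tenth two hours later: the counter had reset.
    + [make_line(datetime(2016, 5, 21, 14, 0) + timedelta(minutes=2 * i),
                 "198.51.100.42") for i in range(9)]
    + [make_line(datetime(2016, 5, 21, 16, 30), "198.51.100.42"),
       "2016-05-21 16:31:00.000 [NOTICE] [198.51.100.42] unrelated notice"]
)
```

Run against SAMPLE_LOG, only 198.51.100.23 is blocked; the five spread-out hits that mirror the excerpt never accumulate, which is why the address in the article was still being logged rather than dropped.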

Need assistance with your website hosting, shared or dedicated? Call Itomic today on 1300 ITOMIC for all-Australian website hosting.

February 12, 2016

Drupal 6 end of life. Official support drops from 24 Feb 2016. Your choices.

By Ross Gerring

It’s been standard Drupal policy for some time that only the current and the previous major versions are officially supported, at least as far as core security updates are concerned.

Drupal 8 was released in late 2015, and the official end of life date for Drupal 6 sites was set at 24 Feb 2016.

So as an owner of a Drupal 6 site, what to do?

Option 1: Do Nothing

Drupal 6 end of life doesn’t mean your site is going to collapse in a heap on 25 Feb 2016. As at 31 Jan 2016 you’re still in very good company, with over 100,000 sites worldwide still using Drupal 6, see:

Although support might no longer be “official”, there will still be a great deal of unofficial support going on for Drupal 6 sites for some time to come. That said, especially where security updates are concerned, such support will likely take longer to deliver, and therefore be more expensive in terms of labour. This is because Drupal 6 developers are no longer going to be given free security updates through official channels, and therefore will have to work on patches for themselves, which may or may not get shared with the wider Drupal community.

Is your Drupal 6 website hosted by a reputable, good quality hosting provider? In the event that your Drupal 6 site gets hacked, a common sign is that it starts sending out spam. A good quality hosting provider will have the appropriate security controls and monitoring in place to ensure that malicious activity is detected and minimised quickly. Also, a good quality hosting provider will have multiple backups of your site in the event that your site needs to be restored.

How security sensitive is your website? Does it contain financial, personal, or otherwise confidential (e.g. client) information? If it does, then you should be more concerned about the reducing security profile of your Drupal 6 site.

How concerned are you that your Drupal 6 website should be upgradeable to play nicely with the latest industry standards and technologies, such as HTML5, mobile-friendly (“responsive”) design, web services, etc.? The chances are that Drupal 6 will be either difficult (= expensive) or effectively impossible to upgrade. That’s nothing to do with the ending of official support. It’s all to do with the fact that many of today’s standards and technologies weren’t even dreamt of when the core of Drupal 6 was being architected. And compatible modules to extend the features and functionality of Drupal 6 will only take you so far.

Option 2: Rebuild your site in Drupal 8 (or Drupal 7, or another CMS)

If you have the budget, there’s absolutely no doubt that a rebuild of your site is highly recommended. You can go for an “as is” rebuild, i.e. the same as your current Drupal 6 site, which will keep costs down. Or you can take the opportunity to review every aspect of your current site (design, mobile-friendliness, functionality, content, etc.) with a view to making your next site a significant improvement over your current site.

Notice we deliberately used the word “rebuild” instead of “upgrade” or “migration”. The brutal reality is that Drupal, in common with many other CMS, doesn’t offer a smooth, quick, comprehensive upgrade path between major versions (5, 6, 7, etc.). There are valid reasons for this that are beyond the scope of this article, but the main reason is that the major versions are so significantly re-architected that, unless your site is a really simple brochure site, all the features and functions will not naturally map from version 6 to version 7/8. Yes, there are Drupal modules and documentation that can assist with moving (primarily) content from Drupal 6 to Drupal 7 or 8… but moving content is typically only a small % of the overall effort.

As stable, popular and supported as Drupal 7 is, Drupal 8 truly is a major leap forward in all areas, so you really want to target Drupal 8 first for your new site. The only, and rapidly diminishing, reason why you might still consider rebuilding your Drupal 6 site in Drupal 7 is if Drupal 8 doesn’t (yet) include some critical functionality that your new site must have, and it is too expensive to custom-develop.

Of course Drupal isn’t the answer to all the world’s CMS needs. Although generally not considered to be as enterprise-grade as Drupal, WordPress is the world’s most popular CMS. So if your site doesn’t have sophisticated enterprise-grade requirements, you shouldn’t completely rule out other CMS. Do your own research (Google is your friend!), and/or chat with your favourite website development person or agency about this.

Further reading on Drupal 6 end of life:

  • What Happens if You Keep Using Unsupported Software? (OSTraining)
  • Drupal 6 end of life announcement (