November 3, 2014

Itomic risk assessment re: the serious Drupal vulnerability SA-CORE-2014-005 of Oct 2014

By Ross Gerring

On Oct 15th 2014 a serious security vulnerability in the Drupal CMS was reported by the Drupal Security Team:

with additional articles here:

The issue also made the headlines of some major news agencies, e.g.

Itomic hosts and/or supports some 40+ Drupal sites. Within 24 hours of the issue being announced, all Drupal sites covered by Itomic’s Drupal Security Contract (DSC) were patched. Where Drupal site owners did not have a DSC, their sites were patched some time afterwards.

In common with the experience of others (see the FAQ), Itomic noticed that some sites (4, to be precise) had already been patched, but not by us. This was a clear indication of interference by hackers. First they used the security vulnerability to write a malicious script (a single file) to the hosting account, then they closed the backdoor to other hackers by patching the vulnerability. This technique might have tricked some website owners into thinking that, because their websites were patched, everything was fine. In each of the 4 compromised websites Itomic was able to quickly and easily delete the malicious scripts.

All Drupal sites hosted and/or supported by Itomic, including the 4 above, were individually reviewed for malicious activity. This included the use of the tool Drupalgeddon. No additional malicious activity was discovered.
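The two indicators described above (a site that is already patched although we did not patch it, and a stray script written to the account) can be turned into a simple triage check. The example below is added here and is not Itomic's tooling; it assumes the patched core file is `includes/database/database.inc` and that the SA-CORE-2014-005 fix is the one-line change to iterate over `array_values($data)` in Drupal 7.32, and it builds a constructed fake site tree to run against.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Assumption (not from the page): the Drupal 7.32 fix rewrites the loop in
# expandArguments() to "foreach (array_values($data) as $i => $value)".
PATCH_MARKER = re.compile(r"foreach\s*\(\s*array_values\(\$data\)\s+as\s+\$i\s*=>\s*\$value\s*\)")
DISCLOSURE = datetime(2014, 10, 15, tzinfo=timezone.utc).timestamp()  # date from the post

def is_patched(root):
    """True if database.inc carries the fix (what the drupalgeddon tool also checks)."""
    path = os.path.join(root, "includes", "database", "database.inc")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return PATCH_MARKER.search(fh.read()) is not None

def php_files_written_since(root, since=DISCLOSURE):
    """Relative paths of .php files modified after disclosure: candidate dropped scripts."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".php") and os.path.getmtime(full) > since:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def triage(root, patched_by_us):
    """A site patched by someone other than us, or holding new PHP files, needs review."""
    patched = is_patched(root)
    new_files = php_files_written_since(root)
    suspicious = (patched and not patched_by_us) or bool(new_files)
    return {"patched": patched, "new_php_files": new_files, "suspicious": suspicious}

def build_sample_site(patched=True, dropper=True):
    """Constructed fixture: a minimal fake Drupal tree in a temp dir, not a real site."""
    root = tempfile.mkdtemp(prefix="drupal-")
    inc = os.path.join(root, "includes", "database")
    os.makedirs(inc)
    loop = "array_values($data)" if patched else "$data"
    core = os.path.join(inc, "database.inc")
    with open(core, "w") as fh:
        fh.write("<?php\nforeach (%s as $i => $value) {}\n" % loop)
    old = datetime(2014, 9, 1, tzinfo=timezone.utc).timestamp()
    os.utime(core, (old, old))  # core file predates disclosure
    if dropper:  # stand-in for the single malicious file the post describes
        with open(os.path.join(root, "x.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder, does nothing */\n")
    return root
```

Run `triage(root, patched_by_us=...)` against each site root and review anything flagged suspicious by hand; the mtime check is only a first pass, since a modified timestamp can be reset.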

We acknowledge that, just because no additional malicious activity was discovered, this does not guarantee that some of the sites were not compromised in ways we have not yet been able to detect. That said, because of our prompt action and follow-up site reviews, we deem this to be very unlikely.

If indeed there are some sites on our systems that remain compromised, we’re as confident as we can be that our hosting systems and procedures are extremely well equipped to a) detect and report any significant malicious activities emanating from the compromised sites, and b) prevent those malicious activities from negatively impacting other hosting accounts on the same hosting server.

Here’s a quick overview of why Itomic hosting is superior website hosting. With the odd exception (for legacy and/or decommissioning reasons) all our servers use:

  1. CloudLinux, arguably the most secure operating system for shared and dedicated website hosting.
  2. suPHP and CageFS. These make it theoretically impossible for an infected hosting account to interfere with other hosting accounts or the broader server environment.
  3. OSSEC. Intrusion detection system.
  4. Maldet. Realtime malware detection.
  5. OpenNMS. Performance and health monitoring.
  6. KernelCare. Rapid automatic patching of core server software.

In addition:

  1. In collaboration with our advanced tech support partners in the USA (a very successful 10+ year relationship), we have a 24/7 human response team in place to deal with critical issues.
  2. With the odd temporary exception, our hosting policy is to only run a single CMS-type per server. So for example we have Drupal-only servers and WordPress-only servers. This has two primary benefits: 1) we can optimise the hosting environment for that particular CMS, 2) security issues with one CMS-type do not impact other CMS types.

Above we’ve described what Itomic does to protect the website assets of our valued clients. And yet the fact remains that if a person (or ‘bot’) is in possession of a valid username and password, all the above provides little or no protection. That is why always using very ‘nasty’ (hard to guess) passwords is imperative for everyone who logs in to electronic systems – especially those with elevated privileges such as administrators or super-users. We acknowledge that really nasty passwords are, by definition, hard to remember. We therefore strongly recommend the use of password management systems such as LastPass or other reputable alternatives. If you’re not comfortable with electronic systems storing all your passwords, here’s an article about how to create and remember good ones.

Are you knowingly using a relatively easy-to-guess password? We urge you to change it today.

October 17, 2014

Myth Busting Paypal [Protip]

By Izumi Mitsui

Over the years I’ve noticed there’s a common misunderstanding of Paypal, which has resulted in some push-back against it as a payment method. I’ll address the 3 topics that come up most often in conversations.

Myth 1 – I have to sign up to Paypal to use it.

FALSE. This is the conversation that comes up the most. While it is easier if you do own an account (with pre-filled fields etc.), you can choose to pay as a guest.


Myth 2 – I can’t use my credit card with Paypal.

FALSE. Refer to the graphic above: paying as a guest allows you to pay with your standard credit cards (VISA, MASTERCARD, AMEX and DISCOVER).

Myth 3 – Paypal is not recognised enough around the world.

FALSE. Paypal is used by a myriad of companies globally across numerous industries/markets. For a comprehensive list of Australian companies that use Paypal, see here (I bet you’ll recognise more than a few of your favs in the list).

Development Cost Advantages

When developing an e-commerce solution, using Paypal allows you to avoid the following costs:

  • Merchant account with the bank (costs vary depending on the bank).
  • Payment gateway programming (costs vary depending on the bank).
  • SSL certificate, needed to handle sensitive information such as payment details in an encrypted format.

I hope this serves as helpful information in understanding Paypal better.
Got questions? Let’s chat!

September 30, 2014

Itomic Security Announcement | Shellshock Vulnerability

Public Announcement

You may have recently heard about a new security vulnerability affecting many millions of computers worldwide. It’s been dubbed ‘Shellshock’, and you can read more about it here:

This message is to reassure you that the affected software, “Bash”, is 100% up-to-date across all Itomic’s hosting servers.

In collaboration with our technology partners we will continue to monitor the situation closely. If/when additional recommended security patches are released, we are well prepared to respond very quickly to apply them.

If you have any questions or concerns, please don’t hesitate to contact us.


Team Itomic

September 15, 2014

Webmail Access [How to]

By Izumi Mitsui

Using POP email? Need access to your emails when you’re travelling or not near the home computer? Here’s a quick tip!
To access your webmail login portal type ‘/webmail’ at the end of your web address.


This will take you to a login portal that looks like this:

Enter in your email address and password and you’re in!
If you can’t remember your password contact our team and we’ll be happy to reset it for you.

Happy days!

September 8, 2014

WordPress 4.0 is here. Welcome Benny! [FAQs]

By Izumi Mitsui

It’s about that time again: the latest version of WordPress has now been released. This release is named in honour of jazz clarinettist Benny Goodman (aka The King of Swing).


What does Benny bring to the table?

This update focuses on smooth management and delivery of your content with fewer clicks and less scrolling.

Quick recap of Benny’s highlights:

  • Intuitive Editing
  • Seamless Media Embeds
  • New Plugin Browser
  • Media Library Grid

For detailed information visit here:

Why is Benny good for me?

Since relevant content is a crucial factor with organic SEO, WordPress has done a great job with Benny by allowing you (as the website admin) more effortless control over your content.

Should I update to Benny?

Our best recommendation is you contact your web developer to get advice.

As with any other update, there’s a chance it could result in unexpected behaviour or break the site. Please take precautions before updating the platform yourself.

Do I have to update?

The short answer is no, however there are many reasons why you should keep your platform updated at all times. If you’d like more information on this topic please let us know.

Don’t have a web developer/consultant? We’re more than happy to have a chat and offer you assistance.

Feel free to contact us at anytime!