Ser­vices and Prod­ucts

Legacy PHP code is a prime tar­get for mali­cious par­ties attempt­ing to gain unau­tho­rized access or deface your web appli­ca­tion . Older ver­sions of PHP which are marked as "unsup­ported" or "end of life" (EOL) by the devel­op­ers of PHP no longer receive secu­rity updates, and may also con­tain bugs which are fixed in sub­se­quent major releases only. It is in your best inter­est to remain­ing up-to-date.

PHP 5.3 was marked EOL in August 2014. As a cour­tesy to our clients, our Man­aged Host­ing reg­u­larly offers extended sup­port for EOL PHP, while we help our clients to upgrade their web appli­ca­tions to more recent PHP ver­sions.

In order to ensure the safety of our server envi­ron­ments and your hosted appli­ca­tions , our Man­aged Host­ing will remove sup­port for PHP 5.3 by the end of Feb­ru­ary 2017. We will even­tu­ally also dis­con­tinue sup­port for the 5.4 and 5.5 branches of PHP (both of which are also EOL) by the mid­dle of this year.

What does this mean for you as a Managed Hosting client?

We already iden­ti­fied all client sites still using PHP 5.3 and con­tacted you accord­ingly about upgrad­ing your web appli­ca­tions to PHP 5.6 or 7.x respec­tively. If you did not get any mes­sage from us, the above changes may not affect your sites.

It's been a long and hot debate among our client ser­vice, web experts and devel­oper teams. As a full-range IT solu­tions provider, we should of course pro­vide ser­vices for one of the most famous con­tent man­age­ment sys­tems. Its user base is enor­mous. Plenty of com­mu­nity-dri­ven add-ons are avail­able for almost every use-case one may think of when it comes to web­sites. On the other hand, keep­ing a run­ning Word­Press web­site up-to-date and con­stantly hard­en­ing it against secu­rity leaks and hacker attacks requires a huge amount of work.

We needed more insights. So SHORELESS spent almost two years observ­ing the per­for­mance of the four PHP based con­tent man­age­ment sys­tems we reg­u­larly use for client web­sites: Word­Press, Con­tao, TYPO3 and Dru­pal. We mea­sured entry costs, time-to-mar­ket, and costs for main­te­nance and sup­port of com­pa­ra­bly com­plex sites. To no sur­prise, Word­Press sites have been fastest and cheap­est to setup and get run­ning for sim­ple sites. How­ever, by the end of the sec­ond year already, the costs for main­te­nance and sup­port of most Word­Press sites sig­nif­i­cantly out­grew their advan­tages and low entry costs com­pared to all other CMS. As SHORELESS always strives to pro­vide best ser­vices and long last­ing easy-to-main­tain solu­tions, these find­ings led us to not actively offer Word­Press any­more for new client web­sites.

While our Word­Press devel­op­ers still main­tain and sup­port exist­ing Word­Press sites for our clients, they will now pri­mar­ily focus on improv­ing and extend­ing our web­site base pack­ages for Con­tao, TYPO3 and Dru­pal. This way, we're still able to offer low-cost, entry level web­sites to our small to mid-sized clients. They fea­ture highly cus­tomiz­able themes and include the most com­mon fea­tures out of the box. And our con­fi­dence in pro­vid­ing last­ing, extend­able and secure solu­tions that really meet the needs of our clients. Even when our clients are on a low bud­get.

The Heart­bleed bug was dis­closed on 1st of April 2014. This mas­sive secu­rity vul­ner­a­bil­ity in OpenSSL pro­to­col has been pre­sent since the relase of OpenSSL ver­sion 1.0.1 on March 2012. While it left peo­ple scram­bling to change their pass­words left, right and cen­ter, we'd like to inform our cus­tomers, that our web­sites and the man­aged host­ing accounts have been save and secure.

Our servers used OpenSSL ver­sion 1.0.0 and 0.9.8 which where not affected by the Heart­bleed bug . To ensure none of our cer­tifi­cates have been com­pro­mised dur­ing its issu­ing process on third party servers and com­mu­ni­ca­tion chan­nels, we renewed all our SSL certfi­cates.

What should you/your customers do next?

No data on our servers has been breached. The cer­tifi­cates on your man­aged host­ing have been reis­sued as well. You don’t need to take any action regard­ing our site or ser­vices. How­ever, this bug has been out there for a long time and it's pos­si­ble that sites you or your cus­tomers reg­u­larly visit would be sus­cep­ti­ble the vul­ner­a­bil­ity.

You can check whether or not sites are sus­cep­ti­ble using this tool: http://fil­ippo.io/Heart­bleed/

We rec­om­mend you and your cus­tomers gen­er­ate new pass­words for any web­site in which sen­si­tive infor­ma­tion is stored, such as email, bank­ing, etc. How­ever, you should wait until these sites have updated their OpenSSL ver­sion and replaced their cer­tifi­cates with new cer­tifi­cates being issued on 8th of April 2014 or later.