Security
Security is a big issue for us–and we think it’s important to you.
As any of you who have been with us for a while know, we work hard to keep our servers–and your sites–secure. Unfortunately, our superhero-like abilities have their limits.
Many of you are running sites built on the WordPress CMS. It’s a great program and allows you to do great things with your site. There’s a small downside, however: Because it’s so popular with users, it’s also popular with hackers.
Automattic–the company that created and maintains WordPress–is constantly on top of things. As soon as a security hole or flaw is found, they fix it and release an updated version. That makes it simple to keep ahead of the bad guys. However… it requires that you actually install the updates.
That’s the first issue.
We’ve done our best to keep people up to date with upgrades. It’s getting to the point, however, that we just can’t afford to do it anymore for free.
If you’re handy with computers at all, it’s very simple for you to do your own upgrades. When you see a notice to upgrade on your dashboard, simply go to www.wordpress.org to download the latest version. Then use FTP to upload it to your account. Overwrite the old files with the new ones, and it’s all good to go.
There are also ways to automatically update right from your dashboard.
If you’re not comfortable doing that, however, we’ve got a solution: Our new Upgrade Service.
Upgrade Service works in 2 ways (well… 2-1/2):
1) Per-incident: When there are major version changes or important upgrades, we’ll let you know. For $5 we’ll upgrade your site. In most cases, we’ll wait 7 days after the release of the new version to make sure that any new bugs are found and fixed. We’ll also pay attention to information regarding any plug-ins you might have, and make sure that upgrading won’t break your site.
2) Annual Service: If you want to just keep on top of things without having to worry, you can sign up for annual security protection. For $35/year, we’ll automatically upgrade and update your WordPress installation AND all plug-ins every time a new version comes out. We’ll wait 7 days on non-emergency upgrades to make sure that any bugs are found and fixed. For high-priority security upgrades, we’ll have them in place in less than 48 hours. This means your website will be as up-to-date and secure as it can be.
2.5) When your website is compromised, it doesn’t just affect you; it affects everybody else on the server, and our entire company. Because of this, if we find that you haven’t upgraded in a long time and your site presents a severe risk to other clients or the server as a whole, we will immediately upgrade your site and charge you the $5 fee. We don’t like having to do this, but we’re simply not willing to risk the security of our clients. We hope you can understand.
This brings me to the 2nd major aspect of our new security policy.
Cleaning Services
Up until now, Paul and I have taken a very understanding and forgiving attitude towards sites that have been hacked. As I’ve stated previously, we’ve put in hundreds of free hours of support for you guys. Some of it, however, simply can’t go on.
If your site is hacked because our security wasn’t up to the task, or because nobody knew that an exploit existed, then it’s our responsibility and we’ll do what we can to make it right–for free. This means it’s up to us to keep on top of things and let you know when there are dangerous beasties roaming the internet.
If, however, your site is hacked because you’ve been careless and left the door open? We’re going to have to start charging. Most webhosts, when they find a hacked site, simply shut it down and tell you to fix it. They don’t care what happened or whose fault it is. We’re not that callous. There are limits, however.
We will do our best to keep you informed of security vulnerabilities and help you patch them before they become a problem. If you fail to heed our warnings–or (shame on you!) continue with actions we’ve told you to stop–then we simply can’t deal with that for free. In these cases, we’ll now be charging $50/hour to clean and restore your site if it’s hacked.
Now, if all you do is update your posts and write new pages, this won’t be an issue for you. If you’re going in and playing with the advanced toys, we expect you to know what you’re doing–at least enough to be safe about it.
As always, if you have any questions about what to do, feel free to ask. We’re more than happy to help you do things right and keep it safe. That kind of help is always free. That’s just good business sense, after all. And we’re not going to come kicking in your (metaphorical) door if you make an honest mistake.
All we’re saying is: If we tell you there’s a problem, and you refuse to fix it… you’re going to end up paying for it.
If you’re going to be playing around with advanced options, just fire off a quick e-mail and ask us if we think it’ll cause any problems. If we tell you to go ahead, it’s on our shoulders.
Over the next couple weeks, we’ll be posting a few quick pointers to help you decide what is and is not safe to do.
We should have the Update Service “officially” in place starting October 1st. If you want to sign up before that, just let us know; we can get it all set up for you.
If you have ANY questions about any of this, PLEASE ask. We’d really rather help you avoid problems than have to fix them.
–
M Blaze Miskulin
Security Goon
Geek Niche, Inc.






