We also received the following testimonial from them:

Wolverley CE Secondary School used DSA media to assist us in creating an in house school management and VLE system. DSA Media went above and beyond our expectations with a difficult, bespoke brief – with fast and efficient product delivery, support and advice.

We would (and do) actively recommend them to those who are looking for any of the services they offer.

Wolverley CE Secondary School – www.wolverley.worcs.sch.uk

The script was updated and secured soon after the vulnerability was found however, we have recently been made aware of the second theme on our server still using the vulnerable code. Thankfully our security scanner picked up an attempt to upload a virus via the exploit and quarantined it, and the theme has now been upgraded by the site owner.

However, this highlights the fact that site owners need to be more active in keeping their plugins and themes up to date. Modern WordPress themes can contain just as many potential exploits as plugins can, and must be kept up to date at all times. Often the reason for not upgrading themes is due to modifications made to an off the shelf theme, however this should not be a reason to leave a potentially insecure theme running. If you need to make code modifications to a theme then you should be using a child theme instead, which leaves your main theme untouched and thereby allowing you to continue to keep it upgraded as soon as new versions are released.

So we are asking all hosting clients to check their sites, and if they have the TimThumb script running (note, this isn’t WordPress dependent) then please ensure it is updated to the latest version, and if you are running a WordPress site, please ensure all themes, whether in use or not, are always kept up to date with the latest release.

To help with keeping on top of updates we recommend that you install and use the WP Updates Notifier plugin which will email you as soon as there is an update available for either the core files, a plugin or theme from the WordPress repository. However, this will not notify you for themes or plugins not available on the WordPress website, therefore you will still need to make regular checks to ensure any updates are carried out as soon as possible.

Whilst we have been able to track down a number of the problem sites, and provide guidance on making them more efficient so that they can continue to be hosted on a shared hosting environment, it hasn’t yet been possible to track down all of the problem sites and to take action.

Consequently we have been compelled to purchase new hardware to compensate for the continuing increased load in order to try to prevent further outages. Following on from an outage earlier today we have made the decision to carry out the upgrade as soon as possible. The upgrade will be done outside of UK standard business hours this evening, at 8pm.

As the new hardware will need to be installed whilst the server is off-line there will be a short period when your web sites will be unavailable, however this should only be for a few minutes and no longer than 30.

We apologise for any inconvenience that arises as a result of this essential upgrade work and will aim to complete it as soon as technically possible. We will also work to identify any sites that continue to cause problems and to work with the owners of those sites in order to improve their efficiency and enable the server to work at its optimum.

• Upgrade PHP to the latest version (5.3.8)
• Install Suhosin to secure PHP further
• Disable the ability to run certain (rarely used) PHP functions that could potentially cause a security risk (for a full list of disabled functions please contact us)
• Disable displaying PHP errors on-screen, which should not be used in a production environment. All fatal errors and warnings are still logged to the error_log file in the file’s directory location.

Whilst we have seen a couple of minor issues arise from these updates, which have been dealt with as quickly as possible, most sites are still running as normal and are unaffected.

The main issue that we have seen is due to old or badly coded scripts causing numerous errors. These scripts should be removed from the server or updated immediately as per points 4(a) and (b) on our hosting terms (please note, both are excerpts of the full points):

1. Clients are solely responsible for ensuring that all scripts installed by them (including any available within your account control panel) are patched and kept up to date.
2. Any client not keeping their scripts up-to-date and secure is liable to have their site suspended with immediate effect in order to protect the integrity of the server and other accounts hosted on it.

If you find an issue on your site then please first check the relevant error_log file and your Error Log in cPanel, to ensure that it’s not a simple script issue. For any off the shelf scripts, a search on the error will often give you further information with regards to this.

If you do find an unexplainable issue with your site or an issue that you cannot fix then please do not hesitate to contact us, providing as much information as possible including any search results or further information you have found online.

Please be aware that if we have to take time to support and/or fix an out-of-date or unsecure script then we may have to charge for this at our hourly rate of £40 + VAT (this does not include issues that have arisen from adding Suhosin, Mod Security or disabling certain PHP functions).

Whilst we don’t expect there to be any disruption, there may be potential issues for some clients or their visitors as a consequence of the more stringent security measures. In the eventuality that you discover issues with your site during the evaluation period it would be extremely helpful if you could contact us as soon as possible with as much information as possible regarding the issue, what you were doing that led up to the issue manifesting itself, which browser or other software you were using at the time (including version number), and importantly your IP number; please also advise us of any software that you have installed on your hosting account, including any content management systems (such as WordPress, Joomla, etc.).

If you find yourself unable to connect to your web site or hosting control panel, as a result of the security measures put in place, you should use the form on our external status site, at: www.dsamedia-status.co.uk/supportform.php.

We often find clients don’t want to download their email, or at least not right away, so that they can access it from multiple locations, perhaps at home and work. However, we unfortunately have to impose storage limits on accounts otherwise we would run out of space very quickly. We’ve found on a number of occasions clients let their mailboxes fill very quickly, or they give too high a space limit to their mailbox and their entire hosting account gets full. This causes all types of problems as you cannot access your mailbox via webmail once it’s full. So if you want to set up an online system to ‘hold’ your email temporarily or permanently then we recommend using Google Mail. You get 7GB of space with Google Mail. That should be plenty for temporary storage or it should cope with quite a few emails!

Setting up POP on GMail

To download email to GMail you need to use your POP3 mail settings. To set up your POP account on GMail you will need to create and/or log into your Google account. Then follow these instructions.

• In GMail click on the small ‘cog’ icon in the top right of your screen which should give you a drop down menu with Mail settings and Mail help in it.
• Select Mail settings.
• In the settings you need to select “Accounts and Import”.
• On the Accounts setting screen there is a section called “Check mail using POP3″. Click on the button to the right of this titled “Add POP3 email account”.
• In the pop up box it will first ask for your email address. Enter the email address for your account on our server. Then click Next Step.
• In the next screen you will need to enter your username, which is your email address except replace the @ with a + (plus sign).
• Then enter your email password in the password box.
• The POP server will probably be prefilled by Google with mail.yourdomain.com (where yourdomain.com is your web address). If it isn’t then please set it to be mail.yourdomain.com.
• The port number should be set at 110.
• You then have some checkboxes. We do not recommend that you leave a copy of your mail on the server as this defeats the object of setting up GMail to access and download your email.
• You can leave the SSL connection unchecked, and the final two boxes are optional and your own choice.

Once finished you can click on Add Account. It will then check that your login details are correct. If they come up as invalid, please check that you’ve entered the details correctly. If you’re not sure if your password is correct then please use your cPanel account to reset it. Too many incorrect attempts may cause the server firewall to temporarily block Google’s IP.

If you later need to download copies of your emails to your computer then you can download them from Google. You will find the information to do this under Settings -> Forwarding and POP/IMAP from within your GMail account.

If you wish to use this method to check your email but are unsure how to proceed, or the steps above seem slightly daunting, then we can provide a service to set up one or more email accounts on your GMail account for you for a small fee. Please contact us to discuss this.

Kashflow is ideal for sole traders, companies and also whether you are VAT registered or not. It allows you to store all of your accounts online securely, and access them from any web enabled computer or even an iPhone via their dedicated app. Kashflow allows not only your standard accounts but also an easy way to generate invoices and quotes for your customers, including setting up repeating billing, so once the repeat invoice is set up it can go out every X weeks, months or years. Invoices are automatically added to your turnover once they’re paid too.

For VAT registered businesses, the VAT liability for the quarter is always shown to you on the front overview page as soon as you log in, which is useful to know how much you need to be putting aside towards the VAT bill each quarter. You can also set your account up with your HMRC login details to submit your VAT return directly from Kashflow, saving you the hassle of copying the figures over to HMRC and doing it directly on there.

Finally, the number of reports available are excellent. There is a self assessment report, useful for sole traders, plus profit and loss reports, VAT reports and more. Kashflow isn’t just applicable to only web businesses such as ours, but any type of business would find it easier and more efficient to use than most of the standard accountancy packages such as Sage. Our Accountant has a login to our account too which means we can easily ask him to log in and check over items that we’re not sure if they’ve been correctly entered, or he can just get the end of year accounts and reports direct from the system, saving us the time having to download the accounts and take or email them over to him.

Kashflow has a 60 day trial period available, where you can sign up and try all of the account’s features for free. You don’t even need to give any card details. This is certainly a decent length of time to be able to assess whether it’s ideal for you. If you do then choose to pay for it, it costs £15.99 + VAT, however if you visit them by clicking on the icon above, this reduces the price by £1 + VAT per month.

It’s certainly worth a try if you haven’t got a suitable accounts system or you’re thinking about switching. It’s a major time saver for us which frees us up to be able to do more work!

We will need to charge £30 + VAT to cover the time to download your files, make the changes, update the main admin password if necessary, and run a quick test over the site. There are no guarantees that these fixes will solve all security problems within the software, however it will go some way to providing a better level of security than the current version has.

If you wish to hire us to make these changes then please contact us with the following details:

1. Site URL
2. Invoice name and address
3. FTP username and password
4. Tradingeye username and password ONLY IF your password contains any of the following characters ‘ ” < > =

We will require payment before any work commences. We will initially give you an estimated date for the day which the work can be completed however this will not be secured until payment is received.

The email system should not be used for mass transfer of data or for virus transfer and we have a no-tolerance approach to spam mail being sent by any of our users. If you are found to be taking part in spam mailing then your account will be terminated, no compensation will be given and you may be fined up to £5,000 for your illegal use of spam (or an unlimited fine for trials by jury). To help combat spam we limit users to sending 100 outbound emails per hourly session.

Hosting Terms – 6a

We have taken the decision to increase this limit to 250 emails per hour, however we are also going to be enforcing this on the server. We are giving 48 hours notice of the enforcement to give any website that requires a higher limit to make alternative arrangements for moving to a dedicated mailing list provider such as MailChimp or Campaign Monitor.

If you have any questions with regards to this change or you require help in moving your mailing list over to an external service then please do not hesitate to contact us.

We have recently found a number of sites under attack from spammers who were exploiting the contact form 7 plugin. From our investigations we could easily see the version of the plugin in use, as it inserts it as a hidden form field, which means it’s easy for any spammer to determine whether the plugin is up to date and if it can be exploited. One such exploit resulted in 40,000 emails being sent via our server and over 9000 bounced emails received back which eventually crashed the server.

Whilst we can appreciate that scripts and plugins are required to help a website’s functionality, and exploit attempts will always be made and can happen on up to date versions of these scripts, if there are steps to reduce the likelihood of this happening, such as upgrading a plugin or looking into a more secure method, then we request that you do so. This is not a recommendation, this is a requirement.

As per our Hosting Terms & Conditions:

4a. Clients are solely responsible for ensuring that all scripts installed by them (including any available within your account control panel) are patched and kept up to date.