The importance of choosing the right webhosting company.
We moved Digitalapplejuice.com to Polurnet.com within one month of launching our site as a result of a 5 day outage with our previous webhost. I chose Polurnet because of their stellar reviews at webhostingjury.com.
In the last 10 years, I have worked with a number of webhosts: Interland, Cyan Global, AN Hosting/Midphase, MacHighway, GoDaddy to name a few. While I wouldn’t consider myself an expert, I am certainly no shy wallflower noobie when it comes to web servers and website management.
Therefore, when all the images for DigitalAppleJuice disappeared last Wednesday I didn’t panic. Not that I noticed initially. The problem came to my attention as an all-together-different problem.
That day I was in a holding pattern, waiting for a client to email me the new FTP login for the project I was working on. While I waited, I decided to upgrade and schedule DigitalApplejuice, starting with updating to WordPress 2.7.1 from 2.7.
As always: first the backups. I used the server’s backup wizards, plus I copied the root folder to my hard drive using my FTP program.
Then I upgraded to WordPress 2.7.1 manually. I copied all the files over leaving the wp-config.php intact.
I was trying to upload and schedule our next spree of posts: David Turton’s Illustrator tutorial, 3 additions to my series of tutorials for Pixelmator, an episode or two of The Tao of I. T. Al. Because our e-zine is heavily invested in supporting images, we have been using Dean’s FCK Editor since our inception. The real advantage to using Dean’s FCK WYSIWYG Editor (http://www.deanlee.cn/wordpress/fckeditor-for-wordpress-plugin/) has been the upload/file manager, which allows for sub-folders. That means our images can be organized by author or subject: a real timesaver when publishing an article per day with an average of 6-8 images.
When the upload manager for Dean’s FCK started giving me a "404/ File cannot be found" error, I ran through the basic WordPress troubleshooting: cleared my cache, deactivated all plugins and turned on only the plugin in question to check it, reinstalled the plugin in case it got corrupted, repaired the database through cPanel, and reinstalled the WordPress files in case something got corrupted. When the 404 errors continued, I figured that the plugin didn’t work with WP 2.7.1. Time to decide what I needed to accomplish on that day: schedule the next two weeks of articles or fix the back end.
Backend problems are governed by the whims of chance- problem-solving can take a minute, a day or a week to fix. I believed I had 1 day at best before I had to return to my paying project. I decided to insert images directly using urls.
When the links to the images themselves started giving me 404 errors (even though I could see in my FTP program that the image was in fact where the URL said it was), I realized I had another problem.
From past experience I know that mod_security updates can cause these errors. So I emailed my webhost, Polurnet.com, asking if they had done a recent security update. If so, I wondered if it was necessary to change file permissions, or do something else altogether, to get the site working properly.
In the meantime, I uploaded and activated the Maintenance Mode plugin by Michael Wöhrer (available at http://sw-guide.de/wordpress/plugins/maintenance-mode/ and http://wordpress.org/extend/plugins/maintenance-mode/). Then I undid my upgrade to WP 2.7.1, stepping back to WP 2.7, hoping this would cure my problems.
It didn’t.
What I didn’t realize at the time was that Brian S. from Polurnet had emailed me a couple of times, said that there had not been a recent security update and that files and folders needed specific permissions (644 and 755 respectively), and suggested I delay downgrading WordPress because he had another client whose WordPress site was triggering mod_security that same day.
I emailed him the last 10 error messages I was getting that day. They all looked kind of like this:
[Tue Feb 24 11:56:42 2009] [crit] [client 66.253.84.165] (13)Permission denied: /home/juice/public_html/wp-content/uploads/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
Brian S., in collusion with Richard P., performed some mod-security magic that should have solved our issues.
The magic failed us. (read- "Time To Panic")
So I emailed Brian S. the content of the .htaccess for digitalapplejuice. The error logs were still showing that odd request for an htaccess in the uploads folder. I wondered if I needed an htaccess for that folder and what exactly it should say.
In the meantime, I started scouring the internet for possible answers for this problem.
Since my problem was specific to images I found this:
A Real Solution
So what we need to do is work out what is tripping up the ModSecurity.
I was lucky I knew it was just the image html code. So after a bit of an elimination I have determined that there must be a rule on my host that stops the source code “src=http:”. This also means that I can’t use the built in media insert functionality within WordPress as that generates code with the offending string in it.
This type of rule will be in place to stop cross-site javascript injection attacks. It is most likely the result of a sloppy custom rule generation.
The real solution in this case, is to get the host to remove or amend the rule to one that allows for the detection of the <script> tag as well as the offending src linking code.
(excerpt from http://manwithnoblog.com/2009/01/24/wordpress-404-after-saving-a-post/)
Then I emailed Brian S. some additional sites with information about specific exceptions for wordpress 2.7 and mod_security 2.5.
http://www.gray.me.uk/linux-administration-and-management/adding-an-exception-to-mod_security
At no time would I consider taking matters into my own hands. These 2 articles specify exceptions by ID, something I know NOTHING about, and mucking about willy-nilly is not the most prudent thing when dealing with server security. In my research, I discovered that DreamHost allows its users to turn off mod_security at will. It might be a good idea for advanced programming geniuses, but for persistent (read ‘stubborn’) graphic designers like me, well, I don’t think that would be the brightest thing to be able to do. I don’t have enough time to understand all the ramifications of turning off mod_security, manage digitalapplejuice, and make a living.
So I waited for Brian S. to contact me. A few hours later, I received an email:
Hello,
The problem is not actually with mod_security (we already disabled it completely on your domain) or even .htaccess, but rather CHMOD permissions for your uploads folder. We changed many of the permissions, but since you have hundreds of files, you’ll need to continue where we left off. Basically, all folders must be CHMOD 0755 and all files (including images like jpg and gif) must be set to 0644. For example, /home/juice/public_html/wp-content/uploads/image/arnold has all images set to 0774 which will not make them work. You’ll need to fix these via your FTP client to 644. Your images and site will then work properly, just as we have done with http://digitalapplejuice.com/wp-content/uploads/image/aikido_thmb/52.jpg
Please let us know if you have any further questions.
Regards,
Brian S.
Technical Support
PolurNET Communications
I can only assume that while I was mucking about, installing WP 2.7.1 manually and then reinstalling WP 2.7, I had somehow reset all the folder and file permissions, which caused a bit of misdirection during the problem-solving phase. Plus I created an encoding issue that, unfortunately, I will have to solve all on my own.
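The permission policy from the host's email (directories 0755, files 0644), as an added shell example that is not part of the original post or the host's own tooling: it lists every entry under an uploads tree that deviates from the policy and resets only those. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and normalise modes under a WordPress uploads tree.
# Policy taken from the host's email: directories 0755, files 0644.

# Print every directory that is not exactly 0755 and every regular file
# that is not exactly 0644 (find's -perm with no prefix is an exact match).
audit_perms() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# Number of entries that deviate from the policy (0 means the tree is clean).
count_bad_perms() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Reset only the deviating entries. Directories go first so that files
# inside a directory that was too restrictive are reachable for pass two.
# Files lose group/other write and all execute bits, which is also the
# least-privilege choice for a web-writable upload area.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Constructed sample tree (not the real site): one folder at 0775 holding
# two images at 0774, as in the email, beside one image already at 0644.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/uploads/image/arnold" "$root/uploads/image/aikido_thmb"
    : > "$root/uploads/image/arnold/1.jpg"
    : > "$root/uploads/image/arnold/2.gif"
    : > "$root/uploads/image/aikido_thmb/52.jpg"
    chmod 755 "$root" "$root/uploads" "$root/uploads/image" \
              "$root/uploads/image/aikido_thmb"
    chmod 775 "$root/uploads/image/arnold"
    chmod 774 "$root/uploads/image/arnold/1.jpg" \
              "$root/uploads/image/arnold/2.gif"
    chmod 644 "$root/uploads/image/aikido_thmb/52.jpg"
    printf '%s\n' "$root/uploads"
}

# Audit only when a path is given, e.g.: sh perms.sh wp-content/uploads
if [ "$#" -ge 1 ]; then
    audit_perms "$1"
fi
```

Run the audit first and read the list before calling `fix_perms`, since a file that is deliberately stricter than 0644 would be widened to 0644 as well.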
I will never know for sure, but I suspect that the initial problem was caused by mod_security and upgrading WordPress compounded the problem by interjecting a red herring. I do know that, without Brian S.’s persistence and Polurnet’s extraordinary customer service policy, DigitalAppleJuice.com would not be up and running now.
It’s good to know that I made a good decision when I settled on Polurnet.com.