RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://test-cpanel.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://test-cpanel.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test-cpanel.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test-cpanel.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

It actually checks for the line “RewriteEngine on” and does not add it a second time into the .htaccess which is smart… The problem comes when you remove hotlink protection.

cPanel goes through all domains, subdomains, add-on domains once again this time and removes the code but it removes all instances of “RewriteEngine On” in every .htaccess. The problem that comes with this is that if you’re running something such as WordPress, vBulletin, IPB, or any other script that uses mod_rewrite, as most do, suddenly all of your rewrite rules no longer work.

I contacted cPanel about this issue and the technician confirmed that this was a bug and this is what I got back:

I responded back asking a simple curious question:

Their response (same technician):

Now don’t get me wrong … I fully understand why a large organization would take such a stance on issues with their software, but that doesn’t stop me from disagreeing with this stance.

Being fairly irritated with this issue (and others in the past) that I have reported and seen it take 6+ months to resolve I responded with this:

The tech did go ahead and pass my message on to management:

I won’t be holding my breath.

Point of the story: be careful with “Hotlink Protection.”

The individual signed up using a first name and last initial only, their mailing address was a mail forwarding address, and many other red flags were sent up when this individual attempted to order services.

Here is a complete view of the email conversation with all personally identifying information redacted and by all means read it over and let me know what you think in the comments.

This individual came to us from WebHostingTalk.com so I’m curious how they are going to portray this email conversation.  I guess we’ll just have to wait and see what they have to say.

The most important quality required in a person starting their own web hosting provider is resourcefulness – when you are new to hosting there are certainly going to be roadblocks that you come across and questions that you do not know the answers to.  Being resourceful means that even if you don’t know the answer immediately you know where to look to find the answer.  The vast majority of support issues that clients raise could be answered simply by visiting Google.com and typing in the question or a description of the issue.  Unless you are an expert on everything (keep dreaming) then you either need to be resourceful or you will very quickly find yourself being asked questions you cannot answer which leads to very unhappy customers and bad reviews.

The second most important quality required is good business sense – such as knowing that offering unlimited master reseller accounts for $7/month is not going to lead to anything but a quick rise and and even quicker fall. It is very important that any entrepreneur sits down and writes up a solid business plan setting both short-term and long-term goals as well as planning out how the business is going to achieve these goals.  While it is possible to start a business and be successful without a business plan it is highly unlikely and I would say personally that it is the exception to the rule.  Without a business plan not only is it impossible to know if you are getting where you need to be but it is impossible to determine what changes should be made to help meet any goals that you may have in mind.  You need to be able to make the big decisions without having to go to your friends, family, or others in the hosting industry to ask them what they suggest.

The third most important quality is a basic understanding of marketing. Many new hosting providers try to compete on price with the major players in the industry which is another issue that anybody with solid business sense is going to know from the start is simply not going to work 99% of the time.  Larger providers are able to offer more features and resources at lower prices simply due to their ability to obtain hardware, software licenses, and other necessary tools at much lower prices by dealing in bulk.  As a small provider you will not have the ability to get such good deals on your resources and as such attempting to compete on price with the larger providers in most cases will lead quickly to the demise of your company.  Understanding the basics of marketing will help you not only get your company’s name out there but will also help to convert potential customers that do make it to your web site.

I will post more on Starting and Running a Web Hosting Business within the next few days so be sure to check back for Part Two!

Let’s face it – the world tends to be a very hostile environment and the internet is not much different.  From viruses and trojans to distruption of service attacks – it happens all day every day and it is only a matter of time before it affects you.  I have personally dealt with two DoS attacks in the last two weeks and both for very different reasons although the end result is about the same.

Last week the DDoS, or distributed disruption of service, attack was motivated entirely by financial gain for the attacker.  The attacker had previously attacked another hosting company called A Small Orange and had attempted to extort $7,000 from the company to stop the attack.  ASO did not bow to the demands of the attacker and simply worked to filter out the attack and return service to their customers.  While some of ASO’s customers were not satisfied, many times when a provider is put in this situation there is not much that can be done.

The attacker moved on from ASO to my company and sent a message to our sales department informing us that we were next.  The attack began about an hour later and peaked at about 4.5GBPS which is enough to  bring down most small data centers in their entirety however our data center SoftLayer Dallas was able to filter out the attack within 10 minutes to restore full service.  The attacker subsequently moved on to their next target which was VectorLevel who was hosted with Colo4Dallas at the time.  The attack at VectorLevel brought Colo4Dallas to it’s knees until the attack was null-routed at C4D’s upstream provider.  At the time of this writing Colo4Dallas’ web site was unreachable and as such I am not directly linking to it.

Fast forward a week and a half and another one of my servers was under a new attack from a new source.  This time the attack was not monetary and the goal was simply to take a particular site offline.  The target of the attack was a fairly popular forum that centers around firearms manufactured by a particular company.  The forum has information such as cleaning and maintenance of the guns and in my looking over the site is nothing apparently negative.  My guess is that whoever wanted to bring the site offline was more of a “pro gun control” type of person.

This attack was a bit more difficult to stop as it was smaller and “flew under the radar” of our automatic filtering systems but was still large enough to cause intermittent connection issues over the period of about two hours.  We worked to filter out the attack however whoever was administering this particular attack was doing a pretty good job of countering the counter-measures were putting in place to mitigate the attack.  Ultimately we were able to fully mitigate the attack after quite a bit of work and effort.

It seems that there are malicious people out there whose only goal is to cause harm and to disrupt the services of others.  If you do find yourself in a situation where your web site or hosting service is being disrupted by a DoS attack please do be patient with your provider and understand that there isn’t always something that can be done to fully mitigate the attack.  If your provider is able to restore full service to you within a fairly short period of time (less than 2 to 4 hours) you should consider yourself lucky as many DoS and DDoS attacks can last days if not weeks.

I have in the past fought tooth-and-nail for Apache’s ability to match LiteSpeed Web Server’s speed when serving web sites.  Apache can be configured to be nearly as fast if not just as fast as LiteSpeed but the problem is that Apache requires in my own personal testing nearly two times as much memory and FastCGI to come close to LiteSpeed comes out of the box.  LiteSpeed claims to serve static content up to 9 times faster than Apache and PHP up to 50% faster.  While I won’t go into depth as to which one can do what faster, I will go into why I chose to move my company from Apache to LiteSpeed and what benefits we have seen.  If you want to see benchmarks that compare LiteSpeed and Apache I recommend you search Google.

My company has relied upon Apache for years however I recently began testing the latest version of LiteSpeed which has come a long way.  LiteSpeed out of the box offers the performance of an extremely-optimized Apache installation with half or less memory consumption in my testing which is a major benefit.  Apache is very weak against certain DoS attacks such as a HTTP Request DoS which doesn’t require a large amount of outgoing bandwidth but can be devastating to an Apache web server where as LightSpeed takes such attacks in stride in my testing.

I found personally that the overall “feel” of browsing various test sites, both dynamic and static, felt snappier or zippier which is an additional benefit to running LiteSpeed.  In the end if you know what you are doing and you have the RAM in your server to accomplish it you can match LightSpeed Web Server’s speed at the cost of efficiency.

LiteSpeed’s Web Server is a direct replacement for Apache and installation was a breeze.  LiteSpeed supports all of the popular control panels and all of the features of Apache except for your old Server Side Includes but who uses those any more?  In my experience on a cPanel based web server you can log into WHM and switch between LiteSpeed and Apache at any time and you can run LiteSpeed on an alternate port for testing any sites that you wish to make sure will function correctly before “making the switch.”  I have yet to run into any issues that are caused by LiteSpeed however I will post an update if I do run into any.

At the end of the day my advice is to spend the extra money you would be paying to add additional RAM into your server on a LiteSpeed Web Server license.

Edit: LiteSpeed 4.0 *does* support Server Side Includes even though the current FAQ on LiteSpeedTech.com says that it does not.