-
Posts
-
Hi,
Total Upkeep was working well on the staging site (hosted by DreamHost) but now we’re live on the actual site, which uses a different server (hosted by Simply Hosting) it says “Total Upkeep is not compatible with your hosting account. For further help please see: Making your web hosting account compatible with Total Upkeep” which links to the page “Using The Preflight Check In Total Upkeep”. However there is no information on this page for troubleshooting.Specifically:
In the General section, Execution functions available = None (in RED)In the Available compressors section, System ZIP available? = No (in yellow) /usr/bin/zip is not available.
In the Cron section, everything = No (in yellow), with Can fetch a remote url via CLI? = No (in red)
Thanks in advance for any advice.
Hi Ralph-
Thanks for reaching out, I’m sorry to hear about the trouble using Total Upkeep on your live site. DreamHost is one of our Platinum WordPress Hosting providers, but I don’t have much experience with Simply Hosting.
I’ll start with the easiest one first, the Available Compressors section. As long as there is at least one of the compressors showing as available, you can safely ignore the System Zip warning.
In the Cron section, you mentioned that “everything = No.” Does that include WP Cron enabled? Generally speaking, WP Cron should always be available as a fall-back unless it’s been manually disabled in your
wp-config.phpfile, with the linedefine('DISABLE_WP_CRON', true);, or if it has been disabled intentionally by another plugin or possibly your hosting provider.Last, the Execution Functions. At least one of the following is necessary for Total Upkeep to function:
- popen
- proc_open
- exec
- shell_exec
- passthru
- system
It’s possible that you can resolve this yourself if you have access to the cPanel Multi PHP INI Editor. Look for the option to Disable functions and remove at least one of the above items from the list. I checked on Simply Hosting’s knowledgebase, but I couldn’t find an article instructing you how to edit your PHP INI settings.
If you don’t see the Multi PHP INI Editor in your cPanel, or you don’t have access to the Disable functions section, you’ll need to get in touch with Simply Hosting to enable one of them.
Hi Jesse,
Thanks for replying! There are other compressors available, so that’s good.
Sorry, in the Cron section WP Cron is actually enabled – it’s just the first four that are showing “No” (Can fetch a remote url via CLI?, Curl SSL enabled?, PHP allow_url_fopen enabled? & System crontab available?)
With regard to the Execution Functions showing “None”, I’ve just had a look in Simply Hosting’s CPanel and unfortunately I can’t locate the Multi PHP INI Editor so I guess I’ll need to reach out to Simply Hosting about that.
Thanks for your help and if I manage to get it running I’ll post back here with the results.
Further to my previous reply (awaiting moderation at the time of writing this) –
With regard to the Multi PHP INI Editor being missing from Simply Hosting’s CPanel, SH tech support have replied:“By default, the cloud Linux alt-php version is enabled for your account. If you are trying to enable any particular extension for your domain, That can be done by using the PHP selector tool.
cPanel -> Select PHP version.
Where you can see the PHP extensions and Options that can be changed according to your requirements.”I tried using that tool but couldn’t see any of the Execution Functions you listed in your first reply, so I’m not sure it’s the right advice from them. This is pretty much all Greek to me, but if you can advise how best to reply to SH with regard to that, I’ll give it a shot!
Hi Ralph-
Thanks for the updates! I checked out your site, and I did find that you have a phpinfo.php file available. To find it go to this address, substituting your website,
example.org.au/phpinfo.php.There, you’ll find the disable_functions I mentioned earlier:
Simply Hosting’s response is talking about PHP Extensions, which are not the same as disabled functions. Disabled functions are a part of native PHP, but have been intentionally disabled by them for “security” reasons. It’s true that abuse of these functions can be a security risk, so some web hosts disable them, but most WordPress Web Hosts (like DreamHost) have more sophisticated security systems than simply disabling them.
When you reply to Support, include your phpinfo.php link and let them know that at least one of the execution functions in the
disable_functionsfield needs to be enabled for your website.Hi Jesse,
Thanks for that info, and I can now see that the disable_functions value is exactly as in your image above.
For interest’s sake, I also created a phpinfo.php file on another WordPress site, one hosted at DreamHost (it didn’t have one so I created it) and on that site the disable_functions has no value.
I assume this is because, as you mentioned, Dreamhost has more sophisticated security systems than simply disabling them, and I assume that’s because they’re more appropriately set up for WordPress than Simply Hosting.
This leads me to worry, of course, that if I ask for one of the execution functions to be enabled in order to get Total Upkeep working on Simply Hosting, I may be leaving the site open to some other security vulnerability – your thoughts?
Hi Ralph-
Let me preface this by saying that a lot of this answer is my own opinion, and there are some aspects of it that reasonable people could disagree about.
That being said, there are a lot of perfectly legitimate needs for your website to be able to execute commands on your server, including making backups like Total Upkeep in this case. The risks from opening these functions up primarily come from two categories.
First, a careless programmer could use them to accidentally cause issues on the server. For example, a very resource-intensive command could cause your website to affect your neighbors on a shared server. Most web hosts will have resource abuse monitoring systems to terminate this kind of command automatically.
Second, a malicious actor could use them. The most common things I’ve seen in this category are sending Spam and mining cryptocurrency. However, for this to occur, your website must have already been hacked to inject the malicious code into your account. Again, most web hosts will have automatic virus scanning for this kind of attack.
For you, the website owner, to avoid these risks really boils down to following a few simple best-practices. First, only use software (i.e. Plugins and Themes) from trustworthy sources. Keep your software up-to-date, use strong passwords, and consider some other steps for hardening WordPress security.
And of course, keeping regular backups is a vital part of security so that you can recover in the event of a hack or some other catastrophic event on your site.
I’m not familiar enough with Simply Hosting to pass any kind of judgement on them, and it may be that they have a backup system you could use in place of Total Upkeep. They may have reasons I haven’t considered for disabling the execution functions as well. But, again in my own opinion, hobbling your website’s functionality to provide more “security” is a bit like presuming you’re “guilty until proven innocent.”
Thanks Jesse, I appreciate your thorough assessment!
I raised a support issue with Simply Hosting and they explained how the PHP Selector tool’s ‘Options’ section contains a disable_functions field where you can manually type the names of any functions you want to disable, and remove any of the default disabled functions if you wish to enable them. I suppose this mimics what the Multi PHP INI Editor would do.
SH support did this for me, and has left the show_source & popen functions disabled; plus they also disabled the allow_url_fopen function.
In other words (if I’m understanding this correctly) they have enabled system, shell_exec, passthru, exec & proc_open.
It’s all Greek to me, but it has indeed allowed Total Upkeep to pass the Preflight Check.
If you have any concerns about the changes that were made, please let me know; otherwise, if no concerns, I think we can consider this solved, in which case thank you for your invaluable and timely support!
PS: forgot to add, at the end of their support reply they said “By default we disable PHP functions that could lead to code injection and other vulnerabilities to your account so we suggest you to contact your developer or plugin/theme vendor and enable only the functions that they recommend to avoid any attacks, hacking etc.”
Hi Ralph-
Awesome, I’m glad to hear that you were able to get it all taken care of!
As I mentioned above, any “attacks, hacking etc” that makes use of these functions must already have access to your account. So the “enemy is already through the gate” in that scenario. As long as you’re following good security best-practices, you’ll be OK with these functions enabled.
Thanks for your assistance Jesse! And I’ll take a look through the link you provided on hardening WP security as well.
Cheers, Ralph
- The topic ‘Preflight check fails No execution functions available, no Crons available’ is closed to new replies.
