Server Management SSH Tips & Tricks

Copying a website over FTP quickly using SSH terminal.

Earlier this week, I was presented with a challenge to copy over a website that didn’t have a control panel like cPanel, and move it to the cPanel web hosting service provided by Extreme Web Technologies.

The traditional approach for this type of migration is either to archive all the contents, if a tool like File Manager exists and lets you do that, or to download all the contents first.

Here’s a quick way to copy over all contents recursively, or ‘mirror’ them as it’s called, using the handy wget utility.

If you’re using cPanel/WHM, you can go to WHM > Terminal, or just SSH into the server you want to copy into, and run the commands below:

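cd /home/cpanel_user_here
mkdir ftpcopyfolder
# Change into the new folder so the mirrored files land inside it
cd ftpcopyfolder
# --password is visible in the process list and shell history; --ask-password prompts for it instead
wget -m --user="ftp_user_here" --password="ftp_pass_here" ftp://ftp_server_here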

It can take a bit of time depending on the data to be copied. Once done, don’t forget to change ownership of these files using the following command:

chown -fR cpanel_user_here:cpanel_user_here /home/cpanel_user_here/ftpcopyfolder

I hope you find this useful.

Security Web Hosting Wordpress

Cleaning .class-wp-cache.php WordPress Hacked Site

WordPress websites are commonly compromised and made to carry out a variety of malicious behaviours, so there isn’t a single fix for all the WordPress problems out there.

I hope that this quick read helps someone, sometime, to clear out files left behind by a recent WordPress compromise that I was looking into, where I spotted a certain file appearing in each and every folder on the account.

The file at first seemed part of WordPress due to its name – “.class-wp-cache.php” – but after seeing it a number of times, I thought I’d take a look and see what it actually is.

A Google search for “.class-wp-cache.php” shows some similar names, so it may be misleading to think it is part of WordPress. Digging in, the code was not obfuscated, so I was able to quickly skim through it and see that it was going to be used to do some cURL requests.

Due to time constraints, I didn’t investigate further what it was used to do and how it was put in every folder. I imagine the attacker left these behind to come back to the site after it was fixed, hoping to re-infect it.

I proceeded to clean this infection; and realised that it would take a long time to do this manually. For anyone else needing to clean this sort of attack quickly, here are some shell commands.

1. From the public_html folder, use the following to find where the file exists:

find . -name ".class-wp-cache.php"

2. Use the following to delete these files from everywhere:

find . -type f -name ".class-wp-cache.php" -exec rm -f {} \;
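Deleting the files outright also deletes the only record of what was dropped and where. The script below is an added example, not part of the original post: it hashes every copy, moves it out of the web root for later analysis and reports how many were removed. The function names and the evidence folder layout are assumptions made for illustration.

```bash
# Added example (not from the original post). Names and paths are illustrative.

# quarantine_dropped_files <webroot> <filename> <evidence_dir>
# Hashes every match, moves it out of the web root, prints how many were moved.
# Keep <evidence_dir> outside the web root so samples are never web-reachable.
quarantine_dropped_files() (
    webroot=$1; name=$2; evidence=$3

    mkdir -p "$evidence/samples" || exit 1
    chmod 700 "$evidence"
    evidence=$(cd "$evidence" && pwd) || exit 1   # make the path absolute
    cd "$webroot" || exit 1
    : > "$evidence/inventory.txt"

    # "-exec ... {} +" hands paths over as arguments, so folder names with
    # spaces are safe. -type f skips directories and symlinks.
    find . -type f -name "$name" -exec sh -c '
        evidence=$1; shift
        for f in "$@"; do
            hash=$(sha256sum < "$f" | cut -d" " -f1)
            dest="$evidence/samples/$(dirname "$f")"
            mkdir -p "$dest" || exit 1
            # The .sample suffix stops the copy from ever running as PHP;
            # mv keeps the modification time, which helps date the infection.
            mv -- "$f" "$dest/$(basename "$f").sample" || exit 1
            printf "%s  %s\n" "$hash" "$f" >> "$evidence/inventory.txt"
        done
    ' sh "$evidence" {} + || exit 1

    wc -l < "$evidence/inventory.txt" | tr -d " "
)

# count_variants <evidence_dir>: number of distinct file contents seen.
# One variant means the same dropper everywhere; several deserve a closer look.
count_variants() {
    cut -d" " -f1 "$1/inventory.txt" | sort -u | wc -l | tr -d " "
}
```

The inventory lists one hash and original path per line, so it doubles as a checklist of folders the attacker could write to.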

Don’t forget to secure your WordPress instance with the usual best practices:

  • Use a very strong password for WordPress admin
  • Make sure to have a username that is not called admin
  • Update WordPress core to the latest version
  • Remove plugins that are not active or in-use
  • Update all the Plugins to their latest versions
  • Remove themes not in use
  • Update the theme in use to the latest version
  • Set up a firewall plugin like Wordfence

All the best.

Extreme Web Technologies Web Hosting Web Presence

What is DNS, and why is it important.

DNS is short for Domain Name System. It’s at the core of every domain, and without it nothing on the internet as you know it would work.

Every time you browse the web, send an email or make audio/video calls, DNS is relied on to know where to send your request.

Think of the DNS as an operator. Let’s say you want to access a website and type in its address. Your computer asks your router, which in turn asks other servers such as your ISP’s, which then ask the domain name system “where do I find this website?” and get back an IP address: the server to direct your request to.

All that happens in a split second!

This is why it’s crucial to ensure your domain is set up correctly, and the very first thing you come across while registering a domain is nameservers.

Nameservers are the DNS servers associated with your domain. They are where your DNS records are published; anyone who wants to find your site or send you an email asks these servers where that request should be forwarded to.

A domain must point to at least two nameservers, which should also be distributed geographically. If one goes down, is not responsive or simply can’t provide the necessary information in time, the other can take over and serve the request. Otherwise you end up facing all sorts of issues, such as email delivery problems and an unreachable website.

Most free DNS services, including the one Extreme Web Technologies provides for free with every domain, don’t support redundancy. In fact, many low-cost hosting providers don’t provide redundancy for DNS.

If you plan to have email in particular configured on your domain, you should check with your provider to ensure your nameservers are redundant.

You’re better off hosting your site with a reputable provider like Extreme Web Technologies, or at the least, our Basic Starter plan to take advantage of redundant DNS servers, website redirection as well as under construction pages.

Not sure if your domain nameservers are redundant? Reach out to us on [email protected] with your domain name and we’ll be happy to check it for you.



What is a web address?

A web address, also called a domain name, is the starting point of a web presence.

They’re registered for a minimum duration of 1 year, up to 5 to 10 years depending on the extension. A dot TZ can be registered for 5 years, whereas generic ones like a dot COM can be registered for 10 years.

Some registration providers like Extreme Web Technologies include free domain name service (DNS) with every domain that is registered, with an option of premium DNS if you require it.

Don’t have a domain yet? Head on to to register yours today! It’s fast, easy and takes a couple of minutes with online payments.

Editor’s Note: This article was written by Mohsin Sumar (@mohsinsumar), who is the Founder and CEO of Extreme Web Technologies. Mohsin, with his Customer Happiness team, constantly strives to deliver top-notch quality web hosting in Tanzania.

Photo Credits: GraphiqaStock


Security Advisory: New Email Scam claiming hackers have your password

Over the past few weeks, some people have received emails that appear to come from themselves, claiming that a hacker has stolen their passwords and hacked their webcam, and threatening to expose their data and browsing habits unless they remit bitcoins valued at between $1000 and $1500 US dollars.

The hackers use publicly exposed data from massive breaches that have happened across various popular services including Yahoo, LinkedIn and others.

In this new type of email scam, the hacker spoofs your email address so that it appears as if he has logged into your email account and sent you an email from it. This is easily achieved, and can be minimized by following the best practices detailed in my earlier post about preventing email spoofing with SPF.

The hackers claim they have your password, which they get from publicly exposed data, and hope to intimidate you into paying them a ransom.

The hackers use automated processes to send mass email and spoof users’ addresses, so the messages appear to be sent from the recipients’ own mailboxes.

Security Best Practices

Whether you are a victim of this email scam, or not — you should follow some best practices to avoid being compromised:

  • Check your password on Have I Been Pwned. It will let you know if the password exists in publicly exposed data from previous breaches.
  • Change your passwords immediately.
  • Ensure the use of strong passwords which contain lower case, upper case, numbers and symbols
  • Ensure your password is unique for every website or service that you use.
  • Use multi factor authentication wherever available.
  • Always make sure you are entering your passwords on secure websites. Learn more on how to check if a website is secured or not here.
  • Make sure you’re using SSL/TLS in your email clients.

Words of Wisdom

“There is nothing so useless as doing efficiently that which should not be done at all.”  —  Peter Drucker

Extreme Web Technologies Security Tutorials Web Hosting Web Presence

SSL is no longer optional for your website.

Your website is most likely being labelled “Not Secure”. What does it mean, and how do you get it fixed?


Nearly two years ago, Google announced that Chrome would eventually start marking all sites that are not encrypted with HTTPS as ‘Not Secure’ as an attempt to motivate site owners to improve the security of their websites.

On July 24th 2018, Google officially launched Chrome 68 and with it rolled out the warning labels on all websites.

Chrome is a widely used browser, accounting for about 80% based on statistics by W3Schools, whose website receives 50 million visitors a month.

What do these labels mean?

As seen above, there are three (3) types of labels.

i) Not Secure

This means that you do not have an SSL certificate installed on your website. I’ll explain what that is, and how it helps in a bit.

ii) Secure

This means that everything is good – and you don’t need to do anything more.

iii) Notice

This usually means that while the site itself is secured, some content loaded on the website is not secure. If you’re getting this, your website developer or webmaster will need to fix it. The most common cause is external links using http:// instead of https://, or preferably simply //, which supports both.

Some examples include:

  • External images shown on your website.
  • External links to javascript files such as jQuery.
  • External links to CSS files such as Bootstrap.
  • Embedding of Google Fonts, Analytics and pretty much any other services.

Note that using https:// on any of these requires the external service/server to have a valid SSL certificate installed on their end too!

What does Secure mean?

Any communication over the internet could either be secured, or not. A secured communication means that the data that is received or transmitted is encrypted which prevents prying eyes from looking at it.

Let’s say – you’ve typed in your username and password on a website. If that information, when sent over the internet is not secure – then anyone between your computer — and the server/service — could potentially “see” that data. However, if the website is secured, then the same information is encrypted making it extremely difficult for someone to see it.

Should I care if my website doesn’t have any login forms?

Yes, you should. Login forms are just one example. Maybe, you have a contact form where you ask your website visitors to fill in a message to reach you. The information that they type in there would be transmitted insecurely which could allow someone to see it.

SSL is no longer optional. Add SSL to your website today to avoid losing visitor confidence and sales. Plus, with SSL you get all these benefits too:

  • More secure user experience
  • Protect user privacy
  • Increased conversions
  • Boost search rankings
  • Increased user trust
  • Show you care about users’ data

How do I secure my website?

You’ll need to get an SSL certificate installed for your website. This could be done by yourself, your webmaster, website developer or your web host.

What is an SSL certificate?

SSL is short for “Secure Sockets Layer”. It was introduced in the mid 90’s as a protocol to secure traffic. While SSL itself is deprecated, the newer versions of the protocol are actually known as “Transport Layer Security” (TLS). The certificates, however, are still commonly referred to as SSL certificates.

An SSL certificate is used by browsers such as Chrome, Firefox, Safari or Edge to establish trust: the browser checks that the certificate is valid with a Certificate Authority (CA) and uses it to encrypt the communication between you and the server/service that you are communicating with.

These certificates are issued by Certificate Authorities (CA) who vet and issue the certificates. There are a few types of SSL certificates:

  • Domain Validation (DV) SSL Certificate
    Domain Validation SSL certificates are the cheapest provided by well known SSL brands. They are also freely available through Let’s Encrypt, a free, automated and open certificate authority sponsored by big names in the internet industry. Free SSL certificates are also included in some hosting plans offered by web hosting companies like Extreme Web Technologies. They are ideal for basic security for websites and blogs, and are usually issued in minutes.
  • Organisation Validation (OV) SSL Certificate
    Organisation Validation certificates are slightly more expensive as they have some documentation processes required, such as verifying your organisation’s legal information. The certificate authorities usually ask for your business incorporation documents, as well as physical address and sometimes identities of website/business owners. These are always purchased separately and are a must have for serious businesses. These could take about a week to be issued, sometimes a bit more.
  • Extended Validation (EV)
    Extended Validation certificates are the most expensive certificates available. They could cost up to $2000 per year and go through extended validation processes including credit checks. These certificates also include a special feature supported across browsers which makes the address bar green showing your company name. These certificates are a must have for internet banking portals, as well as other applications to ensure user trust in the service. These certificates take the longest time to be issued, generally between 2-4 weeks.

I have a certificate, but my website still shows Not Secure when accessed.

When website visitors type in your website link on the address bar, they end up on the non-secure version of your site. You may need to consult your website developer or hosting company to assist you with this. 

How to fix Not Secure on WordPress.

If your website is built on WordPress, then the simplest way to make the switch is by going to your WordPress Admin (wp-admin), under the Settings > General screen, update your WordPress Address (URL) and Site Address (URL) to include https://.

How to fix Not Secure on my website which is NOT built on WordPress.

This will work on pretty much any basic website on cPanel hosting, such as the hosting plans offered by Extreme Web Technologies.

Log into your cPanel, open the File Manager and, under the public_html folder, look for a file named .htaccess and edit it. If it doesn’t exist, you can create it and paste the following snippet.

Make sure to update your domain name in it:

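<IfModule mod_rewrite.c>
RewriteEngine On
# Only act on requests for this domain that arrive over plain HTTP (port 80)
RewriteCond %{HTTP_HOST} ^yourdomain\.co\.tz [NC]
RewriteCond %{SERVER_PORT} 80
# Permanently redirect to the same path on the HTTPS site
RewriteRule ^(.*)$ https://yourdomain.co.tz/$1 [L,R=301]
</IfModule>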

I’m stuck and need someone to do this for me.

Please contact our customer happiness team at Extreme Web Technologies to assist you in getting your website secured.

This blog post was written by Mohsin Sumar (@mohsinsumar), who is the Founder and CEO of Extreme Web Technologies. Mohsin, with his Customer Happiness team, constantly strives to deliver top-notch quality web hosting in Tanzania.

Image credits: Creativeart

Words of Wisdom

Don’t be afraid of being different

“Don’t be afraid of being different, be afraid of being the same as everyone else.” – Unknown.

Security Server Management Web Hosting

Preventing email spoofing with SPF

The very first email was sent about 45 years ago, in 1971, by Ray Tomlinson. Tomlinson is internationally known and credited as the inventor of email. The Internet Hall of Fame, in its account of his work, commented: “His email program brought about a complete revolution, fundamentally changing the way people communicate.”

Fast forward 45 years…

Over the last two decades, email has indeed revolutionised the way we communicate.

There are over 4.3 billion email accounts in the world and of all the emails being sent, about 141 million emails were classified as spam by SpamCop in the last 12 months alone!

Email is abused every day in the form of spam or phishing emails which may distribute viruses, malware, spyware, ransomware or attempt to steal information by disguising as someone else.

Make the Internet work better.

The Internet is best defined by Wikipedia as a global system of interconnected computer networks to link billions of devices worldwide. Every server on the internet can make the internet work better by following some standards to prevent abuse.

What most don’t know of is the existence of the Internet Engineering Task Force (IETF). The IETF develops and promotes voluntary internet standards with the mission to make the Internet work better. These internet standards are published as RFCs, which stands for Request for Comments.

35 years after the first email, IETF published RFC 4408 in 2006 which describes Sender Policy Framework, commonly known as SPF. The original SPF document was then replaced by another version RFC 7208 published in 2014.

Sender Policy Framework (SPF) is amongst the widely adopted ways of preventing email abuse.

So, what does SPF do?

SPF is a simple email validation system designed to detect email spoofing and provides a mechanism for email servers to check the incoming email to verify whether it originated from a trusted source.

It allows your domain name administrator to publish your authorised email source servers, and provides a way for receiving email servers to verify the email origin. The receiving server then evaluates the check and produces a result such as Pass, Neutral or Fail, amongst others, and lets its email policies decide what to do.
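The result a spoofed message gets depends on how the published record ends. The function below is an added example, not part of the original post: it reads an SPF record and reports which result a sender that the record does not list would receive, along with how many of its terms cost the receiver a DNS query (RFC 7208 section 4.6.4 caps these at 10 per check). The function name `spf_audit` and the sample records in the comments are constructed, and only the top-level record is inspected; `include` and `redirect` targets are not followed.

```bash
# Added example (not from the original post).
# spf_audit "<SPF TXT record>"
# Prints "<result for senders the record does not list> <DNS-querying terms>".
#   v=spf1 include:_spf.example.net mx -all   -> Fail 2      (constructed)
#   v=spf1 ip4:192.0.2.0/24                   -> Neutral 0   (constructed)
spf_audit() (
    set -f                                   # split on spaces without globbing
    record=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $record in
        "v=spf1"|"v=spf1 "*) ;;
        *) echo "not-spf 0"; exit 1 ;;
    esac

    default=""; redirect=no; lookups=0
    for term in $record; do
        # Strip the qualifier, then count terms that trigger a DNS query.
        case ${term#[-+~?]} in
            include:*|a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|redirect=*)
                lookups=$((lookups + 1)) ;;
        esac
        # The first "all" always matches, so its qualifier is the fallback.
        if [ -z "$default" ]; then
            case $term in
                -all)       default=Fail ;;
                "~all")     default=SoftFail ;;
                "?all")     default=Neutral ;;
                all|+all)   default=Pass ;;
                redirect=*) redirect=yes ;;
            esac
        fi
    done

    if [ -z "$default" ]; then
        # No "all": a redirect hands the decision to another record;
        # otherwise RFC 7208 section 4.7 makes the default result Neutral.
        if [ "$redirect" = yes ]; then default=Redirect; else default=Neutral; fi
    fi
    echo "$default $lookups"
)
```

Only a record that yields Fail gives a receiving server grounds to reject a spoofed message outright; SoftFail, Neutral and Pass leave it to be delivered or, at best, flagged.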

Email Policies

Anyone setting up or managing an email server needs to set some sort of policies. These policies help protect the email system from abuse of resources. Luckily, most of these policies already come bundled in with the mail server software including Exim and Microsoft Exchange Server or hosted services such as cPanel hosting, Office 365 and Google Apps for Work.

However, the SPF fail policy needs to be configured. There are 3 choices:

  1. Reject the email (recommended)
  2. Accept and deliver the email with additional actions (move to Junk Mail, change the subject line, and so on)
  3. Accept, but delete the email (not recommended)

This is well documented in Appendix G2 of RFC 7208.

What is the best way to handle unauthorised email messages?

The most logical way to handle unauthorised email messages (SPF fail) is to reject it before it is received. This protects the system from unnecessary handling of incoming email including data transfer of the email content as well as other processes such as spam filtering and email delivery.

Doing this also notifies the sender that their email was rejected because it failed the SPF check and, if the sender is legitimate, they will appropriately rectify their systems.

Can someone spoof my emails, even after deploying SPF?

Yes, someone can still spoof your emails. SPF does not define the standard of sending email itself, but rather a standard for checking if the sender server is trusted.

Prevent unauthorised emails from going out in the first place.

It’s unfortunate to see many servers allow emails to be sent without authentication, either through website scripts or SMTP. Any email that goes out from an email system should be authenticated to prevent abuse. Doing so makes it easier for system administrators to block that user in the event of a SPAM outbreak.

At Extreme Web Technologies, we block a simple PHP mail function that is commonly used to send out unauthenticated emails. It is widely used in contact forms. When a website is compromised, a spammer can leverage that function to send out large volumes of spam email.

We also properly reject emails that are not from a trusted source. I have come across some email servers that do not have the appropriate reject policy set for SPF failure. They are putting their users at risk of receiving spoofed emails from untrusted sources.

I hope that future RFC revisions will be in favor of rejecting the email message, instead of allowing the option for it to be handled by email policies. Till then, the best way to prevent email abuse is to use a strong SPF record, and have DKIM set up too, host your emails & website with a professional hosting company and HOPE that the recipients use a mailserver with realistic mail policies!

This blog post was written by Mohsin Sumar (@mohsinsumar), who is the co-founder and CEO of Extreme Web Technologies. Mohsin, with his Customer Happiness team, constantly strives to deliver top-notch quality web hosting in Tanzania.

Image credits: Background vector designed by Dooder; modified by Mohsin Sumar.

Server Management SSH Tips & Tricks

Using find to compress new or modified files after a particular date

One of our customers had a unique challenge of moving web servers. Their site was huge, with one directory having over 200GB of images. They opted to do a partial migration, copying over the website as is first before the final switch over.

The final switch over required copying over only the latest files created or modified after a particular date.

The most efficient way would have been the rsync utility. Unfortunately, this was not an option as we did not have SSH access on the new service, so we had to find an alternate way.

The objective was simple:

  • Find the files
  • Archive/compress them

There are two commands that needed to be run: the first searches for new or modified files after a particular date, and the second creates a tar file.

The dry run command looked like so:

find /path/to/folder -type f -newermt '2017-04-01T00:00:00' -print0

Let’s break this down:

  • find /path/to/folder
    • This defines where to search
  • -type f
    • We’ll be looking for files only, recursively.
  • -newermt '2017-04-01T00:00:00'
    • The date from which we want to search
  • -print0
    • This outputs each matching file name followed by a NUL character, so the list can be piped into the tar command even when names contain spaces

For the second objective, we piped the output of the first command into tar. This is appended to the original command.

  • | tar --null -czvf /backup/archive-name.tar -T -
    • | begins piping into tar
    • -czvf makes tar create a gzip-compressed archive and output the progress (verbose)
    • --null tells tar that the incoming file names are NUL-terminated, matching find’s -print0
    • -T - takes in the files to archive from the previous output

Here is the final command:

find /path/to/folder -type f -newermt '2017-04-01T00:00:00' -print0 | tar --null -czvf /backup/archive-name.tar -T -
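On a 200GB migration it is worth confirming that the archive holds exactly the files the search found before switching over. The function below is an added example, not part of the original post: it runs the same find and tar pipeline from inside the source folder, then compares the number of archive members with the number of files found. The function name `archive_modified_since` is an assumption, and GNU find and GNU tar are required.

```bash
# Added example (not from the original post); needs GNU find and GNU tar.
# archive_modified_since <src_dir> <cutoff> </absolute/path/archive.tar.gz>
# Prints the number of files archived; fails if the archive does not match.
# Write the archive outside <src_dir>, or find will pick it up as a new file.
archive_modified_since() (
    src=$1; cutoff=$2; archive=$3
    case $archive in
        /*) ;;
        *) echo "archive path must be absolute" >&2; exit 2 ;;
    esac
    cd "$src" || exit 1

    # Relative member names (./images/x.jpg) extract cleanly under any
    # document root on the new server. --null pairs with -print0.
    find . -type f -newermt "$cutoff" -print0 |
        tar --null -T - -czf "$archive" || exit 1

    # Verify: one NUL per file found against one line per archive member.
    expected=$(find . -type f -newermt "$cutoff" -print0 |
        tr -cd '\0' | wc -c | tr -d ' ')
    actual=$(tar -tzf "$archive" | wc -l | tr -d ' ')
    if [ "$expected" -ne "$actual" ]; then
        echo "archive has $actual members, expected $expected" >&2
        exit 1
    fi
    echo "$actual"
)
```

Files that change between the archive step and the count will cause a mismatch, so run it while uploads to the old site are paused.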

I hope this will be useful for anyone with a similar requirement.