
Topic: Company News

Local Alignment as an Oregon Benefit Company

One of our operating principles is “supporting local”. To this end, we have realigned our Oregon Benefit Company certification with a local Oregon-based company. This was a necessary and overdue decision, as the prior certifier (Green America) has lost credibility. With this new certification, we are better positioned to help and encourage other local businesses to do the same.

Two weeks ago, we completed and passed our final audit with Benefit Corporations for Good. The company, owned and operated by Tom Hering and Mary Anne Harmer, stands for the same principles of operation that we have built into the DNA of Canvas Host. Both Tom and Mary Anne have been at the forefront of the Oregon Benefit Company movement for many years, proving this through their recently published book, Putting Soul into Business.

At Canvas Host, we believe that supporting local is not only what is needed but what is important in our growth as a company and our transparency to our customers. If you would like to learn more about this process, requirements, or definitions, please contact us at csr@canvashost.com. We are always here to assist.


Tune-Ups For Your Website

Just like maintenance for your car, your website requires consistent tune-ups and care. If you ignore website maintenance and do not take care of outdated code, your website is vulnerable to attacks and hacks. Websites can and do break down just as easily as vehicles.

Over the past year, we have seen an increase in requests from companies that have needed assistance in updating their websites. Many times business owners have come to us not knowing what to do or where to start. Sometimes these fixes have been quick and sometimes we have suggested a full website rebuild due to the complexity of the deficiency. Overall, we will be 100% transparent in our professional assessment.

To simplify this further, we have created a simple maintenance program. This program will not only check your WordPress website for the latest plugins and versions, but it will automatically back up your website to our off-site hosting facility in Bend, OR.

Were you also aware that by updating your website, you could also increase your Search Engine Optimization? If you are updating your content regularly, or even updating your code, SEO ranking can also increase.

For more information, please contact us at design@canvashost.com, or by calling 877.HOST.503.


Understanding SSL – Is Your Website Secure?

For the past 18 months, we’ve sent periodic announcements to customers about the need to secure their website with SSL. “Secure Sockets Layer” is a technology available to all customers in our network. SSL is used to encrypt a browser session whenever it connects to your website. It is the most crucial step to protecting information that customers may be trying to send to you, such as credit card numbers, email addresses, or phone numbers.

As of July 1, 2018, most major website browsers (and even some operating systems) will start to alert a user when visiting a non-SSL website. Google, and other major search engines, are now penalizing non-SSL websites’ SEO rank. If website traffic is important to you, you absolutely need to move on installing SSL on your website.

The best way to tell if your website currently runs SSL is to try to visit it at the full URL (website address), beginning with “https://”, such as “https://www.canvashost.com”. The “s” in “https” is your first clue. If your website shows up normally, and you see a green padlock appear in front of the URL, then your website has an active SSL certificate installed, and you’re all set!

If your website does not show up properly, or you are shown an error message that the site could not be loaded, then your website does not have an active SSL certificate installed. This is a problem, and it needs to be addressed.
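The same check can be scripted so it also reports who issued the certificate and when it expires. The following is an added example, not Canvas Host's own tooling; the function names, the 14-day warning threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 14  # assumption: renewal warning threshold chosen for this example

def summarize_cert(cert, now=None):
    """Summarize the dict returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "issuer": issuer.get("organizationName", "unknown"),
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": days_left,
        "status": "ok" if days_left >= WARN_DAYS else "expiring soon",
    }

def check_https(hostname, port=443, timeout=5.0):
    """Connect as a browser would: validate the chain and the hostname."""
    ctx = ssl.create_default_context()  # certificate and hostname checks are on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                report = summarize_cert(tls.getpeercert())
                report["protocol"] = tls.version()  # e.g. "TLSv1.3"
                return report
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, or issued for a different name
        return {"status": "certificate rejected", "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Nothing listening on the port, or the handshake failed
        return {"status": "no usable HTTPS", "detail": str(exc)}

# Constructed sample in getpeercert() format, so the summary can be tried offline
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(check_https("www.canvashost.com"))
```

A "certificate rejected" result corresponds to the browser error page described above, while "expiring soon" flags a site that loads today but will start failing unless the certificate is renewed.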

One thing that Canvas Host does, which distinguishes us from our competition, is that we make free AutoSSL certificates available on most hosting plans. These certificates do not include a warranty against data breaches, and we do not recommend them for e-commerce or business websites. They also do not work in our PCI compliant environment. Still, for basic blogging, a free AutoSSL certificate is a simple way to run a successful and secure website in the eyes of search engines and browsers alike.

If you aren’t sure if your website is correctly configured, contact us at support@canvashost.com, and we’ll be happy to review your website. If you have SSL installed on the hosting account, but your website isn’t working properly, you may need to reconfigure some settings. At your request, our team can perform a complete review of the site, and convert it to work properly with SSL, starting at $200.

SSL is here to stay, and it’s important to keep your site secured, to protect not only your site’s operations, but your customers’ browsing experience as well.

Thank you,

David Anderson


Dealing With Hacks

At Canvas Host, we pride ourselves in operating as secure a network as we can. We work hard every day to provide a safe hosting environment, to help you run a successful website. In recent months, a few hacks have circulated around the Internet, and we thought this would be a good time to update you on the steps we have taken, and changes to our procedures we continually employ, to protect you and your data.

Patching Is Crucial

Every software vendor on the planet has at some point or another issued a patch for their code. Some providers and frameworks, like WordPress, are constantly releasing updates, not only for the core code base, but also themes and plugins. While some of the updates are to roll out functionality improvements, many of the incremental releases are to patch vulnerabilities — weaknesses in the code that can be exploited — and which have come to light through testing, or in some cases, pure chance.

Code updates are a good thing. They are necessary to ensuring your website and hosting environment are kept running quickly and securely. Update notices can be annoying, but they’re there for a good reason.

Alerts Are There For A Reason

If you subscribe to our WordPress hosting service line, you should receive regular alerts about vulnerabilities our own scanning systems have detected in your installations. It could be due to an outdated code base or old plugin, or we may have detected a suspicious file that is lying dormant in your website.

In our notifications, we try to address the precise file or set of files that are of concern. As a customer, it is your responsibility to clean up your website, have your webmaster/webmistress do it for you, or hire us to do it. If you don’t act on our warnings, and we later determine that your site has been compromised, we will most likely suspend the account until you have a chance to address and resolve the issue(s).

We understand how this may impact you, and even informing you of potential concerns may be alarming, but that’s the point. It’s our responsibility to protect our systems and network, so in turn we can protect you and all customers of our services.

That said, no system is foolproof. Inevitably, any system is going to have weaknesses. Sometimes, those weaknesses will be exploited.

Understanding The Impact Of Vulnerabilities

In January, we issued a statement about a previously unknown set of vulnerabilities, known as Spectre and Meltdown, that we had been made aware of and that potentially impacted every CPU on the planet, including those in our web servers. Hardware vendors worldwide scrambled to release patches for operating systems, including some that we use, to prevent the vulnerabilities from becoming a major issue. We applied those patches, and all was well.

In mid-April, we became aware of an update to an operating system technology we utilize called CloudLinux. CloudLinux provides a virtualized environment that functions in ways very similar to virtual private servers, in that we can allocate precise amounts of RAM and CPU processes to a given website. It’s a fantastic technology that can prevent server spikes and website outages.

It was not indicated that the release was an urgent patch. At that same time, we were diagnosing a mystery hack for a handful of websites hosted on one of our servers that use CloudLinux. In the release notes, we learned the patch corrected an issue that was related to the site hacks. We applied the patch as soon as we became aware of it, but unfortunately, the hack had already occurred. Though not considered a zero-day exploit, it is our belief hackers immediately seized upon the vulnerability, before we and other providers had an opportunity to apply the patch. In the end, fewer than 40 websites were defaced, and we communicated directly with those customers throughout the process.

It could have been much, much worse. Take, for example, this release from Drupal about an extremely critical vulnerability that could lead to an entire server becoming compromised. We have been in communication with several Drupal developers whose own websites were hit by that vulnerability, and unfortunately, it impacted their entire server.

Responding To A Hack

When a hack happens, how a service provider responds is crucial. And yet, disclosure of a vulnerability is one of the greatest challenges in dealing with a hack. As a B Corporation, we champion transparency throughout our operations, including admitting errors or faults in our systems. At the same time, when we’re dealing with a potential security risk, we don’t want to broadcast it to the world. It’s not because we’re afraid of admitting fault; rather, we don’t want to draw more attention and risk to the situation than is necessary. We also don’t want to unnecessarily raise alarms to customers that were not affected.

Every situation is a learning opportunity, and a chance to improve a process. In the case of the CloudLinux hack, we identified a weakness in our Managed WordPress service line, and have implemented a change to how we manage backups for those websites. The change has dramatically improved its utility, not to mention added security for those customers subscribed to it.

As part of the service, we make weekly backups of WordPress websites prior to applying patches and other updates. Historically, those backups were being stored locally, within the customer’s hosting account. We have amended this process, and are now storing those backups at our secondary datacenter in Bend. Beyond protecting those backups from a potentially compromised hosting account, the data is also stored in an earthquake-proof hosting environment. This is one silver lining that has come out of a situation of concern.

How You Can Protect Your Website

Here are a few tips you can employ to protect your website against hacks:

  1. Patch, patch, and patch again! Keep your website updated.
  2. When we notify you of a vulnerability, act on it.
  3. If you’re managing your own website, look for announcements from the application’s project team.
  4. If you’re not sure how to patch or manage your website, ask us for help.
  5. Change your website and hosting account passwords frequently.
  6. If it’s been a while since you last patched your website, revisit step 1, or ask us to perform a free vulnerability scan of your website.

If ever you have questions or concerns about our hosting services, please ask us. We’re always open to your inquiries and suggestions. We recognize that no system is perfect, and it is our goal to learn from a situation, and from it create an even better service to you.

Thank you,

David Anderson


Meeting GDPR Compliance

Hello! I say this because it’s probably the only article you’ve read about GDPR compliance that will ever begin with “Hello!”

GDPR is a set of regulations, taking effect on May 25, 2018, that protect the personal contact information of all residents of the European Union. It sets forth rules under which companies worldwide must protect how they process and store information about their EU-residing customers, up to and including how those customers’ personal data is to be destroyed on request. Failure to protect the data can be costly, albeit through international litigation. The basic point is, EU-based customers have rights over their personal information, and if you’re a company working with those customers, you need to pay attention, and now, or else.

That sounds a bit dire, but GDPR is here and real. It’s something we all need to talk about, and it’s not something to be feared. Believe it or not, it is to be celebrated and supported. It is a platform from which companies worldwide can learn many lessons from which to ensure their own customers’ personal data is protected, whether they reside within the EU or not.

Since the creation of Canvas Host in 2002, we have endeavored to protect the personal information about all of our customers. From day one, we have held in our minds the notion that each customer is like a member of our family. Each of you has entrusted us with your business and personal data. Since that point, we have always maintained a hard line that we will never sell your data, nor use your data in any way other than to provide you the services for which you have contracted us.

In recent months, as GDPR’s launch has approached, our company has reflected on the many things we already do to protect your personal information, and steps we take to further protect your hosting account’s data backups. We’ve taken pride in a strict Privacy Policy, and we have amended it to signify our compliance with GDPR.

As a B Corporation, we go to the ends of the Earth to be an ethical host amidst a sea of swirling uncertainty.

We’ve also resisted the tide towards “all things cloud”, and to this day host 100% of our data within our network and direct control. We do operate a secondary data center space in Bend, Oregon, for the sole purpose of storing and serving data for select customers.

What does that mean towards GDPR?

As a Data Controller and Data Controller, we have legal basis to store and manage your personal contact information. In layman’s terms, because you are a customer, we need to store your name, email address, credit card number, IP address, and so forth, because that is all part of how we are able to provide you service to your hosting account, authenticate you as a paying customer in your hosting account and the Support area, and tell you apart from a random hacker.

It is true that in the “Latest Patch” emails we send to customers, there are links we provide for services and special deals we are running. At the same time, that is solely driven by us. We have not sold or provided, nor will we ever sell or provide, your personal contact information to a third party, unless forced by a court order. We treat the protection of your personal contact information extremely seriously.

Because of the global reach of GDPR, we have decided to apply its restrictions to all customers residing outside of the United States. And, if you are a resident of the United States, we will honor your request that we abide by GDPR’s same requirements.

If you are a resident of the EU, we have already unsubscribed you from our Latest Patch newsletter. If you wish to re-subscribe to it, you may do so at this link:

Latest Patch Newsletter Signup Form

If you have any concerns whatsoever about the protection of your personal data, please email sales@canvashost.com and let us know. We are here, we are listening, and we want only to serve your needs as best we can.

Additionally, if you are an EU resident, and you are concerned about your own website visitors’ activities on the site you host with us, please contact us if you need a contract (composed in English) noting how Canvas Host acts to protect your website and its visitors. We understand this is a complex component of GDPR, and are still working to understand the full scope of how this may impact our customers in various countries.

Finally, I want to state this to every single customer: One of GDPR’s requirements is that a company elect a Data Protection Officer (DPO), who regularly reviews the company’s policies to ensure it is meeting compliance, and corrects any lapses in those spaces. Canvas Host is a relatively small team, but I have elected to take on that role. As the company’s founder, and now as the DPO, I want to personally communicate to you my intent, as I have since 2002, that this company is here because of you; we are here to serve you; and we will never sell your data, nor intentionally compromise your privacy.

Canvas Host is the only certified B Corporation web host in the world. GDPR is but a formal set of policies that for many years, we have already upheld, and we are here to learn from it. We are not a perfect business; we are a human business; and together, you have our commitment that we will work to improve what we do, and how we do it.

Thank you,

David Anderson, Founder and Co-Owner