Moving web hosts

16 February 2021 by Lincoln Ramsay

I have written about how my site was hosted at nosupportlinuxhosting a few times. They were recently hacked, and since it was their admin server, rather than just their hosting servers that were broken into, they were apparently unable to continue and have shut down. RIP nosupportlinuxhosting.

Of course… that meant I had to move my site to a new host.

While I had apparently started with rsync for backups and moved to lftp (when they removed rsync), they must have re-added rsync because that’s what I was using at the end.

Since there had been a breach, I didn’t feel so good about just trusting that my files hadn’t been accessed, so I wanted to change all the secrets. That turned out to be the most time-consuming part of moving to a new host 🙂

I went through my local backup (which includes a text-based dump of the DB) and replaced all of the secrets with new ones. There are quite a few of them too. The username + password to log in, the DB username + password, the table prefix, some WordPress salts. Mostly this was all fairly straightforward although there were a few surprising places where the login username appeared in the DB (in the form of a path).
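An added example (not from the original post) of one pitfall in the replace step described above: WordPress keeps PHP-serialized values in its database, and each serialized string carries a byte-length prefix, so changing a username inside a stored path means updating that prefix too. The function names and the sample rows are constructed for illustration; the audit pass lists the lines where an old value still appears.

```python
import re

# PHP serialized string as it appears in a text dump: s:<byte length>:"<value>";
# mysqldump escapes the quotes as \" so both delimiters are accepted. Values that
# themselves contain a quote or backslash are skipped and left for the audit.
SERIALIZED = re.compile(r's:(\d+):(\\?")([^"\\]*)\2;')

def rotate_in_serialized(dump: str, old: str, new: str) -> str:
    """Replace old with new inside serialized strings, recomputing the length."""
    def fix(m):
        declared, quote, value = int(m.group(1)), m.group(2), m.group(3)
        # Only touch well-formed entries that actually contain the old value.
        if old not in value or declared != len(value.encode("utf-8")):
            return m.group(0)
        value = value.replace(old, new)
        return f's:{len(value.encode("utf-8"))}:{quote}{value}{quote};'
    return SERIALIZED.sub(fix, dump)

def audit(dump: str, old_values: dict) -> list:
    """Return (line number, label) for every line still holding an old value."""
    hits = []
    for number, line in enumerate(dump.splitlines(), start=1):
        for label, value in old_values.items():
            if value in line:
                hits.append((number, label))
    return hits

# Constructed sample: two rows of a WordPress options table in a text dump.
SAMPLE = (
    "INSERT INTO `wp_options` VALUES (1,'upload_path','/home/olduser/tmp');\n"
    "INSERT INTO `wp_options` VALUES (2,'cache',"
    "'a:1:{s:3:\\\"dir\\\";s:25:\\\"/home/olduser/public_html\\\";}');\n"
)

if __name__ == "__main__":
    fixed = rotate_in_serialized(SAMPLE, "olduser", "newlogin")
    print(fixed)
    # Row 1 is a plain (non-serialized) value, so it is reported for review.
    print(audit(fixed, {"login username": "olduser"}))
```

Plain occurrences such as the first row can be replaced directly; the audit is there to confirm nothing with an old value is left before the dump is uploaded.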

Once that was done, and I had secured a new hosting provider (namecheap), it was a fairly simple matter of creating the DB user and uploading the DB + the website files. But there were a few other things I had to do…

Because of the way nosupportlinuxhosting handled PHP, I had php.ini and .htaccess files with PHP stuff in them everywhere. I manually cleaned these up.

After cutting over DNS, I could access files using http, but https was broken, which is kind of a problem when your site forces https. I got acme.sh to request new certs and deployed them into cPanel, at which point I had working https.

I was expecting a bit of strangeness from WordPress since I had changed so much underneath it, but apart from an initial error message about a missing PHP module (that mysteriously went away by itself), there wasn’t really anything to do. I did have to re-create the temp directory (outside of public_html, so not part of any backup). I also took a bit of time to review and clean up plugins and security settings.

An unexpected thing I had to do was move over my kids’ emails. I set them up addresses using my domain before they were old enough to have a Google account, and they are still using these addresses. Since I was already familiar with it, I used offlineimap to pull down, then push up the emails so that they wouldn’t lose anything. As a nice bonus, my domain now has valid SPF and DKIM records. Before, I could only set up one of those.