Phi 9 Official Blog

Web Hosting Phenomenon

Make your wordpress blog bulletproof.



Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken. This article will go through some common forms of vulnerabilities, and the things you can do to help keep your WordPress installation secure.


This article is not the ultimate quick fix to your security concerns. If you have specific security concerns or doubts, you should discuss them with people whom you trust to have sufficient knowledge of computer security and WordPress.


What is Security?

Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control.


Qualities of a trusted web host might include:


Readily discusses your security concerns and which security features and processes they offer with their hosting.

Provides the most recent stable versions of all server software.

Provides reliable methods for backup and recovery.

Decide which security you need on your server by determining the software and data that needs to be secured. The rest of this guide will help you with this.


Security Themes

Keep in mind some general ideas while considering security for each aspect of your system:


Limiting access

Making smart choices that reduce possible entry points available to a malicious person.


Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.

Preparation and knowledge

Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to back up and recover your installation in the case of catastrophe can help you get back online faster.

Vulnerabilities on Your Computer

Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.


Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.


Vulnerabilities in WordPress

Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.


Updating WordPress

Main article: Updating WordPress.


The latest version of WordPress is always available from the main WordPress website at Official releases are not available from other sites — never download or install WordPress from any website other than


Since version 2.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates. Read the entry in the Dashboard or the WordPress Developer Blog to determine what steps you must take to update and remain secure.


If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.


If you are an administrator in charge of more than one WordPress installation, consider using Subversion to make management easier.


Reporting Security Issues

If you think you have found a security flaw in WordPress, you can help by reporting the issue. See the Security FAQ for information on how to report security issues.


If you think you have found a bug, report it. See Submitting Bugs for how to do this. You might have uncovered a vulnerability, or a bug that could lead to one.


Web Server Vulnerabilities

The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you.


If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.


Network Vulnerabilities

The network on both ends — the WordPress server side and the client network side — should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network.


Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted.



Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.


The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.


WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.


Things to avoid when choosing a password:


Any permutation of your own real name, username, company name, or name of your website.

A word from a dictionary, in any language.

A short password.

Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.



When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.


Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.


File Permissions

Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.


It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with fewer restrictions for the purpose of doing things like uploading files.


Here is one possible permission scheme.


All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server; if your hosting setup requires it, that may mean those files need to be group-owned by the user account used by the web server process.



The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.


The WordPress administration area: all files should be writable only by your user account.


The bulk of WordPress application logic: all files should be writable only by your user account.


User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:



Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.


Plugin files: all files should be writable only by your user account.

Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.


Changing file permissions

If you have shell access to your server, you can change file permissions recursively with the following commands:


For Directories:


find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:


find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
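To check an install against this scheme, the audit below (an added example, not part of the original article) lists anything group- or world-writable and tests wp-config.php against the 400/440 recommendation given later in this article. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# audit_wp_perms ROOT
#   LOOSE  path -> group/other-writable outside wp-content
#   REVIEW path -> group/other-writable under wp-content (may be intended)
#   CONFIG path -> wp-config.php whose mode is neither 400 nor 440
audit_wp_perms() {
    root=${1%/}
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r p; do
        case $p in
            "$root"/wp-content/*) printf 'REVIEW %s\n' "$p" ;;
            *)                    printf 'LOOSE  %s\n' "$p" ;;
        esac
    done
    # wp-config.php may live in ROOT or one directory above it.
    cfg=$root/wp-config.php
    [ -f "$cfg" ] || cfg=$(dirname "$root")/wp-config.php
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" ! -perm 400 ! -perm 440)" ]; then
        printf 'CONFIG %s\n' "$cfg"
    fi
}

# Constructed sample tree (not a real install) with three deliberate deviations.
make_demo_tree() {
    d=$(mktemp -d)/site
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/uploads"
    : > "$d/index.php"
    : > "$d/wp-config.php"
    : > "$d/wp-includes/load.php"
    : > "$d/wp-content/uploads/a.jpg"
    find "$d" -type d -exec chmod 755 {} \;
    find "$d" -type f -exec chmod 644 {} \;
    chmod 666 "$d/wp-includes/load.php"   # drift: world-writable core file
    chmod 775 "$d/wp-content/uploads"     # group-writable upload directory
    printf '%s\n' "$d"                    # wp-config.php is left at 644
}

demo=$(make_demo_tree)
audit_wp_perms "$demo"
rm -rf "$(dirname "$demo")"
```

REVIEW lines are not necessarily wrong: the scheme above expects user-supplied content to be writable by the web server on some hosts.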

Regarding Automatic Updates

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server’s user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the web server.


Database Security

If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one WordPress installation, this makes it that much harder to alter your other blogs.


If you administer MySQL yourself, ensure that you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled. See Secure MySQL Database Design for a nice introduction.


Securing wp-admin

Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around your blog’s admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files. Many WordPress attacks are carried out autonomously by malicious software bots.


Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php. See the Resources section for more documentation on how to password protect your wp-admin/ directory properly.


The most common attacks against a WordPress blog usually fall into two categories.


Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.

Attempting to gain access to your blog by using “brute-force” password guessing.

The ultimate implementation of this “second layer” password protection is to require an HTTPS SSL encrypted connection for administration, so that all communication and sensitive data is encrypted. See Administration Over SSL.


Securing wp-includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.


# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress

Note that this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.


Securing wp-config.php

You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.


Note: Some people assert that moving wp-config.php has minimal security benefits and, if not done carefully, may actually introduce serious vulnerabilities. Others disagree.

Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).


If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:


<files wp-config.php>
order allow,deny
deny from all
</files>


Disable File Editing

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to login, since it allows code execution. WordPress has a constant to disable editing from Dashboard. Placing this line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:


define('DISALLOW_FILE_EDIT', true);

This will not prevent an attacker from uploading malicious files to your site, but might stop some attacks.



First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system.


Firewall Plugins

There are a few plugins that purport to screen out suspicious-looking requests based on rule databases and/or whitelists. BlogSecurity’s WPIDS plugin installs PHPIDS, a generic security layer for PHP applications, while WordPress Firewall uses some WordPress-tuned pre-configured rules along with a whitelist to screen out attacks without much configuration.


Plugins that need write access

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit or check with someone you trust. Possible places to check are the Support Forums and IRC Channel.


Code execution plugins

As we said, part of the goal of hardening WordPress is containing the damage done if there is a successful attack. Plugins which allow arbitrary PHP or other code to execute from entries in a database effectively magnify the possibility of damage in the event of a successful attack.


A way to avoid using such a plugin is to use custom page templates that call the function. Part of the security this affords is active only when you disallow file editing within WordPress.


Security through obscurity

Security through obscurity is generally an unsound primary strategy. However, there are areas in WordPress where obscuring information might help with security:


Rename the administrative account: On a new install you can simply create a new Administrative account and delete the default admin account. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';, or by using a MySQL frontend like phpMyAdmin.

Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks.

Data Backups

Back up your data regularly, including your MySQL databases. See the main article: Backing Up Your Database.


Data integrity is critical for trusted backups. Encrypting the backup, keeping an independent record of MD5 hashes for each backup file, and/or placing backups on read-only media increases your confidence that your data has not been tampered with.


A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location. Imagine a site that makes weekly snapshots. Such a strategy means that if a site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that can help in rebuilding the site and possibly even post-compromise backups which will aid in determining how the site was compromised.



When performing forensics, logs are your best friend. Contrary to popular belief, logs allow you to see what was done, by whom, and when. Unfortunately the logs will not tell you who (which username) logged in, but they will allow you to identify the IP and time. Additionally, you will be able to see any of these attacks via the logs: Cross Site Scripting (XSS), Remote File Inclusion (RFI), Local File Inclusion (LFI) and Directory Traversal attempts. You will also be able to see brute force attempts.


If you get more comfortable with your logs, you’ll be able to see things like when the theme and plugin editors are being used, when someone updates your widgets and when posts and pages are added. These are all key elements when doing forensic work on your web server.
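A first-pass triage of an access log for the signals listed above, as an added example that is not part of the original article. It assumes Apache combined log format; the function names, thresholds and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# triage_wp_log FILE [LIMIT]
# Reads an Apache combined-format access log and prints one line per finding.
# LIMIT is the number of login POSTs from one address that counts as brute force.
triage_wp_log() {
    awk -v limit="${2:-5}" '
    function report(kind) { printf "%s %s %s %s\n", kind, ip, ts, uri }
    {
        ip = $1                     # client address
        ts = substr($4, 2)          # timestamp without the leading "["
        method = substr($6, 2)      # method without the leading quote
        uri = $7
        low = tolower(uri)

        # The request line carries no username, only address and time.
        if (method == "POST" && uri ~ /^\/wp-login\.php/) logins[ip]++

        if (low ~ /\.\.\// || low ~ /%2e%2e(%2f|\/)/) report("TRAVERSAL")
        if (low ~ /[?&][^=]*=(https?|ftp):\/\//)      report("RFI")
        if (low ~ /(<|%3c)script/)                    report("XSS")
        if (method == "POST" && uri ~ /^\/wp-admin\/(theme|plugin)-editor\.php/)
            report("EDITOR")
    }
    END {
        for (ip in logins)
            if (logins[ip] >= limit) printf "BRUTEFORCE %s %d\n", ip, logins[ip]
    }' "$1"
}

# Constructed sample log: documentation-range addresses, invented requests.
make_sample_log() {
    f=$(mktemp)
    i=1
    while [ "$i" -le 6 ]; do
        printf '198.51.100.23 - - [12/May/2014:03:10:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed"\n' "$i"
        i=$((i + 1))
    done > "$f"
    cat >> "$f" <<'EOF'
203.0.113.9 - - [12/May/2014:03:15:40 +0000] "GET /index.php?page=../../wp-config.php HTTP/1.1" 404 512 "-" "constructed"
203.0.113.9 - - [12/May/2014:03:15:44 +0000] "GET /index.php?inc=http://example.invalid/x.txt HTTP/1.1" 404 512 "-" "constructed"
203.0.113.9 - - [12/May/2014:03:16:02 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 9001 "-" "constructed"
192.0.2.44 - - [12/May/2014:09:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "constructed"
192.0.2.44 - - [12/May/2014:09:02:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 7000 "-" "constructed"
192.0.2.50 - - [12/May/2014:09:05:00 +0000] "GET /about/ HTTP/1.1" 200 4200 "-" "constructed"
EOF
    printf '%s\n' "$f"
}

log=$(make_sample_log)
triage_wp_log "$log" 5
rm -f "$log"
```

Legitimate redirect parameters that carry a full URL also match the RFI pattern, so treat the output as leads to review rather than verdicts.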


There are two key open-source solutions you’ll want on your web server from a security perspective. This is a layered approach to security.


ModSecurity – This is an Apache module that functions as a Web Application Firewall (WAF). WAFs are key today; they are what you see folks like Cloudflare and Incapsula employing to filter the traffic. It filters all the traffic as it comes from your site and parses it out before it hits your site. I won’t lie, configuring it can be tricky with WordPress, but it’s possible. The other challenge is that it doesn’t work on NGINX; it’s tailored for Apache web servers. The good news is Apache still makes up 90% of the web servers. I should clarify that there is an NGINX version, but it’s less stable than Apache and currently undergoing a rehaul.


OSSEC can run on any NIX distribution and will also run on Windows. When configured correctly it’s very powerful. The idea is to correlate and aggregate all the logs. You have to be sure to configure it to capture all access_logs and error_logs, and if you have multiple websites on the server, account for that. You’ll also want to be sure to filter out the noise. By default you’ll see a lot of noise, and you’ll want to configure it to be really effective.



Sometimes prevention is not enough and you may still be hacked. That’s why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened and recover your site.


Monitoring your logs

If you are on a dedicated or virtual private server, in which you have the luxury of root access, you have the ability to easily configure things so that you can see what’s going on. OSSEC easily facilitates this, and here is a little write-up that might help you out: OSSEC for Website Security – Part I.


Monitoring your files for changes

When an attack happens, it always leaves traces, either in the logs or on the file system (new files, modified files, etc). If you are using OSSEC, for example, it will monitor your files and alert you when they change.


Monitoring your web server externally

If the attacker tries to deface your site or add malware, you can also detect these changes by using a web-based integrity monitor solution. This comes in many forms today; use your favorite search engine and look for Web Malware Detection and Remediation and you’ll likely get a long list of service providers.

Written by Phi 9 World

March 27th, 2014 at 12:49 am

Posted in Sales Promotion

Cloud Hosting


Cloud Hosting at Phi 9

Phi 9 is proud to announce the transition of all of our servers to a Cloud Hosting environment. Cloud hosting is a groundbreaking emerging technology that allows many machines to act as one unified system. While in the past, web hosting was limited to just one machine, cloud hosting allows a load to be evenly shared among many. In the unlikely event that one machine in a cloud cluster were to fail, the other machines will seamlessly shift the load without any down time. Another advantage of Cloud Hosting is that additional resources, RAM or hard drive space, can be added to a Cloud cluster allowing it to grow as customers’ websites grow.

Benefits of Cloud Hosting include:

  • Maximum website performance by spreading server load over multiple machines
  • Guaranteed resource allocation (CPU, RAM, Disk Space, Bandwidth)
  • Servers immune to failure
  • Scalable website resources
  • More features at a better price

With this new technology, combined with our Phenomenal Support™, it is a better time than ever to trust your web hosting to Phi 9.

Phi 9 offers a combination of tiered hosting packages along with customizable hosting solutions. From small personal sites to large enterprises, we have a hosting package to suit your needs. Cloud Virtualization allows any website, big or small, to have dedicated resources and to only pay for the resources that they need.

To learn more about Cloud Hosting, please contact one of our Customer Service Account Representatives by clicking here.

Written by Michael

April 1st, 2013 at 1:41 pm

Posted in Announcements

Happy Easter / Happy Spring from Phi 9



We would like to wish a very happy Easter to our customers that celebrate Easter and a very happy Spring time to everyone who doesn’t celebrate!

The days are beginning to get longer and we are starting to see many green things growing around our San Diego office. It’s simply beautiful!

Instead of buying candy for our staff this year, we have instead made a donation on their behalf to a company called Heifer International. Heifer International is an international nonprofit organization that works to end poverty and hunger around the world.

Specifically, we have purchased a couple flocks of chicks, flocks of ducks and trios of rabbits for families in need. Rather than providing aid in the form of food or money, Heifer uses a sustainable approach to teach families how to raise animals and use them to their long-term advantage. Chicks and ducks provide eggs and food while rabbits provide fertilizer and food.

If you would like to get involved, you can help a family for as little as $10. Click here to find out more.

Written by Michael

March 31st, 2013 at 2:47 pm

Venti Sized Relationship Marketing



As someone who has had coffee on three continents and at least 25 states in the US, I like to think I’m a coffee connoisseur. I also worked as a store manager for Starbucks Coffee for over a year. To say I love coffee would be an understatement.

During my tenure at Starbucks Coffee, I tried all of their coffees, including the special roasts. And of course I tried all of the espresso drinks as well. Starbucks coffee is good, but it’s not great. I personally think it is roasted too dark and just a mediocre bean. The best coffee I’ve ever tasted was in Vietnam, brewed fresh, in a single cup filter, at my table.

If Starbucks’ Coffee is just okay, why do people wait in line up to 30 minutes for it? Why do they pay two to three times more for a latte than they would in the family owned cafe down the street (odds are the family owned place will taste better too)? It boils down to marketing. In Starbucks’ case, relationship marketing. Starbucks knows what their customers want and goes the extra mile to make them feel like royalty.

Starbucks began in Seattle, Washington in 1971. The original store, which is still there, is at Pike Place Market. Their claim to fame was fresh, high quality coffee beans and brewing equipment. However, in 1988 the company was purchased by Howard Schultz who changed coffee consumption as we know it.

The company expanded from plain drip coffee to hand crafted espresso drinks, inspired by espresso bars in Italy.  This is where the relationship marketing revolution began.

Baristas were trained to have a “just say yes” attitude with customers. Customers could customize their drink any way they like, from a simple doppio espresso to a complex quad venti soy upside-down extra caramel sauce caramel macchiato. Any barista will craft the drink (mostly) the same, at any Starbucks in the world.

In order to focus on their customer rather than a coffee assembly line, baristas only make one or two drinks at a time, giving them a chance to create a warm personal connection with their consumer. In my store, regular customers didn’t even have to order their drink: when a barista noticed them in line, the drink order would be automatically placed and waiting for the customer when they reached the register.

As the overall brand and the “just say yes” culture grew, Starbucks expanded their marketing to include a “third place” concept. The place between home and work that people go to connect with their community. They encouraged customers to hold business meetings, relax with friends, read books and magazines and organize for the community. To encourage stores to organize philanthropic projects in their community, Starbucks pays baristas up to 40 hours a year for community service work they do.

Using this “third place” approach, Starbucks slowly but surely connected the majority of Americans with their local Starbucks store by providing a safe, comfortable environment with oversized furniture and free wifi.

Once the brand went international, Starbucks moved away from the “third place” culture and went more for a consistent, mass-produced feel while maintaining strong personal relationships. This is where drive-thru locations, Starbucks music stores, licensed stores and kiosks and mass market packaged goods came into play.

One of their most successful relationship marketing tools has been the Starbucks card. Everyone I know has gotten a Starbucks card at some point, either as a prize or as a gift. Starbucks expanded this program beyond a simple gift card into a relationship-building tool by creating the Starbucks Rewards Program.

Using the power of database marketing, they collect information about their clients and incentivize them to return again and again. At the first level, just for registering their card, Starbucks gives rewards program members a free birthday drink, discounts on coffee beans and retail products and special discounts in the mail. At the next level, more frequent guests receive free drink upgrades (syrup, extra shots, soy milk, etc). And at the final level, the Starbucks Gold Card, members receive a special gold gift card in the mail with their name on it. Not only do they get all of the benefits of the other levels, but they receive a free drink for every 10 that they buy as well as better discounts on products.

Starbucks’ ultimate success lies in integrated marketing communications. They coordinate their communication between text, e-mail, direct mail and social media to spread their message to the largest possible audience. They have pioneered new ways to pay like the Starbucks app for smartphones where customers can just scan their phone to get rewards without having to carry around their Starbucks Card.

To better understand their consumers, they conduct frequent market research to see what their customers think. At the most basic level they use in-store observations and at the most technical level they conduct formal market research using surveys and focus groups.

As small business owners we don’t have the multi-billion dollar marketing budget that Starbucks has, but that doesn’t mean that we can’t employ some of these same strategies to better connect with our consumers.

  1. Setup a Client Relationship Management (CRM) database to track information about your customers, past interactions, future opportunities and important dates like birthdays.
  2. Send thank you cards, happy birthday cards and sales promotions to customers (with their permission) using an integrated marketing approach.
  3. Make your customer feel special: address them by name, establish a human connection beyond business, if possible have the customer always work with the same person at your business.
  4. When something goes wrong, own it and make it right. Most of us can’t solve a problem by just giving someone a free drink, but it is important to make every customer feel special and appreciated, even the difficult ones.
  5. Reward loyal and repeat customers.

Written by Michael

November 11th, 2012 at 2:19 pm

WordPress editor and its font


You have to admit, WordPress is a pretty damn serious blogging tool. From start to end it’s designed to make you write. Take a look at its editor, for instance. It goes into full screen mode and hides its tool bar. Though this editor, TinyMCE, has everything you need to begin, its default font, *Georgia*, is hard-coded and cannot be easily changed. It’s inherited from a file called content.css in the tinymce directory, but overriding it directly in that file may not be a good idea, because:

  • WordPress system updates will revert the changes, and
  • Even if you directly edit the content.css file, you’ll still see Georgia font when you use the editor in full screen

Because this blog uses a different web font, Open Sans, I would like the editor to carry the same font when I am writing a post.

STEP # 1:

Look for functions.php in the root of your theme’s directory inside /wp-content/themes/yourtheme/, open it up and add one line after the php tag.


STEP # 2:

In the same directory, create a file called custom-editor-style.css with the lines below in it:

@import url(,700);
* { font-family: 'Open Sans', sans-serif, Arial, Helvetica;}

Go ahead, clear your browser’s cache and this is what you’ll see. Note the title font: it’s set to sans-serif, taken from my browser settings (I’m using Firefox on Linux).

Written by Phi 9 World

October 13th, 2012 at 10:38 am

Is The Customer Really Always Right?



Conventional knowledge says that the customer is always right. Period. But is the customer really always right?

Working in the marketing and web design industry, we do not believe the client is always right. In fact, in my experience, the client is often wrong. And usually doesn’t know what they want until you tell them.

Some examples from web design: musical flash intros. Blinking text and flashing graphics. Splash pages. Graphical mascots. Guest books. These things were great in the 90s. But they are obsolete (and distracting) when it comes to conventional Web 2.0 standards of design.

Is The Client Wrong?

When considering what is right or wrong for a client, we must remove any emotion from the equation. We must distance ego from the project, perhaps asking the advice of an uninvolved third party, to be as objective as possible. What are the client objectives? What are the pros and cons of this specific client request? Will it help their overall objective or hurt it?

In many cases, the client will know their target audience better than marketers will. After all, they deal with their market on a daily basis. Keeping this in mind, if it still seems that a client is wrong, suggest some alternatives. Compromise on an alternative rather than just telling them they are wrong.

At the end of the day, the client is paying us to meet their needs, not necessarily industry conventions. If a request helps their bottom line, even if it is absurd, just do it.

Speak The Client’s Language

Remember that a client may not necessarily speak “techno babble”. They may not realize that a seemingly simple request may take 20 hours of coding. It is important to communicate with a client in a language that they can understand.

When in doubt, help the client define the following things:

  1. Overall Objective(s)
  2. Measurable KPIs (Key Performance Indicators)
  3. A Marketing Communications Plan
  4. Set & Execute Milestones
  5. Compare Results to KPIs
  6. Make Changes As Necessary

When client requests can be directly and objectively measured against KPIs, a client is much more likely to take marketer advice.

When To Say No

It is important to remember who is the expert. Clients don’t hire consultants to complete tasks they can do themselves, in-house. They hire consultants to help them improve their business because we are experts in our fields.

As such, it is important to maintain credibility. My motto is to “under-promise and over-deliver”. Set realistic goals and exceed clients’ expectations by meeting and exceeding these goals.

Ethical Conflicts

The following are situations where a client is always wrong and it is okay to say no:

  • Being asked to work for non-monetary compensation or for significantly less than the market rate of compensation.
  • Being asked to commit to an unrealistic timeline.
  • Being asked to do something you find ethically questionable.
  • Being asked to take on more work when you are already overextended.

In all of these situations, there is big potential to disappoint a client. And as a result, not only fail to help a client, but perhaps hurt a client.

When it comes to ethical conflicts, always say no. It is not worth hurting your reputation for a client. There are plenty of shady companies out there who will take their project. Choose the ethical high-road by saying no. The universe will send you plenty of new business to make up for the one lost contract.

Continuous Changes

In the web design industry, some clients have the idea that they own their designer for life once a website is designed. They expect changes to be made to their website frequently, instantly and for free. Therefore it is important to set boundaries and proper expectations to what is and isn’t included in your service.

At my company, we explain to a client up-front the scope of our service. We outline our 90 day satisfaction guarantee and what services carry additional cost. We still encounter the occasional client who expects free updates, but we can refer them to our written policies, offer to make changes as a one time courtesy and then explain to them that future changes will be billed at our standard rate.

This is not the answer most clients want to hear, but it has enabled us to save a lot of relationships while earning a fair rate for our services.

Photo Credit stratfordcollege on Flickr

Written by Michael

October 11th, 2012 at 4:32 pm

Install, publish DNN or other web applications from WebMatrix


Earlier we wrote a tutorial on how to install and deploy DNN (DotNetNuke) manually via an FTP client. But since WebMatrix is becoming more of a standard for web deployment, it’s the right time to let you guys know how to publish your existing DNN site from WebMatrix to your Phi 9 account. The process is straightforward and still almost the same, but this is a step-by-step tutorial for people who are just starting to use WebMatrix and our control panel.

To sum up the overall process, all you need to do is:

  • Download WebMatrix profile from our control panel, add connection string to it and import it to WebMatrix
  • Publish
  • Complete post-publish installation wizard, if any

So, this process is the same if you want to publish any other application from WebMatrix, except that there’ll be a different post-setup wizard depending upon the web app you’ll be using!

This tutorial assumes that you have just downloaded DNN to your local system in WebMatrix, which in most cases does require post-setup.
Below are the detailed steps.

1. This tutorial assumes that you have a working installation of WebMatrix, and DNN installed from its gallery, on your computer. If not, open up WebMatrix and install DNN or any other web application you want. We’ll use DNN for this example.

2. Login to your Windows control panel (usually at, yours may be different; consult emails from Phi 9). Go to Web Sites > Click on your website name > Under Home Folder tab, make sure that “Enable Write Permissions” checkbox is enabled.

3. From Databases section in control panel, create an SQL Server 2008 database, also its db user and assign the db user to your database. Simply click the mentioned buttons.

4. From Web Sites section > your website > Web Publishing tab > Enter your control panel username and password > Click Enable.

5. From the same screen, click on Rebuild Publishing Profile link. Select the database you just created, its db user, leave FTP field to default and click on OK button.

6. Finally click on “Download Publish Profile” on the same screen. Save the file on your computer.

7. Open WebMatrix, open your web application site or DNN site in it, go to “Remote” tab, click “Publish” and “Import Publish Settings”.

8. Finally, publish the site, making sure to select the checkbox saying “Delete files on the remote server that are not on my computer”.

9. It’ll take a few minutes to complete. Then click on your site URL.

10. Complete the post-deployment installation steps. In case of DNN, just keep clicking “Next” until you are asked to set up your account with a username and password.

11. Set up completes with a success message and your DNN site is published!

Written by Phi 9 World

September 29th, 2012 at 1:27 am

Install WordPress in just 5 clicks!


WordPress started as a blogging engine but has rapidly evolved into more than that over the years. It is now one of the easiest and quickest content management systems. Every fifth or so website on the internet uses WordPress — and it doesn’t stop there! It keeps growing every day with thousands of addons and tons of functionality.

At Phi 9, you can actually install and deploy as many WordPress instances as you want, with just a few clicks each.

Just follow these steps.

1. Login to your Windows control panel, go to your website under Websites menu and click on it. Once there, all you need to do is to enable ‘write’ permissions.

2. Then go to Microsoft Web App Gallery within the control panel, select Blog from category drop down menu on top of the page and then go to page 3. Then click install for application “WordPress” as shown in the below screenshot.

3. Click ‘Next’ to proceed.

4. Now you’ll have to set up the WordPress installation. Simply select the site, leave the application name blank, choose ‘create a new MySQL5 database’ and then input the database name and database user name. These must be unique, so always try different names. Then select a password and click next.

5. Now, you’ll see a screen like below. Just click on ‘Launch WordPress’ link to proceed.

6. Give WordPress your desired information and click ‘Install WordPress’ button.

7. Success, now login!!

8. Now is the time to make your WordPress up-to-date. Simply click on ‘Update WordPress’ link on the top to proceed.


9. Congratulations. That was pretty easy, wasn’t it? Welcome to The Web Hosting Phenomenon!

How to configure and publish apps from Visual Studio with Web Deploy on Phi 9?


Whether you have just discovered Web Deploy or you are an experienced developer wanting to publish your application directly to your website without the fuss of manual uploads, you will likely need access to your Web Publishing profile. It’s easier if you want to deploy from WebMatrix, because all you need to do is download the profile from your Phi 9 Windows control panel and import it into WebMatrix or Visual Studio Pro. However, if you are using Visual Studio Express or Visual Web Developer, you’ll have to input the settings manually because Visual Studio doesn’t support importing your publish profiles.

Just follow the following steps.

1. Login to your Phi 9 Windows control panel

2. Go to ‘Web > Websites’ under your default hosting space (your plan name).

3. Click on your desired website name.

4. Click on ‘Web Publishing’ tab

5. Choose, enter your username, password and click on ‘Enable’.

6. Click on ‘Download Publishing Profile’ link.

7. Open up the downloaded profile in any text editor or in Notepad.

8. Open up Visual Studio, the version you have. Go to Build > Publish. Choose Publish Method as Web Deploy.
Copy the value of ‘publishUrl’ from the file you just opened in the text editor and paste it into the ‘Service URL’ field in Visual Studio. Do the same for ‘msdeploySite’ and paste it into the ‘Site/application’ field of the Visual Studio publish settings.
Check the ‘Allow untrusted certificate’ checkbox. Enter your username and password. And that’s it. You can now publish your app through Visual Studio.
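The downloaded publishing profile used in both the WebMatrix and Visual Studio steps above is a small XML file, so the two values Visual Studio needs can be read out programmatically. The sketch below is an added example, not Phi 9 code. It also lists which attributes of the file hold credentials in clear text, which is why the saved profile should be stored like a password. The sample profile is constructed, and every attribute name other than ‘publishUrl’ and ‘msdeploySite’ is assumed from the commonly seen publish-settings layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile: host names, user names and passwords are made up.
SAMPLE_PROFILE = """<publishData>
  <publishProfile profileName="example.com - Web Deploy" publishMethod="MSDeploy"
      publishUrl="https://host.example.com:8172/msdeploy.axd" msdeploySite="example.com"
      userName="cpuser" userPWD="constructed-password"
      SQLServerDBConnectionString="Server=db.example.com;Database=dnn;User Id=dbuser;Password=constructed-db-pw" />
  <publishProfile profileName="example.com - FTP" publishMethod="FTP"
      publishUrl="ftp://host.example.com" userName="cpuser" userPWD="constructed-password" />
</publishData>"""

# Attributes assumed to carry secrets in this file layout.
SECRET_ATTRS = ("userPWD", "SQLServerDBConnectionString", "mySQLDBConnectionString")


def visual_studio_fields(profile_xml):
    """Return the values to type into the Visual Studio publish dialog."""
    root = ET.fromstring(profile_xml)
    # A profile file can carry several entries (Web Deploy and FTP); pick Web Deploy.
    for profile in root.iter("publishProfile"):
        if profile.get("publishMethod") == "MSDeploy":
            break
    else:
        raise ValueError("no Web Deploy (MSDeploy) profile in file")
    return {
        "Service URL": profile.get("publishUrl"),
        "Site/application": profile.get("msdeploySite"),
        "User name": profile.get("userName"),
    }


def stored_secrets(profile_xml):
    """List (profile name, attribute) pairs that hold a non-empty secret."""
    root = ET.fromstring(profile_xml)
    return [
        (profile.get("profileName"), attr)
        for profile in root.iter("publishProfile")
        for attr in SECRET_ATTRS
        if profile.get(attr)
    ]


if __name__ == "__main__":
    for field, value in visual_studio_fields(SAMPLE_PROFILE).items():
        print(f"{field}: {value}")
    for name, attr in stored_secrets(SAMPLE_PROFILE):
        print(f"clear-text secret in profile '{name}': {attr}")
```
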


Welcome to the world of ϕ.
Welcome to The Web Hosting Phenomenon ™

Written by Phi 9 World

June 14th, 2012 at 5:43 pm

99 Days of Summer Domain Promotion


Phi 9 Org Domain Sale

Celebrate summer with your friends at Phi 9!

To help you maximize your online presence, we are offering phenomenal prices on domains through the end of summer!

Save even more money by taking an additional one percent off per year, up to 10 years, on any of our domains.

To take advantage of these amazing offers, simply sign into your Customer Account Portal at or contact the sales department by e-mail at

The promotional pricing applies to all domains including domains you already have registered with us, transfers from other registrars and new registrations.

Written by Michael

June 10th, 2012 at 11:32 pm

Posted in Sales Promotion
