Web hosting

Questions about Apache, file upload, permissions, CGI, .htaccess, statistics and shell access.

Questions

• Which file transfer programs can I use?
• How do I configure my file transfer client?
• Why do I get FTP error 530 or too many simultaneous connections?
• How can I send website form data by email?
• Where are sendmail and Perl located?
• How do I set file permissions correctly?
• How do I configure Apache using .htaccess files?
• How do I set up password protection with Apache?
• How do I access and read website statistics?
• How do I activate version control and shell access?
• Can you help when my website is hacked?
• My WordPress site seems hacked or redirects: what should I do?
• Why does my Let’s Encrypt certificate not renew?
• My site stopped working after migration: what should I check?
• Why is my hosting space full?

Which file transfer programs can I use?

Choose a client that supports encrypted transfer, preferably SFTP. FTP remains available mainly for legacy compatibility.

Common recommendations:

• FileZilla: the universal classic on Windows, macOS and Linux; good for quick drag-and-drop hosting work. Download it from the official project site, not from third-party mirrors.
• WinSCP: the Windows power-user choice; strong for SFTP, scripting, automation and synchronisation
• Cyberduck: clean and simple on macOS and Windows; useful for occasional transfers and cloud storage workflows
• Transmit: polished macOS-native client; appreciated by professional Mac web workflows, but paid and macOS-only
• rsync: command-line tool for Linux/server/admin work; excellent for backups, migration and incremental synchronisation

In practice, FileZilla, WinSCP and Cyberduck are the tools most often encountered in hosting support. For larger migrations or repeated synchronisation, rsync, scp and sftp from the command line are often more reliable than manual drag-and-drop.

all2all hosting accounts include shell access, so files can also be transferred directly on the server when needed.

How do I configure my file transfer client?

Use the credentials provided when the hosting account is activated.

Typical settings:

• hostname: server hostname
• username: all2all username
• password: all2all password
• protocol: SFTP recommended; SCP for command-line or automation; FTP only for legacy compatibility

SFTP and SCP are handled through SSH/OpenSSH, usually on port 22. Legacy FTP is handled by the FTP service, typically ProFTPD, usually on port 21 plus passive data ports.

With FTP, the client usually opens directly in the hosting home directory. With SFTP or SCP, you may need to change into the hosting home directory manually; it is normally located under /var/www/htdocs/username.

Use the server hostname rather than the domain name when DNS changes are still propagating or the domain is not active yet.

Upload website files into public/. If your client opens in the home directory, enter public/ before transferring files.

Alternative methods include shell access, rsync and the Virtualmin file manager.

Why do I get FTP error 530 or too many simultaneous connections?

This usually means the server refuses extra simultaneous connections from the same client.

Common causes:

• too many parallel transfers
• old sessions not closed properly
• repeated reconnect attempts
• blocked passive data sessions

Reduce the maximum number of simultaneous connections in the client settings. A value of 2 or 3 is usually enough.

If the problem persists, disconnect fully, wait a few seconds and reconnect. Restarting the client can also clear hanging sessions.

For errors such as 425 unable to build data connection, check passive mode, firewall settings and blocked sessions.

Whenever possible, use SFTP. It avoids many classic FTP session issues.

How can I send website form data by email?

The historical shared CGI FormMail service is no longer recommended.

Forms should usually be handled by the website application itself, for example through:

• PHP form handlers
• WordPress form plugins
• authenticated SMTP submission

Authenticated SMTP with a proper sender address improves delivery and reduces abuse risks. It also works better with SPF, DKIM and DMARC.

Custom form processing remains possible with shell access and standard scripting environments.

Where are sendmail and Perl located?

Some legacy scripts still need explicit system paths.

Typical paths:

• sendmail: /usr/sbin/sendmail
• Perl: /usr/bin/perl

A typical Perl script header is:

#!/usr/bin/perl

/usr/sbin/sendmail points to the local mail transport agent, usually through Postfix compatibility. Some older software may also refer to /usr/lib/sendmail.

Modern applications usually use native mail libraries or authenticated SMTP instead of direct sendmail calls.

How do I set file permissions correctly?

Permissions define who can read, write or execute files. They can be changed through SFTP/FTP, shell access with chmod, or the Virtualmin file manager.

Typical values:

• ordinary files: 644
• directories: 755
• executable CGI or shell scripts: 755
• sensitive configuration files: often 600

Use the minimum permissions required. Avoid 777, because it gives write access to everyone and creates serious security risks.

Do not manually change system directory permissions such as cgi-bin/ unless there is a specific technical reason.

How do I configure Apache using .htaccess files?

A .htaccess file applies Apache directives inside a website directory.

Typical uses:

• redirects and URL rewriting
• forcing HTTPS
• directory protection
• MIME type adjustments
• custom index behaviour

Place the file in public/ or in a subdirectory. Rules apply from that directory downward.

On current all2all hosting environments, .htaccess support is normally enabled by default.

If Apache returns 500 Internal Server Error after a change, rename the file temporarily or undo the last directive. Invalid syntax is the most common cause. Also check the Apache error log, because it often contains the precise directive, path or syntax error that caused the failure.

More examples are available in the documentation section. Contact support if you need a specific rule and are unsure whether it is allowed.

How do I set up password protection with Apache?

Apache authentication can protect a directory with a username and password.

It usually requires:

• a .htaccess file in the protected directory
• a password file with authorised users

Virtualmin also provides an interface for protected directories. It can create realms, define paths and manage authorised users without editing files manually.

Use Apache authentication for temporary private areas, staging pages, restricted downloads or internal documents.

For modern websites with user accounts, application-level authentication is often better, for example WordPress users, PHP login systems or framework authentication modules.

How do I access and read website statistics?

Website statistics are available through Virtualmin. Depending on the hosting setup, Webalizer and AWStats may be available.

In many cases statistics can also be reached at:

• https://your-domain.example/stats/

Authentication may be required.

Webalizer gives a compact overview. AWStats usually provides more detail, including user agents, robots, downloads and monthly comparisons.

Useful indicators:

• Visits: visit sessions
• Pages: actual page views
• Hits: all file requests, including images and scripts
• Bandwidth: transferred data volume

Hits are often much higher than visits because each page loads images, CSS, JavaScript and fonts. Visits and pages usually better represent real audience activity.

How do I activate version control and shell access?

Current hosting accounts include shell access by default. This allows SSH, SFTP, SCP and command-line maintenance.

For version-controlled deployments, Git is the usual choice. Subversion (SVN) can still be used when required for existing workflows.

Shell access is useful for:

• direct file management
• script execution
• log inspection
• repository checkout
• command-line maintenance

Use dedicated users for separate tasks when useful, for example deployment, application or maintenance users. This improves traceability and limits accidental changes.

For repository support or server-side integration, contact support with the domain name, preferred tool and expected workflow.

Can you help when my website is hacked?

Yes, but it is important to distinguish server responsibility from website responsibility. all2all manages the hosting platform, operating system, mail and server infrastructure. The website, CMS, plugins, themes and web applications installed by the user remain the responsibility of the site owner or webmaster.

Most shared hosting providers simply suspend compromised sites when they send spam, host malware, redirect visitors or overload the server. At all2all we usually try to do more: we protect the infrastructure first, then help the responsible person understand what happened and what options exist.

The usual workflow is:

1. detection of spam, phishing, malware, suspicious files, redirects, high load or abuse reports
2. protective mode for the site when needed, for example disabling vulnerable scripts or limiting web access
3. contact with the responsible webmaster or site owner
4. escalation to the website contact address, then the account contact, and finally historical contact addresses if needed
5. remediation by the client, by their webmaster, by a third-party specialist, or by all2all if availability allows

The client may clean the site independently. If they need help, we can suggest a webmaster or, when we have availability, make an estimate for direct intervention by all2all. A typical compromised WordPress cleanup often takes around 2 to 3 hours at EUR 60/hour, depending on the state of the site, plugins, backups and logs.

For technical first steps, see also: My WordPress site seems hacked or redirects: what should I do?

When useful, we can also create a forensic archive snapshot and make a first assessment. This may include suspicious files, relevant logs, IP addresses involved in the attack, timestamps, redirects, cron jobs or injected code. Such a report can help if the incident must be documented internally, sent to insurance, or reported to public authorities.

You normally do not need to file a formal report for a minor website defacement or a test site compromise without personal data, fraud, extortion or wider impact. A report becomes important when personal data may have been accessed or altered, when there is financial fraud, identity theft, extortion, phishing against third parties, or a legal obligation to notify a data breach. In Belgium, personal data breaches may need to be notified to the Data Protection Authority within 72 hours. Cybersecurity incidents can also be reported through Safeonweb/CCB, and criminal offences should be reported to the police.

My WordPress site seems hacked or redirects: what should I do?

Contact support first: support@all2all.org.

Avoid overwriting evidence before the situation is understood. Do not reinstall blindly, delete suspicious files or restore a backup before making a minimal assessment. We can help make a forensic assessment and create an archive snapshot of the affected site. This can be useful if you later need to document the incident for insurance, an internal report or public authorities.

Common signs are unexpected redirects, unknown administrator users, modified .htaccess rules, strange PHP files, suspicious cron jobs or old plugins calling external scripts.

Recommended first steps:

• contact support with the domain name and a short description of the symptoms
• keep the current state available until a snapshot has been made
• change WordPress administrator passwords after the snapshot or when advised
• clean up the compromised site, then update WordPress core, themes and plugins once evidence has been preserved
• remove unused plugins and themes
• check .htaccess, wp-config.php and recently modified PHP files
• restore from a clean backup if needed

You normally do not need to report a simple defacement or test-site compromise if there is no personal data, no financial fraud, no identity theft and no wider impact. Still document what happened and which steps were taken.

Reporting may be necessary when personal data may have been accessed, copied or altered. In Belgium, data breaches may need to be notified to the Data Protection Authority within 72 hours. See https://www.dataprotectionauthority.be/.

If there is fraud, extortion, identity theft, financial loss or a criminal threat, report it to the police. Belgian organisations can also report cybersecurity incidents to the Centre for Cybersecurity Belgium via https://notif.safeonweb.be/. Suspicious phishing messages can be forwarded to verdacht@safeonweb.be.

If the site sends spam, hosts malware or redirects visitors, we may temporarily disable affected scripts to protect the server and other users while the incident is handled.

Why does my Let’s Encrypt certificate not renew?

Certificate renewal needs the domain to point to the correct server and the HTTP validation path to be reachable.

Frequent causes are:

• DNS still pointing to another server
• redirects blocking /.well-known/acme-challenge/
• restrictive .htaccess rules
• missing virtual host aliases, for example www
• one or more alias domains included in the certificate are no longer active or are not pointing to the server anymore
• wrong file permissions
• an old Apache or Virtualmin configuration

This is especially important when one website has several domain names or alias domains. Check that every DNS name included in the certificate is still active, renewed and resolving to the hosting server. One out-of-order name can prevent the whole Let’s Encrypt certificate renewal process, even if the main domain itself is correct.

If an alias domain should remain active, renew the domain name and correct its DNS, or exclude that alias from the Let’s Encrypt configuration in Virtualmin. If the alias is no longer needed, delete the alias domain via Virtualmin; this also removes it from future certificate requests.

If renewal still fails, contact support with the domain name and the exact certificate error. We can check Apache, Virtualmin and the ACME validation path.

My site stopped working after migration: what should I check?

Migration issues usually come from DNS, database settings, PHP version differences or paths that still refer to the old hosting.

Check first:

• DNS points to the intended all2all server
• website files are inside public/
• database name, username, password and hostname are correct
• WordPress wp-config.php points to the new database, with the correct database name, username, password and host, rather than to the old database
• old absolute paths or hardcoded URLs were updated
• PHP version is compatible with the application
• .htaccess does not contain old redirects or rewrite rules

During migration, keep temporary access available, for example through yoursite.all2all.org, until pages, forms, media and login areas have been tested.

Why is my hosting space full?

Hosting space is often filled by local backups, cache directories, logs, uploaded media, old archives or duplicated migration copies.

Check the largest directories through shell access, SFTP or Virtualmin. WordPress backup plugins are a common cause when they store repeated full backups inside the same hosting account.

Remove obsolete archives and rotate backups outside the hosting space when possible. If the project genuinely needs more storage, contact support so the plan or quota can be reviewed.