cPanel & WHM Security Update: CVE-2026-29201, 29202, and 29203 Patched

cPanel released a coordinated security update today, May 8, 2026, addressing three separate vulnerabilities in cPanel & WHM. We received advance notice of the patch yesterday evening, monitored for its release at noon EDT, and applied it across our fleet as soon as it became available.

This post summarizes what cPanel disclosed, when the patch actually landed, and what we did about it.

What cPanel Disclosed in Advance

On the evening of May 7, cPanel sent affected partners an early-warning email letting us know a security update was coming the following day at 12:00 PM EDT. The advance notice covered three CVEs being patched together: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203.

The notice specified the minimum patched build for every supported tier from 11.86 through 11.136, including the WP Squared (11.136 WP2) line. cPanel recommended performing a manual update via /scripts/upcp once the patch was made available, rather than waiting for the standard automatic update window.

Full technical details were embargoed until the patch itself was released.

The Cloudflare 520 Mystery: How a Threat Intel Feed Took Down One Customer Through One Specific PoP

The Setup

A client running an OpenCart store and a WordPress site reported intermittent Cloudflare 520 errors. Initial reports mentioned issues with custom security software they were running (a proof-of-work challenge being injected via auto_prepend_file), which we helped them disable. The 520s continued.

The Pattern That Made No Sense

Over the following days, the client did remarkably thorough testing on their end and identified a pattern none of us could explain:

  • 520 errors only occurred when traffic routed through Cloudflare’s LAX (Los Angeles) PoP
  • Other Cloudflare PoPs worked perfectly
  • DNS-only mode (no proxy) worked perfectly
  • Direct origin access via hosts file worked perfectly
  • A clone of the site on a different host, behind the same Cloudflare configuration, worked perfectly

By every measure available to them, the issue was specific to the combination of their site + Cloudflare LAX + our infrastructure.

SPF and DKIM – What is it and why block the failures?

Email is inherently flawed.

Email is built on trust. Yes, trust, and many hacked-together solutions, such as SPF and DKIM, are slapped on top of it. That doesn’t mean those systems are bad, though; just that they are “added on” and not a core part of email.

In the early days of email, you connected to the mail server where you wanted to deliver a message, told the server who you were and to whom to deliver the message, and then sent the contents of your message. That was it – you delivered an email. The astute among you may have already realized the problem and have probably experienced it yourself: spoofing.

Spoofing is when an email’s “from” header is forged to look like it came from someone it did not. We’ve all received emails addressed from us to us that we didn’t send – and that’s an example of spoofing.

Email is built on trust – trust that the sender is who they claim to be. How do you really know, though? How can you be sure that the email from your bank is really from your bank and not someone pretending to be your bank to steal your information?

Migrating email made easy – IMAPSync

We offer full-service migrations for our clients, including email migration, so if you’re a client, don’t hesitate to ask us for help! For those who aren’t our clients or wish to perform email migrations themselves, we offer a public IMAPSync installation at https://imapsync.net/.

Using IMAPSync.net

Once you have navigated to our IMAPSync installation, you will see the web form for performing IMAP migrations. To perform a migration, you will need at minimum:

  • The login for the source and destination servers (usually the email address).
  • The password for the email account on both servers (this may be different for each).
  • The IMAP Server name for the source and destination servers.

To test the details without performing a migration, you can check the box “Just verbose, no real sync” towards the middle of the form.

Once you have entered the details of both email accounts for the source and destination mailboxes, all you need to do is click “Sync or resync!” and the process will run. During the migration, you will see details of the run in the log at the bottom of the page.

Using IMAPSync on the command line

If you are an MDDHosting customer, we make the imapsync binary available to you via SSH/Terminal. The process will require the same details as above, but the big differences are that you will be running it from your service with us and that there is no easy-to-fill form to get it started.

Hosting Resource Series – CPU Cores

Most web hosting providers offer resource limits on their services. Understanding these resource limits can help you make an informed decision when purchasing or upgrading a hosting service.

Layman Explanation – “The Car Analogy”

I often like to use what I call “The Car Analogy” to explain CPU cores. I use a car to represent a CPU core and people being transported to represent website visits.

Single CPU Core:

Imagine for a moment that you have one car instead of one CPU core. One individual car (CPU core) can move people (website visits) from one location to another, and it is designed and intended for this purpose.

Let us also imagine that the car will always move as fast as it is capable of doing. You do, after all, want to get where you’re going as quickly as you can, right? Your one car can only move people so fast, and it can go no faster.
