Blog

Goodbye WordPress

August 3, 2016 | Posted by Paul


When it comes to Content Management Systems, WordPress dominates the market. ManageWP reports that nearly 75 million websites are running WordPress.

WordPress is convenient. It’s easy to install, easy to use, and easy to customize. There is a seemingly endless supply of themes and plugins available to suit your every need. This very website used WordPress for many years, until now.

So why the change?

Consider the following:

  • There have been, and continue to be, many vulnerabilities in WordPress
  • WordPress installations are the frequent target of brute force attacks and penetration tests
  • While caching can help to some degree, WordPress is very slow and expensive to scale

Introducing Hugo

Hugo is a fast and modern static site generator. Like other static site generators, Hugo builds your website rather than serving it on the fly through a runtime like PHP, or a database like MySQL. Web servers are really good at serving static content, so this eliminates much of the overhead.

With all of the static site generators out there, why did we go with Hugo?

  1. Hugo is written in Go and is really, really fast. (~1 ms write time per page)
  2. Hugo builds pages and blog posts from Markdown files.
  3. Hugo has a built-in web server for development, rendering changes on the fly.
  4. There is a wordpress-to-hugo exporter, so we were able to import existing posts.
  5. You can create your own themes.

Getting started with Hugo is really simple, and Hugo will run on Windows, Linux, and OSX. Remember, Hugo is a static site generator, so you’ll install it on your computer and upload the distribution to your web server after it’s generated. Alternatively, you could run Hugo on your web server and use source control to check out your updates and rebuild your site.

If you want to try Hugo, take a look at their Quickstart guide. It’s quick and simple to get up and running with a prebuilt theme.

Creating a new theme is really the most difficult part of using Hugo, and their documentation is not great in this area, but we were able to find a solution to most of our issues on their community forum.

This post was generated from a simple Markdown text file, cool, right?

Conclusion

Some of us remember the days of Dreamweaver and FrontPage, or writing our own HTML pages in Notepad. In a way, the Internet has come full circle. Static site generators are becoming the wave of the future, only this time for all the right reasons.

Hugo is for those of us that like to break free of the norm and try something different and better. Much like Blesta. Never settle.

Security Advisory

August 2, 2016 | Posted by Paul


We have released new updates for all supported versions of Blesta. These updates address security-related concerns with Blesta and have an impact rating of Low. More information about how we rate vulnerabilities can be found on our Security Advisories page.

Affected Versions

Versions 3.0.0 through 3.6.1 are affected.

Description

This update addresses two security concerns:

  1. An undemonstrated potential vulnerability. In cooperation with a competing software application, we will release further details about this issue and how it affects Blesta once a sufficient amount of time has passed.
  2. Full Path Disclosure.

Resolution

If you are running 3.6.0 or 3.6.1, apply the following patch:

3.6.x -> 3.6.2 - Download Patch

If you are running a version prior to 3.6.0, upgrade to 3.6.2:

3.6.2 - Download Full

Be sure to run ~/admin/upgrade in your browser after updating the files. A new configuration variable will be written to your ~/config/blesta.php config file. Ensure that it is writable.

Related tasks: CORE-2228, CORE-2231

Mitigation

It is best to upgrade to 3.6.2; however, the Full Path Disclosure issue may be mitigated by changing the System.debug variable to false in ~/config/core.php. To do so, open ~/config/core.php and look for the following:

<?php
...
Configure::set("System.debug", true);

Change this to:

<?php
...
Configure::set("System.debug", false);

This will effectively disable stack traces within minPHP “Oh noes” error pages. When upgrading to Blesta 3.6.2, this option is defined and overridden in Blesta’s config file (~/config/blesta.php).
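
To confirm the mitigation took effect, the following added example (not Blesta's own tooling) reports the effective System.debug value for an install. The function names are hypothetical, and it assumes the setting is written on one line as shown above, with config/blesta.php taking precedence over config/core.php as described.

```shell
#!/bin/sh
# Added example: report the effective System.debug value of a Blesta install.
# Assumption: the setting is written on a single line, in the form
#   Configure::set("System.debug", true);

# Print the last uncommented System.debug value ("true"/"false") set in a
# file, or nothing if the file is missing or never sets it.
debug_value() {
    [ -f "$1" ] || return 0
    sed -n -E \
        -e '/^[[:space:]]*(\/\/|#|\*)/d' \
        -e "s/.*Configure::set\([[:space:]]*[\"']System\.debug[\"'][[:space:]]*,[[:space:]]*([A-Za-z]+).*/\1/p" \
        "$1" | tr 'A-Z' 'a-z' | tail -n 1
}

# Effective value: config/blesta.php (written by the 3.6.2 upgrade) overrides
# config/core.php. Prints "true", "false" or "unset"; the exit status is 0
# only when debug is explicitly false, so the check can gate a deploy script.
blesta_effective_debug() {
    root=$1
    value=$(debug_value "$root/config/blesta.php")
    [ -n "$value" ] || value=$(debug_value "$root/config/core.php")
    [ -n "$value" ] || value=unset
    printf '%s\n' "$value"
    [ "$value" = false ]
}

# Stand-alone use: pass the install root as the first argument.
[ "$#" -eq 0 ] || blesta_effective_debug "$1"
```

A result of "true" or "unset" means stack traces may still be shown on error pages and the install should be rechecked.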

Credits

These items were reported by Sabri (@pwnsdx) in accordance with our Responsible Disclosure Policy.

Blesta 3.6.1 Patch Released

November 9, 2015 | Posted by Paul


A patch has been released for Blesta that addresses bugs discovered since 3.6.0 was released. As usual, a big thanks to everyone who reported and confirmed these bugs on our forums; we appreciate your help.

The release notes are available at https://docs.blesta.com/display/support/3.6.1.

Always run /admin/upgrade in your browser after patching or upgrading your installation.

Download 3.6.1 Patch | Download 3.6.1 Full

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

We recently migrated from Subversion to Git for version control as part of our effort to further streamline our development and build processes. We are also now using Composer for all Blesta extensions and have integrated this into our build process. As a result, you may see composer.json files included with extensions, which is normal going forward.

Blesta 3.6: Now Available

October 14, 2015 | Posted by Paul


Three SIX is here and it includes the ability to mass schedule cancellation of services, automatic cancellation of suspended services, new payment gateways and more.

Download 3.6

See the documentation for details on how to install or upgrade.

What’s new in 3.6?

  • Mass edit for scheduling cancellation of services
  • Automatic cancellation of suspended services
  • Ability to invoice renewing services separately
  • Move services to packages in different groups with the “Reassign Pricing” plugin

And more; see everything in the changelog!

A big shout out to KnownHost for sponsoring development again for several new items in 3.6! If your company is interested in sponsored development, we would love to hear from you!

The Marketplace

The Marketplace is now available. If you are a developer, list your extensions now if you haven’t already. If you have a developer license with us, you can log in to The Marketplace using the same credentials you use to manage your account at account.blesta.com.

Paymentwall

Paymentwall recently released a payment gateway for Blesta. Download the gateway and find out more about Paymentwall in our new marketplace.

What’s next?

We are raising the minimum requirements to PHP 5.4 for Blesta 4.0. We recommend PHP 5.6, as active support for all older releases has ended. Here are a couple of things to look forward to:

  • Mass Mailer
  • Usability Improvements
  • And..? :) Stay tuned. (or poke around dev.blesta.com for clues)

Also, it’s looking like 4.1 will be dedicated to improving domain registration support.

We do our best to prioritize development based on demand. Is there a feature you really want to see in a future release? Let us know on our feature requests forum!

Blesta 3.6 Beta Released

September 28, 2015 | Posted by Paul


We are excited to announce that 3.6.0 BETA 1 has been released! If you purchased Blesta direct, you may download blesta-3.6.0-b1.zip from the client area now (Login Required). During installation, choose to start a free trial unless you have a dev license you can use. Then, head over to our 3.6 beta forums to report any bugs and let us know what you think.

Beta releases are for non-production use and are not supported.

Knowledge Base

So what is new in 3.6?

Version 3.6 is intended to bridge the gap between 3.5 and the next major release, 4.0, and includes many improvements. Here are some of the new features in 3.6:

  • New Gateways: Converge (aka VirtualMerchant), and Braintree
  • Payment types can be designated as non-income
  • Automatically set Payment Accounts for auto-debit when saved
  • Improved performance of Invoice and Transaction searches
  • Added ability to invoice each service independently
  • Added ability to mass schedule cancellation of services
  • Show invoice line items on client pay page when paying a single invoice

There’s a lot more in this release; see the release notes for details.

When is the final release?

Version 3.6 will be officially released after the beta phase is completed. Generally the beta for a minor release lasts around 2-3 weeks, but it can vary. An official release is only made once we deem it to be stable.

What are you waiting for? Download the beta and let us know what you think!
