Blesta 4.0.1 Patch Released

May 2, 2017 | Posted by Paul

A patch has been released for Blesta that addresses bugs discovered since 4.0.0 was released. As usual, a big thanks to everyone who reported and confirmed these bugs on our forums, we appreciate your help.

The release notes are available at

Always run /admin/upgrade in your browser after patching or upgrading your installation.

Download 4.0.1 Patch Download 4.0.1 Full

SHA256 Sums

// (


To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Blesta 4.0 Released

March 16, 2017 | Posted by Paul

It’s been a wild ride, but the time has finally come for FOUR. This is our largest release since version 3 with over 400 tasks completed, and it’s available right now.

Download 4.0

See the documentation for details on how to install or upgrade.

What’s new in 4.0?

  • PHP 7 is now supported.
  • Major codebase upgrade to new version of the minPHP framework.
  • Mass Mailer plugin lets you send email to specific customers, or export the data.
  • Clean new FOUR staff and client area themes, and new dropdown staff menu.
  • Fantastic looking interactive graphs let you see a breakdown of revenue by payment type.
  • New client order link and permissions based order form listing page.
  • Many order form improvements like reCAPTCHA 2, GeoIP state/province selection & more.
  • Fantastic new The SSL Store module and plugin. Create an account and start selling now.
  • Blesta License Module is now included with Blesta for Blesta resellers.

And so much more that the changelog can’t even show them all!

Directories removed in 4.0

The following directories are not in the 4.0 distribution, but were in 3.x. If upgrading, you may remove them.

  • ~/helpers/date
  • ~/helpers/form
  • ~/helpers/html
  • ~/helpers/javascript
  • ~/helpers/pagination
  • ~/helpers/xml

A big shout out to KnownHost for sponsoring development again for several new items in 4.0! If your company is interested in sponsored development, we would love to hear from you!

Other New Developments

What’s next?

Smaller, more frequent releases. The next couple releases are likely to include some minor, frequently requested features and improvements. We are also working on some bigger things behind the scenes, like better support for domains. Those things will be pushed out as they become available.

Blesta 4.0 Beta Released

September 15, 2016 | Posted by Paul

With much anticipation, we are pleased to announce that Blesta 4.0.0 BETA 1 has been released! This release is shaping up to be the biggest since 3.0 with over 300 tasks completed.

Can I participate in the beta?

If you have an owned or monthly license with us directly, you may download in the client area now (Login Required). If you obtained your license from a reseller or distributor, you may be able to participate. Contact your reseller to find out. As with any beta, and especially a major release like this one this is for non-production use only and is unsupported. During installation, choose to start a free trial or use your dev license if you have one.

Once you are up and running, head to the forums to report any issues and let us know what you think!

Visit the Beta Forums!

MassMailer included in Blesta FOUR

So what is new in 4.0?

Version 4.0 includes an upgrade to minPHP 1.0, our PHP framework, and raises the minimum system requirements to PHP 5.4. We recommend running the beta under PHP 5.6. If you plan to run v4 under PHP 7, please wait for a subsequent beta release as there are known issues with PHP 7 in beta 1.

New or Updated Extensions

  • Mass Mailer Plugin lets you filter and email specific clients, or export to use in your email campaign software
  • Blesta License Module is now included with Blesta for Blesta resellers
  • Multicraft - Add support for v2 of API and force port 25565 (configurable) for dedicated IPs
  • SolusVM - Allow base IP quantity to be set for the Package
  • Order - Float order summary box to the top on order forms if page scrolls
  • Order - Preselect country and state/province using GeoIP during checkout
  • Order - Update ReCaptcha to version 2
  • Order - New order form visibility options: Public, Shared, Client Only
  • Order - Add link to client area to show available order forms
  • Order - Store IP address of order and add tag to order notifications

Also, an exciting new module will be included in a subsequent beta.

Changes to the Core

  • Add an “In Review” dialog for services at the top of the client dashboard (beta 2)
  • Added the ability to bulk void invoices on client profile pages (beta 2)
  • Refresh admin and client themes to give a new, cleaner look and feel
  • Updated buttons in the admin UI in favor of Bootstrap buttons
  • Updated all icons in the admin UI in favor of Font Awesome
  • Replaced navigation with a drop down menu instead for the admin area
  • Improved client area navigation and made it always visible
  • Replaced admin Dashboard and Billing Overview graphs with interactive nvd3 graphs

And a whole lot more! There’s over 300 tasks in this release, see the release notes for more details.

When is the final release?

Version 4.0 will be officially released after the beta phase has completed. Given that 4.0 is a major release, we expect there will be more betas than typical with a minor release. Once we deem 4.0 stable for production, a final release will be issued. You can help speed things along by participating in the beta!

Goodbye Wordpress

August 3, 2016 | Posted by Paul

When it comes to Content Management Systems, Wordpress dominates the market. ManageWP reports that nearly 75 Million websites are running Wordpress.

Wordpress is convenient. It’s easy to install, easy to use, and easy to customize. There are a seemingly endless supply of themes and plugins available to suit your every need. This very website has used Wordpress for many years, until now.

So why the change?

Consider the following:

  • There have been, and continue to be many vulnerabilities for Wordpress
  • Wordpress installations are the frequent target of brute force attacks and penetration tests
  • While caching can help to some degree, Wordpress is very slow and expensive to scale

Introducing Hugo

Hugo: A fast and modern static site generator

Hugo is a fast and modern static site generator. Like other static site generators, Hugo builds your website rather than serving it on the fly through a runtime like PHP, or a database like MySQL. Web servers are really good at serving static content, so this eliminates much of the overhead.

With all of the static site generators out there, why did we go with Hugo?

  1. Hugo is written in Go and is really, really fast. (~1 ms write time per page)
  2. Hugo builds pages and blog posts from Markdown files.
  3. Hugo has a built in web server for development, rendering changes on the fly.
  4. There is a wordpress-to-hugo exporter, so we were able to import existing posts.
  5. You can create your own themes.

Getting started with Hugo is really simple and Hugo will run on Windows, Linux, and OSX. Remember, Hugo is a static site generator, so you’ll install it on your computer and upload the distribution to your web server after it’s generated. Alternatively, you could run hugo on your web server and use source control to check out your updates and re-build your site.

If you want to try Hugo, take a look at their Quickstart guide. It’s quick and simple to get up and running with a prebuilt theme.

Creating a new theme is really the most difficult part of using Hugo, and their documentation is not great in this area but we were able to find a solution to most of our issues on their community forum.

This post was generated from a simple Markdown text file, cool right?


Some of us remember the days of Dreamweaver, and FrontPage, or writing our own HTML pages in Notepad. In a way, the Internet has come full circle. Static site generators are becoming the wave of the future, only this time for all the right reasons.

Hugo is for those of us that like to break free of the norm and try something different and better. Much like Blesta. Never settle.

Security Advisory

August 2, 2016 | Posted by Paul

We have released new updates for all supported versions of Blesta. These updates address security related concerns with Blesta and have an impact rating of Low. More information about how we rate vulnerabilities can be found on our Security Advisories page.

Affected Versions

Versions 3.0.0 through 3.6.1 are affected.


This update addresses two security concerns:

  1. An undemonstrated potential vulnerability. In cooperation with a competing software application, we will release further details about this issue and how it affects Blesta once a sufficient amount of time has passed.
  2. Full Path Disclosure.


If you are running 3.6.0 or 3.6.1, apply the following patch:

3.6.x -> 3.6.2 - Download Patch

If you are running a version prior to 3.6.0, upgrade to 3.6.2:

3.6.2 - Download Full

Be sure to run ~/admin/upgrade in your browser after updating the files. A new configuration variable will be written to your ~/config/blesta.php config file. Ensure that it is writable.

Related tasks: CORE-2228, CORE-2231


It is best to upgrade to 3.6.2, however, the Full Path Disclosure issue may be mitigated by changing the System.debug variable to false in ~/config/core.php. To do so, open ~/config/core.php and look for the following:

Configure::set("System.debug", true);

Change this to:

Configure::set("System.debug", false);

This will effectively disable stack traces within minPHP “Oh noes” error pages. When upgrading to Blesta 3.6.2, this option is defined and overridden in Blesta’s config file (~/config/blesta.php).


These items were reported by Sabri (@pwnsdx) in accordance with our Responsible Disclosure Policy.