FreePgs.com Forum

FreePgs Related => Support Requests => Topic started by: admin on April 16, 2014, 02:33:37 PM

Title: Not worth the aggravation
Post by: admin on April 16, 2014, 02:33:37 PM
Running this service is not worth the aggravation.

We have to constantly deal with spammers exploiting users that do not keep their scripts up to date, our servers getting blacklisted, threatened to unplug our servers on a daily basis, etc.  It is an endless cycle at least every week.

For this reason, we are seriously considering shutting this service down.

The next time we find outdated scripts on a users site, spam coming from a users site, or other activities that are against our terms of service or our providers terms of service, we will be cancelling those accounts permanently.  In most cases, the exploits are either due to outdated CMS/forum/blog scripts that allow users to upload files to your site (then use those files to send massive amounts of spam), or by exploited passwords.  It is important that every change ALL of their passwords, including control panel, FTP, mail accounts, etc.

When updating to a new version of WordPress (for example) be sure to check for malicious files that could have been placed there from an exploited version (especially if you are upgrading from a version older than 3.7.1).
Title: Re: Not worth the aggravation
Post by: Scorpion Illuminati on April 16, 2014, 02:57:03 PM
Quote from: admin on April 16, 2014, 02:33:37 PM
Running this service is not worth the aggravation.

We have to constantly deal with spammers exploiting users that do not keep their scripts up to date, our servers getting blacklisted, threatened to unplug our servers on a daily basis, etc.  It is an endless cycle at least every week.

For this reason, we are seriously considering shutting this service down.

The next time we find outdated scripts on a users site, spam coming from a users site, or other activities that are against our terms of service or our providers terms of service, we will be cancelling those accounts permanently.  In most cases, the exploits are either due to outdated CMS/forum/blog scripts that allow users to upload files to your site (then use those files to send massive amounts of spam), or by exploited passwords.  It is important that every change ALL of their passwords, including control panel, FTP, mail accounts, etc.

When updating to a new version of WordPress (for example) be sure to check for malicious files that could have been placed there from an exploited version (especially if you are upgrading from a version older than 3.7.1).
That would be very unfortinate and unfair to the users who legitamitly use this wonderful service and have paid for a couple of years. It would punish them more then those who are causing harm. As there aren't many hosts with such great services and very low limits, it would mean laginimate users would have to either pay a bigger fee on a different service or migrate to a free host(and we all know whats that like :P). Please keep this wonderful service running, many people depend on it. :)

Sincerely,

Customer
Title: Re: Not worth the aggravation
Post by: admin on April 16, 2014, 04:27:52 PM
I hope it does not have to be shut down, but unfortunately, a small number of users can cause heaps of problems.  Most of the problem users have been eliminated from the other transitions, so hopefully this will improve.

Quote from: Aleeious on April 16, 2014, 02:57:03 PM
Quote from: admin on April 16, 2014, 02:33:37 PM
Running this service is not worth the aggravation.

We have to constantly deal with spammers exploiting users that do not keep their scripts up to date, our servers getting blacklisted, threatened to unplug our servers on a daily basis, etc.  It is an endless cycle at least every week.

For this reason, we are seriously considering shutting this service down.

The next time we find outdated scripts on a users site, spam coming from a users site, or other activities that are against our terms of service or our providers terms of service, we will be cancelling those accounts permanently.  In most cases, the exploits are either due to outdated CMS/forum/blog scripts that allow users to upload files to your site (then use those files to send massive amounts of spam), or by exploited passwords.  It is important that every change ALL of their passwords, including control panel, FTP, mail accounts, etc.

When updating to a new version of WordPress (for example) be sure to check for malicious files that could have been placed there from an exploited version (especially if you are upgrading from a version older than 3.7.1).
That would be very unfortinate and unfair to the users who legitamitly use this wonderful service and have paid for a couple of years. It would punish them more then those who are causing harm. As there aren't many hosts with such great services and very low limits, it would mean laginimate users would have to either pay a bigger fee on a different service or migrate to a free host(and we all know whats that like :P). Please keep this wonderful service running, many people depend on it. :)

Sincerely,

Customer
Title: Re: Not worth the aggravation
Post by: markjay on April 17, 2014, 02:14:39 AM
FreePgs.com has been one of my favorite hosting service since I hopped-in since way back in 2004. We hope that we can somehow retain legitimate users and eliminate those who abuse this service for spamming.

Cheers for FreePgs.com and for many years to come...
Title: Re: Not worth the aggravation
Post by: admin on April 18, 2014, 01:05:53 AM
The problem is not with users spamming, but users not keeping their scripts up to date that then allow others to inject files, setup phishing sites, and send massive amounts of spam.
Title: Re: Not worth the aggravation
Post by: zen on April 18, 2014, 06:29:52 AM
Users who don't upgrade their script after reminders had been sent are not serious about their site or they just don't care. This show their site are either not important to them or they had an attitude problem. They should be using facebook instead of making website. Should consider suspend them for the first and second time and let them explains why their script is not updated and on the 3rd time they should be kick  out. I think this have been going on for ages something need to be done otherwise these people just don't paid attention to our problem.
Title: Re: Not worth the aggravation
Post by: namhuy on April 19, 2014, 04:13:32 PM
Admin, are you Ed? install rkhunter, chkrootkit, ClamAV, and mod_security. If you can limit sending mail or block it completely.

For wordpress users, I believe there is a plugin to let auto update plugins/theme (not sure auto update wordpress core or not).
Title: Re: Not worth the aggravation
Post by: Scorpion Illuminati on April 20, 2014, 06:36:25 AM
Quote from: namhuy on April 19, 2014, 04:13:32 PM
Admin, are you Ed? install rkhunter, chkrootkit, ClamAV, and mod_security. If you can limit sending mail or block it completely.

For wordpress users, I believe there is a plugin to let auto update plugins/theme (not sure auto update wordpress core or not).
Those are for rootkits and viruses which while useful don't really do much since I suspect many of the scripts sending the spam are normal php scripts that exploit a security hole somewhere down the line or simply scripts that run indefinitely using the mail() function to send a predetermined email message. mod_security seems like  very good answer as well as Suhosin (http://www.hardened-php.net/suhosin.127.html). Limiting emails may pose a problem when the person hosing the site can no longer send password reset instructions or registration info to users.
Title: Re: Not worth the aggravation
Post by: namhuy on April 20, 2014, 09:24:07 AM
you can always setup smtp with mandrill or google/yahoo smtp
Title: Re: Not worth the aggravation
Post by: admin on April 20, 2014, 10:14:21 PM
Thank you.  We will take these under advisement.

Most likely, we will just stop all mail() functions, but unfortunately, sending of spam is not the only thing that is happening with users and their outdated scripts nor is it just malicious scripts injected on sites, but files being added to phish, etc that themselves are not malicious (in that antivirus, mod_security, rkhunter (which we already use) would catch.

We will go through all users searching for outdated scripts.  If a site is found to contain outdated scripts we will be forced to disable all of the users sites permanently without notice.  This is unfortunate, but there are too many users that load a script and never use it.  Be sure you either keep every script updated or remove scripts you are not using.  This includes scripts in /old directories, etc.

In the past, we blocked the mail function and only allowed it upon request.  This may need to happen again.  (As said above, this would not stop all of the abuse.)

Everyone needs to keep every script they use up to date.  They need to be using the highest PHP version their scripts will allow.  We will be removing 5.2/5.3 from all servers in the near future.  If your scripts do not run with PHP 5.4 or later, it is time to find something else to use.

Due to all of the breaches of late, be sure you are changing all passwords regularly.  Especially control panel, FTP, and mail account passwords, but it is also a good idea to change database passwords as well.
Title: Re: Not worth the aggravation
Post by: admin on April 20, 2014, 10:51:54 PM
We will be doing additional scans for outdated WordPress versions on all servers tomorrow at some point.  If your site is found to not be running the latest version, your site will be suspended.

If more than 15 sites are found that contain outdated scripts, we will seriously consider disabling the mail function globally.
Title: Re: Not worth the aggravation
Post by: Scorpion Illuminati on April 21, 2014, 02:33:41 AM
Quote from: namhuy on April 20, 2014, 09:24:07 AM
you can always setup smtp with mandrill or google/yahoo smtp
While this can be done easily it would look very suspicious and unprofessional to do this. The reason is anyone can easily open a gmail account and send messages claiming to have your account banned for whatever and asking for your username and password. Believe me this happens more often then you think and people fall for it all the time.

Quote from: admin on April 20, 2014, 10:14:21 PM
Thank you.  We will take these under advisement.

Most likely, we will just stop all mail() functions, but unfortunately, sending of spam is not the only thing that is happening with users and their outdated scripts nor is it just malicious scripts injected on sites, but files being added to phish, etc that themselves are not malicious (in that antivirus, mod_security, rkhunter (which we already use) would catch.

We will go through all users searching for outdated scripts.  If a site is found to contain outdated scripts we will be forced to disable all of the users sites permanently without notice.  This is unfortunate, but there are too many users that load a script and never use it.  Be sure you either keep every script updated or remove scripts you are not using.  This includes scripts in /old directories, etc.

In the past, we blocked the mail function and only allowed it upon request.  This may need to happen again.  (As said above, this would not stop all of the abuse.)

Everyone needs to keep every script they use up to date.  They need to be using the highest PHP version their scripts will allow.  We will be removing 5.2/5.3 from all servers in the near future.  If your scripts do not run with PHP 5.4 or later, it is time to find something else to use.

Due to all of the breaches of late, be sure you are changing all passwords regularly.  Especially control panel, FTP, and mail account passwords, but it is also a good idea to change database passwords as well.
This is all very sound advice and disabling mail globally and requiring users to ask to have the function enabled individually would mean only those who truly need it have it enabled. I am developing a php game and just switched on version 5.5 and hope to get it working on that version. As for my script, i try to write my script with security in mind, and as my script doesn't upload and all input is sanitized and checked for validity. :P I have changed all my passwords recently as a security precaution.

EDIT: You should also remove PHP versions that have reached EOL(end-of-life) PHP 5.3 EOL Announcement (http://php.net/archive/2013.php#id2013-07-11-1) and require the site owners to use the next higher version. If the scripts on the site stops working then the owner will hopefully "wake up" and can either upgrade the script to a newer version, ask the script publisher to support the latest PHP version or move to a different script. I once had a very bad experience with a host that refuses to upgrade past 5.2.17 because:
Quote
It will break existing customers scripts.
Not only is this a security hazard, but it is very bad advice in general. I'll spare the host embarrassment and not mention who it was but, i will say it was a paid host. Surface to say I asked for a refund and used the money to pay for 10 years of freepgs hosting at the then $3 a year annual fee. That was the best well spent money I have payed. :P.
Sincerely,

Aleeious

P.S. Could you please change the Pong Master text next to my name to Aleeious Lead Developer Thanks.
Title: Re: Not worth the aggravation
Post by: Scorpion Illuminati on April 21, 2014, 05:54:30 AM
Not sure why it won't let me edit my original post but, here is a literately 3 minute video on updating your Wordpress installation with just a couple of clicks. Now there is no excuse for why you didn't do it.

Sincerely,

Aleeious

Link - here (http://www.youtube.com/watch?v=5ENxlugkiUg)
Title: Re: Not worth the aggravation
Post by: namhuy on April 21, 2014, 08:57:08 AM
I didnt realized default php from centos yum is 5.3 x_x I just upgraded to 5.5 using remi/epel repo on my vps just now. centos is too slow to get to packages.

Aleeious, there is an auto update plugin for wordpress, I tried before and It works, you might want to looking into it :)
Title: Re: Not worth the aggravation
Post by: Scorpion Illuminati on April 22, 2014, 05:45:49 AM
Quote from: namhuy on April 21, 2014, 08:57:08 AM
I didnt realized default php from centos yum is 5.3 x_x I just upgraded to 5.5 using remi/epel repo on my vps just now. centos is too slow to get to packages.

Aleeious, there is an auto update plugin for wordpress, I tried before and It works, you might want to looking into it :)
There is no need to install a plug-in, Wordpress 2.7+ includes it as part of the core software and for reference i currently don't use Wordpress but, have in the past.

Sincerely,

Aleeious
Title: Re: Not worth the aggravation
Post by: admin on April 22, 2014, 04:02:07 PM
Quote from: Aleeious on April 21, 2014, 02:33:41 AM
P.S. Could you please change the Pong Master text next to my name to Aleeious Lead Developer Thanks.

Are you not able to update your title in the forum?  If not, I will do this for you.
Title: Re: Not worth the aggravation
Post by: admin on April 22, 2014, 04:07:11 PM
Quote from: Aleeious on April 21, 2014, 02:33:41 AM

EDIT: You should also remove PHP versions that have reached EOL(end-of-life) PHP 5.3 EOL Announcement (http://php.net/archive/2013.php#id2013-07-11-1) and require the site owners to use the next higher version. If the scripts on the site stops working then the owner will hopefully "wake up" and can either upgrade the script to a newer version, ask the script publisher to support the latest PHP version or move to a different script. I once had a very bad experience with a host that refuses to upgrade past 5.2.17 because:

Sorry for the double post.  Our plans are to remove 5.2 and 5.3 once 5.6 is released.  (5.2 may very well be removed before that.  It has only been kept due to compatibility reasons for some users, but honestly it is not worth the risk.)  The problem is that some have 5.2.17 selected that can use a newer version.
Title: Re: Not worth the aggravation
Post by: Scorpion Illuminati on April 22, 2014, 09:11:21 PM
Quote from: admin on April 22, 2014, 04:07:11 PM
Quote from: Aleeious on April 21, 2014, 02:33:41 AM

EDIT: You should also remove PHP versions that have reached EOL(end-of-life) PHP 5.3 EOL Announcement (http://php.net/archive/2013.php#id2013-07-11-1) and require the site owners to use the next higher version. If the scripts on the site stops working then the owner will hopefully "wake up" and can either upgrade the script to a newer version, ask the script publisher to support the latest PHP version or move to a different script. I once had a very bad experience with a host that refuses to upgrade past 5.2.17 because:

Sorry for the double post.  Our plans are to remove 5.2 and 5.3 once 5.6 is released.  (5.2 may very well be removed before that.  It has only been kept due to compatibility reasons for some users, but honestly it is not worth the risk.)  The problem is that some have 5.2.17 selected that can use a newer version.
True, however they will be running newer versions of PHP that are more secure and compatibility won't maa difference throwing out the whole "5.2.17 for compatibility" issue. As for the others that aren't compatible my last comment still stands.

Quote from: admin on April 22, 2014, 04:02:07 PM
Quote from: Aleeious on April 21, 2014, 02:33:41 AM
P.S. Could you please change the Pong Master text next to my name to Aleeious Lead Developer Thanks.

Are you not able to update your title in the forum?  If not, I will do this for you.
Nope, seems when you upgraded the forum you removed the permissions required to self update it. Thanks for updating it.

Sincerely,

Aleeious
Title: Re: Not worth the aggravation
Post by: admin on April 23, 2014, 01:08:37 AM
Quote from: Aleeious on April 22, 2014, 09:11:21 PM
Quote from: admin on April 22, 2014, 04:07:11 PM
Quote from: Aleeious on April 21, 2014, 02:33:41 AM

EDIT: You should also remove PHP versions that have reached EOL(end-of-life) PHP 5.3 EOL Announcement (http://php.net/archive/2013.php#id2013-07-11-1) and require the site owners to use the next higher version. If the scripts on the site stops working then the owner will hopefully "wake up" and can either upgrade the script to a newer version, ask the script publisher to support the latest PHP version or move to a different script. I once had a very bad experience with a host that refuses to upgrade past 5.2.17 because:

Sorry for the double post.  Our plans are to remove 5.2 and 5.3 once 5.6 is released.  (5.2 may very well be removed before that.  It has only been kept due to compatibility reasons for some users, but honestly it is not worth the risk.)  The problem is that some have 5.2.17 selected that can use a newer version.
True, however they will be running newer versions of PHP that are more secure and compatibility won't maa difference throwing out the whole "5.2.17 for compatibility" issue. As for the others that aren't compatible my last comment still stands.

Quote from: admin on April 22, 2014, 04:02:07 PM
Quote from: Aleeious on April 21, 2014, 02:33:41 AM
P.S. Could you please change the Pong Master text next to my name to Aleeious Lead Developer Thanks.

Are you not able to update your title in the forum?  If not, I will do this for you.
Nope, seems when you upgraded the forum you removed the permissions required to self update it. Thanks for updating it.

Sincerely,

Aleeious

I agree with you about older PHP versions, especially 5.2.17.  We will force these to at least 5.3.28 and remove 5.2.17 as a selection.  I have found some users still using 5.2.17 because that is what they were using on the old servers, even though they are running newer scripts.  Once 5.6.x is released, the same thing will be done with 5.3, moving all that have 5.3 set to 5.4.  The choices will be 5.4/5.5/5.6 at that time.
Title: Re: Not worth the aggravation
Post by: Speedline Z on May 11, 2014, 04:08:39 PM
I have, i believe an outdated vBulletin or phpbb installed on a subscription or two i asked to be suspended a while back (since i shut the sites down), and thus granted it's not accessible to the web, I also don't have the ability to access it to delete it ... I think i'll shoot you an email shortly about doing some general clean up on my account for all of the things I am no longer using. 
Title: Re: Not worth the aggravation
Post by: admin on August 03, 2014, 06:15:46 PM
This service is starting to get out of hand again.  Users using well beyond their CPU resources, a large number of mysql tables and queries not optimized, outdated scripts, insecure permissions, etc.

I guess our only choice will be to shut this down.
Title: Re: Not worth the aggravation
Post by: namhuy on August 04, 2014, 08:10:35 AM
no way to throttle cpu?
Title: Re: Not worth the aggravation
Post by: admin on August 04, 2014, 05:40:05 PM
Quote from: namhuy on August 04, 2014, 08:10:35 AM
no way to throttle cpu?

Not easily with the way things are setup.  It is not just CPU but overall I/O wait that causes problems.

The West server was recently using much CPU, but it was used by Qmail due to a spammer injecting some scripts in an outdated site.  Restricting the user wouldn't have stopped this since it was the Qmail process using a good portion of the resources.  (The rest of the systems are not running Qmail and have less of these issues.)
Title: Re: Not worth the aggravation
Post by: markjay on August 04, 2014, 10:15:09 PM
It so sad that some users are abusing this kind of service that you never find elsewhere. I don't want to see this great service gone... FreePgs.com is still the best and greatest hosting service I have ever found.
Title: Re: Not worth the aggravation
Post by: admin on August 05, 2014, 12:37:48 PM
I feel bad for the users that don't cause problems, but unfortunately, there are numerous problems being caused, most are not intentional (while some are).

-Dormant sites/scripts that then get exploited (because they are not kept up to date)
-Users using too many resources (page loads taking 10+ seconds, easily DoS'd)
-Improperly indexed tables (likely no indexes at all on some)
-Inefficient database queries
-Selection of lower PHP versions that is necessary to run their script.
Title: Re: Not worth the aggravation
Post by: Leirosa on August 06, 2014, 12:10:41 AM
I would be quite sad if this service shut down since I have used it for so long.

After the problems started, I started keeping all my forum scripts up to date, but I am not knowledgeable with optimizing databases. If there is something I can do to help on my end I will though.

If it does close, will there be an option to transfer to an lvcs plan? Although I don't relish paying a lot more to keep my site open, I still have users and my sites mean to much to me and them to shut them down.
Title: Re: Not worth the aggravation
Post by: admin on August 06, 2014, 05:00:06 AM
We are starting to force the few new users into plans where number of connections can be limited.  Hopefully this will help reduce the problem (to some extent), especially if this is extended to the rest of the users.  Existing users of the system are excluded from some of the rules, so we will need to design a custom plan for these users.

For tables: If a field is in the ORDER BY or WHERE clauses, be sure those fields are indexed.  (i.e. If you are filtering for something and/or sorting by something, those fields you are sorting and filtering by should be indexed at the very minimum.)
Title: Re: Not worth the aggravation
Post by: Scorpion Illuminati on August 06, 2014, 08:52:29 PM
Quote from: admin on August 05, 2014, 12:37:48 PM
I feel bad for the users that don't cause problems, but unfortunately, there are numerous problems being caused, most are not intentional (while some are).

-Dormant sites/scripts that then get exploited (because they are not kept up to date)
-Users using too many resources (page loads taking 10+ seconds, easily DoS'd)
-Improperly indexed tables (likely no indexes at all on some)
-Inefficient database queries
-Selection of lower PHP versions that is necessary to run their script.
So do i, a few bad apples ruining it for everyone is very unfair.
Quote
For tables: If a field is in the ORDER BY or WHERE clauses, be sure those fields are indexed.  (i.e. If you are filtering for something and/or sorting by something, those fields you are sorting and filtering by should be indexed at the very minimum.)
Could you please explain this a bit more? Does that mean I should create indexes for all my columns? Any assistance would be greatly appreciated.

Sincerely,

Aleeious
Title: Re: Not worth the aggravation
Post by: admin on August 11, 2014, 12:17:05 AM
Quote from: Aleeious on August 06, 2014, 08:52:29 PM
Quote from: admin on August 05, 2014, 12:37:48 PM
I feel bad for the users that don't cause problems, but unfortunately, there are numerous problems being caused, most are not intentional (while some are).

-Dormant sites/scripts that then get exploited (because they are not kept up to date)
-Users using too many resources (page loads taking 10+ seconds, easily DoS'd)
-Improperly indexed tables (likely no indexes at all on some)
-Inefficient database queries
-Selection of lower PHP versions that is necessary to run their script.
So do i, a few bad apples ruining it for everyone is very unfair.
Quote
For tables: If a field is in the ORDER BY or WHERE clauses, be sure those fields are indexed.  (i.e. If you are filtering for something and/or sorting by something, those fields you are sorting and filtering by should be indexed at the very minimum.)
Could you please explain this a bit more? Does that mean I should create indexes for all my columns? Any assistance would be greatly appreciated.

Sincerely,

Aleeious

You should create indexes for any column your are sorting or filtering by.  If you are not sorting by that column (i.e. using it in an ORDER BY clause) or filtering by that field (using it in a WHERE clause), this will not be necessary.  [This should also be done if joining tables using these fields.]
Title: Re: Not worth the aggravation
Post by: admin on August 11, 2014, 12:29:55 AM
As long as your site isn't taking multiple seconds per page load, you are generally fine.  (We are not talking about time waiting on downloading files to the client computer, Nginx offloads that part from Apache very well, but time waiting on your pages to generate due to waiting for MySQL, waiting for a remote API, etc.)

For the most part, we try to keep the load low on the servers.  We let users exceed CPU-I/O time limits for a period of time in case they are working with their site or are getting a traffic spike.  When we get complaints on the performance of a specific server, if we find these high resource users and the reason they are using resources is Google is crawling their site (because their site takes 10 seconds to load on each pageview), we generally disable the user and attempt to help them index their tables or explain what processes are using too many resources.

If your site loads fast, you will likely never fall into this group.

By replying to this topic, we didn't want to send the message that we were thinking of discontinuing the service, because we are not.  We may need to consolidate it further in an effort to lose less money, but there is no reason the service will need to be discontinued in the near future.
Title: Re: Not worth the aggravation
Post by: Scorpion Illuminati on August 12, 2014, 03:14:22 AM
Quote from: admin on August 11, 2014, 12:29:55 AM
As long as your site isn't taking multiple seconds per page load, you are generally fine.  (We are not talking about time waiting on downloading files to the client computer, Nginx offloads that part from Apache very well, but time waiting on your pages to generate due to waiting for MySQL, waiting for a remote API, etc.)

For the most part, we try to keep the load low on the servers.  We let users exceed CPU-I/O time limits for a period of time in case they are working with their site or are getting a traffic spike.  When we get complaints on the performance of a specific server, if we find these high resource users and the reason they are using resources is Google is crawling their site (because their site takes 10 seconds to load on each pageview), we generally disable the user and attempt to help them index their tables or explain what processes are using too many resources.

If your site loads fast, you will likely never fall into this group.

By replying to this topic, we didn't want to send the message that we were thinking of discontinuing the service, because we are not.  We may need to consolidate it further in an effort to lose less money, but there is no reason the service will need to be discontinued in the near future.
I'm sorry but everytime i see:
Quote from: admin
I guess our only choice will be to shut this down.
I start to fear the worst.

Quote from: admin
You should create indexes for any column your are sorting or filtering by.  If you are not sorting by that column (i.e. using it in an ORDER BY clause) or filtering by that field (using it in a WHERE clause), this will not be necessary.  [This should also be done if joining tables using these fields.]
My app uses where clauses for user.username, username.password, matchindex.id, matchindex.challenger and matchindex.defender. You can see how everything works on my github (http://www.github.com/aleeious/aleeiousmmo) page. Any assistance would be greatly appreciated.

Sincerely,

Aleeious
Title: Re: Not worth the aggravation
Post by: admin on August 13, 2014, 02:49:48 AM
...My app uses where clauses for user.username, username.password, matchindex.id, matchindex.challenger and matchindex.defender. You can see how everything works on my github page. Any assistance would be greatly appreciated....

As long as the fields you have listed are indexed along with any fields used in your JOIN statements, you will be fine.