Just a moment...

All posts by artur

Magento 2.2.5 and 2.1.14 Security Update

Magento Commerce and Open Source 2.2.5 and 2.1.14 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.5.

As always, install the patch in a development environment and test before applying it to your live site. Please refer to Security Best Practices for additional information how to secure your site.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost. Visit the official Magento site for more details:

15 Updates:

APPSEC-2014: Authenticated Remote Code Execution (RCE) through the Magento admin panel (swatches module)APPSEC-2054: Remote Code Execution (RCE) via product import

APPSEC-2042: PHP Object Injection and RCE in the Magento 2 EE admin panel (Commerce Target Rule module)

APPSEC-2055: PHP Object Injection and RCE in the Magento 2 Commerce admin panel (Schedule Import/Export Configuration)

APPSEC-2048: SQL Injection through API

APPSEC-2025: Arbitrary File Delete via Product Image

APPSEC-2044: Cross-Site Scripting (XSS) through B2B quote

APPSEC-2026: Authenticated Remote Code Execution (RCE) through the Magento admin panel (currency configuration)

APPSEC-2070: Directory Traversal in Product Import

APPSEC-2062: Remote Code Execution (RCE) through dev tools

APPSEC-2027: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)

APPSEC-2010: Cross-Site Request Forgery + Frontend Stored XSS (Design Configuration)

APPSEC-2030: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)

APPSEC-1716: X-Frame-Options missing from templates

APPSEC-1993: IP Spoofing

 

Google Chrome Announces Important Security Updates Required by July 2018

The date is fast approaching for Google’s deadline to encrypt your site. This will include acquiring an SSL Certificate and moving to HTTPS. If these steps are not taken, it could impact your customers, your SEO rankings and ultimately, your reputation.

Maintaining the security and compliance of your site is a top priority for our team. If you require any assistance, our dedicated Magento engineers are available 24/7 to offer support and guidance. Please take a few minutes to learn more about these requirements below and feel free to reach out to us if you have any questions.  

Security Requirements

If your site is not fully compliant with these requirements, you have until July 2018 to make the necessary modifications. Not sure if your site will be impacted or how to become compliant?  Here is a step-by-step guide to verify and update your site’s security protocols.

SSL Certificates

If you do not currently have an SSL Certificate, you will need to purchase one as a first step in gaining security compliance. We provide free SSL Certificates and installation to all our Magento Clients.

If you do have an SSL Certificate but your site is using a SSL/TLS Certificate from Symantec that was issued before June 1, 2016, it will stop functioning as a secure site in Chrome 70 this coming July. This could already be impacting your customers.

Symantec SSLs that were issued before June 1, 2016, utilized an older Secure Hash Algorithm (SHA-128) which came equipped with a renewal date that extended past Google’s preferred expiration timeframe. To be compatible with the release of Google Chrome 70, requirements for SSL Certificates will need to be updated to the newest version (SHA-265). You will want to replace your certificate as soon as possible before the Chrome 70 release. If the certificates are not replaced, users will begin seeing certificate errors on your site. If you are unsure if you have the latest version of SSL certification, continue reading to learn how you can verify your compliance.   

Testing Your Site For Compliance

To gain HTTPS full encryption compliance, your first step is to ensure your SSL Certificate is up to date. You can test the security of your site and your SSL status by going to Qualys SSL Labs. The desired outcome is to receive an “A” in all 4 sections. The sections include Certificate, Protocol Support, Key Exchange, and Cipher Strength. Receiving a passing score in all four sections means that your SSL Certificate will function securely under the Chrome 70 release. This will also be important for gaining and maintaining PCI Compliance. Our servers are configured to be fully secured and HTTPS encrypted out of the box.

How to Gain SSL Certificates and HTTPS Compliance

As a fully managed service provider, eBoundHost – JetRails can assist you in purchasing and installing your SSL Certificate. We can also help you manage your encryption configurations through our technology stack. However, your development team will need to ensure all required coding is ready for HTTPS.

Additional Resources:

https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

 

 

 

 

 

Magento case study: Refusing to settle helped this multi-million-dollar family business make more money

Moon Audio: From the garage to the main stage

Started by a husband and wife team in their garage 15 years ago, Moon Audio is a leader in its field – but don’t call it a ‘mom & pop shop’. They found success building ultra-high-end silver audio cables for music lovers, audiophiles, sound recording engineers and producers who want to hear more nuance, detail and resolution in their original recordings.  They also make stock cables for JH Audio now used on stage by the likes of Beyoncé, Maroon 5, Bruce Springsteen, and The Pixies. Before long, they expanded into retailing high-end listening equipment online and have built a loyal, worldwide customer base.

This case study follows Moon Audio’s journey :

  • Their host couldn’t improve their speed
  • Downtime and outages became intolerable
  • The team took a leap of faith to find a new host
  • eBoundHost increased speed, conversion and SEO performance

Problem: Bad Speeds, Worse Communication

“our load times sucked, it was awful!”

In early 2016, co-owner Nichole Baird was unhappy with the speed of the Moon Audio site. Google Analytics showed average load times around 6 seconds. “We needed to get less than 2 seconds,” but her hosting provider maintained it was actually 3 seconds. “They wouldn’t ever say ‘let’s find a common way to measure this.’ I never felt like I was on the same page as him…  I felt like I was at a disadvantage because I didn’t speak his language well enough to ask the right question.” Nothing improved, and eventually the host told Nichole “I’ve done everything I can do.”

Frustrated by stagnating load times and stonewalling from her host, her site was deliberately taken down for over an hour over a domain mix-up while she was on vacation.  “I was in Nashville on vacation with my daughters, trying to relax, and… all of a sudden I was down.”  Outages that long aren’t easy to shrug off –  “literally, an hour for me could be $10,000…  we don’t have small orders.”

Lack of communication added insult to injury.  “… there was no apology, no nothing! … Our host routinely would take a day or two to get back to me, it was ridiculous!  The worst thing you can do is not answer your client when they’ve had a problem like that.”  

Nichole was trying to enjoy a trip to Nashville when hosting issues cropped up.

 

“It’s just like anything in life. If you can seek an expert, you’re going to get so much farther ahead of the game.”

Time For a Change  

Nichole was finally fed up with the poor communication, slow speeds, and downtime. She started working with her developer and SEO consultant to find a new hosting provider.  “We definitely looked at a couple other places.  And I probably have a company a week email us … we’re constantly being bombarded.”  After looking over numerous options, her developer mentioned eBoundHost, and her SEO consultant “Marty liked what he heard.”

Marty had been pushing for a new hosting environment for months, and finally had high hopes for speed improvements.  Nichole found that in contrast with her old hosting provider, “[for] every question I had, the ebound team delivered a well-thought response that was thorough and didn’t leave me wondering or asking for more details … It wasn’t something [the eBoundHost team] did lightly – it was something they did sort of the way we make cables.  We hand craft our cables individually and customize them for each customer with the finest materials we can find, at a specific price point – we cater to their specific needs.”  With her team on board for the change, they were ready to switch infrastructure providers.

Solution: Making the Switch to eBoundHost

Migrating to an eBoundHost JetRails® environment, “…was pretty seamless. We didn’t have any problems when we did it.”  eBoundHost’s thorough approach to UAT (User Acceptance Testing) served to reassure the team as the new environment went live. “The exercise of going through and checking that everything is still working is great.”

Resolution: Faster Speed, Faster Sales

The JetRails environment caused a sharp improvement.  Once the site and environment had gone through optimization, speed increased dramatically.  Load times dropped from nearly 8 seconds to below 1.2 – almost 7 times faster.  Time to First Byte and Speed Index, both key indicators for user experience, also decreased by similar factors.

 “My conversion has definitely improved.  I know it will continue to improve if I keep my load time below 2 seconds, which is the standard that Google has set.“   Moon Audio caters to audiophiles, sound quality fanatics who “…want everything two weeks before they place the order”.  Speed in all its activities is Moon Audio’s “biggest advantage”. 

The site also performs well under load – it maintains sub-2-second load times even with hundreds of users on the site simultaneously.

Graph showing load time vs. active users
The blue line shows active users increasing to 400 during the test. Green shows load time, which never reaches 2 seconds.

After going live with eBoundHost, the choice was clear in retrospect. “Speed is really important. And having a company that is an expert in Magento and speed is actually the way to go, instead of going with a smaller company that doesn’t have expertise in your particular back-end framework. It’s just like anything in life. If you can seek an expert, you’re going to get so much farther ahead of the game.”   

We couldn’t agree more.  

If you’re looking to improve your site performance or solve issues with your environment, we’re always here to answer questions about Magento hosting and optimization. Get in touch anytime.

Guest Post: Jeff Finkelstein of Customer Paradigm: Don’t lock your door and leave the window open

A guest post on security from Customer Paradigm

At eBoundHost, we work with a variety of developers, designers, and security consultants to help our customers make the most of their web presences beyond the server environment.  Jeff Finkelstein of Customer Paradigm is a top Magento and WordPress developer that has helped countless clients secure their sites.  He has some pointed about the importance of patching your e commerce software.


If you run a Magento site, you probably take credit cards for payment.  It’s no secret that hackers want to steal your customers’ credit card  information, so that they make fraudulent purchases or sell the credit card numbers online.

Most eCommerce platforms  like Magento don’t actually store and save credit card information. When the user is in the cart, entering their credit card information, the credit card data is not stored on the server.  Rather, it’s encrypted and securely sent to the credit card company.

If the credit card number, expiration date, security code, name on the card, billing address on file and a few other data points are accepted (i.e. the person is not over their spending limit for the amount you’re trying to charge), then the credit card company will send back an authorization code, letting you know the credit card was accepted for the purchase amount.

That’s how it’s supposed to work. But, if someone was able to get into the code of your site, then  they can inject a little bit of code that watches and records the credit card information, then sends it off to a nefarious person.

Usually the attack is not against the core code of the eCommerce site, but a security loophole somewhere else.

Sometimes attackers are able to gain entry to a site because there is a security vulnerability that should have been patched, but hasn’t;  an insecure plugin, an out-of-date extension, or a misconfigured setting that isn’t even connected to your eCommerce site.  The main components of your eCommerce site might be very secure.  But if another portion of your site is not, it’s like leaving the side window of your house wide open and leaving on vacation.  Sure, the front door is locked, but there’s another, very easy way into the house.

If your eCommerce software developer (Magento, WooCommerce, etc.) releases a patch, it’s extremely important to install it.  Because when a security patch is sent out, the first thing hackers do is reverse engineer it to see how a site could be vulnerable if that patch isn’t applied.

If you patch your site, you’ll be in better shape.  If you don’t, the security patch is now an evildoer’s how-to guide for attacking your site.  This means failing to patch your site in a timely fashion is doubly dangerous.  Once the patch is released, unpatched sites are at even higher risk of being compromised.

We recommend using a version control system such as  git or subversion on your server, so that you can easily see if any key files have been changed.  You can also use it to run an automated scan for new, changed or removed files – key warning signs that someone has been tampering with your site.  

For example, on a Magento site, I know that if the CC.php file in the core code has been changed, the site is likely to have been attacked – this is one of many points to check for possible problems.

Bottom line: keep up to date with patches, and use a version control system to let you know if anything new has been added to the site.

I hope this helps!  My team is here to secure your site ahead of the upcoming holiday – you can call me at 303.473.4400 or visit http://www.CustomerParadigm.com/Magento for more information.

WebForms extension exploit: are you protected?

Magento has released a new patch that covers critical vulnerabilities.
WebForms is a popular extension to add more robust forms functionality to Magento sites. Unfortunately, attackers are abusing an outdated version to upload and execute PHP scripts. This can result in stolen credit card details, customer and transaction lists, and even being locked out of your own store.
Anyone using WebForms Pro 2.7.6 or older should update the extension immediately, to version 2.7.9. 

WebForms sent out the following information about the update process and ways to protect your store:

WebForms Pro Security Update

If you have WebForms version installed older than 2.7.6 please take action!
It has been recently discovered that WebForms extension can cause vulnerability on certain system configurations with Magento 1 platform installed.

If your server is running Apache 2.4, Nginx or PHP 7 you are strongly advised to download WebForms 2.7.7 update from your account area My Downloadable Products section.
The update contains new file upload scan to block possible script files from being uploaded to the server.

If you have a customized version of WebForms or performing the update is problematic, please remove the following directory:
/js/webforms/upload

It is a safe operation as it doesn’t affect any major functionality. This folder is present in current version of WebForms but will be removed in future updates.
If you have forms with file upload fields please limit allowed file extensions.”

We strongly recommend that all Magento site owners check for and patch this vulnerability right away. If you have any questions about whether your store is at risk or how to update the extension, we’re standing by to help.

Critical MySQL Vulnerability CVE-2016-6662 – Are You Protected?

header

On September 9, Dawid Golunski reported CVE-2016-6662, a major vulnerability in MySQL which also affects PerconaDB and MariaDB.  This is what’s known as a SQL injection attack, and attackers can use it to take over your server completely. It works by tricking MySQL into giving an attacker control over the system (“root privileges”) by loading malicious configuration files. Percona has a post describing the attack in more detail.

Am I at risk?

All JetRails customers at eBoundHost are already protected.  Others using older versions of MySQL, Maria or PerconaDB may be at risk.  Platforms that rely on these databases include Magento, WordPress, Drupal, OpenCart, Prestashop – any LAMP-based application may be vulnerable – if you aren’t sure, check in with your developer.

Fixes

MySQL has fixed this problem in versions 5.5.52, 5.6.33 and 5.7.15.  Percona and Maria have also released updates with fixes for the vulnerability.  Aside from upgrading, you can patch mysqld_safe, or change the permissions on configuration files to eliminate this vulnerability.

If you have any questions about your site’s safety or how to make your environment secure, get in touch.

3 Google Analytics Reports You Haven’t Used for Your Magento Store


Guest Post by Tom Bukevicius, Principal at SCUBE Marketing

Tom Bukevicius wrote this guest post for the eBoundHost blog

As the first in a series of guest posts, we’re proud to present this article by Tom Bukevicius, a Chicago-area PPC expert and taco aficionado. At SCUBE, he helps clients make the most of their traffic and PPC investment, and in this post, he shares 3 awesome ways you can make the most of your traffic by looking deeper with Google Analytics.


As a Principal at a digital marketing agency, I am exposed to analytics often. There are a lot of metrics to review, but the most important ones are what I call “money metrics.” These metrics cover store revenues, advertising costs, transaction volume, etc.

Google Analytics is an excellent tool to understand how much money your Magento store is generating. Every time I log into Google Analytics I say:

01 show me the money

Google Analytics is capable of showing the “money metrics”, but you need to know where to go. Today, I will share three reports that I bet you haven’t used. They will show you:

  1. Where the money is coming from.
  2. What path your buyers take to purchase.
  3. Where buyers get stuck during the checkout process.

Where The Money Is Coming From

Channels Report is a very popular report. It will show you the traffic, user behavior and E-Commerce revenue by traffic source. See the screenshot below.

Default channel grouping

Click for full size

Note that this report doesn’t come like this out of the box. You’ll want to make sure that you have Enhanced Ecommerce integrated with your Magento store. Without it, you will only see traffic and user behavior metrics – forcing you to make wild guesses and making it hard to improve performance.

Why I Love This Report?

I can see the performance of each channel. This allows me to evaluate and direct marketing investment into the channels that perform best. This becomes particularly useful when you start paying for traffic and need to measure the ROI.

How to Find Channels Report

Here is where you can find this report. Channels Reports sits in the Reporting section of Google Analytics. On the left menu, find the Acquisition tab, then navigate to All Traffic, then Channels. See the screenshot below.

Where to find the channels report in Google Analytics
Take Channels Report To The Next Level

If you’ve used the basic features of this report, good. However, there is one caveat, it uses Google’s Default Channel Groupings. If you have many traffic sources, you will lose the accuracy of each channel group.

You can take it to the next level by applying Custom Channel Definitions, which allow you to define your own channels. Here is what it looks like.

Click for full size

Click for full size

 

You will notice that the channel names are slightly different, and associated metrics are different as well. Every channel is customized and defined based on your needs. Imagine Custom Channel Definitions as a filter with the right information for your Channels Report.

You can create multiple filters if you have different definitions of traffic. To access your definitions use the dropdown menu under Default Channel Grouping and select your custom view.

The example below has two custom channel definitions for two different audiences:

1. Executive view (higher level)
2. Analyst view (more detailed level)

A screenshot of custom channel groupings in Google Analytics

Note that Custom Channel Definitions don’t come out of the box with your Google Analytics installation. To set these up, use this step by step guide.

Now that you know where the money comes from, it’s time to dig deeper.

What Path Your Buyers Take To Purchase

Your buyers are already distracted with an overwhelming amount of information on the internet. On top of that their attention is already divided among multiple devices and channels.

That’s one of the reasons why 95% of first-time visitors don’t convert. 46% of them need 3 or more visits to purchase.

For this reason, you need to accept the reality, track your buyer path to purchase and take steps steer them in the right direction.

Enter the Path Length Report

Path Length report shows you how many interactions your buyers need before they purchase. An example below show that 68% of buyers purchase within one interaction. However, 27% need between 2 and 4 interactions.

This example shows us that we may need to launch retargeting and email follow up sequences to get buyers back to the website.

Click for full size

Click for full size

How to Find Path Length Report

On the left menu, find Conversions tab, open Multi-Channel Funnels section, then navigate to Path Length. See the screenshot below.

Where to find the path length report in Google Analytics
Take Path Length Report To The Next Level

Once you know how to navigate the Path Length Report, you can go deeper to understand your buyers. You can apply conversion segments based on traffic source of the first or last touch point, time lag and path length.

In addition, you can customize a lookback window. Lookback window is important because it reflects your user buying cycle and sets the time period for attributing revenue to traffic sources. See the screenshot below for customizing your Path Length report.

Taking path length report to the next level

Click for full size

 

Now you know how to track your buyer path to purchase, it’s time to take a look at where they get stuck during purchase.

Where Buyers Get Stuck During the Checkout Process

Your checkout process may have barriers to purchase. Buyers can get stuck like this puppy, and you may not even know about it.

Do your customers struggle to check out like this pup?
Enter Checkout Behavior Analysis Report

This report gives you a snapshot of the steps in your checkout process. The neat thing about it is you see a clear progression with specific areas where buyers drop off. See example below.


The checkout behavior analysis report

 Click for full size

 

This report helps you to problem solve the barriers your checkout process creates for the users.

In the example above, you can see that 47% of the buyers drop off after we ask them for their contact info. This begs a question if we ask for too much information, if the form has errors, if the call to action button isn’t clear, etc.

Another step from the example is the Payment step with a 52% drop off rate. Based on this data, we can start the analysis and forming hypotheses on potential problem areas of this step.

How to Find Checkout Behavior Analysis Report

On the left menu, find Conversions tab, open E-Commerce section, then Shopping Analysis, and finally Checkout Behavior.

Where to find the checkout behavior report
Take Checkout Behavior Analysis Report To The Next Level

Once you see the snapshot of your checkout funnel, it’s time to go granular to other dimensions, because some of the answers can exist there. By default, Checkout Behavior Analysis report breaks the traffic down into new and returning visitors. Which is great. However, you can drill down into other insightful dimensions such as:

  • Geography
  • Keyword
  • Source or Medium
  • Device

All of these dimensions and their subcategories enable you to identify opportunities for improvement. In addition, you can switch between completed and abandoned visits within each dimension.

Get more detail from the checkout behavior analysis

Click for full size

 

Next steps

Hopefully, by this time, the “Show Me The Money” reports and their customizations will make your Google Analytics experience more insightful. Now you can log into Google Analytics and say show me:

  • “Which traffic sources generate the most money for my Magento store?”
  • “How long is the path my buyers take to generate the revenue for my Magento store?”
  • “Where do my Magento store buyers get stuck preventing to complete the purchase?”

The insights you will generate will be useful.  But don’t stop there. Dig deeper into reports, take action based on the insights, and reap the rewards.

Simple tweaks that 20% of the top retail sites are using to smoke the competition

Magento speed testing shows trends in top 50

Almost 50% of the visitors to the top 10 retailers are now mobile-only.  There is no such thing as ‘desktop experience’ for these users, and site performance is critical for mobile shopping – 73% of mobile users say sites load too slowly.  This applies to everyone, not just the top 10: mobile accounts for 30% of all US e-commerce revenue.  Page load time is now a competitive metric – not just a technical one.

Yes, speed is a contest

We tested 50 of the top fashion e-commerce sites for performance in 2015, and we repeated the test this year. We checked time to first byte (TTFB), fully loaded time, and speed index for each site. A summary of the data set is below.

A table showing the performance of some of the top 5 ecommerce sites in 2015 and 2016.
Click to view full table

Some interesting findings from our analysis:

  • Fully loaded time increased by 3.14 seconds and speed index increased by 1027 on average.
  • 8% of the original 50 sites tested are offline today – presumably out of business.
  • Only one site (2%) moved away from Magento for a new CMS.
  • 18% added a CDN, but on average their load times went up by 2.19 seconds.
  • Of the the top 10 fastest sites today, 40% of them were in the under-performing group last year, illustrating how competitive the space is.
  • 70% of the fastest sites are not using Magento Enterprise – demonstrating that Community Edition sites can compete effectively with EE.

We hope you don’t mind if we point out that in both 2015 and 2016, the absolute fastest site tested also happens to be a Magento CE site we host on the JetRails platform.

Competition is heating up among the top 50. 20% went from being slower than the median Speed Index in 2015  to faster. Seven went from lagging to leading in TTFB.  The sites that moved up were 29% faster than average in speed index and 51% faster in TTFB. This paints a clear picture of  how performance is increasingly a way to compete.

How to use page speed to compete

A site that loads faster is nice, but does it impact the business?  Yes. Faster load times drive revenue, period. Industry statistics paint a very clear picture:

The same factors that limit desktop performance are even more harmful on mobile, due to higher latency and connections with unreliable and fluctuating speed.  Google is also all-in on a mobile first world, so a focus on performance and mobile experience seems likely to pay SEO dividends for the foreseeable future.

It’s high time to capitalize on the performance competition opportunity. There are two major ways to do this – tweak the site itself for speed, and put it into the right server environment.

The simple tweaks you can use to be faster right away:

These code and configuration changes can make a huge difference, but having the site on the right hardware is not optional.  JetRails combines an efficient configuration with serious hardware, which lets our customers run smoothly even at peak times.

We’re pleased to see so many sites making the effort and boosting performance from last year, but there’s still plenty of slack in this space.  20% of sites are pulling ahead, but average results in the top 50 for TTFB and Speed Index are considerably slower than industry benchmarks.  This is a wide-open door for retailers willing to prioritize performance in the next 12 months.  Call us if you’d like to discuss how your site can climb the ranks.

13 life-or-death tactics for stopping Magento hacks

magento-security-banner

Everyone who runs a Magento store knows that following security best practices is important.  But too often, proper security is like flossing – everyone knows it’s a good idea, but some of us convince ourselves that an occasional Listerine rinse is good enough.  Even if it feels like a chore, failing to follow best practices can put you and your customers at severe risk.  We’ve collected 13 of the most important things you can do to keep your Magento site safe.

1. Implement 2-Factor Authentication (2FA)

Multi-Factor Authentication (often called 2FA or MFA)  refers to any log-in system that relies on two or more pieces of information to verify your identity.  Typically, the information is a password and a second code that is sent to your phone or provided in advance.  SecurID key fobs are another implementation of 2FA that you might have seen before.

2FA prevents attacks because it’s hard for a hacker to get access to your username, password, and a third thing like a randomized token. If your store is PCI compliant (and you want to keep it that way), you’ll need to implement multi-factor authentication and other PCI DSS 3.2 requirements by February 2018.

How to do it

2. Use Strong Passwords

Most people want a password that’s easy to type, easy to remember, and hard to guess. Sadly, most passwords created this way are shockingly easy to crack with modern technologies.  And if you reuse your password for other accounts, it means hackers can break into all those accounts for the price of one.

Password managers to the rescue!  Software like Keepass, Lastpass, and others provide an encrypted “locker” that stores a unique, extra-strong password for each account.  You only need to remember one password to unlock the database, and individual passwords will never be a weak point for security again.  Especially for a mission-critical account like your Magento admin, It’s essential to use a long, complex, and unique password.

How to do it

3. Use good Antivirus Software

The strongest password in the world is worthless if your PC itself is compromised.  A malware infection on your computer can hand hackers the keys to your Magento castle by spying on your connection or logging your keystrokes. To prevent intrusions, you’ll need a robust and up-to-date anti-virus solution on any computer you use to work on your Magento store.

How to do it

4. Run Quarterly PCI Compliance Scans

Whether or not you store PII or card information on your server, a PCI scan is a good way to proactively identify software and configuration vulnerabilities.  If your firewall, anti-virus, or password policies are misconfigured or out of date, the scan can help you find these vulnerabilities before hackers do.

How to do it

5. Change Magento Admin URL

By default, the log-in page for your Magento admin area is yourshop.com/store/admin. If you use the default address for the admin page, it’s easy for hackers to find that page. If they can’t find it, they can’t break in.  Changing the URL to something difficult to guess, like yourshop.com/store/Dk4u99x2i for example, will cut off that avenue of attack. This is only ‘security through obscurity’, but it still ramps up the difficulty for attackers.

How to do it

6. Keep all software patched and up-to-date

It’s critical to keep your server software, Magento, and all extensions up to date.  Magento has released 5 security updates so far in 2016.  Hackers are up to date on security holes, make sure you are too.

Beyond official Magento patches, plugins are frequent targets for hacking.  If you are using a plugin that seems buggy or hasn’t been updated in a long time, consider whether it is worth the risk to your site. Check for patches on plugins regularly.

Aside from Magento-related updates, it’s equally important to make sure your LAMP stack is up-to-date.

How to do it

7. Implement version control

Version control is the practice of centralizing, tracking and comparing all changes to files in a project over time.  It’s a fundamentally important tool for any software project, Magento stores included. We recommend using Github, one of the most popular systems.

Even though it doesn’t actively stop attacks, version control is critical for defending your store. It tracks all changes and who made them – making it much easier to find and fix any malicious changes to your code.

How to do it

8. Keep & Review logs

Activity and error logs are like security camera footage for your website. They don’t prevent attacks on their own, but they make it much easier to stop them in the future. Review your server logs regularly for any suspicious activity. Keeping logs of Magento exceptions or errors can also expose problems with your store configuration or code, a key way to plug holes and prevent hacks.

How to do itLogs for nginxlogs for Apache

9. Use a CDN like CloudFlare

We encourage our customers to use services like CloudFlare with their sites.  It’s a Content Delivery Network (CDN) service that can block a wide variety of attacks (everything from DDoS to e-mail scraping) by filtering all traffic to your site. It’s a simple way to make your website more resilient with an extra layer of security, and can help achieve PCI compliance. As an added bonus, running a site through a CDN can make your site significantly faster, especially when users are geographically distant from your server – even overseas.

How to do it

10. White-list IPs for Admin access

If you change the admin path, it makes it harder for attackers to find.  Lock it down further by keeping out everyone except pre-approved users, by creating what’s known as an IP Whitelist on the server. Any IP not on the list is sent packing – including hackers.

How to do it

11. Lock down file and folder permissions

Linux operating systems control who can read, write to, and execute files.  These permissions are set using a 0-7 numbering system, with each number corresponding to a set of access privileges.  It’s a lot more detailed than that, but the upshot is you need to lower many of the permission levels on your server after setting up Magento. Set correctly, file permissions are a serious roadblock for an attacker trying to compromise your store.

How to do it

12. Never use unsecured Protocols

Using an unencrypted FTP or HTTP connection to edit/upload files as opposed to SFTP or HTTPS can easily expose your information to attackers.  Make sure you are using SFTP or SSH for any changes to your Magento store.  Use a graphical FTP client, or do it from the command line, but make sure it’s SFTP.

How to do it

13. Create a backup and recovery plan

If your site is compromised, you’ll need to restore a previous version. Unless you want to re-build from scratch, a consistent backup policy is the best insurance you can have.  We handle backups for our customers, but we advise all store owners and administrators to maintain backups and actively test them, regardless of where they host.

How to do it

There are more tactics that can help keep your Magento site secure, and they are worth a look.  Good security is not something you get, it’s something you do – a set of habits.  Maintaining a fully secure Magento site might seem a bit involved –  because it is.  It’s a good idea to get help.  eBoundHost encourages and helps all of our Magento customers to follow these best practices.  Make sure that your developer, hosting provider, and all admins share a good security mindset, and your store will be a hard target.

Case Study: How a 33-year old hat company built a fast, SEO-friendly Magento site in less than 2 weeks

How Otto built a new Magento site in just 14 days

Otto International

Otto International is a wholesale cap & apparel company – their site features hundreds of items and offers customizations including private label service. The website generates around 30% of their sales.  But after 33 years in business and 10 years using the same website, Otto was ready for something new.

The Situation

Ottocap.com’s speed and structural SEO capabilities were lagging contemporary standards. The team decided to move to Magento from the decade-old custom solution. Since stock Magento is designed for B2C e-commerce with simple shipping and pricing structures, the transition would be more than just a quick theming job.  Otto is primarily B2B, integrates with an enterprise-level ERP, and has complex pricing and shipping formulas.  

The Solution

Vice President Jennifer Lee knew “We needed the new site to launch right away” and the first step was to find partners that could make it happen. An Otto team member recommended eBoundHost for consideration based on past experience. After the IT department interviewed multiple hosts including eBoundHost, Otto selected us for the Magento server environment and optimization.

Otto had an existing relationship with the development agency FAYA Corporation. Because of the urgent need to upgrade, FAYA suggested a 2-week development timeline – fast by most standards – and the project got started.

Development speed and reliability were top priorities – Lee said “The Magento site itself needs to have a good developer that can handle our requests quickly, and also make sure the site is working properly.”

A proper server environment (with regard to both technical and business goals) is critical to every development process, doubly so when the site is meant to be done in 14 days. eBoundHost configured and deployed the staging, development and production servers in parallel, within a matter of minutes of receiving and confirming the specifications from the dev team.

As development proceeded, and after launch, eBoundHost actively managed the environment (including monitoring, backups, optimization, updates, patching, security, and version control) to forestall problems and keep the site running smoothly. By locking in requirements and staying on top of the environment, we gave FAYA the tools to do what they do best – write code quickly.

Otto itself added the final ingredient – close and attentive client involvement. Otto didn’t just ask for a quick turnaround, but committed to it internally as well; Lee said “there was a lot of testing on our end, they actually finished faster [than 2 weeks] because we were testing to make sure everything was OK.”

The site – including a complex shipping algorithm and customized pricing models was ready to go live in an eye-popping 14 days.

The Results

Even though the development went at a blistering pace, haste didn’t make waste: “Once FAYA put up the website, and it was hosted on eBoundHost, everything went smoothly!” There have been “no hiccups” since launching, and Otto has “…seen some increases month-to-month in terms of search appearance, clicks, and account sign-ups.” The transition was “better than what we expected. Linking to our ERP system worked well, everything was good for us.”

Otto has a few pieces of advice for site owners who might want to emulate their 2-week revamp: “With a good hosting company, make sure [your] website will never go down. …Magento site itself needs to have a good developer that can handle [your] requests quickly and also make sure the site is working properly” And don’t neglect “Raw performance – speed is probably #1 for most of the online users nowadays.”

Conclusion

the eBoundHost team is proud to have been part of the this impressively fast and smooth transition. Where a typical Magento project can take hundreds of developer hours, Otto’s blazing-fast process holds some key lessons if you’re planning a new Magento site of your own:

  • Start with clear, specific requirements and goals for the site
    • Otto sought to have a fast, SEO-friendly site that supported specific customizations and integrations that were already clearly defined.
  • Find a highly capable developer
    • From past experience, Otto could be confident that FAYA was up to the task. If you choose an unknown developer based solely on lowball estimates, you might get even less than you pay for.  Ask your hosting company for a recommendation if need be.
  • Find a reliable, fast host
    • Otto IT vetted several hosting companies to find one that could be relied upon to deliver speed and uptime.  In today’s hosting market, big names aren’t a magic bullet and it pays to do your homework.
  • Have a knowledgeable resource own the project
    • Otto has technical team members to guide the project and provide feedback.  If you don’t have technical expertise in-house, find a developer that you can rely on, or a sysadmin that can bring these skills to the table.
  • Stay engaged and test thoroughly
    • Otto worked tightly with FAYA to quickly test functionality and give feedback to the development team. The faster you respond to your developer and evaluate choices, the faster the project goes.

Otto continues to add features and develop the site, and with no major issues so far, their transition to a modern platform is a great example of how Magento development can be.

A surprising FDA regulation that’s about to hit your online vape shop

vape-banner

Electronic cigarettes and vaporizers are extremely popular at retail, with many online shops specializing in these products – including some of eBoundHost’s customers. However, the industry is being shaken up by new FDA regulations.

The FDA’s final Deeming Regulation on Electronic Nicotine Delivery Systems lays out new regulations on vapor manufacturers and retailers, and has been slammed by industry experts and consumers alike as overly burdensome.

One of these new rules requires shops to check photo ID for proof of age above 18.   This is already the law in 48 states, but it’s expected that the FDA will start to enforce photo-ID verification online as well as in person,  at the federal level.  Current solutions like an ” Are you 18+” pop-up, or verification via credit card may no longer be enough for online shops.

From FDA.gov:

Before today, there was no federal law prohibiting retailers from selling e-cigarettes, hookah tobacco or cigars to people under age 18. Today’s rule changes that with provisions aimed at restricting youth access, which go into effect in 90 days, including:

  • Not allowing products to be sold to persons under the age of 18 years (both in person and online);
  • Requiring age verification by photo ID;
  • Not allowing the selling of covered tobacco products in vending machines (unless in an adult-only facility); and
  • Not allowing the distribution of free samples.

Industry leaders are hoping for a reprieve from the FDA’s new plans via the Cole-Bishop amendment, but no changes have been made yet. Online vape shops should consider ID-based age verification plugins  or other solutions as they adapt to the new regulations, which take effect on August 8.

(Note: we don’t endorse any particular age verification system, link provided as an example)

Let’s connect at IRCE 2016

We will be at IRCE this year!

 

Are you going to IRCE this year?  We’ll be there all week – let us know if you’ll be attending and we’ll find a time to meet up!

From the IRCE site:

Internet Retailer Conference & Exhibition (IRCE) provides you with a conference full of industry experts and unrivaled agenda content, an exhibit hall filled with the latest and greatest solution providers, and a community made for networking with thousands of like-minded industry peers. IRCE 2016 will take place in the world-class city of Chicago, June 7-10, at McCormick Place West.

How to fix the Imagemagick vulnerability and check if you’re at risk

 

ImageMagick is a one of the most popular image processing libraries for resizing, cropping and  editing uploaded images.   Websites with profile pictures and avatars commonly use ImageMagick to resize these uploads.

Researchers found a serious vulnerability documented in CVE-2016-3714, affectionately dubbed “ImageTragick” that can allow hackers to execute code on your site remotely.

In basic terms, hackers upload an image with malicious embedded code, which calls ImageMagick to begin processing an image.  This can cause the code to run on your server with elevated user permissions.  At that point, the hacker can take total control of the server, and what’s worse, this exploit is relatively easy to use.

Here’s how to protect yourself.  First, find out if you’re vulnerable, and then fix the ImageMagick exploit. If your website accepts user image uploads of any kind, this should be a high priority.

Check for the vulnerability

If your site processes images and uses PHP, Ruby, or Node.js, there’s a good chance you use ImageMagick or a plugin based on it.

Here’s how to test if your site is at risk:

Create a new text file and save it with the name test.mvg.  Add the following lines of text into it:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg" | ls "-la)'
pop graphic-context

Upload it to the server and from the command line (ssh),  run

convert test.mvg out.png

If this shows the content of your directory as though you just ran ls -la, you’re affected.  For more information on testing, see the RedHat page on CVE-2016-3714, and the ImageTragick Team has additional tests.

Fix the vulnerability

Red Hat Enterprise Linux and CentOS 6 and 7 already have patches available to fix this issue.  Update your system with yum update imagemagick to fix this vulnerability.  There are more details on the RHEL site.

For RHEL and CentOS 5, you will need to make some changes to mitigate the problem:

In the following folders:
/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64bit)
or
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32bit package)3:15]
Rename the following files, mvg.so, msl.so, label.so. Example:[3:15]
$ mv mvg.so mvg.so.bak
$ mv msl.so msl.so.bak
$ mv label.so label.so.bak

So far, the number of attacks using this vulnerability are limited, but if left unmitigated, it represents a serious risk to websites using the ImageMagick package.  We advise all site owners and developers to take care and ensure that they’ve taken steps to cut off this avenue of attack.

 

4 reasons why updating your Linux kernel is a great idea

 

There are many reasons to update the Linux kernel.

One of the advantages of the Linux operating system (which most servers, including eBoundHosts’s, run on) is that it’s highly modular.  This means that unlike Windows or OSX, Linux can be customized more easily.   You can remove features you don’t need, add those you do, and replace modules with your own versions.  This is one of the reasons why there are so many different versions of Linux out there – CentOS, Ubuntu, Fedora, Mint, and so on.

What is the kernel, anyway?  In simplified terms, it’s the part of the OS that let applications talk to the hardware and vice-versa.  For example, a spreadsheet app can’t talk to your CPU on its own.  To do that, it goes through the OS and kernel.

In Linux, since it’s possible to change the kernel along with other parts of the OS more easily, kernel updates are common.   Usually, this won’t create new, flashy features you can see or use directly. So, why should you update the Linux kernel?  There are 4 major reasons why we occasionally update the kernel on our servers:

1. Security Updates

Security patches are a good reason to update the kernel.

One of the main reasons to update the Kernel is for improving security.  Hackers (on both sides of the law) are constantly looking for holes in Linux security.  A security flaw in the Kernel is a serious issue since it lies at the core of the OS.  If an attacker gets into the kernel of your OS, they can do a lot of damage.  When one of these flaws is discovered, it’s patched as soon as possible.  Updating your kernel is an important way to stay ahead of the bad guys.

2. Stability

Stability can improve with kernel updates, which is key for web servers.

Since just about every part of your computer interacts with the kernel, from RAM to your alarm clock app, it’s important to make sure it runs smoothly.  Kernel updates often improve stability, meaning fewer crashes and errors.  Once a new Kernel has been ‘road-tested’, it’s usually a good idea to update as a way to decrease the odds of having problems.  This is especially important for web servers, where minutes of downtime can be a major setback.

2.  Speed

Some kernel updates boast major speed increases.

A constant focus of Linux kernel development is speed and efficiency.  Major kernel updates often boast major speed boosts.  We all know that every millisecond counts when it comes to serving websites, so kernel updates on web servers can often pay big performance dividends.

4. New Features

Eventually app compatibility may force kernel updates.

A kernel update won’t usually add a feature that you can see directly, but they often add new functionality that apps can take advantage of.  So, in order to stay up to date with applications, it will sometimes be necessary to update the kernel as well.  Just like the latest version of Excel won’t run on Windows 95, a system with an out-of-date kernel may not play nicely with new Linux apps.

At eBoundHost we are extremely careful about kernel updates, and never apply updates without a very good reason.  When we are confident that there is negligible risk to stability, with a real benefit to security and/or performance, we apply kernel updates so that we can improve the quality of our hosting.  Get in touch with us if you’re interested in more reasons why you update the Linux kernel.

New Ransomware Kimcilware threatens Magento sites

A new infection has struck a handful of Magento stores, encrypting all Magento files, shutting down the store, and replacing the homepage with a ransom note demanding $140-400 in Bitcoin:

The ransom note from the Magento Kimcilware ransom note

The method of infection is unknown as of yet, but the  Helios Vimeo Video Gallery extension has been implicated, and taken down by Magento as a precuationary measure.

Fortiguard Lion Team claim to have uncovered the Indonesian group responsible for the attack and possible methods of decryption.  This solution appears to be only theoretical for now, as the post doesn’t include results.  Fortiguard suggests a means of finding the encryption key, without which the Rijndael encryption used is thought to be effectively impossible to break.

Store owners are advised to be cautious. Use good password policies, and keep all installations and extensions up to date.

h/t Softpedia

Screenshot of notepad in Windows 10 editing Hosts file

Modify Hosts File – Mac OS X & Windows

When you move a website to a new server, the final switch-over happens after you change DNS (Domain Name System) records to point to the new server.  The DNS server tells the world that (for example) www.yoursite.com is now at the IP address 11.12.13.14 (your new JetRails® server) instead of 10.11.12.13, the old server.

Of course, before making the switch public, you’ll want to test the new server yourself.  You do this by editing your Hosts File, which makes the same switch, but only for your computer.  Your web browser will go to the new server when you type in www.yoursite.com until you change it back.

The instructions below walk you through making this change.  After you’re done testing your new server, you’ll want to reverse the changes to the host file. Follow the same steps, but remove the entries you previously created.

Windows 8/10:

(Instructions for Windows 7 and OSX)

 1. Note  your JetRails server’s IP address, provided by your eBoundHost account manager.

 

make a note

 

2.  Open Notepad as administrator.  

  1. Hit the Windows key
  2. Type “Notepad” in the search field
  3. Right click Notepad and select Run as administrator
  4. If prompted, click ‘Yes’ on the UAC dialog

step 1 win10

 

3. Open the Hosts file.

  1. Go to file > open
  2. Navigate to c:\windows\system32\drivers\etc
  3. If it is not visible, select “all files” instead of “text documents” in the file type drop-down menu
  4. Select and open Hosts


Editing your host file with notepad

 

4. Add the new entries

  1.  At the bottom of the document, add two new lines, following this format:
    11.12.13.14 www.yoursite.com
    11.12.13.14 yoursite.com
    Your new JetRails IP address goes first, then your domain with a leading www.
    The second line is your domain name without the www.
  2. Use a [TAB] between the IP and domain


Screenshot of notepad in Windows 10 editing Hosts file

5. Save changes

  1. Go to file > save

 

Windows 7:

 

 1. Note  your JetRails server’s IP address, provided by your eBoundHost account manager.

2. Open Notepad as administrator.  

  1. Go to Start > All Programs > Accessories
  2. Right click Notepad and select Run as administrator
  3. If prompted, click ‘Yes’ on the UAC dialog

Notepad

3. Open the Hosts file.

  1. Go to file > open
  2. Navigate to c:\windows\system32\drivers\etc
  3. If it is not visible, select “all files” instead of “text documents” in the file type drop-down menu
  4. Select and open Hosts

Screen Shot 2016-02-25 at 10.32.12 AM

4. Add the new entries

  1.  At the bottom of the document, add two new lines, following this format:
    11.12.13.14 www.yoursite.com
    11.12.13.14 yoursite.com
    Your new JetRails IP address goes first, then the domain with a leading www.
    The second line is the domain name without the www.
  2. Use a [TAB] between the IP and domain

Screen Shot 2016-02-25 at 10.32.38 AM

5. Save changes

  1. Go to file > save

 

Mac OSX 10.6+:

 

1. Open Terminal

  1. Go to Applications > Utilities > Terminal

Screen Shot 2016-02-24 at 5.13.11 PM

2. Open the Hosts file

  1. Type sudo nano /private/etc/hosts
  2. Enter your username and password when prompted

3. Edit the Hosts file

  1. At the bottom of the document, add two new lines, following this format:
    11.12.13.14 yoursite.com   www.yoursite.com
  2. Save the file by hitting Control + X and answering Y.

4. Flush DNS cache to put the changes into effect

  1. In the terminal, type dscacheutil -flushcache

That’s it!  You’re ready to start testing your new server.

3 Common Mistakes Hurting Your Magento Store Revenue

3 Common Mistakes with Magento

  • Mistake #1: No Abandoned Cart Process

According to Baymard Institute, the average cart abandonment rate is 68.55%; that’s almost 3 in every 4 willing shoppers who abandon their cart without completing the checkout process. If you are currently earning $1.2 million in sales per year, your potential earnings would have been $3.81 million.

So, why do people abandon their carts? A survey conducted by VWO eCommerce determined that the number one reason is Unexpected Shipping Costs. However, if you have a follow up process in place that re-targets your customers with a slight discount,  54% of shoppers are willing to complete their transaction.

Top Reasons Shoppers Abandon Cart

  • Mistake #2: Not Collecting Enough E-Mails

Generating enough leads is one of the most crucial aspects of running any successful business. According to eMarketer’s study, 60% of businesses have difficulty generating leads. Capturing just 100 extra email addresses each month, assuming you have a 3% conversion rate with an average sale price of $100, you are missing out on an estimated $3,600 of additional revenue per year.

There are many creative ways to generate more leads from contests, digital eBooks, to prize drawings. Dean Zelinsky for example, the owner of Dean Zelinsky Guitars, generated over 14,000 e-mail opt ins through Fishbowlprizes.com in just a few months. Not only is it a fantastic and innovative solution to lead generation, but it also gives back to the community through charitable actions.




  • Mistake # 3: Web Site Is Too Slow

Consumers expect very fast service such as Amazon Prime NOW, Netflix Streaming, even websites have to be fast.  A full 47% of consumers expected a web page to load in 2 seconds.  For every 1 second delay in page response you could potentially result 7% loss in conversions according to Akamai and Gomez.com. If your Magento store earns $1,000 a day, just an extra second could potentially cost you $25,500 per year!

So how do you improve your Magento store’s performance? Take a look at what Marketfleet did to make their site faster:

Marketfleet is an e-commerce based business in Chico, California that supplies and enriches its customers with luxurious but yet affordable products. As a growing business with multiple store-fronts which markets to the young and impatient, a solution was required to lower page load times for a better customer shopping experience.

With a motto of “Building Brands”, founders Chris Friedland and Dave Bonillas needed a Managed Magento Optimized Hosting Solution to focus specifically on their business, and took on the challenge to increase website performance. Marketfleet partnered with eBoundHost to engineer a custom Magento hosting environment based on the JetRails™ platform, to help to reduce page load times by almost 50% and improve time to first byte by nearly 10X.

Marketfleet Challenges & Pain Points

Marketfleet’s main challenge was to find a Managed Magento Hosting solution that offered the optimal speed performance . Prior to migration, based on a single user simulation, it took 3.374 seconds on average to reach the first byte of data and 7.404 seconds to load a page.

Marketfleet Post Migration.

Engineered Solution with JetRails™

  1. Initial performance tests were conducted and benchmarked throughout the site
  2. A tailored hosting environment was  engineered, deployed & optimized
  3. Current web files and database were copied into the new platform
  4. JetRails™ integration & tuning (stack & cache optimization)
  5. UAT – functionality tested and verified
  6. DNS change
  7. Seamless transition (no loss of data)
  8. Performance tested and benchmarked

Results After Migrating to JetRails™

Marketfleet Pre Migration.

After being put in the Magento optimized environment, First Byte Time and Load Times were reduced to 0.341 seconds and 4.187 seconds respectively.

                          Screen Shot 2016-01-07 at 2.09.43 PM

“Mostly server management, price, and speed were a few of the issues we previously had. They were the culmination of things that made us decide to change hosting, but everything has been great since moving to eBoundHost!”

Dave Bonillas – CoFounder
www.Marketfleet.com

CASE STUDIES
Expert advice, guidance and solutions from ideas to creation.  Real transformations.
Read Case Studies
MANAGED SERVICES
Changing platforms is only the beginning.  Value added services keep you competitive.
Learn More
PERFORMANCE TEST
Out-of-the box isn’t good enough for your investment. Discover your bottleneck.
Test My Site

More Conversions & Reduced Abandonment – Bachrach.com & JetRails® Case Study

About Bachrach

Bachrach is a century-old boutique men’s apparel brand with brick & mortar stores across the US.  Bachrach.com is the Magento-based e-commerce arm of the business and offers a range of fashionable formal and semi-formal looks.

The Problem

Bachrach has a full-featured and well-designed Magento store-front, but was struggling with page load times.  Their time to first byte (TTFB) was over 300% slower than Google’s recommendation and some product pages took over 7 seconds to fully load and render.

David Ko, the e-commerce director for Bachrach, was looking for a way to get web performance under control and put the site into a hosting platform that could handle Bachrach’s growth.  Until the site was ready to handle heavy traffic, increasing sales would be challenging to say the least.

Screen Shot 2015-10-06 at 11.57.49 AM
With load times approaching 7 seconds and a TTFB at 1 second, there was ample room for improvement.

The Solution

David approached eBoundhost for help, and we set about testing the site’s performance KPIs.  After recording the pre-migration metrics and collecting the specific requirements for Bachrach.com, eBoundHost architected a Jetrails® Pro Cluster Platform to properly fit the web site.  This cluster is right-sized for their normal daily traffic and can be scaled to handle extreme spikes during sales and the holiday season rush.

The Results

The process of moving Bachrach.com to the eBoundHost JetRails® Pro Cluster Platform was “the easiest transition I’ve been a part of.”  David also praised the “flawless” support team, saying it’s been “instantaneous – there are no automated prompts.  When you call, a real Magento specialist picks up the phone.”

After migration, the speed improved drastically.  TTFB came in below 300 milliseconds, down from over 1,000 ms.  Speed Index improved by 40%.  Performance under load skyrocketed – the site could now handle several thousand users without slowing down or needing to scale up with more hardware.  More importantly, David saw a 2.5% increase in conversion and an 8% decrease in shopping cart abandonment.

 chart 2Screen Shot 2015-10-06 at 11.55.39 AM

Takeaways

Putting Bachrach.com on an appropriate hosting environment delivers more than better numbers in a speed test.  By increasing performance, they also gained:

  • More Revenue!
  • Improved customer experience
  • Higher customer conversions
  • Natural SEO improvements due to better Speed Index

 

CASE STUDIES
Expert advice, guidance and solutions from ideas to creation.  Real transformations.
Read Case Studies
MANAGED SERVICES
Changing platforms is only the beginning.  Value added services keep you competitive.
Learn More
PERFORMANCE TEST
Out-of-the box isn’t good enough for your investment. Discover your bottleneck.
Test My Site

 

600 % Revenue Increase on JetRails™ Case Study – ExperienceHawaii.com

ExperienceHawaii

ExperienceHawaii.com is one of the leading agencies in the tourism industry of the Hawaiian Islands. They can help you find and book Hawaii’s finest tours and activities instantly. Every one of their 300+ activities is rated 4 stars or higher on TripAdvisor and Yelp. With agents available everyday 8:00 AM-7:00 PM (Hawaii Time) to take any reservations via email, phone, and IM, they’re here to help fellow travelers plan their ultimate vacation to the beautiful islands of Hawaii.

Chad Kahunahana (ExperienceHawaii.com General Manager) was faced with the need to boost conversions and sales through his e-commerce channel.  He partnered with eBoundHost to engineer a custom hosting environment (JetRails™) that changed the online visitor experience forever.

Challenges & Pain Points

It took 4.0276 seconds on average to reach the first byte of data and 14.7096 seconds to load a page with minimal web traffic. Category and product pages took over 40 seconds to load during peak hours, and web visitors were leaving the site because it was too slow.

Screen Shot 2015-08-28 at 12.29.44 PM

Engineered Solution with JetRails™

  1. Initial performance tests were conducted and benchmarked throughout the site
  2. A tailored hosting environment was  engineered, deployed & optimized
  3. Current web files and database were copied into the new platform
  4. JetRails™ integration & tuning (stack & cache optimization)
  5. UAT – functionality tested and verified
  6. DNS change scheduled
  7. Seamless transition (no loss of data)
  8. Performance tested and benchmarked

Results After Migrating to JetRails™

Screen Shot 2015-08-28 at 12.28.59 PM

Time to First Byte and Load Times were reduced to 0.2706 seconds and 7.2946 seconds respectively. Even with 200+ concurrent visitors, the site responds without hesitation.

Load Time

HawaiiWeb eBoundHost performance

600% Online Revenue Increase

“A faster site has definitely increased our sales.  It was a no brainer because I didn’t have to do anything; they did all the work for us.  I have zero regrets & have been happy ever since we moved to eBoundHost. Our online revenue has gone up 600% since March 2015.  We couldn’t have achieved it without eBoundHost.”


Chad Kahunahana
(General Manager, ExperienceHawaii.com)

 

CASE STUDIES
Expert advice, guidance and solutions from ideas to creation.  Real transformations.
Read Case Studies
MANAGED SERVICES
Changing platforms is only the beginning.  Value added services keep you competitive.
Learn More
PERFORMANCE TEST
Out-of-the box isn’t good enough for your investment. Discover your bottleneck.
Test My Site

 

RESOLVED – Network outage: 1-5 minutes – 9/3/2015

20150903-xo.outage.map

Thursday September 3, 2015: 14:30 – 14:35 CST (GMT -6)

A Tier 1 backbone provider, XO, experienced trouble in the Midwest region of the USA, impacting BGP peers in Chicago area.  As a regional hub, traffic disruptions could be seen in a wider area.

Parts of the eBoundHost network experienced an outage of up to five (5) minutes while our traffic reconverged onto other providers.

We are working with XO to ensure service is fully restored before establishing peering.

current status: https://downdetector.com/status/xo-communications/map/

 




Just a moment...
Just a moment...