Magento Commerce and Open Source 2.2.5 and 2.1.14 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.5.

As always, install the patch in a development environment and test before applying it to your live site. Please refer to Security Best Practices for additional information how to secure your site.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost. Visit the official Magento site for more details:

The date is fast approaching for Google’s deadline to encrypt your site. This will include acquiring an SSL Certificate and moving to HTTPS. If these steps are not taken, it could impact your customers, your SEO rankings and ultimately, your reputation.

Maintaining the security and compliance of your site is a top priority for our team. If you require any assistance, our dedicated Magento engineers are available 24/7 to offer support and guidance. Please take a few minutes to learn more about these requirements below and feel free to reach out to us if you have any questions.  

Security Requirements

If your site is not fully compliant with these requirements, you have until July 2018 to make the necessary modifications. Not sure if your site will be impacted or how to become compliant?  Here is a step-by-step guide to verify and update your site’s security protocols.

SSL Certificates

If you do not currently have an SSL Certificate, you will need to purchase one as a first step in gaining security compliance. We provide free SSL Certificates and installation to all our Magento Clients.

If you do have an SSL Certificate but your site is using a SSL/TLS Certificate from Symantec that was issued before June 1, 2016, it will stop functioning as a secure site in Chrome 70 this coming July. This could already be impacting your customers.

Symantec SSLs that were issued before June 1, 2016, utilized an older Secure Hash Algorithm (SHA-128) which came equipped with a renewal date that extended past Google’s preferred expiration timeframe. To be compatible with the release of Google Chrome 70, requirements for SSL Certificates will need to be updated to the newest version (SHA-265). You will want to replace your certificate as soon as possible before the Chrome 70 release. If the certificates are not replaced, users will begin seeing certificate errors on your site. If you are unsure if you have the latest version of SSL certification, continue reading to learn how you can verify your compliance.   

Testing Your Site For Compliance

To gain HTTPS full encryption compliance, your first step is to ensure your SSL Certificate is up to date. You can test the security of your site and your SSL status by going to Qualys SSL Labs. The desired outcome is to receive an “A” in all 4 sections. The sections include Certificate, Protocol Support, Key Exchange, and Cipher Strength. Receiving a passing score in all four sections means that your SSL Certificate will function securely under the Chrome 70 release. This will also be important for gaining and maintaining PCI Compliance. Our servers are configured to be fully secured and HTTPS encrypted out of the box.

How to Gain SSL Certificates and HTTPS Compliance

As a fully managed service provider, eBoundHost – JetRails can assist you in purchasing and installing your SSL Certificate. We can also help you manage your encryption configurations through our technology stack. However, your development team will need to ensure all required coding is ready for HTTPS.

Additional Resources:

https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

At eBoundHost, we work with a variety of developers, designers, and security consultants to help our customers make the most of their web presences beyond the server environment.  Jeff Finkelstein of Customer Paradigm is a top Magento and WordPress developer that has helped countless clients secure their sites.  He has some pointed about the importance of patching your e commerce software.

If you run a Magento site, you probably take credit cards for payment.  It’s no secret that hackers want to steal your customers’ credit card  information, so that they make fraudulent purchases or sell the credit card numbers online.

Most eCommerce platforms  like Magento don’t actually store and save credit card information. When the user is in the cart, entering their credit card information, the credit card data is not stored on the server.  Rather, it’s encrypted and securely sent to the credit card company.

If the credit card number, expiration date, security code, name on the card, billing address on file and a few other data points are accepted (i.e. the person is not over their spending limit for the amount you’re trying to charge), then the credit card company will send back an authorization code, letting you know the credit card was accepted for the purchase amount.

That’s how it’s supposed to work. But, if someone was able to get into the code of your site, then  they can inject a little bit of code that watches and records the credit card information, then sends it off to a nefarious person.

Usually the attack is not against the core code of the eCommerce site, but a security loophole somewhere else.

Sometimes attackers are able to gain entry to a site because there is a security vulnerability that should have been patched, but hasn’t;  an insecure plugin, an out-of-date extension, or a misconfigured setting that isn’t even connected to your eCommerce site.  The main components of your eCommerce site might be very secure.  But if another portion of your site is not, it’s like leaving the side window of your house wide open and leaving on vacation.  Sure, the front door is locked, but there’s another, very easy way into the house.

If your eCommerce software developer (Magento, WooCommerce, etc.) releases a patch, it’s extremely important to install it.  Because when a security patch is sent out, the first thing hackers do is reverse engineer it to see how a site could be vulnerable if that patch isn’t applied.

If you patch your site, you’ll be in better shape.  If you don’t, the security patch is now an evildoer’s how-to guide for attacking your site.  This means failing to patch your site in a timely fashion is doubly dangerous.  Once the patch is released, unpatched sites are at even higher risk of being compromised.

We recommend using a version control system such as  git or subversion on your server, so that you can easily see if any key files have been changed.  You can also use it to run an automated scan for new, changed or removed files – key warning signs that someone has been tampering with your site.  

For example, on a Magento site, I know that if the CC.php file in the core code has been changed, the site is likely to have been attacked – this is one of many points to check for possible problems.

Bottom line: keep up to date with patches, and use a version control system to let you know if anything new has been added to the site.

I hope this helps!  My team is here to secure your site ahead of the upcoming holiday – you can call me at 303.473.4400 or visit http://www.CustomerParadigm.com/Magento for more information.

On September 9, Dawid Golunski reported CVE-2016-6662, a major vulnerability in MySQL which also affects PerconaDB and MariaDB.  This is what’s known as a SQL injection attack, and attackers can use it to take over your server completely. It works by tricking MySQL into giving an attacker control over the system (“root privileges”) by loading malicious configuration files. Percona has a post describing the attack in more detail.

Am I at risk?

All JetRails customers at eBoundHost are already protected.  Others using older versions of MySQL, Maria or PerconaDB may be at risk.  Platforms that rely on these databases include Magento, WordPress, Drupal, OpenCart, Prestashop – any LAMP-based application may be vulnerable – if you aren’t sure, check in with your developer.

Fixes

MySQL has fixed this problem in versions 5.5.52, 5.6.33 and 5.7.15.  Percona and Maria have also released updates with fixes for the vulnerability.  Aside from upgrading, you can patch mysqld_safe, or change the permissions on configuration files to eliminate this vulnerability.

If you have any questions about your site’s safety or how to make your environment secure, get in touch.

Guest Post by Tom Bukevicius, Principal at SCUBE Marketing: 

As the first in a series of guest posts, we’re proud to present this article by Tom Bukevicius, a Chicago-area PPC expert and taco aficionado. At SCUBE, he helps clients make the most of their traffic and PPC investment, and in this post, he shares 3 awesome ways you can make the most of your traffic by looking deeper with Google Analytics.

As a Principal at a digital marketing agency, I am exposed to analytics often. There are a lot of metrics to review, but the most important ones are what I call “money metrics.” These metrics cover store revenues, advertising costs, transaction volume, etc.

Google Analytics is an excellent tool to understand how much money your Magento store is generating. Every time I log into Google Analytics I say:

Google Analytics is capable of showing the “money metrics”, but you need to know where to go. Today, I will share three reports that I bet you haven’t used. They will show you:

1. Where the money is coming from.
2. What path your buyers take to purchase.
3. Where buyers get stuck during the checkout process.

Where The Money Is Coming From

Channels Report is a very popular report. It will show you the traffic, user behavior and E-Commerce revenue by traffic source. See the screenshot below.

Click for full size

Note that this report doesn’t come like this out of the box. You’ll want to make sure that you have Enhanced Ecommerce integrated with your Magento store. Without it, you will only see traffic and user behavior metrics – forcing you to make wild guesses and making it hard to improve performance.

Why I Love This Report?

I can see the performance of each channel. This allows me to evaluate and direct marketing investment into the channels that perform best. This becomes particularly useful when you start paying for traffic and need to measure the ROI.

How to Find Channels Report

Here is where you can find this report. Channels Reports sits in the Reporting section of Google Analytics. On the left menu, find the Acquisition tab, then navigate to All Traffic, then Channels. See the screenshot below.

If you’ve used the basic features of this report, good. However, there is one caveat, it uses Google’s Default Channel Groupings. If you have many traffic sources, you will lose the accuracy of each channel group.

You can take it to the next level by applying Custom Channel Definitions, which allow you to define your own channels. Here is what it looks like.

Click for full size

You will notice that the channel names are slightly different, and associated metrics are different as well. Every channel is customized and defined based on your needs. Imagine Custom Channel Definitions as a filter with the right information for your Channels Report.

You can create multiple filters if you have different definitions of traffic. To access your definitions use the dropdown menu under Default Channel Grouping and select your custom view.

The example below has two custom channel definitions for two different audiences:

1. Executive view (higher level)
2. Analyst view (more detailed level)

Now that you know where the money comes from, it’s time to dig deeper.

What Path Your Buyers Take To Purchase

Your buyers are already distracted with an overwhelming amount of information on the internet. On top of that their attention is already divided among multiple devices and channels.

That’s one of the reasons why 95% of first-time visitors don’t convert. 46% of them need 3 or more visits to purchase.

For this reason, you need to accept the reality, track your buyer path to purchase and take steps steer them in the right direction.

Enter the Path Length Report

Path Length report shows you how many interactions your buyers need before they purchase. An example below show that 68% of buyers purchase within one interaction. However, 27% need between 2 and 4 interactions.

This example shows us that we may need to launch retargeting and email follow up sequences to get buyers back to the website.

Click for full size

How to Find Path Length Report

On the left menu, find Conversions tab, open Multi-Channel Funnels section, then navigate to Path Length. See the screenshot below.

Once you know how to navigate the Path Length Report, you can go deeper to understand your buyers. You can apply conversion segments based on traffic source of the first or last touch point, time lag and path length.

In addition, you can customize a lookback window. Lookback window is important because it reflects your user buying cycle and sets the time period for attributing revenue to traffic sources. See the screenshot below for customizing your Path Length report.

Click for full size

Now you know how to track your buyer path to purchase, it’s time to take a look at where they get stuck during purchase.

Where Buyers Get Stuck During the Checkout Process

Your checkout process may have barriers to purchase. Buyers can get stuck like this puppy, and you may not even know about it.

This report gives you a snapshot of the steps in your checkout process. The neat thing about it is you see a clear progression with specific areas where buyers drop off. See example below.

This report helps you to problem solve the barriers your checkout process creates for the users.

In the example above, you can see that 47% of the buyers drop off after we ask them for their contact info. This begs a question if we ask for too much information, if the form has errors, if the call to action button isn’t clear, etc.

Another step from the example is the Payment step with a 52% drop off rate. Based on this data, we can start the analysis and forming hypotheses on potential problem areas of this step.

How to Find Checkout Behavior Analysis Report

On the left menu, find Conversions tab, open E-Commerce section, then Shopping Analysis, and finally Checkout Behavior.

Once you see the snapshot of your checkout funnel, it’s time to go granular to other dimensions, because some of the answers can exist there. By default, Checkout Behavior Analysis report breaks the traffic down into new and returning visitors. Which is great. However, you can drill down into other insightful dimensions such as:

• Geography
• Keyword
• Source or Medium
• Device

All of these dimensions and their subcategories enable you to identify opportunities for improvement. In addition, you can switch between completed and abandoned visits within each dimension.

Click for full size

Next steps

Hopefully, by this time, the “Show Me The Money” reports and their customizations will make your Google Analytics experience more insightful. Now you can log into Google Analytics and say show me:

• “Which traffic sources generate the most money for my Magento store?”
• “How long is the path my buyers take to generate the revenue for my Magento store?”
• “Where do my Magento store buyers get stuck preventing to complete the purchase?”

The insights you will generate will be useful.  But don’t stop there. Dig deeper into reports, take action based on the insights, and reap the rewards.

Almost 50% of the visitors to the top 10 retailers are now mobile-only.  There is no such thing as ‘desktop experience’ for these users, and site performance is critical for mobile shopping – 73% of mobile users say sites load too slowly.  This applies to everyone, not just the top 10: mobile accounts for 30% of all US e-commerce revenue.  Page load time is now a competitive metric – not just a technical one.

Yes, speed is a contest

We tested 50 of the top fashion e-commerce sites for performance in 2015, and we repeated the test this year. We checked time to first byte (TTFB), fully loaded time, and speed index for each site. A summary of the data set is below.

Some interesting findings from our analysis:

• Fully loaded time increased by 3.14 seconds and speed index increased by 1027 on average.
• 8% of the original 50 sites tested are offline today – presumably out of business.
• Only one site (2%) moved away from Magento for a new CMS.
• 18% added a CDN, but on average their load times went up by 2.19 seconds.
• Of the the top 10 fastest sites today, 40% of them were in the under-performing group last year, illustrating how competitive the space is.
• 70% of the fastest sites are not using Magento Enterprise – demonstrating that Community Edition sites can compete effectively with EE.

We hope you don’t mind if we point out that in both 2015 and 2016, the absolute fastest site tested also happens to be a Magento CE site we host on the JetRails platform.

Competition is heating up among the top 50. 20% went from being slower than the median Speed Index in 2015  to faster. Seven went from lagging to leading in TTFB.  The sites that moved up were 29% faster than average in speed index and 51% faster in TTFB. This paints a clear picture of  how performance is increasingly a way to compete.

How to use page speed to compete

A site that loads faster is nice, but does it impact the business?  Yes. Faster load times drive revenue, period. Industry statistics paint a very clear picture:

• Every 1 second delay in loading cuts conversion by 7 to 10 percent.
• Slow performance is the #1 reason for abandoning a shopping session
• 40% of shoppers will abandon a site after waiting 3 seconds for loading
• 64%  will shop somewhere else if the site experience is dissatisfying

The same factors that limit desktop performance are even more harmful on mobile, due to higher latency and connections with unreliable and fluctuating speed.  Google is also all-in on a mobile first world, so a focus on performance and mobile experience seems likely to pay SEO dividends for the foreseeable future.

It’s high time to capitalize on the performance competition opportunity. There are two major ways to do this – tweak the site itself for speed, and put it into the right server environment.

The simple tweaks you can use to be faster right away:

• Improve image compression (how to)
• Add caching (how to)
• Minify code (how to)

These code and configuration changes can make a huge difference, but having the site on the right hardware is not optional.  JetRails combines an efficient configuration with serious hardware, which lets our customers run smoothly even at peak times.

We’re pleased to see so many sites making the effort and boosting performance from last year, but there’s still plenty of slack in this space.  20% of sites are pulling ahead, but average results in the top 50 for TTFB and Speed Index are considerably slower than industry benchmarks.  This is a wide-open door for retailers willing to prioritize performance in the next 12 months.  Call us if you’d like to discuss how your site can climb the ranks.

Everyone who runs a Magento store knows that following security best practices is important.  But too often, proper security is like flossing – everyone knows it’s a good idea, but some of us convince ourselves that an occasional Listerine rinse is good enough.  Even if it feels like a chore, failing to follow best practices can put you and your customers at severe risk.  We’ve collected 13 of the most important things you can do to keep your Magento site safe.

1. Implement 2-Factor Authentication (2FA)

Multi-Factor Authentication (often called 2FA or MFA)  refers to any log-in system that relies on two or more pieces of information to verify your identity.  Typically, the information is a password and a second code that is sent to your phone or provided in advance.  SecurID key fobs are another implementation of 2FA that you might have seen before.

2FA prevents attacks because it’s hard for a hacker to get access to your username, password, and a third thing like a randomized token. If your store is PCI compliant (and you want to keep it that way), you’ll need to implement multi-factor authentication and other PCI DSS 3.2 requirements by February 2018.

How to do it

2. Use Strong Passwords

Most people want a password that’s easy to type, easy to remember, and hard to guess. Sadly, most passwords created this way are shockingly easy to crack with modern technologies.  And if you reuse your password for other accounts, it means hackers can break into all those accounts for the price of one.

Password managers to the rescue!  Software like Keepass, Lastpass, and others provide an encrypted “locker” that stores a unique, extra-strong password for each account.  You only need to remember one password to unlock the database, and individual passwords will never be a weak point for security again.  Especially for a mission-critical account like your Magento admin, It’s essential to use a long, complex, and unique password.

How to do it

3. Use good Antivirus Software

The strongest password in the world is worthless if your PC itself is compromised.  A malware infection on your computer can hand hackers the keys to your Magento castle by spying on your connection or logging your keystrokes. To prevent intrusions, you’ll need a robust and up-to-date anti-virus solution on any computer you use to work on your Magento store.

How to do it

4. Run Quarterly PCI Compliance Scans

Whether or not you store PII or card information on your server, a PCI scan is a good way to proactively identify software and configuration vulnerabilities.  If your firewall, anti-virus, or password policies are misconfigured or out of date, the scan can help you find these vulnerabilities before hackers do.

How to do it

5. Change Magento Admin URL

By default, the log-in page for your Magento admin area is yourshop.com/store/admin. If you use the default address for the admin page, it’s easy for hackers to find that page. If they can’t find it, they can’t break in.  Changing the URL to something difficult to guess, like yourshop.com/store/Dk4u99x2i for example, will cut off that avenue of attack. This is only ‘security through obscurity’, but it still ramps up the difficulty for attackers.

How to do it

6. Keep all software patched and up-to-date

It’s critical to keep your server software, Magento, and all extensions up to date.  Magento has released 5 security updates so far in 2016.  Hackers are up to date on security holes, make sure you are too.

Beyond official Magento patches, plugins are frequent targets for hacking.  If you are using a plugin that seems buggy or hasn’t been updated in a long time, consider whether it is worth the risk to your site. Check for patches on plugins regularly.

Aside from Magento-related updates, it’s equally important to make sure your LAMP stack is up-to-date.

How to do it

7. Implement version control

Version control is the practice of centralizing, tracking and comparing all changes to files in a project over time.  It’s a fundamentally important tool for any software project, Magento stores included. We recommend using Github, one of the most popular systems.

Even though it doesn’t actively stop attacks, version control is critical for defending your store. It tracks all changes and who made them – making it much easier to find and fix any malicious changes to your code.

How to do it

8. Keep & Review logs

Activity and error logs are like security camera footage for your website. They don’t prevent attacks on their own, but they make it much easier to stop them in the future. Review your server logs regularly for any suspicious activity. Keeping logs of Magento exceptions or errors can also expose problems with your store configuration or code, a key way to plug holes and prevent hacks.

How to do it – Logs for nginx – logs for Apache

9. Use a CDN like CloudFlare

We encourage our customers to use services like CloudFlare with their sites.  It’s a Content Delivery Network (CDN) service that can block a wide variety of attacks (everything from DDoS to e-mail scraping) by filtering all traffic to your site. It’s a simple way to make your website more resilient with an extra layer of security, and can help achieve PCI compliance. As an added bonus, running a site through a CDN can make your site significantly faster, especially when users are geographically distant from your server – even overseas.

How to do it

10. White-list IPs for Admin access

If you change the admin path, it makes it harder for attackers to find.  Lock it down further by keeping out everyone except pre-approved users, by creating what’s known as an IP Whitelist on the server. Any IP not on the list is sent packing – including hackers.

How to do it

11. Lock down file and folder permissions

Linux operating systems control who can read, write to, and execute files.  These permissions are set using a 0-7 numbering system, with each number corresponding to a set of access privileges.  It’s a lot more detailed than that, but the upshot is you need to lower many of the permission levels on your server after setting up Magento. Set correctly, file permissions are a serious roadblock for an attacker trying to compromise your store.

How to do it

12. Never use unsecured Protocols

Using an unencrypted FTP or HTTP connection to edit/upload files as opposed to SFTP or HTTPS can easily expose your information to attackers.  Make sure you are using SFTP or SSH for any changes to your Magento store.  Use a graphical FTP client, or do it from the command line, but make sure it’s SFTP.

How to do it

13. Create a backup and recovery plan

If your site is compromised, you’ll need to restore a previous version. Unless you want to re-build from scratch, a consistent backup policy is the best insurance you can have.  We handle backups for our customers, but we advise all store owners and administrators to maintain backups and actively test them, regardless of where they host.

How to do it

There are more tactics that can help keep your Magento site secure, and they are worth a look.  Good security is not something you get, it’s something you do – a set of habits.  Maintaining a fully secure Magento site might seem a bit involved –  because it is.  It’s a good idea to get help.  eBoundHost encourages and helps all of our Magento customers to follow these best practices.  Make sure that your developer, hosting provider, and all admins share a good security mindset, and your store will be a hard target.

Otto International

Otto International is a wholesale cap & apparel company – their site features hundreds of items and offers customizations including private label service. The website generates around 30% of their sales.  But after 33 years in business and 10 years using the same website, Otto was ready for something new.

The Situation

Ottocap.com’s speed and structural SEO capabilities were lagging contemporary standards. The team decided to move to Magento from the decade-old custom solution. Since stock Magento is designed for B2C e-commerce with simple shipping and pricing structures, the transition would be more than just a quick theming job.  Otto is primarily B2B, integrates with an enterprise-level ERP, and has complex pricing and shipping formulas.  

The Solution

Vice President Jennifer Lee knew “We needed the new site to launch right away” and the first step was to find partners that could make it happen. An Otto team member recommended eBoundHost for consideration based on past experience. After the IT department interviewed multiple hosts including eBoundHost, Otto selected us for the Magento server environment and optimization.

Otto had an existing relationship with the development agency FAYA Corporation. Because of the urgent need to upgrade, FAYA suggested a 2-week development timeline – fast by most standards – and the project got started.

Development speed and reliability were top priorities – Lee said “The Magento site itself needs to have a good developer that can handle our requests quickly, and also make sure the site is working properly.”

A proper server environment (with regard to both technical and business goals) is critical to every development process, doubly so when the site is meant to be done in 14 days. eBoundHost configured and deployed the staging, development and production servers in parallel, within a matter of minutes of receiving and confirming the specifications from the dev team.

As development proceeded, and after launch, eBoundHost actively managed the environment (including monitoring, backups, optimization, updates, patching, security, and version control) to forestall problems and keep the site running smoothly. By locking in requirements and staying on top of the environment, we gave FAYA the tools to do what they do best – write code quickly.

Otto itself added the final ingredient – close and attentive client involvement. Otto didn’t just ask for a quick turnaround, but committed to it internally as well; Lee said “there was a lot of testing on our end, they actually finished faster [than 2 weeks] because we were testing to make sure everything was OK.”

The site – including a complex shipping algorithm and customized pricing models was ready to go live in an eye-popping 14 days.

The Results

Even though the development went at a blistering pace, haste didn’t make waste: “Once FAYA put up the website, and it was hosted on eBoundHost, everything went smoothly!” There have been “no hiccups” since launching, and Otto has “…seen some increases month-to-month in terms of search appearance, clicks, and account sign-ups.” The transition was “better than what we expected. Linking to our ERP system worked well, everything was good for us.”

Otto has a few pieces of advice for site owners who might want to emulate their 2-week revamp: “With a good hosting company, make sure [your] website will never go down. …Magento site itself needs to have a good developer that can handle [your] requests quickly and also make sure the site is working properly” And don’t neglect “Raw performance – speed is probably #1 for most of the online users nowadays.”

Conclusion

the eBoundHost team is proud to have been part of the this impressively fast and smooth transition. Where a typical Magento project can take hundreds of developer hours, Otto’s blazing-fast process holds some key lessons if you’re planning a new Magento site of your own:

• Start with clear, specific requirements and goals for the site
  • Otto sought to have a fast, SEO-friendly site that supported specific customizations and integrations that were already clearly defined.
• Find a highly capable developer
  • From past experience, Otto could be confident that FAYA was up to the task. If you choose an unknown developer based solely on lowball estimates, you might get even less than you pay for.  Ask your hosting company for a recommendation if need be.
• Find a reliable, fast host
  • Otto IT vetted several hosting companies to find one that could be relied upon to deliver speed and uptime.  In today’s hosting market, big names aren’t a magic bullet and it pays to do your homework.
• Have a knowledgeable resource own the project
  • Otto has technical team members to guide the project and provide feedback.  If you don’t have technical expertise in-house, find a developer that you can rely on, or a sysadmin that can bring these skills to the table.
• Stay engaged and test thoroughly
  • Otto worked tightly with FAYA to quickly test functionality and give feedback to the development team. The faster you respond to your developer and evaluate choices, the faster the project goes.

Otto continues to add features and develop the site, and with no major issues so far, their transition to a modern platform is a great example of how Magento development can be.

Electronic cigarettes and vaporizers are extremely popular at retail, with many online shops specializing in these products – including some of eBoundHost’s customers. However, the industry is being shaken up by new FDA regulations.

The FDA’s final Deeming Regulation on Electronic Nicotine Delivery Systems lays out new regulations on vapor manufacturers and retailers, and has been slammed by industry experts and consumers alike as overly burdensome.

One of these new rules requires shops to check photo ID for proof of age above 18.   This is already the law in 48 states, but it’s expected that the FDA will start to enforce photo-ID verification online as well as in person,  at the federal level.  Current solutions like an ” Are you 18+” pop-up, or verification via credit card may no longer be enough for online shops.

From FDA.gov:

Before today, there was no federal law prohibiting retailers from selling e-cigarettes, hookah tobacco or cigars to people under age 18. Today’s rule changes that with provisions aimed at restricting youth access, which go into effect in 90 days, including:

• Not allowing products to be sold to persons under the age of 18 years (both in person and online);
• Requiring age verification by photo ID;
• Not allowing the selling of covered tobacco products in vending machines (unless in an adult-only facility); and
• Not allowing the distribution of free samples.

Industry leaders are hoping for a reprieve from the FDA’s new plans via the Cole-Bishop amendment, but no changes have been made yet. Online vape shops should consider ID-based age verification plugins  or other solutions as they adapt to the new regulations, which take effect on August 8.

(Note: we don’t endorse any particular age verification system, link provided as an example)

Are you going to IRCE this year?  We’ll be there all week – let us know if you’ll be attending and we’ll find a time to meet up!

From the IRCE site:

Internet Retailer Conference & Exhibition (IRCE) provides you with a conference full of industry experts and unrivaled agenda content, an exhibit hall filled with the latest and greatest solution providers, and a community made for networking with thousands of like-minded industry peers. IRCE 2016 will take place in the world-class city of Chicago, June 7-10, at McCormick Place West.

ImageMagick is a one of the most popular image processing libraries for resizing, cropping and  editing uploaded images.   Websites with profile pictures and avatars commonly use ImageMagick to resize these uploads.

Researchers found a serious vulnerability documented in CVE-2016-3714, affectionately dubbed “ImageTragick” that can allow hackers to execute code on your site remotely.

In basic terms, hackers upload an image with malicious embedded code, which calls ImageMagick to begin processing an image.  This can cause the code to run on your server with elevated user permissions.  At that point, the hacker can take total control of the server, and what’s worse, this exploit is relatively easy to use.

Here’s how to protect yourself.  First, find out if you’re vulnerable, and then fix the ImageMagick exploit. If your website accepts user image uploads of any kind, this should be a high priority.

Check for the vulnerability

If your site processes images and uses PHP, Ruby, or Node.js, there’s a good chance you use ImageMagick or a plugin based on it.

Here’s how to test if your site is at risk:

Create a new text file and save it with the name test.mvg.  Add the following lines of text into it:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg" | ls "-la)'
pop graphic-context

Upload it to the server and from the command line (ssh),  run

convert test.mvg out.png

If this shows the content of your directory as though you just ran ls -la, you’re affected.  For more information on testing, see the RedHat page on CVE-2016-3714, and the ImageTragick Team has additional tests.

Fix the vulnerability

Red Hat Enterprise Linux and CentOS 6 and 7 already have patches available to fix this issue.  Update your system with yum update imagemagick to fix this vulnerability.  There are more details on the RHEL site.

For RHEL and CentOS 5, you will need to make some changes to mitigate the problem:

In the following folders:

/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64bit)
or
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32bit package)3:15]

Rename the following files, mvg.so, msl.so, label.so. Example:[3:15]

$ mv mvg.so mvg.so.bak
$ mv msl.so msl.so.bak
$ mv label.so label.so.bak

So far, the number of attacks using this vulnerability are limited, but if left unmitigated, it represents a serious risk to websites using the ImageMagick package.  We advise all site owners and developers to take care and ensure that they’ve taken steps to cut off this avenue of attack.

One of the advantages of the Linux operating system (which most servers, including eBoundHosts’s, run on) is that it’s highly modular.  This means that unlike Windows or OSX, Linux can be customized more easily.   You can remove features you don’t need, add those you do, and replace modules with your own versions.  This is one of the reasons why there are so many different versions of Linux out there – CentOS, Ubuntu, Fedora, Mint, and so on.

What is the kernel, anyway?  In simplified terms, it’s the part of the OS that let applications talk to the hardware and vice-versa.  For example, a spreadsheet app can’t talk to your CPU on its own.  To do that, it goes through the OS and kernel.

In Linux, since it’s possible to change the kernel along with other parts of the OS more easily, kernel updates are common.   Usually, this won’t create new, flashy features you can see or use directly. So, why should you update the Linux kernel?  There are 4 major reasons why we occasionally update the kernel on our servers:

1. Security Updates

One of the main reasons to update the Kernel is for improving security.  Hackers (on both sides of the law) are constantly looking for holes in Linux security.  A security flaw in the Kernel is a serious issue since it lies at the core of the OS.  If an attacker gets into the kernel of your OS, they can do a lot of damage.  When one of these flaws is discovered, it’s patched as soon as possible.  Updating your kernel is an important way to stay ahead of the bad guys.

2. Stability

Since just about every part of your computer interacts with the kernel, from RAM to your alarm clock app, it’s important to make sure it runs smoothly.  Kernel updates often improve stability, meaning fewer crashes and errors.  Once a new Kernel has been ‘road-tested’, it’s usually a good idea to update as a way to decrease the odds of having problems.  This is especially important for web servers, where minutes of downtime can be a major setback.

2.  Speed

A constant focus of Linux kernel development is speed and efficiency.  Major kernel updates often boast major speed boosts.  We all know that every millisecond counts when it comes to serving websites, so kernel updates on web servers can often pay big performance dividends.

4. New Features

A kernel update won’t usually add a feature that you can see directly, but they often add new functionality that apps can take advantage of.  So, in order to stay up to date with applications, it will sometimes be necessary to update the kernel as well.  Just like the latest version of Excel won’t run on Windows 95, a system with an out-of-date kernel may not play nicely with new Linux apps.

At eBoundHost we are extremely careful about kernel updates, and never apply updates without a very good reason.  When we are confident that there is negligible risk to stability, with a real benefit to security and/or performance, we apply kernel updates so that we can improve the quality of our hosting.  Get in touch with us if you’re interested in more reasons why you update the Linux kernel.

A new infection has struck a handful of Magento stores, encrypting all Magento files, shutting down the store, and replacing the homepage with a ransom note demanding $140-400 in Bitcoin:

The method of infection is unknown as of yet, but the  Helios Vimeo Video Gallery extension has been implicated, and taken down by Magento as a precuationary measure.

Fortiguard Lion Team claim to have uncovered the Indonesian group responsible for the attack and possible methods of decryption.  This solution appears to be only theoretical for now, as the post doesn’t include results.  Fortiguard suggests a means of finding the encryption key, without which the Rijndael encryption used is thought to be effectively impossible to break.

Store owners are advised to be cautious. Use good password policies, and keep all installations and extensions up to date.

h/t Softpedia

About Bachrach

Bachrach is a century-old boutique men’s apparel brand with brick & mortar stores across the US.  Bachrach.com is the Magento-based e-commerce arm of the business and offers a range of fashionable formal and semi-formal looks.

The Problem

Bachrach has a full-featured and well-designed Magento store-front, but was struggling with page load times.  Their time to first byte (TTFB) was over 300% slower than Google’s recommendation and some product pages took over 7 seconds to fully load and render.

David Ko, the e-commerce director for Bachrach, was looking for a way to get web performance under control and put the site into a hosting platform that could handle Bachrach’s growth.  Until the site was ready to handle heavy traffic, increasing sales would be challenging to say the least.

The Solution

David approached eBoundhost for help, and we set about testing the site’s performance KPIs.  After recording the pre-migration metrics and collecting the specific requirements for Bachrach.com, eBoundHost architected a Jetrails® Pro Cluster Platform to properly fit the web site.  This cluster is right-sized for their normal daily traffic and can be scaled to handle extreme spikes during sales and the holiday season rush.

The Results

The process of moving Bachrach.com to the eBoundHost JetRails® Pro Cluster Platform was “the easiest transition I’ve been a part of.”  David also praised the “flawless” support team, saying it’s been “instantaneous – there are no automated prompts.  When you call, a real Magento specialist picks up the phone.”

After migration, the speed improved drastically.  TTFB came in below 300 milliseconds, down from over 1,000 ms.  Speed Index improved by 40%.  Performance under load skyrocketed – the site could now handle several thousand users without slowing down or needing to scale up with more hardware.  More importantly, David saw a 2.5% increase in conversion and an 8% decrease in shopping cart abandonment.

Takeaways

Putting Bachrach.com on an appropriate hosting environment delivers more than better numbers in a speed test.  By increasing performance, they also gained:

• More Revenue!
• Improved customer experience
• Higher customer conversions
• Natural SEO improvements due to better Speed Index

CASE STUDIES Expert advice, guidance and solutions from ideas to creation.  Real transformations. Read Case Studies	MANAGED SERVICES Changing platforms is only the beginning.  Value added services keep you competitive. Learn More	PERFORMANCE TEST Out-of-the box isn’t good enough for your investment. Discover your bottleneck. Test My Site

ExperienceHawaii.com is one of the leading agencies in the tourism industry of the Hawaiian Islands. They can help you find and book Hawaii’s finest tours and activities instantly. Every one of their 300+ activities is rated 4 stars or higher on TripAdvisor and Yelp. With agents available everyday 8:00 AM-7:00 PM (Hawaii Time) to take any reservations via email, phone, and IM, they’re here to help fellow travelers plan their ultimate vacation to the beautiful islands of Hawaii.

Chad Kahunahana (ExperienceHawaii.com General Manager) was faced with the need to boost conversions and sales through his e-commerce channel.  He partnered with eBoundHost to engineer a custom hosting environment (JetRails™) that changed the online visitor experience forever.

Challenges & Pain Points

It took 4.0276 seconds on average to reach the first byte of data and 14.7096 seconds to load a page with minimal web traffic. Category and product pages took over 40 seconds to load during peak hours, and web visitors were leaving the site because it was too slow.

Engineered Solution with JetRails™

1. Initial performance tests were conducted and benchmarked throughout the site
2. A tailored hosting environment was  engineered, deployed & optimized
3. Current web files and database were copied into the new platform
4. JetRails™ integration & tuning (stack & cache optimization)
5. UAT – functionality tested and verified
6. DNS change scheduled
7. Seamless transition (no loss of data)
8. Performance tested and benchmarked

Results After Migrating to JetRails™

Time to First Byte and Load Times were reduced to 0.2706 seconds and 7.2946 seconds respectively. Even with 200+ concurrent visitors, the site responds without hesitation.

600% Online Revenue Increase

“A faster site has definitely increased our sales.  It was a no brainer because I didn’t have to do anything; they did all the work for us.  I have zero regrets & have been happy ever since we moved to eBoundHost. Our online revenue has gone up 600% since March 2015.  We couldn’t have achieved it without eBoundHost.”

Chad Kahunahana
(General Manager, ExperienceHawaii.com)

CASE STUDIES Expert advice, guidance and solutions from ideas to creation.  Real transformations. Read Case Studies	MANAGED SERVICES Changing platforms is only the beginning.  Value added services keep you competitive. Learn More	PERFORMANCE TEST Out-of-the box isn’t good enough for your investment. Discover your bottleneck. Test My Site