Last week, Magento had quite a few new updates for Magento 1 and Magento 2. These new releases incorporate valuable updates for security and site functionality.

For Magento 1, security patch SUPEE-10975 was released alongside Magento Commerce version 1.14.4.0 and Open Source 1.9.4.0. All three contain multiple security enhancements that help mitigate remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities. For additional details, please feel free to check out the following resources:

• SUPEE-10975
• Magento Open Source 1.9.4.0 Release Notes
• Magento Commerce 1.14.4.0 Release Notes

The latest version of Magento 2 has been released as well, Magento 2.3.0. Their newest version comes with several new tools to improve the user experience for both merchants and developers. Below, is a list of some of the key new features:

• Multi-Source Inventory: allows you to manage inventory across several physical locations from within the Magento Admin
• Progressive Web Apps (PWA) Studio: gives you the tools to affordably build an exceptional mobile experience
• Page Builder: provides you drag and drop tools to allow non-technical users the ability to generate content easily

For more information regarding Magento 2.3.0, please feel free to check out Magento’s blog, Magento 2.3: New Tools to Fuel Growth in 2019, the Magento 2.3.0 Release Notes, and the JetRails Blog posts with information about recent Magento News, and information shared at Meet Magento NYC 2018.

If you have any questions, please let us know. Also, make sure to test thoroughly before updating your production sites as extensions or custom code might require additional modifications.

Magento released a PHP patch enabling Magento 1 users to utilize PHP 7.2. This patch was released as PHP 5.6 and 7.0 will be reaching their end of life this December. This means that they will no longer receive security updates. The PHP 7.2 patch allows Magento 1 users the ability to remain secure and compliant past the end of life of PHP 5.6 and 7.0 in December.

On September 18, Magento released important updates and a security patch for Magento 1. This previous release provided support and maintenance for Magento 1 websites that have not yet upgraded to Magento 2. Magento 1 will continue to receive software and security maintenance until June 2020 according to Magento’s technical information page.

If you have any questions, please let us know. Also, make sure to thoroughly test in development before updating your production sites as extensions or custom code might require additional modifications. This patch may also require previous security patches to be applied prior to the installation based on your current version of Magento:

________________________________

Magento Community

• 1.9.2.0 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2, SUPEE-7405 v1.1, SUPEE-7405, SUPEE-6788, SUPEE-6482
• 1.9.2.1 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2, SUPEE-7405 v1.1, SUPEE-7405, SUPEE-6788
• 1.9.2.2 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2, SUPEE-7405 v1.1, SUPEE-7405
• 1.9.2.3 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2, SUPEE-7405 v1.1
• 1.9.2.4 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 V2
• 1.9.3.0 – Patch requirements: SUPEE-9652, SUPEE-8167, SUPEE-9767v2, SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.9.3.1 – Patch requirements: SUPEE-9652, SUPEE-8167, SUPEE-9767v2, SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.9.3.2 – Patch requirements: SUPEE-8167, SUPEE-9767v2, SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.9.3.3. (Skipped because of deprecation)
• 1.9.3.4 – Patch requirements: SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.9.3.5 (Doesn’t exist)
• 1.9.3.6 – Patch requirements: SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.9.3.7 – Patch requirements: SUPEE-10570v2, SUPEE-10752
• 1.9.3.8 – Patch requirements: SUPEE-10570v2, SUPEE-10752
• 1.9.3.9 – – No patch requirements –

________________________________

Magento Commerce

• 1.14.2.0 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2, SUPEE-7405 v1.1, SUPEE-7405 v1, SUPEE-6788, SUPEE-6482, SUPEE-6285, SUPEE-5994
• 1.14.2.1 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2, SUPEE-7405 v1.1, SUPEE-7405 v1, SUPEE-6788
• 1.14.2.2 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2, SUPEE-7405 v1.1, SUPEE-7405 v1
• 1.14.2.3 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2, SUPEE-7405 v1.1
• 1.14.2.4 – Patch requirements: SUPEE-10752, SUPEE-10570, SUPEE-10415, SUPEE-10348, SUPEE-10266, SUPEE-9767 V2, SUPEE-9652, SUPEE-8788 v2
• 1.14.3.0 – Patch requirements: SUPEE-9652, SUPEE-9767v2, SUPEE-10266, SUPEE-10348, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.14.3.1 – Patch requirements: SUPEE-9652, SUPEE-9767v2, SUPEE-10266, SUPEE-10348, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.14.3.2 – Patch requirements: SUPEE-9767v2, SUPEE-10266, SUPEE-10348, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.14.3.3 – Patch requirements: SUPEE-9767v2, SUPEE-10266, SUPEE-10348, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.14.3.4 – Patch requirements: SUPEE-10266, SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.14.3.5 (Doesn’t exist)
• 1.14.3.6 – Patch requirements: SUPEE-10415, SUPEE-10570v2, SUPEE-10752
• 1.14.3.7 – Patch requirements: SUPEE-10570v2, SUPEE-10752
• 1.14.3.8 – Patch requirements: SUPEE-10570v2, SUPEE-10752
• 1.14.3.9 – No patch requirements –

Magento released new versions of Magento Commerce, Magento Open Source and a new security patch for Magento 1.x. These new releases will lock down cross-site scripting, cross-site request forgery, provide multiple performance enhancements, and address other security concerns.

The following was included in the release:

• Magento Open Source Commerce 2.2.6
• Magento Open Source and Commerce 2.1.15
• Magento Open Source 1.9.3.10
• Magento Commerce 1.14.3.10
• SUPEE-10888 to patch earlier Magento 1.x versions

As always, install the patch in a development environment and test before applying it to your live site. Please refer to Security Best Practices for additional information on how to secure your site. If you need any assistance with security patch updates, please send an email to magento@eboundhost.com or contact your Account Manager at eBoundHost.

For more information regarding the security changes, please check out the following resources from Magento:

• Magento 2.x Security Updates
• Magento 1.x and SUPEE-10888 Security Updates

For full details regarding the new Magento Commerce and Open Source, please check out their release notes:

• Magento Commerce 2.2.6
• Magento Commerce 2.1.15
• Magento Commerce 1.14.3.10
• Magento Open Source 2.2.6
• Magento Open Source 2.1.15
• Magento Open Source 1.9.3.10

Magento Commerce and Open Source 2.2.5 and 2.1.14 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.5.

As always, install the patch in a development environment and test before applying it to your live site. Please refer to Security Best Practices for additional information how to secure your site.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost. Visit the official Magento site for more details:

The date is fast approaching for Google’s deadline to encrypt your site. This will include acquiring an SSL Certificate and moving to HTTPS. If these steps are not taken, it could impact your customers, your SEO rankings and ultimately, your reputation.

Maintaining the security and compliance of your site is a top priority for our team. If you require any assistance, our dedicated Magento engineers are available 24/7 to offer support and guidance. Please take a few minutes to learn more about these requirements below and feel free to reach out to us if you have any questions.  

Security Requirements

If your site is not fully compliant with these requirements, you have until July 2018 to make the necessary modifications. Not sure if your site will be impacted or how to become compliant?  Here is a step-by-step guide to verify and update your site’s security protocols.

SSL Certificates

If you do not currently have an SSL Certificate, you will need to purchase one as a first step in gaining security compliance. We provide free SSL Certificates and installation to all our Magento Clients.

If you do have an SSL Certificate but your site is using a SSL/TLS Certificate from Symantec that was issued before June 1, 2016, it will stop functioning as a secure site in Chrome 70 this coming July. This could already be impacting your customers.

Symantec SSLs that were issued before June 1, 2016, utilized an older Secure Hash Algorithm (SHA-128) which came equipped with a renewal date that extended past Google’s preferred expiration timeframe. To be compatible with the release of Google Chrome 70, requirements for SSL Certificates will need to be updated to the newest version (SHA-265). You will want to replace your certificate as soon as possible before the Chrome 70 release. If the certificates are not replaced, users will begin seeing certificate errors on your site. If you are unsure if you have the latest version of SSL certification, continue reading to learn how you can verify your compliance.   

Testing Your Site For Compliance

To gain HTTPS full encryption compliance, your first step is to ensure your SSL Certificate is up to date. You can test the security of your site and your SSL status by going to Qualys SSL Labs. The desired outcome is to receive an “A” in all 4 sections. The sections include Certificate, Protocol Support, Key Exchange, and Cipher Strength. Receiving a passing score in all four sections means that your SSL Certificate will function securely under the Chrome 70 release. This will also be important for gaining and maintaining PCI Compliance. Our servers are configured to be fully secured and HTTPS encrypted out of the box.

How to Gain SSL Certificates and HTTPS Compliance

As a fully managed service provider, eBoundHost – JetRails can assist you in purchasing and installing your SSL Certificate. We can also help you manage your encryption configurations through our technology stack. However, your development team will need to ensure all required coding is ready for HTTPS.

Additional Resources:

https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Magento Commerce and Open Source 2.2.3, 2.1.12 and 2.0.18 contain multiple security enhancements that help close Cross-Site Scripting (XSS), authenticated Admin user remote code execution (RCE) and other vulnerabilities. The releases include additional functional fixes. To find out more about the functional fixes please check Release Notes for Magento Commerce 2.0.18, 2.1.12, 2.2.3 and Magento Open Source 2.0.18, 2.1.12, 2.2.3.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.3.

Please refer to Security Best Practices for additional information how to secure your site.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

Visit the official Magento site for more details:
https://magento.com/security/patches/magento-223-2112-and-2018-security-update

SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

Visit the official Magento site for more details:

https://magento.com/security/patches/supee-10570

SUPEE-10415, Magento Commerce 1.14.3.7 and Open Source 1.9.3.7 contain multiple security enhancements that help close cross-site request forgery (CSRF), Denial-of-Service (DoS) and authenticated Admin user remote code execution (RCE) vulnerabilities. These releases also include a fix for prior customers that had experienced issues patching caused by SOAP v1 interactions in WSDL.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  Visit the official Magento site for more details:

https://magento.com/security/patches/supee-10415

11 Updates:

APPSEC-1330: Unsanitized input leading to denial of service
APPSEC-1885: Stored XSS in Product Descriptions
APPSEC-1892: Stored XSS in Visual Merchandiser
APPSEC-1894: Remote Code Execution by leveraging unsafe unserialization
APPSEC-1897: Fix WSDL based patching to work with SOAP V1
APPSEC-1913: Remote Code Execution through Config Manipulation
APPSEC-1914: Stored XSS in CMS Page Area
APPSEC-1915: Remote Code Execution in CMS Page Area
APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution

Magento Commerce and Open Source 2.2.1, 2.1.10 and 2.0.17 contain multiple security enhancements that help close Cross-Site Scripting (XSS), Local File Inclusion (LFI), authenticated Admin user remote code execution (RCE) and Arbitrary File Delete vulnerabilities.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum down below.  Visit the official Magento site for more details:

https://magento.com/security/patches/magento-221-2110-and-2017-security-update

10 Updates:

APPSEC-1325: Stored XSS in Billing Agreements
APPSEC-1825: PHP Object Injection in E-mail templates leading to Remote Code Execution
APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
APPSEC-1881: PHP Object Injection in Downloadable Products leading to Remote Code Execution
APPSEC-1893: PHP Object Injection in product metadata leading to Remote Code Execution
APPSEC-1900: Remote Code Execution by leveraging 1st stage unsanitized form input
APPSEC-1910: Local File Inclusion (LFI) in Import History
APPSEC-1930: PHP Object Injection in Widgets leading to Remote Code Execution
APPSEC-1931: PHP Object Injection in Zend Framework leading to Arbitrary File Deletion

At 12:04 pm CST (GMT -6), one of the major ISPs in the USA, Comcast, experienced “an external network issue” that caused a portion of the Internet to become inaccessible to users.  Comcast has such a wide reach that both individuals and businesses were impacted.  To those affected, it seemed that some websites went off-the-air and simply did not respond.

Comcast announced that issues were resolved at 4:34 pm CST.

Check http://downdetector.com/status/comcast-xfinity/map/ for comments from those impacted.

Shop.org is the annual e-commerce conference for digital retail thinkers and doers!  In an era where constant evolution is required to stay ahead of consumers, this event is bringing some of the most fascinating people, brands and thought-leaders to share stories of reinvention, transformation and steal-worthy ideas for making an impact in the e-commerce world today.

View the agenda:  https://shop.org/agenda

If you are going to be there or if you would like us to research any Magento related topics, let us know by filling out our contact form:

https://eboundhost.com/magento/contact-us.php

Our primary objectives at Shop.org are getting new insights on:

• Better search engine ranking due to faster infrastructure and rapid content delivery
• Higher conversion rates due to reduced friction and faster response times
• Reduction of operational burdens
• E-commerce focused best practices for operations
• Best-of-breed technological integration

Additional topics that will be covered for our customers:

• Omnichannel profitability
• Personalizing Amazon
• The best alternative to Amazon
• “I have to double my business this year, how do I do it?”
• Sourcing new customers with artificial intelligence
• Real-time analytics for Magento
• Improving Magento speed
• Online journey hijacking: The problem, the scale, and the solution

Let us know what your challenges are.  We’re here to help.

13 Updates:

APPSEC-1838: RSS session admin cookie can be used to gain Magento administrator privileges.
APPSEC-1800: Remote Code Execution vulnerability in CMS and layouts
APPSEC-1835: Exposure of Magento secret key from app/etc/local.xml
APPSEC-1757: Directory traversal in template configuration
APPSEC-1852: CSRF + Stored Cross Site Scripting (customer group)
APPSEC-1494: AdminNotification Stored XSS
APPSEC-1793: Potential file uploads solely protected by .htaccess
APPSEC-1853: CSRF + Stored Cross Site Scripting in newsletter template
APPSEC-1729: XSS in admin order view using order status label in Magento
APPSEC-1579: Customer Segment Delete Action uses GET instead of POST request
APPSEC-1588: Order Item Custom Option Disclosure
APPSEC-1599: Admin login does not handle autocomplete feature correctly
APPSEC-1688: Secure cookie check to prevent MITM not expiring user sessions

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

On Thursday, September 7th a group of scammers sent emails phishing for CloudFlare credentials. The email appears to come from “Cloudflare Abuse Department”, but you will see that the email did not actually come from Cloudflare.  It came from a freshdesk email account which is not associated with Cloudflare.

The email also contains a link to lead the recipient to review the complaint and takes them to https://cloudflarecompliancedept.site/support/.

The site looks like the Official Cloudflare login page and even has an SSL certificate that appears to be valid.  Upon investigation, the SSL certificate is a free certificate that can be obtained easily.

You can even find the fake freshdesk login page by visiting https://cloudflareabuse.freshdesk.com/support/home

This phishing attempt was very well thought out, all the way down to the smallest detail.  To the average person opening their emails, it would be very difficult to identify this as  malicious.

What you can do

While the malicious email looked completely legit, there was one key giveaway: The mail was sent from a domain that is not associated with Cloudflare.

If you received an email from support@cloudflareabuse.freshdesk.com, report it as phishing by notifying your email provider. Then delete it.

If you do click on the malicious link, do not attempt to log into the account.

If, unfortunately, you fell for the scam and granted permission to the hackers,  get in touch with CloudFlare directly.  While you’re at it, it’s a good idea to change your passwords.

Here is the official Cloudflare link to visit if you encounter the scam:
https://support.cloudflare.com/hc/en-us/articles/200167736-How-do-I-file-a-phishing-complaint-

Rest assured that the eBoundHost JetRails eCommerce Team is actively working with Cloudflare on this discovery.  As of 12:54 PM CST, it appears that the malicious domain was taken down.  That does not mean the original attacker is not still active.  Please take caution with any emails and access points and reach out to the JetRails team with any questions or concerns:  888-554-9990 or support@eboundhost.com

Attackers are disabling a configuration protection after gaining admin access and are uploading malicious code.  Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience, we have quoted some of the announcement from Magento’s Forum below.  Read the rest on the Magento site.

Today, Magento is releasing new updates to increase product security and functionality. The releases contain over 15 security enhancements and Magento 2.x updates that also address image resizing and MasterCard BIN number expansion. We strongly recommend that all merchants upgrade to these versions as soon as is reasonably possible.

These releases include:

• Multiple critical security enhancements. These updates help close access control bypass, CSRF, and authenticated Admin user remote code execution vulnerabilities. See Magento 2.0.14 and 2.1.7 Security Patches and SUPEE-9767 Security Patches for more information.

• Support for MasterCard BIN number expansion. MasterCard recently added a new series of Bank Identification Numbers (BIN). While certain Magento versions already support the new BINs, merchants using the following versions must upgrade or apply a patch by June 30, 2017 or face potential fines from MasterCard and lost sales:
  • Enterprise and Community Edition 2.1.2 or earlier
  • All Enterprise and Community Edition 2.0.x releases
  • Enterprise Edition 1.14.2.x or earlier releases
  • Community Edition 1.9.2.x or earlier releases

More information is available at MasterCard BIN Range Update.

• Reversion of the changes to image resizing that we introduced in Magento 2.1.6. Certain image resizing changes introduced unanticipated problems. We have reverted these changes in this release, and will provide improvements to image resizing in a future product update. See the Magento 2.1.7 Enterprise Edition Release Notes for additional information you may need to take when upgrading from Magento 2.1.6 or 2.1.5 to this release.

Download and install the Enterprise Edition updates by logging into My Account and navigating to the version you want to download. Community Edition software is available in the Release Archive of the Community Edition download page.

(See How to get the Magento software for a discussion of Magento 2.x installation procedures, and How to Apply and Revert Magento Patches for Magento 1.x instructions.)

Please refer to SECURITY BEST PRACTICES for additional information on how to secure your site.

The eBoundHost Magento Team is very excited to attend the Imagine Magento Conference in Las Vegas (April 3rd – 5th).  Now in its 7th year, this event brings together 2,500+ merchants, partners, developers and commerce experts from 45+ countries to network, exchange ideas and build relationships.  Imagine Commerce 2017 offers an opportunity for senior executives, marketers, developers, merchandisers and eCommerce visionaries from leading merchants, web design agencies, system integrators and technology innovators to collaborate and share the latest inspirations, technologies, techniques, and strategies transforming commerce.

If you are going to the conference, let us know.  We’ll meet you there!

What is Cloudbleed?

Cloudbleed (also known as CloudLeak and CloudFlare Bug) is a security bug discovered on February 17, 2017 affecting Cloudflare’s reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

As a result, data from one Cloudflare customer were leaked out and went to any other CloudFlare customers that happened to be in the server’s memory on that particular moment. Some of this data was cached by search engines.

Are eBoundHost customers affected by Cloudbleed?

We have confirmed that none of our clients are affected by CloudBleed.  You can read Cloudflare’s official description of Cloudbleed here.

Magento has released a new patch, SUPEE-9652, which includes fixes for critical vulnerabilities.  Stores left un-patched are placed at significant risk, and we recommend that all Magento store owners apply the patch as soon as possible.

As always, install the patch in a development environment and test before applying it to your live site.

If you need any assistance with security patch updates, please send an email to: magento@eboundhost.com or contact your Account Manager at eBoundHost.

For your convenience we have quoted some of the announcement from Magento below.  Read the rest on the Magento site.

In 2017, it’s expected that online shopping revenue will surpass $1.5 trillion in worldwide sales, making the eCommerce industry one of the most valuable and profitable industries. Significant advancements in mobile and social shopping have altered the way we shop, and now it’s possible for consumers to shop instantaneously from their favorite designers from virtually anywhere all thanks to a few quick taps on their smartphones.

However, despite this projected growth, many retailers still fail at providing their customers with an exceptional online shopping experience, which can result in significantly low conversion rates.

To ensure all retailers are making the most of their on-site search and providing their customers with an exceptional shopping experience, we’ve put together five powerful tips that are proven to increase conversion rates and turn more browsers into buyers.

Have all Eyes on Your Search Box

The search box is an often overlooked yet powerful feature of an eCommerce store. The site search box is the pathway to improved sales, better user experience, and most importantly, higher conversion rates. If a shopper struggles to locate the search box, chances are they’ll abandon ship and head to a competitor’s site to complete their purchase, so having an easy to locate search box is key.

Here are two ways to improve conversions with your search box:

1. Bold Placement

The first step to having a high-performing search box is to place it in a noticeable and convenient location where site visitors can locate it as soon as they arrive at your site.  The best spot is typically in the header of a web page, where it can be free from clutter and any distractions.

1. Clean Design
   A search box with a clean design and clear instructions will entice users to perform a search. Take the time to ensure that all search fields (input field and ‘submit’ button) are clearly differentiated and easy to locate. Retailers should also include a recognizable search icon (a magnifying glass tends to work best) to help entice visitors to follow through with their search.

Include Autocomplete
Site search enhancement tools like autocomplete are a great addition to an eCommerce site because it helps direct customer to their desired product quickly and seamlessly. Autocomplete shows fast, accurate, and intelligent search results as soon as the customer begins typing – even if a spelling mistake has been made – and is proven to increase conversions and sales for online retailers.

Optimize the ‘No Results Found’ Page

When a customer searches for an item that either isn’t in stock or that you don’t carry, rather than directing them to the dreaded ‘no results found’ page send them to an optimized landing page that will prevent them from abandoning the site and potentially lead to a sale.

You can prevent this from happening by providing similar product recommendations that they might find interesting and relevant or links back to the homepage, category pages, or the contact us page. This will help prevent visitors from leaving to go search on a competitor’s site and in turn, potentially lead to an increase in conversions.

Feature Product Images in Search Bar Results
To further improve your online site search, it’s important to include product images in the search results so site visitors can see products that are available without having to search through the product pages. Make sure that your product photos are clear in thumbnail form, and are flattering to your product. The chances of a customer buying increases when images are displayed along with a product description. Showing product images along with suggested search terms in your autocomplete will further help turn browsers into buyers.

Get to Know Your Customers

As a retailer, your goal should always be to exceed the wants and needs of your customers and when you only provide your customers with basic site search this goal cannot be achieved.

The best way to truly get to know your customers is to learn what they are searching for and this can be done through your site search reports and analytics. These reports list all search terms entered on your site, and the number of times words and phrases have been searched. You can also review real-time reports on the most and least popular searched terms. These reports can be reviewed daily, weekly or monthly and they provide insight into how your eCommerce site can improve its on-site search experience, by understanding what your customers are searching for.

By reviewing your sites reports, you can see what terms are in top demand and what products are performing well. By having access to this information, you can optimize your site and showcase your top performing items.

By providing your customers with a more intuitive search and navigation, you’ll not only encounter higher conversion rates, but you’ll also develop a stronger relationship with your customers which will encourage them to come back and shop with you in the future.

This article was written by Ainsley Smith, a marketing coordinator at Nextopia. Nextopia provides site search, navigation and merchandising solutions for internet retailers.