Our network was hit with a series of Volumetric DDoS attacks in the past two days.  The attacks lasted for a few minutes before they were mitigated. The exact times were:

• Sunday, December 27th, 2:54 pm to 2:59 pm
• Monday, December 28th, 2:22 pm to 2:26 pm

Each instance sent a large amount of inbound traffic aimed at a segment of our network. We have isolated the method of these attacks and are continuing to monitor the affected segment.

A new form of crypto-ransomware that targets Magento can encrypt contents and demands a ransom paid in Bitcoin.

This means all files in your web directory as well as databases including your customer information, orders, credit card numbers, etc. become unreadable until you have paid the ransom.

It is imperative that you update your Magento site immediately.  Failure to update the latest security patch could leave you devastated.    This is what the opening message looks like:

The malware specifically looks for Apache and Nginx installations as well as MySQL installs in the directory structure of the targeted systems.  It also seeks log directories and the location of webpage contents before ultimately going after a variety of file types—including Windows executables, program libraries and Active Server Pages (.asp) files, and SQL, Java, JavaScript, and document files.  If the victim makes a payment, the malware itself will then initiate decryption of the files.  The malware decrypts them in the same order that it encrypted them, deleting the encrypted versions of the files along with the ransom note text files.  More information can be found here:  http://magento.com/security-patch

Fact 1: November and December months, on average, produce 30% more e-commerce revenue than non-holiday months.*   Fact 2: In 29 days, Black Friday through Christmas generate 50-100% more daily revenue compared to shopping days throughout the rest of the year.*   Fact 3: E-commerce shopping patterns vary dramatically by industry.  Apparel / Accessories and Computer / Electronics, are highly holiday-sensitive.*

Historical sales records will be broken this year.

Are you ready for the holiday traffic?

Be Prepared For The Busy Season

One of the toughest hurdles for an e-commerce entrepreneur to overcome is proper platform capacity planning.  Imagine, it’s 6:59 AM (PST) on November 28th (The day after Black Friday). Your alarm rings, and you reach for your iPhone to log into Magento back end to check overnight sales figures.  But wait, all you see is this:

You go to the front page of the store and you see the same error!  You’ve built this beautiful website,  invested in additional inventory, poured a gazillion hard earned dollars into PPC ads AND……  your marketing effort drove too much traffic for the server to handle.  Cyber Monday is just 2 days away, what are you going to do?

The Answer: 

If you are looking for a solution that will handle the holiday traffic spikes consider JetRails™ with eBoundHost.  JetRails™ is a proven managed Magento service that optimizes web site performance.  Our solution:

• Increases the amount of visitors your store can handle
• Reduces page load times (keeps shoppers on your site longer)
• Increases page views & time spent on site
• Lowers bounce rate & decreases abandonment

JetRails™ requires no codes changes.  This fully managed platform is deployed and configured with no disruption to your Magento store.

Let’s see if your store is ready for the holiday rush:  TEST MY STORE NOW

JetRails™ Doubles Magento Performance

Side by side comparison of page speed with & without JetRails™.

*Source: RJ Metrics

***Please note that this patch may interfere with certain Magento extensions and should be applied by your developer.***

Announcement from Magento:

We are investigating reports of Magento sites being targeted by Guruincsite malware (Neutrino exploit kit). We have not identified a new attack vector at this time, but have found that nearly all impacted sites tested so far were vulnerable to a previously identified code execution issue for which we released a patch in early 2015; sites not vulnerable to that issue show other unpatched issues. The malware can also take advantage of situations where an administrative account has been compromised through weak passwords, phishing, or any other unpatched vulnerability that allows for administrative access, so it is important to check for fake user accounts and for leftover demo accounts.

With the exception of a few identified Magento Enterprise Edition merchants, we have not found any other Enterprise clients that have been affected. Magento Security & Support Teams are actively working with those merchants to address the issue. We have posted full instructions for our Magento Community sites to identify and fix the issue and will continue to drive awareness across the Magento ecosystem to the importance of taking all precautions and implementing rigorous security measures.

If you need any assistance with security patch updates, please send an email to:
support@eboundhost.com

Misconfigured Magento Sites Using Nginx

Some misconfigured Magento sites using Nginx web server software are vulnerable to attacks. The misconfiguration allows outside access to Magento cache files. The cache files have predictable names and can contain sensitive information, including Magento database passwords. This information can be used to obtain access to an installation and customer information.

To address this issue when using Nginx or any other web server software other than Apache, you should make sure your client’s configuration file protects directories and files properly. Magento Security Best Practices includes information on configuring the server environment. 

Please work with your clients to update their server configuration files as soon as possible to address this vulnerability.

Unsecure Magmi Data Import Tool

It has also come to our attention that some sites use the Magmi data import tool without protection from outside access. This tool can be abused to gain full access to a Magento installation and it is critical that you act now and remove this tool from your clients’ production websites or limit access to it based on IP address or password.

 Source:  magento.com

About Bachrach

Bachrach is a century-old boutique men’s apparel brand with brick & mortar stores across the US.  Bachrach.com is the Magento-based e-commerce arm of the business and offers a range of fashionable formal and semi-formal looks.

The Problem

Bachrach has a full-featured and well-designed Magento store-front, but was struggling with page load times.  Their time to first byte (TTFB) was over 300% slower than Google’s recommendation and some product pages took over 7 seconds to fully load and render.

David Ko, the e-commerce director for Bachrach, was looking for a way to get web performance under control and put the site into a hosting platform that could handle Bachrach’s growth.  Until the site was ready to handle heavy traffic, increasing sales would be challenging to say the least.

The Solution

David approached eBoundhost for help, and we set about testing the site’s performance KPIs.  After recording the pre-migration metrics and collecting the specific requirements for Bachrach.com, eBoundHost architected a Jetrails® Pro Cluster Platform to properly fit the web site.  This cluster is right-sized for their normal daily traffic and can be scaled to handle extreme spikes during sales and the holiday season rush.

The Results

The process of moving Bachrach.com to the eBoundHost JetRails® Pro Cluster Platform was “the easiest transition I’ve been a part of.”  David also praised the “flawless” support team, saying it’s been “instantaneous – there are no automated prompts.  When you call, a real Magento specialist picks up the phone.”

After migration, the speed improved drastically.  TTFB came in below 300 milliseconds, down from over 1,000 ms.  Speed Index improved by 40%.  Performance under load skyrocketed – the site could now handle several thousand users without slowing down or needing to scale up with more hardware.  More importantly, David saw a 2.5% increase in conversion and an 8% decrease in shopping cart abandonment.

Takeaways

Putting Bachrach.com on an appropriate hosting environment delivers more than better numbers in a speed test.  By increasing performance, they also gained:

• More Revenue!
• Improved customer experience
• Higher customer conversions
• Natural SEO improvements due to better Speed Index

CASE STUDIES Expert advice, guidance and solutions from ideas to creation.  Real transformations. Read Case Studies	MANAGED SERVICES Changing platforms is only the beginning.  Value added services keep you competitive. Learn More	PERFORMANCE TEST Out-of-the box isn’t good enough for your investment. Discover your bottleneck. Test My Site

ExperienceHawaii.com is one of the leading agencies in the tourism industry of the Hawaiian Islands. They can help you find and book Hawaii’s finest tours and activities instantly. Every one of their 300+ activities is rated 4 stars or higher on TripAdvisor and Yelp. With agents available everyday 8:00 AM-7:00 PM (Hawaii Time) to take any reservations via email, phone, and IM, they’re here to help fellow travelers plan their ultimate vacation to the beautiful islands of Hawaii.

Chad Kahunahana (ExperienceHawaii.com General Manager) was faced with the need to boost conversions and sales through his e-commerce channel.  He partnered with eBoundHost to engineer a custom hosting environment (JetRails™) that changed the online visitor experience forever.

Challenges & Pain Points

It took 4.0276 seconds on average to reach the first byte of data and 14.7096 seconds to load a page with minimal web traffic. Category and product pages took over 40 seconds to load during peak hours, and web visitors were leaving the site because it was too slow.

Engineered Solution with JetRails™

1. Initial performance tests were conducted and benchmarked throughout the site
2. A tailored hosting environment was  engineered, deployed & optimized
3. Current web files and database were copied into the new platform
4. JetRails™ integration & tuning (stack & cache optimization)
5. UAT – functionality tested and verified
6. DNS change scheduled
7. Seamless transition (no loss of data)
8. Performance tested and benchmarked

Results After Migrating to JetRails™

Time to First Byte and Load Times were reduced to 0.2706 seconds and 7.2946 seconds respectively. Even with 200+ concurrent visitors, the site responds without hesitation.

600% Online Revenue Increase

“A faster site has definitely increased our sales.  It was a no brainer because I didn’t have to do anything; they did all the work for us.  I have zero regrets & have been happy ever since we moved to eBoundHost. Our online revenue has gone up 600% since March 2015.  We couldn’t have achieved it without eBoundHost.”

Chad Kahunahana
(General Manager, ExperienceHawaii.com)

CASE STUDIES Expert advice, guidance and solutions from ideas to creation.  Real transformations. Read Case Studies	MANAGED SERVICES Changing platforms is only the beginning.  Value added services keep you competitive. Learn More	PERFORMANCE TEST Out-of-the box isn’t good enough for your investment. Discover your bottleneck. Test My Site

Magento released the following critical security update (SUPEE-6482):

If you haven’t already patched your site, please do so as soon as possible.  If you have any questions or need any assistance, please send an email to support@eboundhost.com.

Link for SUPEE-6482 Security Patch

Magento released the following critical security update (SUPEE-6285)

If you haven’t already patched your site, please do so as soon as possible.  If you have any questions or need any assistance, please let us know and we will give you a hand.

Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.

After coming back from the Magento Imagine Conference in Vegas, it was very clear that the fashion industry is exploding online.  The demand and growth of this segment is large enough for Magento to recognize and even demand its own presence.  This peaked the curiosity of many online retailers so we analyzed and tested 50 Magento fashion stores to see how they performed and uncovered some shocking data.

4 quick facts to know before we get into the data:

1.  Every third shopping search on Google is related to fashion!
2.  The fashion e-commerce segment may touch $35 billion by 2020.
3.  Fashion related queries are growing 66% year over year.
4.  Conversion ratios in women’s fashion are by far the lowest  (1.85%)

Overview:

With this segment growing so fast, its no wonder that conversion rates are low.  More competition, more traffic, and fewer hours in the day have caused some e-commerce stores to leave money on the table.  We will review the data gathered from 50 Magento fashion sites (25 Enterprise & 25 Community) and discover what can be done to generate more revenue and increase conversions using simple mathematics and two simple words that are under-used: SPEED INDEX.

Speed Index is the average time (in milliseconds) at which visible parts of the page are displayed.  This measures how quickly the page contents are visually populated (lower numbers are better).  It is useful for comparing experiences of pages against each other (before/after optimizing, my site vs competitor, etc) and should be used in combination with the other metrics (load time, time to first byte, etc…) to better understand a site’s performance.

Average time to first byte:  1.997 seconds
Average fully loaded time:  8.041 seconds
Average speed index:  4842

Out of 50 Magento fashion sites, the fastest performer was a Magento Community store on JetRails™.  The speed index clocked in at an amazing 1321 (3.6 times faster than the average), time to first byte is 0.259 seconds (7.7 seconds faster than the average) and the fully loaded page time is 2.908 seconds (2.7 times faster than the average).

What is JetRails™?
JetRails™, by eBoundHost, is a fully managed and highly optimized hosting platform built to accelerate website content delivery with sub-second response times, ensure platform uptime beyond industry standards and provide a fully hands-off managed experience.  JetRails™ customers spend more time growing their business and less time managing servers.

Improving Magento Speed Index:
Based on the data, let’s review some important observations.
1.  Magento Community and Enterprise Editions are prone to performance bottlenecks.
2.  For the most part, the lower the TTFB, the lower the speed index is.
3.  Apache, Nginx & Litespeed are prone to sub-par performance if not configured correctly.
4.  JetRails(TM) blows the competition away.
5.  Most web hosts can only do so much for speed, unless they can configure JetRails™.

Test your Magento speed index and performance metrics for benchmarking.

If your Magento store can use performance tuning for higher conversion rates, visit eBoundHost.com/magento for a fully managed and optimized platform or call us at 888-554-9990.

Magento released the following critical security update (SUPEE-5994):

If you haven’t already patched your site, please do so as soon as possible.  If you have any questions or need any assistance, please let us know and we will give you a hand.

Link for SUPEE-5994 Security Patch – Magento Community

Link for SUPEE-5994 Security Patch – Magento Enterprise

Tuesday May 12, 2015: 17:25 – 17:40 CST (GMT-6)

Another attack just took place on our network. This was resolved in 15 minutes.

Attack is similar to the ones that happened over the weekend but targeting a different client.

We are continuing to monitor the situation.

Here are the facts, our network was hit with a series of massive DDoS attacks this weekend.  More accurately it was one continuing attack that caused customer impact four times:

• Friday, May 8th, 12:55 am to 1:30 am
• Friday, May 8th, 2:50 pm to 3:15 pm
• Saturday, May 9th, 11:20 pm to 11:40 pm
• Sunday, May 10th, 1:45 pm to 2:45 pm

Each instance of the attack was caused by inbound flood of traffic aimed at one of our customers.  This resulted in dropped packets and lack of service to several network segments.

The customer that was attacked already knows that they were the target.  If you did not hear from us over the weekend, you were not the intended victim, just an innocent bystander.

Each attack was slightly different and our network team worked quickly as possible to bring the flood under control.  At one point over 10,000 network hosts were involved, so it took some doing to gain the upper hand.

DDoS is inescapable, it will continue to happen as long as there are bad people out there looking to take out a rival, whether another business or someone broadcasting a point of view they disagree with.  Searching for Denial of Service you will find thousands of recent examples of companies small and big reporting that they were targeted by such an attack. All major name brand companies, banks, telecoms and service providers have been impacted.  This is not avoidable because someone somewhere has the will and the means to break through any countermeasure.  Recently, even a DDoS remediation service was overwhelmed by an attack which was hundreds of gigabits in size.

However, every problem is also an opportunity.  Our current DDoS remediation is being adapted to meet the challenges of the evolving threat.  We already began the process of expanding our network and putting more automated countermeasures to ensure that the DDoS ends before a single person is notified.  We’re going to fight computers with computers.

Lastly, we are going to improve our communication during such events.  There was a lag between the service impacting event and the notification to our end users.  Without proper communication the end users only see a network slowdown or outage without the awareness that we are working nonstop to fix it.  So the perception of what we are doing does not match the urgency and seriousness of how we are treating the situation and this can add frustration to an already emotionally charged situation.  Any future service disruptions will be immediately reported to our social media feeds and timely updates will be pushed out.

These new procedures and hardware will take some time to integrate into our systems and workflow, but the processes have already begun and will result in better quality of service almost immediately.  We thank you for being an eBoundHost customer and look forward to hearing your feedback.

Earlier this month, Magento released the following critical security update:

If you haven’t already patched your site, please do so as soon as possible.  If you have any questions or need any assistance, please let us know and we will give you a hand.

https://www.magentocommerce.com/products/downloads/magento/

eBoundHost is all set to attend the Imagine Magento Conference in Las Vegas (April 20th – 22nd).  Now in its 5th year, this event brings together 2,400+ merchants, partners, developers and commerce experts from 40+ countries to network, exchange ideas and build relationships.  Imagine Commerce 2015 offers an opportunity for senior executives, marketers, developers, merchandisers and eCommerce visionaries from leading merchants, web design agencies, system integrators and technology innovators to collaborate and share the latest inspirations, technologies, techniques, and strategies transforming commerce.

If you are going to the conference, let us know.  We’ll meet you there.

This price change will not affect existing customers.  These changes are for all orders placed after 4/1/2015.

On April 1st, 2015 our Magento Cloud, Community, and Enterprise platforms will be upgraded and the following price change will come into effect.  To view the current pricing visit:  http://eboundhost.com/magento/

Community 16: $300/mo.

Community 32: $400/mo.

Setup fee for all Community (16/32/64) packages is set to $350 (one time)

Community Cloud setup fee is set to $250 (one time)

Enterprise Platform setup fee is set to $1,500 (one time)

Upgrades:  Daily, weekly and monthly backups, secure managed firewall update,  advanced monitoring, apache/nginx/varnish stack, FPC for Cloud.

If you have any questions, do not hesitate to contact our Magento Team at 888-554-9990.

You’ve probably read the last case study about Magento Fails, so we had to follow it up with something even more eye-opening that dives even deeper into live e-Commerce performance data.  We tested 52 stores that are in the same industry to see how competitive their speeds are.

OVERVIEW

52 random e-Commerce site were tested ***(not just the home page, but the product pages that are actually accessing the database).***  The actual sites and hosts have been blurred out because this case study is not about acknowledgement or pointing fingers, it’s about measuring metrics that have an impact on the bottom line.  You will notice that Magento sites are either top performers or are sitting at the bottom of the barrel when it comes to speed / profitability.  That is because Magento performance optimization is an art.  If you are new to Magento, please be aware that you will not be able to achieve amazing results by simply adding a few plug-ins into your store while hosting on a shared platform.  Optimizing Magento requires the creativity of a developer’s brain to be lined up in perfect harmony with the brilliant process-driven expertise of a Linux Administrator.  It takes 2 to tango.

BOTTOM OF THE BARREL DATA

TEST SITE # 34 – Magento Community Store, Highlighted In Yellow:

The time to first byte (responsiveness of the server) clocked in at over 7.11 seconds.
Google likes to see sub 0.300 second results in this department for consideration in organic rankings.  The load time of site # 34 clocked in at 12.196 seconds.  How many web-visitors will stick around to buy a product there?  According to Kissmetrics, 40% of people surveyed abandon a website that takes longer that 3 seconds to load.  For test site #34, that means about 21,000 of their unique visitors in the month of January abandoned the site because it was too slow.  I wonder how much money they spent to get all that traffic there?  In case you were wondering, they are running Nginx and are doing some caching.

TEST SITE # 49 – Volusion Store (IIS 8 – expensive licensing), Highlighted In Yellow:

The time to first byte (responsiveness of the server) clocked in at over 0.583 seconds.  Not too bad, but not amazing.  The load time of site # 49 clocked in at over 33.639 seconds.  Would you wait over 30 seconds for a site to load ?(Keep in mind that there are so many other competitive sites that you can visit by clicking the back button and going back to your Google search).  My thoughts are the same, I probably wouldn’t wait unless it was a unique specialty site of some sort.

A typical business hears from 4% of its dissatisfied customers.  96% of unhappy customers don’t bother to voice their complaint and 91% will never come back.  3 seconds of waiting reduces customer satisfaction by 16%, so if a web page takes longer than 18.75 seconds to load, then the shoppers satisfaction is reduced by 100%.  TEST SITE # 49 took over 33 seconds to load, so is it possible that their visitors were 176% dissatisfied? (Thats a joke.)

How much money is being left on the table / snatched away by competition?  I don’t have that data, but I’m sure it’s not a laughing matter….

CREAM OF THE CROP DATA

TEST SITE # 14 – Volusion Store (IIS 6 – very pricey), Highlighted In Green:

Kudos to the people that made it happen, but at what expense?  A time to first byte of 0.552 seconds; not too shabby.  2.383 second page load time?…. very nice.  Don’t let this data completely win you over.  Their pages are only about 600 KB in size with images that are hard to look at and average at best.  Just about any decent platform can deliver a 600 KB page in no time flat.  The speed index (average time at which visible parts of the page are displayed) clocked in at 2661ms (about 2x faster than the competition).  This is particularly useful for comparing experiences of pages against each other (before/after optimizing, my site vs competitor, etc) and should be used in combination with the other metrics (load time, start render, etc) to better understand a site’s performance.  I’ll get into this more in my next case study.

Bottom line:  Yes, fast page load times can be achieved by average sites, but again; it takes 2 to tango so the site design should be appealing enough to convert shoppers while serving pages up as fast visitors expect them to.

TEST SITE # 37 – Magento Enterprise, Highlighted In Green:

The numbers speak for themselves.

0.177 time to first byte
2.334 second load time
Fully loaded in 3.876 seconds
Speed index value: 1415 ms & 779 ms on repeat view
Page size: 1,367 KB

While other Magento stores are either running Apache, or Nginx, or LiteSpeed; this Magento Enterprise store is on another level and in a class of its own.  It is running JetRails(TM) with eBoundHost; which is a unique way of stacking Apache, Nginx and Varnish together.  Looking at this data, it seems impossible to make a Magento store run well without caching (Varnish/Redis) and just on Apache or Nginx (or IIS for that matter).

THE POWER OF ONE SECOND

So whats the big deal here?  Why all this talk about site speed and performance?  It seems to be a very common pain point with developers and store owners because every second counts.  Just 1 second could mean the difference between a shopper choosing one brand over the other.  What is one second worth to you?

CASE STUDIES Expert advice, guidance and solutions from ideas to creation.  Real transformations. Read Case Studies	MANAGED SERVICES Changing platforms is only the beginning.  Value added services keep you competitive. Learn More	PERFORMANCE TEST Out-of-the box isn’t good enough for your investment. Discover your bottleneck. Test My Site