Category Archives: Blog

PHP 5 Deprecated This December!

PHP 5.x will be deprecated at the end of 2018!

One of the most popular platforms on the web — PHP 5 — will stop receiving security updates at the end of the year.

According to The PHP Group, security updates will only be issued for the popular PHP 5.6 branch through the end of this year.

This will have a huge impact on the web at-large and the e-commerce community more specifically. Many popular cart solutions rely upon PHP, including X-cart, Magento, and WooCommerce. Many stores also rely on PHP to run their blogging/news components in the form of CMS tools like WordPress.

“This is a huge problem for the PHP ecosystem,” Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, told ZDNet in an interview. “While many feel that they can ‘get away with’ running PHP 5 in 2019, the simplest way to describe this choice is: Negligent.”

from “Around 62 percent of all Internet sites will run an unsupported PHP version in 10 weeks” (ZDNet, 14 Oct 2018)

What do I do?

If your site is currently operating on PHP 5, you should determine which of the 5.x branches you’re currently using. Updates ceased for the 5.4 and 5.5 branches of PHP 5 in September 2015 and July 2016, respectively.

PHP Calendar from https://secure.php.net/supported-versions.php [Retrieved 15 Oct 2018]

How quickly you need to deploy a new version on your site depends upon just how out-of-date you are. Generally speaking, anyone using any branch of PHP 5 should update as soon as possible. If you’re on 5.4 or 5.5, you should contact your hosting provider ASAP.

However, our experience is that moving from PHP 5 to PHP 7 is a non-trivial process. A lot has changed. Some of those changes are very fundamental. Therefore it’s not at all uncommon for us to see sites break when they move from 5 to 7.

Don’t host your site with a provider that automatically updates major versions of PHP without warning!

BCSE will be migrating our hosted clients to PHP 7 in the coming weeks. We encourage our customers to monitor their inboxes for notification of pending updates. And, as always, don’t hesitate to reach out to us with any questions along the way.

Preparing Your Store for the Holidays 2018

It’s beginning to look a lot like… October?

Now that it’s October, it’s time to start thinking about the upcoming holiday 2018 rush. Black Friday! Cyber Monday! Giving Tuesday! Now is the time to start getting ready, or else you may have to deal with ‘Weeping Wednesday’ when you take a look at your sales.

$335 is the average amount spent online per person in the US during the five day period between Thanksgiving and Cyber Monday last Holiday season.

Why prepare now?

Simply put, the holiday season is the biggest retail sales period of the year, and you don’t want to miss out. If you have an online presence, you should expect people to be shopping your store on Black Friday and Cyber Monday, and that there’s going to be a large, active shopping presence throughout the holiday season.

Take advantage of the months before November and December, when sales are steady and stable, to look over last year’s sales data.

  • What areas did you do well in?
  • Where do you need improvement?
  • Are there features you’ve been putting off implementing that you’d like to have for this year’s busy season?

Some typical issues that site owners see are site functionality that could be improved, problems in the logistics and product delivery pipeline, and poor marketing positions. Is your store lacking in one (or all) of these areas?

43% of US internet users shopped online on Cyber Monday 2017 via mobile.

Mobile Matters

Mobile sales are shattering records year-after-year. Does your mobile presence inspire trust in your brand among your customers? Is your mobile site easy to navigate? Are you accessibility friendly?

It can take two months or more to develop mobile enhancements to an existing e-Commerce site that doesn’t natively support mobile. Often, an entire site theme needs to be rebuilt and adapted to your store. The middle of November is not a good time to think about a major redesign. Start early, reap the rewards this holiday season.

58 million Americans are shopping online only this holiday season.

Smooth Stores Make More

How does your site perform? Have you tested it? There are tons of website performance calculators out there… is your site up to par? If your performance isn’t where you want it, your customers could be experiencing frustration while using your site, and that could turn them away from your shop when there are deals to be had literally everywhere.

Things you can do now:

  • Have a professional performance audit — Let one of our engineers evaluate your site’s configuration and actual performance in real world testing, to determine whether there are any changes that can optimize your content delivery.
  • Compression — Reduce the size of your content (especially images) by compressing it before delivery. This will make your site faster and, therefore, more friendly to customers. You can also minify CSS and JS, and deploy your site over a content delivery network to improve performance further.
  • Load Balancing — When your service capacity is too small for the amount of traffic your site generates, you start to see “connection refused” errors. Using multiple servers sitting behind a load balancer to evenly distribute the traffic can keep your site snappy even under intense load.
  • Is your code efficient? — Are you using 50 plugins? Do you have a spaghetti mess of customizations that have been built over years and years of tweaks? Maybe you’re running an older platform that needs to be upgraded? All of these things can lead to inefficient, ugly, and insecure code. This one is best left to professionals to handle… contact us today!

51% of US internet users would shop digitally at the Thanksgiving table to "get an amazing deal."

But Deals Matter Most

Fundamentally, shoppers on Black Friday and Cyber Monday are out for deals. Now is a good time to sit down, look at your product offerings and margins, and develop a sales strategy for the holiday season. Furthermore, figuring out what you really want to sell this holiday season can tell you how to sell it.

Starting now, you have a solid 6 week period for getting together new graphics, marketing materials, and planning a strategy for enticing customers into your store.

Ideally, you’ll have a solid strategy in place a few weeks before the holiday season starts. If you couple this with a site that’s been checked out by a professional, with any issues fixed or maybe even updated a bit, you’re sure to have a stellar holiday season.

Holiday Help

Let BCS Engineering ease some of the stress of operating an e-commerce store this holiday season. Our engineers have been designing, building, maintaining, and building custom enhancements for e-Commerce sites of all flavors since 2002! We’ve got what it takes to get your site in shape for the holidays, and we’re here to help. Contact us today!

Magento 1 to be Supported Through 2020

Magento 1 long-term support through June 2020

Magento announced today a long-term strategy for the Magento franchise.

According to the post:

For Magento Commerce 1, we are providing software support through June 2020. Depending on your version, software support may include both quality fixes and security patches. Please review our Magento Software Lifecycle Policy to see how your version of Magento Commerce 1 is supported.
(Source)

and regarding the open-source edition (formerly known as the Community Edition):

For Magento Open Source 1, we are providing software security patches through June 2020 to ensure those sites remain secure and compliant. Please visit our Legal Terms page and review our Magento Open Source Software Maintenance Policy to see which versions of Magento Open Source 1 continue to receive software security maintenance.
(Source)

Therefore, it is of vital importance that e-commerce stores who are currently using Magento 1 begin the process of transitioning. This could be either via an upgrade to Magento 2, or via migration to another cart provider.

Need to Upgrade from Magento 1 to Magento 2?

At BCS Engineering, our e-Commerce focus is customer-centric. Our aim is to provide you with the simplest path from where you are to where you need to be. If you’re currently hosting a Magento 1 e-commerce website, our Magento experts can assist you in multiple ways:

  • We’ll move your store from Magento 1 to Magento 2 — or any other platform — for you; let us do it all!
  • Do you just need some custom functionality ported to your new store? Our certified developers are ready to help.
  • Or, are you so completely overwhelmed with the idea of moving your store that you don’t even know where to begin? Don’t worry, we’ve been doing this since 2002… this isn’t our first rodeo.

Contact BCS Engineering today! We can help you navigate the upgrade process and keep your store working smoothly… until 2020 and beyond!

Magento 2.2.6 Released!

The latest release of Magento — version 2.2.6 — is out now and includes multiple bug fixes. New enhancements designed to increase the overall security of the platform include:

  • 25 critical security fixes (addressing cross-site scripting and other vulnerabilities)
  • 7 major performance improvements (including product indexing and improvements for multi-site)
  • Updated Amazon Pay, Google Tag Manager, and dotmailer integrations
  • Over 150 product quality enhancements

Further notable enhancements include:

  • improved reliability of the checkout process,
  • CAPTCHA improvements, and
  • sales/payments improvements (including Braintree and Paypal integrations).

There are multiple other improvements to shipping, sitemap, and themes, as well as minor code and interface corrections. You can find the complete list of changes in the release notes for 2.2.6 Open Source or 2.2.6 Commerce. From Magento:

Although this release includes these security enhancements, no confirmed attacks related to these issues have occurred to date.

A minor patch is also available for Magento 2.1 — version 2.1.15 — that addresses these security concerns. For a full discussion of the vulnerabilities that have been addressed, see this discussion at the Security Center.

Do You Need Help with Your Magento Upgrade?

BCS Engineering’s certified Magento developers are standing by and ready to assist your e-commerce store with upgrading to the latest version of Magento! Our team are experts at deploying new major and minor upgrades, as well as assisting with your store’s theme, adding custom features to your store, or addressing security and performance issues. Contact us to find out how we can help with your store today!

X-cart 5 Tips: Stuck Deploying Changes?

Adding or upgrading a module in your X-cart 5 store will deploy these changes to its code base. During the “deploying changes” process, X-cart performs several additional maintenance tasks that keep your site functioning.

For example, rather than serving up the files from the main “classes” and “skins” directory, a snapshot is created. This snapshot represents the actual code that’s served to users when they request pages within your store. While it does this, it runs a series of special calculations and optimizations on that code, so that your store is as fast as possible.

Sometimes, during this process, something goes awry. During the “deploying changes” process you’ll see a text scroll of what phase of the process you’re in. When that stream stops, hangs, or throws an error, something has gone wrong.

Sometimes “deploying changes” goes REALLY wrong; your entire site is down, and visitors will be greeted with the spinning gear of death…

What the store looks like to customers when deploying changes goes wrong.

When this happens, what are you supposed to do? Here are a few tips:

Try The Back Button

X-cart 5 can be finicky at times. It’s a complex piece of software. Sometimes, deploying changes will appear to stall for no obvious reasons. When this happens to me the first thing I always try is to just jump back to the previous admin page using the back button.

Many times this will re-start the “deploying changes” process and it’ll finish with no problems whatsoever!

Delete Your Site’s Cache

If something really went wrong, you can delete the site’s current snapshot and reload. There are two ways to do this:

If you have FTP/SSH Access

Log into your store via FTP/SSH, and delete the files in the <X-Cart Directory>/var/run folder and the file <X-Cart Directory>/var/.rebuildStarted. Here <X-Cart Directory> is the location of admin.php for your store. Then go to the admin area of your store. X-cart will detect the absence of the cache and attempt to rebuild it.
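The SSH variant of this step as a small script, added here as an example and not part of the original article or of X-cart itself. The function name `xcart_drop_cache` is our own; it checks for admin.php before deleting anything, so a mistyped path cannot wipe an unrelated var/run folder.

```shell
#!/bin/sh
# Added example: clear a stuck X-Cart 5 snapshot from an SSH session.
# Usage: sh xcart-drop-cache.sh /path/to/x-cart   (the directory holding admin.php)

xcart_drop_cache() {
    local root="${1:-}" run_dir flag

    # Require an explicit, existing directory; never default to the current one.
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "error: '$root' is not a directory" >&2
        return 2
    fi

    # Work with the resolved absolute path so relative arguments behave predictably.
    root="$(cd "$root" && pwd -P)" || return 2

    # The article defines the X-Cart directory as the location of admin.php.
    if [ ! -f "$root/admin.php" ]; then
        echo "error: no admin.php in $root, refusing to delete anything" >&2
        return 3
    fi

    run_dir="$root/var/run"
    flag="$root/var/.rebuildStarted"

    # A symlinked var/run could point outside the store; stop instead of following it.
    if [ -L "$run_dir" ]; then
        echo "error: $run_dir is a symbolic link, refusing to follow it" >&2
        return 4
    fi

    # Empty var/run but keep the folder itself (-mindepth 1 skips the top level).
    if [ -d "$run_dir" ]; then
        find "$run_dir" -mindepth 1 -delete || return 1
    fi

    # Remove the marker that tells X-cart a rebuild is already in progress.
    rm -f -- "$flag"

    echo "Snapshot cleared in $root. Open the admin area to start the rebuild."
}

# Run only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    xcart_drop_cache "$1"
fi
```

Run it as the same user that owns the store's files, so the rebuilt cache ends up with the ownership the web server expects.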

If you do NOT have SSH Access

You can access your store’s “drop cache” function at:

https://<YOUR_XCART_URL>/admin.php?drop_cache&access_key=<YOUR_SAFEMODE_KEY>

where <YOUR_XCART_URL> is the main page for your store, such as “https://www.example.com/x-cart/” and <YOUR_SAFEMODE_KEY> is a special key that allows this functionality to be invoked. You can find the value of the key in the file var/data/.safeModeAccessKey in your X-Cart installation folder.

Last Resort: Safe Mode

Before you get into this situation, you should go to Admin > System Tools > Safe Mode to generate the various safe-mode links for your store. This gives you a set of steps you can take when deploying changes goes wrong.

When deploying changes goes really wrong, safe mode can save you!

You can see that these links have the same structure as the “Drop Cache” link above… you can replace the site URL with <YOUR_XCART_URL> and the example access key with <YOUR_SAFEMODE_KEY> as described above, and use the URLs from this image to access your store’s reset features.

It is best to try them in order, first attempting to restore the add-on’s current state. Then if that doesn’t work, try the soft reset. And, lastly, if that fails, the hard reset.

  • Restoring the Current State of Add-Ons is basically a simple re-deploy. All code from the modules will be re-set, and the store will try to re-build the cache.
  • Soft Reset removes all modules except those developed by X-cart directly. You can then go back and re-enable any custom modules using normal means.
  • Hard Reset removes all modules, except for those developed by X-cart (including custom code that X-cart has developed for you), and including those provided by the X-cart Marketplace. Your site will need some serious work re-enabling your modules one-by-one if you undertake this reset… so it’s not to be done lightly.

When All Else Has Failed…

Sometimes, you’re just in such a pickle that you’re not going to be able to get out of it yourself. When that happens, trust the experienced X-cart developers at BCS Engineering to get your store back together for you quickly and easily.

Contact BCS Engineering today to find out about our many support options, including emergency support for when your store is stuck deploying changes. We’re here to help!

Securing Magento 101: The Basics

Securing Magento

“It takes 20 years to build a reputation and five minutes to ruin it.”

— Warren Buffett

In the age of e-commerce that five minutes could be considerably shorter. Your e-Commerce business hinges upon your customers trusting your site completely.

With an install base of nearly 100,000 live websites, and a market share that’s surpassed 13%, Magento sites around the globe represent a huge target for malicious actors looking to compromise sites for profit.

Just last week, a “massive website hacking campaign that has infected 7,339 Magento stores” was announced. Would you want to be one of those site owners? Would you want to explain to your customers that their credit card info was stolen?

Nope.

That’s why securing Magento is an absolutely critical step for your e-commerce business.

Typically the way that hackers compromise a Magento site is a cyclical process. It looks something like this:

The four stages of an eCommerce attack; you need to understand this process in order to secure Magento effectively.

  1. Identify a specific vulnerability in the e-commerce platform (Magento).
  2. Target an e-commerce store with this vulnerability.
  3. Attack the store with this vulnerability.
  4. Exploit the vulnerability until it’s found and patched; then repeat.

So our goal is simple… we prevent the cycle shown above from ever starting. Here are some super-simple basic rules that every Magento site operator should follow.


Ten Tips for Securing Magento

1. Regularly Apply Patches

Patches remove security holes regularly, and provide critical improvements to your Magento store that can prevent holes from being found by forcing a “moving target.”

2. Use Modules/Extensions from Authentic Sources

One of the reasons that you probably chose Magento was its sensibility and the large number of modules and extensions available for the platform. Make sure you only install modules and extensions from Magento Marketplace. You should also investigate the background of a module’s developer, and thoroughly read the module’s reviews, before you trust installing it to your store.

3. Change Passwords Before and After you Seek Any External Assistance

Any time you ask a developer to work on your store — even us — you’ll need to share credentials with them. You should always provide the minimal set of credentials needed for the work. This usually amounts to a Magento admin username and password. The proper way to do this is to make a new administrator account for the developer, with a random password, and once they have finished the work they set out to do you should disable that account and/or change that account’s password. In some circumstances, they’ll need SSH access, and the same principle holds there… disable that SSH user account and/or change the account’s password.

Bonus tip: allow only certain IP addresses to connect to your store via SSH, and use a non-standard TCP port number for added security. Your hosting provider can assist you with configuring this aspect.

4. Schedule a Recurring Security Review

We highly recommend not becoming complacent about securing Magento; that is, just because you’re safe today doesn’t mean you’re safe tomorrow. Keep in mind that you aren’t a security expert, either, so it makes sense to have an independent review of your store regularly to ensure that everything is working smoothly and, most importantly, securely.

Schedule a recurring security review of the Magento e-commerce store with a certified Magento developer to ensure that your store is always as safe as it can be.

5. Use SSL/HTTPS

SSL encrypts all data that passes between browsers and servers; this ensures that a third party can’t view or manipulate the data as it passes from the user to the server. It’s absolutely essential to securing your store and is a strict requirement for PCI compliance.

6. Use SFTP

SFTP uses encryption to upload data to your Magento store. Like SSL/HTTPS, using SFTP prevents third parties from intercepting or manipulating data that you upload to your store.

7. Change the Administrative URL, Username and Password

One of the most commonly exploited vulnerabilities across the web is the use of default administrative URLs and credentials. You’re in a hurry to get your store up-and-running, you don’t have a good way to store a password, so you just leave things set to the default. Making just a few small changes — setting the admin URL to something that only you know, specifying a robust admin username, and using a secure password — can change your store from a soft target to a hard target instantly.

8. Consider Using a WAF for Added Security

A Web Application Firewall (WAF) works differently than a traditional firewall. A “regular” firewall typically only looks at network traffic at a very low-level; for example, to allow TCP port 80 (web traffic), or deny TCP port 22 (SSH traffic).

A WAF works at the layer closest to the user, looking at the actual HTTP requests, and can be used to block attempts at injecting SQL, preventing Cross-Site Scripting (XSS), and other complex attacks that no traditional firewall would ever detect.

Therefore WAFs assist in securing Magento by providing an added layer of protection to your threat reduction model and could very easily save your business someday.

10. Have a Disaster Recovery and Backup Plan in Place

An often unrecognized aspect of securing Magento is knowing what to do when something goes wrong. Think about how you would recover from a hack before it happens and have a plan in place. You’ll react quicker when you discover a problem, and won’t have to worry about what to do; just follow the plan and solve the problem. Having a good backup strategy, talking through with a developer what to do if you discover a problem, and staying calm because you have a plan can mean the difference between your site being down for a few hours and a few days.

Time spent preparing now will work out in the long run to be much less expensive than the lost revenue of an extended downtime event.


Conclusion

Because Magento is a robust platform, it has many safeguards to keep your e-Commerce store safe, but no piece of software is ever 100% invulnerable. The best thing that you can do is to implement a security-first mindset, follow expert advice on securing Magento, and never hesitate to ask questions about what’s best for your e-Commerce environment.

If you’d like to discuss your Magento store’s security, contact BCS Engineering: our professional, Magento-certified staff can assist you with improving your site’s speed and security today!

Authorize.Net Implementing Changes

Authorize.net Implementing Changes

Authorize.net is implementing changes:
Any customers having the Authorize.net DPM prior to November 10, 2016 for versions 4.4.x through 4.7.x will need to get an updated module before July 19, 2019. More information can be found at https://developer.authorize.net/api/upgrade_guide/

Anyone running the Authorize.net DPM module on 4.0.x through 4.3.x will need to contact us for customization so your module will continue to work past July 2019.

Please contact us to receive a quote for the update or customization!

Using an SSH Tunnel to Connect to MySQL with PuTTY

For our hosting clients, we do not generally open the default TCP Port for MySQL (port 3306) for security reasons. A consequence of this is that users cannot connect directly to MySQL databases for their sites. However, by using an SSH tunnel, one can forward the traffic securely over the SSH connection and connect.

The following instructions describe how to establish an SSH tunnel for port 3306 to your server. Before you can proceed, you’ll need the following:

  • working SSH login credentials for your server,
  • PuTTY – a free terminal emulator.

Instructions

  1. Launch PuTTY.
  2. Enter your server’s hostname or IP address in the “Host Name” field.
  3. Navigate to Connection → SSH → Tunnels.
  4. Fill in 3306 as the “Source port”, and fill in 127.0.0.1:3306 as the “Destination”. This forwards connections made to port 3306 on your local machine, over the SSH connection, to port 3306 on the server (127.0.0.1 as seen from the server). Make sure you click “Add” and that the entry appears in the list of Forwarded ports.
  5. Connect to the server by selecting “Open”. You will need to provide credentials and may need to accept the host’s SSH key if this is your first time connecting.
  6. You can now connect to your database using a client of your choice, such as MySQL Workbench (free). You must direct your client to connect to the host 127.0.0.1 and port 3306.

How To: Modify Your Hosts File

Sometimes, when in the process of working on a site with us, we’ll ask you to evaluate a development copy of your site. These are potentially hosted on servers that have a different IP address than your “live” site. When this happens, the simplest way to view the site is to override the DNS entries using a hosts file.

Modifying your hosts file causes your local machine to route requests for a particular domain, such as example.com, to a particular IP address. The hosts file looks like a collection of records that map domains to IP addresses, for example:

70.60.131.251 example.bcsengineering.com

In this article, we provide instructions for modifying your hosts file for the following operating systems:

  • Windows 10, Windows 8, Windows 7, and Windows Vista
  • Linux
  • Mac OS X 10.6 through 10.12

After you add the domain information and save the file, your system begins resolving to the specified IP address. After testing is finished, remove these entries.


Windows

Windows 10, Windows 8, Windows 7, and Windows Vista use User Account Control (UAC), so Notepad must be run as Administrator.

Instructions:

  1. Press the Windows key.
  2. Type “notepad” in the search field.
  3. In the search results, right-click the Notepad icon and select Run as administrator.
  4. Click Continue on the window that opens requesting permission to run as an administrator.
  5. From Notepad, open the following file: c:\Windows\System32\Drivers\etc\hosts
  6. Make any changes that you’d like to make. Entries should include both an IP address and a domain name or collection of domain names.
  7. Click File > Save to save your changes.

Linux

Much like Windows, most Linux operating systems will require administrative privileges in order to edit the hosts file. This is achieved from the terminal by escalating your user’s privileges using sudo. If you do not have sudo access for your computer, contact your local administrator.

Instructions:

  1. Open a terminal window.
  2. Open the hosts file in a text editor (you can use any text editor) by typing the following line:
    sudo vim /etc/hosts
  3. Enter your password.
  4. Press i to enter “insert mode”, and navigate using the arrow keys to the location in the file where you want to make changes.
  5. Make any changes that you’d like to make. Entries should include both an IP address and a domain name or collection of domain names.
  6. Press ESC, then type :wq and press Enter. This exits “insert mode”, writes the file, and quits.

Mac OS X

Much like Windows and Linux, Mac systems will require administrative privileges in order to edit the hosts file. This is achieved from the terminal by escalating your user’s privileges using sudo. If you do not have sudo access for your computer, contact your local administrator.

Instructions:

The following instructions are valid for Mac OS X 10.4 through 10.12:

  1. Open Applications > Utilities > Terminal.
  2. Open the hosts file by typing the following line in the terminal window:
    sudo vim /etc/hosts
  3. Enter your password.
  4. Press i to enter “insert mode”, and navigate using the arrow keys to the location in the file where you want to make changes.
  5. Make any changes that you’d like to make. Entries should include both an IP address and a domain name or collection of domain names.
  6. Press ESC, then type :wq and press Enter. This exits “insert mode”, writes the file, and quits.
  7. Make your changes take effect by flushing the DNS cache with the following command:
    dscacheutil -flushcache

The new mappings should now take effect.
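For Linux and Mac, the edit and the later clean-up can also be scripted. The following is an added example, not part of the original instructions: the function names and the `# bcse-dev-override` marker are our own, and the marker is what lets the temporary entries be removed again after testing without touching anything else in the file.

```shell
#!/bin/sh
# Added example: temporary hosts-file overrides that can be removed cleanly.
# For /etc/hosts run as root, e.g.:
#   sudo sh hosts-override.sh add 70.60.131.251 example.bcsengineering.com
#   sudo sh hosts-override.sh remove
HOSTS_TAG="# bcse-dev-override"   # hypothetical marker appended to every added line

# Print the IP addresses mapped to DOMAIN, in file order (comments are ignored).
hosts_lookup() {
    awk -v d="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) print $1 }
    ' "${2:-/etc/hosts}"
}

# hosts_add IP DOMAIN [FILE]: append a tagged entry unless it already exists.
hosts_add() {
    local ip="$1" domain="$2" file="${3:-/etc/hosts}" first

    # Accept only characters that can occur in an IPv4/IPv6 address or a
    # hostname, so nothing unexpected is ever written into the file.
    case "$ip" in
        ""|*[!0-9a-fA-F.:]*) echo "error: invalid IP address" >&2; return 2 ;;
    esac
    case "$domain" in
        ""|.*|-*|*[!A-Za-z0-9.-]*) echo "error: invalid domain name" >&2; return 2 ;;
    esac

    first="$(hosts_lookup "$domain" "$file" | head -n 1)"
    if [ "$first" = "$ip" ]; then
        return 0        # mapping already present, nothing to do
    elif [ -n "$first" ]; then
        # An earlier entry for the same name would typically win over a new one.
        echo "error: $domain already maps to $first in $file" >&2
        return 3
    fi

    # If the file does not end in a newline, add one so lines are not joined.
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\t%s\t%s\n' "$ip" "$domain" "$HOSTS_TAG" >> "$file"
}

# hosts_remove [FILE]: delete every line that carries the marker.
hosts_remove() {
    local file="${1:-/etc/hosts}" tmp rc
    tmp="$(mktemp)" || return 1
    # Write back with cat so the file keeps its owner and permissions.
    awk -v tag="$HOSTS_TAG" 'index($0, tag) == 0' "$file" > "$tmp" &&
        cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Command-line entry point; does nothing when no sub-command is given.
case "${1:-}" in
    add)    hosts_add "${2:-}" "${3:-}" "${4:-/etc/hosts}" ;;
    remove) hosts_remove "${2:-/etc/hosts}" ;;
esac
```

On a Mac, flush the DNS cache with the dscacheutil command from step 7 after adding or removing entries.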


If you are a BCSE customer in need of help adjusting your hosts file, please open a ticket with us at support.bcsengineering.com

Social Media Data Collection & You!

Social Media Data Collection & What You Need to Know

Consumers are becoming increasingly aware of the cost in personal information that occurs by participating in online social media. It’s a “free” relationship that we initiate and companies are now starting to understand the complexity of managing social media data that is collected. We should all take some time to understand the following 3 lessons learned from companies that have not done a great job in protecting this data in the past.

1. Awareness is the Beginning.

It’s increasingly important for companies to fully understand how social media interactions with mass consumer bases actually work and to question how they can be more responsible stewards of their customers’ data. Much of society views all 3rd parties that receive personal information as malicious. However, there are brands that depend on direct social media contact with consumers. Understanding why that information is needed and how to protect it is key. For some businesses, their direct marketing strategy is based on the data that is gathered and customers do benefit greatly from this approach.

2. Fair Exchange Increases Consumer Willingness.

For the companies that rely on direct marketing strategies, eliminating this type of data collection is not realistic and would be a detriment to their business model.  Loyalty programs are based around this type of data and as time passes,  consumers are more comfortable sharing this information.   One recent survey indicated that 87 percent of online shoppers are willing to trade personal information for better shopping experiences. The shift in customers allowing this data exchange and enjoying the benefits has allowed marketers and consumers to develop more personalized relationships.  All of this is based on in-depth access to consumer data.

However, the recent events at Facebook have thrown a wrench in the works. A subset of bad third-party actors, such as Cambridge Analytica, has created an issue that affects ANY company working with social media.   As a result, Facebook has stopped development work of thousands of third-party apps that access its users and their data. This means that hundreds of well-known brands, including the trusted vendors that help those brands manage their customer interactions, have also had to stop or slow up the improvement, support and maintenance of their social media accounts.

While this is problematic, it’s not unwarranted as we would all agree that more transparency is needed when it comes to how our personal data is used.

3. Adaptability is key.

Many companies that work with social media are well versed in the best way to handle this data and can adapt quickly to new regulations and changes. Most major companies employ 3rd party platforms to handle their numerous social media interactions. For these companies, changes in regulation and protocol are much more easily managed.

However, there are major differences between legitimate third-party vendors and the illegitimate data harvesters. Understanding these differences and how companies manage their data will be the driving force behind how a company proceeds. Do they choose a customized program that meets their needs specifically or a standardized platform that can be more easily adapted to changes in regulations?

In general, companies will have to provide transparency into their data collection and be prepared to have a platform in place that can quickly and easily adapt to new changes in policy & regulations.

Contact us for more information regarding compliance and what you can do to make sure you are protected.  For more information regarding this topic, you can view the source for this blog post and dive deeper into the subject matter.