Magento Security Team published a list of steps required to prevent brute-force attacks. How effective are they, and will the non-tech savvy users be able to implement them? In the past couple of weeks the Magento community noticed an increased attempts to break into Magento webshops by using so called brute force attacks - automatically trying out different combinations of passwords until the right one is guessed. Some of these attacks have resulted in unauthorized admin panel access and several...

"No business is safe from hackers, I’ve had the chance to see it for myself. That’s why I would like to share my experience with all online store owners. My friend, also an owner of a web shop, was recently hit by a hacker attack. His site seemed just fine, all he noticed was a significant drop in sales," states Brad S., owner of madamebridal.com. “After a couple of months of trying to figure out what is going on, he...

Simple Configurable Products (in further text - SCP) changes how pricing of configurable products works in Magento. Configurable product's own price is never used, instead the price used is that of the matching associated product. SCP gives site owners direct control to set the price of every configuration of a product, no need to use price modifiers based on attribute options. Beside price rules SCP changes product custom options rules, any custom options assigned to Configurable Product will be ignored....

Magento CE 1.9.3 was published on 11th October 2016, it delivers various code improvements, fixes few known issues and closes some very important security holes. Beside quality improvement of code, new version brings support for PHP 5.6 in addition to PHP 5.4 and 5.5. (PHP 7 is still not supported). Security enhancements addresses some general issues like (to mention few): remote Code Execution in checkout, SQL injection in Zend Framework, Stored XSS in invitations. Also there are several password enhancements...

  Recently, new security vulnerabilities have been discovered in number of 3rd party Magento extensions. The latest one is the security issue in Vladimir Popov Webforms extension that allows attacker to inject a script that enables uploading any file to server through URL and browser. Updating module to the latest version is advised, but it is not enough in case your website has already been hacked. To make sure you are safe from the latest vulnerabilities, we have added new malware...

As you probably noticed, during the installation Magento gives you different options where to store session data. The two options are File system and Database File system is selected by default and session files are stored in var/session folder. The other option, to store session in Database, is usually used when you are hosting Magento store on multiple web servers (cloud hosting). If, from some reason, you need to clear all the session data, you would usually just need to...

One of the leading information security companies, Trustwave, released the 2016 Global Security Report which reveals the top cybercrime, data breach and security threat trends from 2015. Even though the report only confirmed what we have been suspecting over the last year, some of the data, especially those considering ecommerce, were somewhat shocking. We would like to share some interesting facts from the report, especially those considering compromised ecommerce websites and, as the Trustwave report shows, by "compromised ecommerce" we...

Loading time is an important part of your website’s user experience. If your site is slow, you are losing conversions, which can really take a toll on your profit. When it comes to site speed it is very important that your store runs smoothly, quickly and securely. Choosing the right hosting provider has a big impact on your website's performance. A while ago we wrote a blog post about choosing the best hosting for Magento. Today, we are focusing on...

How to display confirmation messages, error or warning to the user is something every theme and/or Magento 2 extension developer should know about. There are four types of notification messages you can use: Error (in red), Notice (yellow), Success (green) and Warning (in grey). Getting your module to display notifications in Magento 2 is different than in Magento 1, since there are no more session class specific notification messages. If you need your module to display messages via Magento notification system,...

While building your custom extension, you will usually need path to your extensions files. However sometimes you will need to get absolute path to Magento 2 root folder or maybe to media folder. To directly access those files through your extension you can use Magento\Framework\App\Filesystem\DirectoryList class. (more…)