Nexcess Blog

Magento Security Advisory and Patch (SUPEE-6482)

August 10, 2015

Magento has just released patch SUPEE-6482, which addresses four different vulnerabilities affecting Magento Community and Enterprise editions. We strongly advise all Magento store administrators to update to the latest version to address these vulnerabilities ( for Community or for Enterprise). Those who do not want to update to the most current version of Magento must manually apply the SUPEE-6482 patch to fix the same vulnerabilities.

The first two vulnerabilities involve input validation issues in the Magento API. In one of these, an attacker could remotely include arbitrary PHP code in an API request. This attack only works against specific server and PHP configurations and requires valid API credentials. However, it still presents a risk where a compromised API account has only limited access, because an attacker may exploit it to escalate their privileges. The other API vulnerability allows an attacker to probe internal network resources using a malformed API password.

The next two vulnerabilities addressed by SUPEE-6482 affect only Magento Enterprise users, but are much more severe. The worst of these involves cache poisoning, where attackers use unvalidated Host headers to modify pages in a Magento store, though this only works on specific server configurations. Finally, the patch addresses a cross-site scripting vulnerability in Magento’s gift registry search. This vulnerability allows attackers to steal cookies or impersonate Magento users, presumably by tricking those users into following a malicious link.

For more information about how to apply the patches to your Magento store, refer to the instructions on the Magento website.

For additional details about the SUPEE-6482 patch, refer to the Magento release notes.

Posted in: Nexcess

Six Must-Have Performance Optimizations For New WordPress Sites

August 6, 2015

The developers of WordPress have to strike a careful balance between performance and feature-set or complexity. WordPress is so easy to use because it’s a dynamic site generator: it builds pages on the fly from PHP scripts and MySQL database entries. That’s not an inherently slow process, but it’s slower than serving static HTML, CSS, and JavaScript. If we couple the performance hit introduced by WordPress with the trend towards image-heavy web design, the combination is likely to produce slower sites than we’d ideally like.

Slow sites are bad for any number of reasons, but the most important is that slow sites make for bad user experiences. No one likes to wait. That goes double for users on mobile with low-bandwidth connections and strict data caps.

Fortunately, there’s quite a lot we can do with a basic WordPress installation to improve its performance. In this article, I’m going to take a look at six techniques WordPress users can implement to improve their site’s performance.


Posted in: Nexcess

Magento Introduces Security Alert Registry

August 4, 2015

In the wake of a number of serious vulnerabilities — including the critical ShopLift vulnerability — Magento announced in May that it would be introducing the Magento Alert Registry to keep eCommerce retailers up-to-date about potential security problems. You can now sign up here.

“We are committed to platform security and are taking proactive steps intended to ensure this. In the coming weeks, we will be establishing the Magento Alert Registry to serve as a direct line of communications in future urgent situations, separate from any marketing communications. By being able to connect with both our Community and Enterprise Edition merchants directly via your preferred method – email, text or social – we will be able to more quickly inform you of steps to resolution.”


Posted in: Nexcess

Why Don’t More eCommerce Retailers Use Video?

July 30, 2015

Video is huge, yet the number of eCommerce retailers that take full advantage of video is vanishingly small. Even Amazon is tapping only a fraction of the potential of video for increased sales, conversions, and promotion.

Video is seen as being difficult and expensive, which partially explains the timidity of eCommerce retailers. In some cases that’s true, but it needn’t be, and the potential upside of a successful video strategy is more than worth the investment.

A recent article from EConsultancy gathered together case studies from six retailers who used video and found that conversion rates increased between 30 and 160%.


Posted in: Nexcess

Assess Your WordPress Theme’s Accessibility with Tota11y

July 28, 2015

Accessibility is not often at the front of our minds when we are choosing or designing a WordPress theme. We’re more concerned with aesthetics, functionality, and conversion potential. But ignoring accessibility excludes a huge proportion of our potential users.

Worldwide there are 285 million people with visual impairments, 39 million of whom are legally blind. There are almost as many people with hearing impairments, and a huge number with movement problems that make navigating the web difficult. That’s a lot of people who won’t be able to enjoy your site unless you invest a little time and effort to make it compatible with tools like screen readers.


Posted in: Nexcess

Choosing Color Combinations For Your Site

July 23, 2015

If you aren’t a trained designer, choosing color combinations for your site can be a minefield. With layouts and typography, there are some relatively simple rules that will produce at least passably good results. But there are tens of millions of potential color choices and trillions of possible combinations. Hitting on colors that look good, look good together, and reflect the character and branding of your site is a hair-curling task for someone without training.

It’s also incredibly important to get color choices right. Some people go too far when they talk about the impact of color psychology, but there are measurable effects — both psychological and aesthetic — associated with particular colors.


Posted in: Nexcess

Install WordPress and PHP 7 on CentOS

July 21, 2015

With PHP 7 around the corner, we wanted to create a dev environment to test some apps and prepare for its arrival.

Installing PHP 7 on CentOS is not difficult; instructions can be found here. Using the precompiled builds, we created a VM with the software needed to start testing WordPress: Apache2, MariaDB and PHP 7. For this VM, we used Vagrant and VirtualBox.

VM setup involves two files: Vagrantfile, with as a provisioner.


Posted in: Nexcess

WordPress’ New Security Czar Is Good News For The WordPress Community

July 16, 2015

WordPress is a complex software ecosystem. Its huge userbase and an active developer community numbering in the tens of thousands make for a potential security nightmare, but, in fact, it functions surprisingly smoothly.

For users who hear only about the most recent security vulnerability, it might not appear so, but the widespread publicity of security vulnerabilities — almost always accompanied by a patch — is evidence that WordPress’ immune system is functioning properly.


Posted in: Nexcess

New Magento Community Edition Security Patch Released — Immediate Patching Is Advised

July 14, 2015

Magento has made available a new patch bundle that addresses several serious security vulnerabilities. Magento CE & EE users should update immediately to ensure that their eCommerce store and its users are not put at risk.

Among the vulnerabilities addressed are the potential leaking of customer information and cross-site scripting vulnerabilities.

The patch bundle — which is part of the recently released Magento Community Edition 1.9.2 — has been given the code SUPEE-6285 and is available from Magento’s site. Before applying the SUPEE-6285 patch bundle, you must first have applied SUPEE-5994, which is available at the same link.


Posted in: Nexcess

June 2015’s Best ExpressionEngine, WordPress, and Magento Content

July 6, 2015

It’s been a spring of attending conferences for the Nexcess team, and the month of June was no different. First, we were at IRCE in Chicago discussing Magento and PHP. Then last week we were in London for Magento Live UK 2015. One of the big themes of the latter event was Magento 2, and you’ll notice that we include a couple of articles that look at where the world’s most popular eCommerce platform is headed. Social and mobile are also becoming major influencing factors in eCommerce, an idea that is explored in the posts below. So before we spoil all the articles we included, here are the best WordPress, Magento, and ExpressionEngine articles from June 2015. If you’re looking for the same great content on a day-to-day basis, follow us on Twitter, Facebook, and Google+. Enjoy, and let us know if we missed anything important in the comment section.

Posted in: Monthly Roundups