Force HTTPS on Magento Shopping Cart Pages & Admin Backend

After you have installed an SSL certificate for your eCommerce site and the HTTPS version of your domain is successfully accessible, Magento doesn’t automatically use HTTPS for some of the important pages across the site, such as /checkout/cart/, /customer/account/, etc.

Enable HTTPS for your Magento store

You have to explicitly enable HTTPS for your Magento store if you didn’t select HTTPS during installation.

In the Admin panel: System -> Configuration -> General -> Web -> Secure

  1. Base URL – https://www.yoursite.com
  2. Use Secure URLs in Frontend – Yes
  3. Use Secure URLs in Admin – Yes

Now Magento should be using HTTPS for all the important frontend pages (/customer/account/, /checkout/onepage/, etc.) and across the entire backend Admin panel.

Wait, /checkout/cart/ is still not HTTPS!

Yep. You have to do one more thing to make sure /checkout/cart/ is also automatically HTTPS.

Edit app/code/core/Mage/Checkout/etc/config.xml, find this:

<frontend>
<secure_url>

And add this line immediately below:

<checkout_cart>/checkout/cart</checkout_cart>

So that it looks like this:

<frontend>
    <secure_url>
        <checkout_cart>/checkout/cart</checkout_cart>
        <checkout_onepage>/checkout/onepage</checkout_onepage>
        <checkout_multishipping>/checkout/multishipping</checkout_multishipping>
    </secure_url>

Refresh all the cache and Magento should be using HTTPS on /checkout/cart/ now.
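To confirm which paths the edited file actually covers, the following PHP script (an added example, not part of the original post or of Magento) parses a secure_url block and reports which request paths fall under a listed entry. The embedded XML is a constructed excerpt, the function names are hypothetical, and the prefix-match rule is an assumption about how the entries are applied.

```php
<?php
// Constructed excerpt in the shape of the edited
// app/code/core/Mage/Checkout/etc/config.xml shown above.
$configXml = <<<XML
<config>
  <frontend>
    <secure_url>
      <checkout_cart>/checkout/cart</checkout_cart>
      <checkout_onepage>/checkout/onepage</checkout_onepage>
      <checkout_multishipping>/checkout/multishipping</checkout_multishipping>
    </secure_url>
  </frontend>
</config>
XML;

/** Return the path prefixes listed under frontend/secure_url, keyed by entry name. */
function secureUrlPrefixes(string $xml): array
{
    $config = simplexml_load_string($xml);
    if ($config === false || !isset($config->frontend->secure_url)) {
        return [];
    }
    $prefixes = [];
    foreach ($config->frontend->secure_url->children() as $name => $node) {
        $prefixes[$name] = rtrim(trim((string) $node), '/');
    }
    return $prefixes;
}

/** Assumption: a request path is forced to HTTPS when it starts with a listed prefix. */
function coveringEntry(string $path, array $prefixes): ?string
{
    foreach ($prefixes as $name => $prefix) {
        if ($prefix !== '' && strpos($path, $prefix) === 0) {
            return $name;
        }
    }
    return null;
}

$prefixes = secureUrlPrefixes($configXml);
// Constructed request paths worth checking after the change.
$paths = ['/checkout/cart/', '/checkout/onepage/', '/customer/account/login/', '/catalogsearch/term/popular/'];
foreach ($paths as $path) {
    $entry = coveringEntry($path, $prefixes);
    printf("%-30s %s\n", $path, $entry ?? 'NOT listed in this file');
}
```

A path reported as not listed here may still be covered by another module's config.xml; this script only inspects the XML it is given.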

Malicious / Spam Search Terms in Magento Popular Search Terms

If you’ve got a fairly popular Magento store, you’ve probably got the problem of spam or malicious search terms showing up on the Popular Search Terms page. It’s ugly and you want to get rid of them once and for all, while leaving the legitimate search terms entered by genuine users intact.

Of course you do. Me too. Look at this:

Magento store spam searches

So how do you delete spam search terms from the Popular Search Terms page?

What I’ve done is to edit the /app/design/frontend/default/your_theme/template/catalogsearch/term.phtml until it looks something like this:

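		<?php
		// Escape the stored search term for safe HTML output
		$princessly_search_term = $this->htmlEscape($_term->getName());
		// Skip terms containing characters typical of spam / malicious searches
		if (strpos($princessly_search_term, '%') !== false
			|| strpos($princessly_search_term, "'") !== false
			|| strpos($princessly_search_term, '`') !== false
			|| strpos($princessly_search_term, '=') !== false) {
			continue; // move on to the next term in the surrounding loop
		}
		?>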
            <li><a href="<?php echo $this->getSearchUrl($_term) ?>" style="font-size:<?php echo $_term->getRatio()*70+75 ?>%;"><?php echo $princessly_search_term ?></a></li>

The PHP function strpos() checks whether a specific character occurs in the string $princessly_search_term, which holds the HTML-escaped search phrase. If it does, the phrase is not displayed: continue skips to the next phrase in the loop, which is then checked the same way.

Most malicious / spam search attempts contain '%', "'", or '=', which normal users wouldn’t use in a legitimate search for your products. Now the Popular Search Terms page is a lot cleaner and more user friendly.
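The same character filter as a standalone function run over sample terms (an added example, not the post's template code; the function name and the sample terms are constructed). It checks the raw term and escapes only at output, and the last sample shows why the escaping step must stay: a term with markup contains none of the filtered characters and is still listed.

```php
<?php
// Characters the template above treats as a sign of a spam or malicious search.
const BLOCKED_CHARS = "%'`=";

/**
 * Split raw search terms into those to list and those to hide.
 * The check runs on the raw term; escaping happens only when printing.
 */
function partitionSearchTerms(array $terms): array
{
    $result = ['show' => [], 'hide' => []];
    foreach ($terms as $term) {
        // strpbrk() returns false when none of the blocked characters occur
        $key = strpbrk($term, BLOCKED_CHARS) === false ? 'show' : 'hide';
        $result[$key][] = $term;
    }
    return $result;
}

// Constructed sample terms
$terms = [
    'red prom dress',
    "dress' OR '1'='1",
    '%3Cscript%3E',
    'size 8 shoes',
    'a`b',
    '<b>sale</b>', // passes the character filter, so output escaping still matters
];

$result = partitionSearchTerms($terms);
foreach ($result['show'] as $term) {
    echo 'show: ', htmlspecialchars($term, ENT_QUOTES, 'UTF-8'), "\n";
}
echo count($result['hide']), " term(s) hidden\n";
```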

Custom Magento Theme for Error – “There has been an error processing your request”

If you ever run into Magento’s “There has been an error processing your request” error, you’ll see that it’s just a plain default page in the default theme Magento shipped with when you first installed it.

default magento error exception theme

It simply sucks in user experience and page design. You want to:

  1. Use your own theme for this error page
  2. Use your own logo rather than Magento’s
  3. Add a back to the previous page sort of button / link
  4. Change Magento copyright notice to your own

How do you accomplish all of these?

For 1, I thought it was in design.xml, but it turned out it’s not. And thus far I have no idea how to switch the error page to your own theme design once and for all.

For 2, just change /errors/default/images/logo.gif with your own.

For 3, just edit the /errors/default/report.html.

For 4, just edit the /errors/default/page.html.

Magento Error – “There has been an error processing your request”

By default, Magento disables output of exception / error details, which makes debugging impossible for developers.

There has been an error processing your request

Exception printing is disabled by default for security reasons.

And that’s it. Not nearly enough information to make it right. We need the error details.

To make it display error details and problem traces, FTP to your Magento installation, go to /errors/, and rename local.xml.sample to local.xml (the new file name is local.xml, with no trailing dot).

Now the error should be much more useful by showing a lot more details: descriptive error message, traces, and line of code that is at fault.

magento error

"There has been an error processing your request"

On a production site, make sure you rename local.xml back to local.xml.sample to disable detailed error output, for the sake of security.

Same SSL Certificate, Different Prices! How to Find Cheapest SSL?

I don’t quite like Go Daddy, so I didn’t go for their very cheap SSL at $12 / year. They are good, just not for me. I’m serious about my online store so I opted for GeoTrust (other top CAs are VeriSign, GlobalSign, etc.), which is a much more widely trusted brand. You should too if you have the financial option. It doesn’t make much difference to spend $40 more per year.

QuickSSL Basic was their entry level SSL certificate but seemed to be unavailable for purchase at the time of writing. At one of their resellers Rapid SSL Online, the pricing was very tempting at around $50 / year for GeoTrust QuickSSL Premium. The exact price depends on the subscription term – the longer the cheaper. Considering it’s $149 / year on the official GeoTrust website, I had no reason to not get this one.

SSL Discriminatory Pricing – How to get the cheapest price?

Make sure you visit the Rapid SSL Online page of GeoTrust QuickSSL Premium from a US IP address because when I didn’t, the price strangely rose by about $15 – $20 per year from when I did. Luckily, I used my own VPN from a server in the US to access that sales page in the first place, or I would in no way know it’s much cheaper for US buyers than for international buyers (I’m based in China).

See for yourself by accessing this page from different IPs: https://www.rapidsslonline.com/quickssl-premium.aspx

For US buyers:
rapid ssl online us ip pricing for geotrust

For China buyers:
rapid ssl online china ip pricing for geotrust

I never heard about discriminatory pricing in the SSL industry before, but it might very probably be a secretly common practice. Other vendors and providers might as well do this. International SSL buyers should keep this in mind. Get a US VPN. You are targeting the English market anyway.

Learn how to create your own VPN from your web hosting account.

Go Daddy Discriminatory Pricing – How to get the cheapest SSL from Go Daddy?

Go Daddy is more aggressive in discriminating customer crowds by offering very different prices to them. Searching in Google “godaddy ssl” and clicking the first organic listing would get you here:

http://www.godaddy.com/ssl/ssl-certificates.aspx - $69.99 / year for Standard SSL
GODADDY SSL NORMAL PRICING

However, when you search “buy ssl” and click the Go Daddy ad in Google, you would arrive here:

http://www.godaddy.com/Compare/gdcompare_ssl.aspx - $12.99 / year for Standard SSL
GODADDY SSL VERY CHEAP PRICING

What can you say.

SSL Resellers Sell Certificates More Cheaply

Another tip for buying a cheap SSL is, don’t you ever buy SSL certificates directly from a CA (GeoTrust is a CA, Rapid SSL Online is a reseller). It’s always much more expensive than when you buy from a reseller, by a very large extent.

I never bought one directly from the CA, so I’m not sure if there are any substantial differences in what you receive. Probably in terms of support service?

Support is provided by the reseller if you buy from them. That seems to be the only difference to me.