Identifying and blocking “Bad” Magento traffic

There's a number of common attacks on Magento stores; they can range from aggressive crawlers/bots, to XSS attacks, to severe SQL/compromise attacks. There are two approaches to dealing with attacks of this nature:

- Automated: through the use of a WAF
- Manual: by traversing log files for patterns and blocking said patterns/sources as necessary

Below is a list of common attacks and how to identify them by reviewing your log files. This list is by no means definitive, but it is a good starting point for investigating and understanding who is trying to access your Magento store. In almost all cases, a proper WAF (web application firewall) is a suitable first line of defence, whereas the suggestions made below are geared towards those without a WAF (or the expertise to implement one). MageStack comes as standard with a 3-tier firewall, including a stateless edge firewall, an IPS/IDS L3 firewall and an intelligent … Continue reading

Correcting incorrect timestamp after server migration

An issue we (admittedly infrequently) come across when moving Magento stores from one server to another is when the previous server's time was incorrect, causing all historical order data to be incorrect on MySQL import. More often than not, we see stores migrated from US West (-7:00) show orders that are in the future after migration, because of discrepancies between the MySQL server locale, the Magento locale and the web server locale. There are two opportunities to fix this: either prior to taking the DB dump (or prior to import), or once the DB has been imported.

After DB Import

This can be relatively easily remedied by performing a post-migration correction on the order tables, specifically `sales_flat_order` and `sales_flat_order_grid`. We only change these two tables because they are the most sensitive to date/time changes.

```sql
UPDATE sales_flat_order
SET created_at = ADDTIME(created_at, '-07:00:00'),
    updated_at = ADDTIME(updated_at, '-07:00:00');
```

… Continue reading

Fix for “No search results” after CLI reindex on Magento Enterprise (SOLR)

Edit `shell/abstract.php` and add `Mage::app()->addEventArea('adminhtml');` after the call to `Mage::app()` in the constructor:

```php
public function __construct()
{
    if ($this->_includeMage) {
        require_once $this->_getRootPath() . 'app' . DIRECTORY_SEPARATOR . 'Mage.php';
        Mage::app($this->_appCode, $this->_appType);
        Mage::app()->addEventArea('adminhtml'); // added line
    }
    $this->_applyPhpVariables();
    $this->_parseArgs();
    $this->_construct();
    $this->_validate();
    $this->_showHelp();
}
```

Finding all Magento secure URIs

We recently needed to try and identify all HTTPS URIs in a customer's store and had to quickly write a script to scan the `core`, `local` and `community` directories to find any pages that used HTTPS. This is by no means 100% accurate, but it will be a good initial indication of which URLs are defined as being secure.

```bash
cd app/code/core/Mage
(
ack-grep "getUrl\(['\"]([^(\"|')]+)['\"],([\s]+)?array\(['\"]_secure['\"]([\s]+)?=>([\s]+)?true\)\)" * --output='$1' | while read LINE; do
  FILE=$(echo "$LINE" | cut -f1 -d":")
  URI=$(echo "$LINE" | cut -f3 -d":")
  echo "$URI" | grep -qF '*' 2>/dev/null
  if [[ $? -eq 0 ]]; then
    MODULE=$(echo $FILE | ack-grep "^([^/]+)/" --output='$1')
    CONTROLLER=$(echo $FILE | ack-grep "([^/]+)" --output='$1' | tail -n2 | head -n1 | sed 's/Controller.php//g' | tr '[A-Z]' '[a-z]')
    CONFIG_FILE="$MODULE/etc/config.xml"
    if [ -f "$CONFIG_FILE" ]; then
      NAMESPACES=( $(cat $CONFIG_FILE | ack-grep "(.+)?" --output='$1') )
      if [ ${#NAMESPACES[@]} -gt 0 ]; then
        for NAMESPACE in ${NAMESPACES[@]}; do
          echo …
```

Continue reading

Simple Magento performance/load testing with Mage-Perftest

Mage-Perftest is a simple Linux command line tool to test the performance of your Magento store. It can perform a number of clever operations which make it far more suitable than `siege` or `ab`. It's not a replacement for fully fledged simulation tools (like JMeter), but it is simple to set up and run.

**You can use it for a number of different things,**

- PHP TTFB (time to first byte) performance testing
- Whole page (including static content & assets) performance testing
- Load/stress testing
- Concurrency testing
- Repeat testing
- Site cache priming/crawling

**It also has the ability to,**

- Use sessions during crawling
- Support keepalives
- Bypass the Varnish cache (to test actual server performance)
- Read and parse Magento sitemaps (eg. `http://www.example.com` format)
- Use fixed and random seeds when parsing sitemaps
  1. for either completely random tests, or fixed random tests
- Simulate traffic over a defined period of time (eg. 1000 unique visitors in a … Continue reading