Dec 7, 2016

An overview of Magento 1.x security patches

Magento is a great ecommerce platform, and like any open source platform, it requires a degree of maintenance to keep it running smoothly and securely.

Magento themselves publish a list of the patches on their website; this article explains what a Magento security patch is and gives a brief overview of the issue each patch resolves.

What is a Magento security patch?

A Magento security patch addresses one or more known security issues in Magento. Some patches fix vulnerabilities that are already being exploited against real-life, production Magento stores. Others are precautionary, closing a loophole which could be exploited in the future but which isn’t known to have been used against a production Magento store.

After their initial release, Magento security patches are rolled into the next Magento software release, so a store running the latest version already contains them; older versions need the patch applied separately.

A brief overview of all Magento 1.x security patches

Below is a list of all current Magento 1.x security patches (as of December 2016; this list is a work in progress). For each patch: the name and release date, a description of what it fixes, and comments on which release includes it and what to watch out for.

SUPEE-8788 (released October 2016)
Description: Addresses vulnerabilities in the Zend Framework components Magento is built on and in payment handling. It also fixes a session-handling issue, ensuring a customer’s session is invalidated after they log out.
Comments: This patch is included in Magento Community Edition 1.9.3 and Magento Enterprise Edition 1.14.3.

SUPEE-7405 (released February 2016)
Description: Addresses XSS (cross-site scripting) vulnerabilities in customer registration and customer order comments, removes the ability to upload executable code via the administration panel’s media browser tool, and fixes other security issues.
Comments: This patch is included in Magento Community Edition 1.9.2.4 and Magento Enterprise Edition 1.14.2.4.
The first version of the patch introduced issues with Magento’s SOAP API and was not backwards compatible with PHP 5.3, as it used PHP 5.4 short array syntax. Version 1.1 of the patch addresses these and other issues in SUPEE-7405 v1.0, so stores that applied v1.0 should apply v1.1 as well.

SUPEE-6788 (released October 2015)
Description: Addresses issues with the routing of Magento modules in the administration panel and an SQL injection vulnerability, and introduces a whitelist for the blocks and variables that CMS static blocks may call, to prevent unauthorised access to private information. It also addresses a potential exploit via the “custom option” file type, secures password resets (which may require you to update your theme’s password reset and account registration forms), and fixes an XSS issue.
Comments: This patch is included in Magento Community Edition 1.9.2.2 and Magento Enterprise Edition 1.14.2.2.
SUPEE-6788 can break backwards compatibility with customisations to your Magento store (custom admin routes, and CMS content that calls blocks or variables outside the new whitelist); see Magento’s tech docs for more information.
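As an added example (not part of the original article, and not Magento’s own tooling), the following shell script reports which SUPEE patches a store currently has applied by reading the app/etc/applied.patches.list file that the official patch scripts append to. It assumes the patch name is the second pipe-separated column and that reverting a patch appends a line for it marked REVERTED; the list it runs against is a constructed sample, and its remaining columns are illustrative only.

```shell
#!/bin/sh
# Added example, not code from the original post or from Magento: report which
# SUPEE patches a Magento 1.x store currently has applied, using the
# app/etc/applied.patches.list file that the official patch scripts append to.
# Assumptions: the patch name is the second "|"-separated column, and reverting
# a patch appends a line for it marked "REVERTED"; the other columns in the
# constructed sample below are illustrative only.

# Constructed sample applied.patches.list (not copied from any real store).
SAMPLE_PATCH_LIST='2015-10-28 10:52:44 UTC | SUPEE-6788 | CE_1.9.2.2 | v1 | 0b4f6d0c | v1.9.2.2..SUPEE-6788
2016-02-10 09:15:02 UTC | SUPEE-7405 | CE_1.9.2.2 | v1 | 7a1c2e90 | v1.9.2.2..SUPEE-7405
2016-02-24 16:41:37 UTC | SUPEE-7405 | CE_1.9.2.2 | v1 | 7a1c2e90 | v1.9.2.2..SUPEE-7405 | REVERTED
2016-02-24 16:45:10 UTC | SUPEE-7405 | CE_1.9.2.2 | v1.1 | 9c3b7d21 | v1.9.2.2..SUPEE-7405
2016-10-13 12:03:55 UTC | SUPEE-8788 | CE_1.9.2.2 | v1 | d41d8cd9 | v1.9.2.2..SUPEE-8788
2016-10-13 12:10:02 UTC | SUPEE-8788 | CE_1.9.2.2 | v1 | d41d8cd9 | v1.9.2.2..SUPEE-8788 | REVERTED'

# patch_state FILE PATCH -> prints "applied" if the patch has more apply lines
# than revert lines in FILE, otherwise "missing" (also when FILE does not exist).
patch_state() {
    file=$1; patch=$2
    [ -f "$file" ] || { echo missing; return 0; }
    total=$(grep -c "| $patch |" "$file" || true)                      # apply + revert lines
    reverted=$(grep "| $patch |" "$file" | grep -c 'REVERTED' || true) # revert lines only
    applied=$((total - reverted))
    if [ "$applied" -gt "$reverted" ]; then echo applied; else echo missing; fi
}

# check_patches FILE PATCH... -> prints "PATCH state" per patch; returns 1 if
# any of the listed patches is not currently applied.
check_patches() {
    file=$1; shift
    rc=0
    for p in "$@"; do
        s=$(patch_state "$file" "$p")
        echo "$p $s"
        [ "$s" = applied ] || rc=1
    done
    return $rc
}

# Stand-alone demo against the constructed sample. On a real store, point it at
# <magento root>/app/etc/applied.patches.list and list the patches Magento's
# release notes require for your version.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PATCH_LIST" > "$tmp"
check_patches "$tmp" SUPEE-6788 SUPEE-7405 SUPEE-8788 || echo "at least one required patch is missing"
rm -f "$tmp"
```

A patch that was applied and then reverted (SUPEE-8788 in the sample) is reported as missing, while a v1.0 that was reverted before v1.1 was applied (SUPEE-7405 in the sample) is reported as applied; a store whose list file is absent has never had the official scripts run and is reported as missing everything.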

Need help with Magento patches?

If you’re struggling with applying Magento security patches, our experienced Magento consultants can help you on an ad-hoc basis or as part of a retained monthly Magento support package.

Sep 26, 2016

Best practice tips for Magento theme development

As seasoned Magento consultants, one of the things we see often is poorly implemented Magento themes.

After running a Magento training course for web developers recently, a discussion with them led to this list of best practices for Magento 1.x theme development.

So, here is a list of tips for newcomers to Magento and Magento theming:

1. Keep your text translatable

One of the many features of Magento is support for multilingual store fronts to cater for different languages your customers may speak. Badly built Magento themes can break this functionality, but it’s easy to maintain it in your own themes.

To ensure text used within your Magento templates can be translated, wrap it in the block’s translate helper rather than hard-coding it (in Magento 1 templates this is $this->__(), not the bare __() used in Magento 2):

<button><?php echo $this->__('Click me'); ?></button>

Note that __() is for the theme’s own fixed strings. Anything that originates from a user (customer names, addresses, order comments) should still be passed through $this->escapeHtml() before it is echoed, so that your templates don’t become an XSS vector. Product descriptions and page contents are still controlled via the Magento administration panel.

2. Let Magento help you!

Magento’s templates are pretty extensive, and it can be hard to know which template you need to edit to change a specific block within Magento. Luckily, Magento has tools available for this! Log in to your store’s administration panel and navigate to:

System > Configuration > Developer > Template Path Hints

You will then need to change your Configuration Scope from Default Config to one of your websites, since template path hints can only be enabled at website scope. Once enabled, your Magento theme is highlighted with red borders and boxes telling you which directory each template is being pulled from – knowing this makes them much easier to override!

You can restrict who sees these by IP address under Developer > Developer Client Restrictions (Allowed IPs), so that only you are able to see them. Even so, you shouldn’t enable them on a production Magento website: they reveal your server’s file layout to anyone who can view the page.

3. Use Magento’s local.xml

When overriding layout XML from a parent theme in your child Magento theme (Magento 1.9+, which supports parent themes via theme.xml), don’t copy and overwrite an entire layout file: make the changes in your Magento theme’s local.xml file – e.g. /app/design/frontend/your-custom-theme/default/layout/local.xml.

This means future updates to the parent theme are less likely to break your Magento theme, and that you’re only overriding what you need to override (see #5).

4. Never edit core Magento themes

If you want to make use of a core Magento theme as your parent theme, that’s fine (many themes on Magento 1.9 are based on the rwd theme) – but never edit core Magento themes!

An update will likely overwrite core Magento themes in the future, and you’ll lose customisations you’ve made; make the changes in your custom child theme, and you will avoid this problem.

Plus, it upsets Ben Marks.

5. Only overwrite what you need

A very common mistake we see in Magento themes is that all of the base theme’s files are copied in to the child theme. This negates the benefits of using child themes, as when updates occur to the parent theme, unchanged templates are still being overwritten at the child theme level, potentially leaving a security hole behind or breaking functionality, and definitely creating more work for the Magento developer!

It’s best practice for your Magento theme to copy only the template and other files you specifically want to overwrite in to the child theme. For more information on parent/child themes in Magento 1, see this article by the brilliant Alan Storm.
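As an added example (not code from the original post), here is a shell script that separates the files in a child theme into needless byte-identical copies of the parent theme, which can simply be deleted, and genuine overrides, which are the ones to re-diff against the parent after an update. The parent and child directories are passed in explicitly; the sample theme files it builds in a temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: find files in a Magento 1
# child theme that merely duplicate the parent theme (byte-identical copies)
# and should be deleted, versus files that genuinely override the parent and
# need re-checking after a parent theme update. Paths are passed explicitly;
# in a real store they would be e.g. app/design/frontend/rwd/default and
# app/design/frontend/<your-package>/<your-theme> (and the matching skin/ trees).

# list_files DIR -> relative paths of every regular file under DIR, sorted.
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

# redundant_overrides PARENT CHILD -> child files identical to the parent's copy.
redundant_overrides() {
    list_files "$2" | while IFS= read -r rel; do
        if [ -f "$1/$rel" ] && cmp -s "$1/$rel" "$2/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# diverged_overrides PARENT CHILD -> child files that exist in the parent but differ.
diverged_overrides() {
    list_files "$2" | while IFS= read -r rel; do
        if [ -f "$1/$rel" ] && ! cmp -s "$1/$rel" "$2/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Build a constructed parent/child theme pair in a temporary directory and print its root.
make_sample_themes() {
    root=$(mktemp -d)
    parent="$root/parent/default"; child="$root/child/default"
    mkdir -p "$parent/template/page/html" "$parent/template/catalog/product" \
             "$child/template/page/html" "$child/template/catalog/product" "$child/layout"
    printf '<header>parent</header>\n' > "$parent/template/page/html/header.phtml"
    cp "$parent/template/page/html/header.phtml" "$child/template/page/html/header.phtml"  # needless copy
    printf '<div>parent view</div>\n' > "$parent/template/catalog/product/view.phtml"
    printf '<div>customised view</div>\n' > "$child/template/catalog/product/view.phtml"  # real override
    printf '<layout version="0.1.0"/>\n' > "$child/layout/local.xml"                       # child-only file
    printf '%s\n' "$root"
}

# Stand-alone demo against the constructed themes.
demo_root=$(make_sample_themes)
echo "Needless copies (delete these):"
redundant_overrides "$demo_root/parent/default" "$demo_root/child/default"
echo "Real overrides (re-diff these after a parent theme update):"
diverged_overrides "$demo_root/parent/default" "$demo_root/child/default"
rm -rf "$demo_root"
```

Run the two functions against your real parent and child theme directories (app/design and skin trees separately); files in the first list are the stale copies that would silently keep an old version of a template after the parent is patched.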

Another great resource for other Magento tips is magentotherightway.com.

Sep 2, 2016

Changing the default uploads directory in WordPress

By default, all media – images, files, etc – uploaded to a WordPress website is stored in the wp-content/uploads directory.

There are times that this isn’t particularly helpful – for example, if you want to maintain legacy URLs for images from an old website you have migrated to WordPress, you’ll need to change the upload path. This is our brief guide to changing the default uploads directory in WordPress.

WordPress 3.4 and under allowed you to change the file uploads path in the WordPress administration screen under the Settings panel, but this feature was removed in WordPress 3.5 and above.

WordPress’ default media uploads directory

By default, files uploaded via WordPress’ “insert media” tool (see screenshot below, as it appears in WordPress 4.6.x onwards) are saved on the server in the wp-content/uploads directory, sorted in to sub-directories ordered by year and month.

For example, if you upload a file called image.jpg to WordPress in September 2016, by default this file would be written to the wp-content/uploads/2016/09 directory on the server.

As mentioned above, this may not be ideal for your WordPress website, and this default can be changed.

Changing WordPress default uploads directory

Thankfully, changing WordPress’ default file uploads directory is relatively simple, once you know how.

Open your WordPress installation’s wp-config.php file, found in the root directory of your website. Find the following declaration (if it already exists in your wp-config.php file), or add it if it doesn’t. It must go above the line that loads wp-settings.php (just before the “That’s all, stop editing!” comment): WordPress reads UPLOADS while it bootstraps, so a define placed at the very bottom of the file, after wp-settings.php has been loaded, is ignored.

define('UPLOADS', 'wp-content/media');

UPLOADS is a path relative to your WordPress root (ABSPATH), so the above change would save uploaded files in WordPress’ wp-content/media directory. If you want to move the file uploads to the root directory of the website (e.g., so your files are accessible via http://www.example.com/uploads/), use the following snippet in your wp-config.php file:

define('UPLOADS', 'uploads');

Note! You will need to ensure this directory exists and is writable by the user your web server runs PHP as (but not world-writable) for WordPress to be able to use the new file uploads path you have just set; it is also worth making sure the web server will not execute scripts placed in it, since anyone who can upload media can put files there. Finally, ensure that final semi-colon – ; – is present at the end of the line, as missing this will likely cause you some issues!
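As an added example (not from the original post), this shell script performs two checks worth running once UPLOADS has been set: that the define sits above the line that loads wp-settings.php, and that the new directory exists with sane permissions and an .htaccess that stops the web server executing PHP files dropped into it. The .htaccess rule assumes Apache 2.4 with AllowOverride enabled for the document root (nginx needs the equivalent location rule in its server config instead); the wp-config.php fragments it writes are constructed samples, not real files.

```shell
#!/bin/sh
# Added example, not from the original post: two checks to run after setting
# UPLOADS in wp-config.php. (1) The define must sit above the line that loads
# wp-settings.php, otherwise WordPress has already finished bootstrapping and
# ignores it. (2) The new directory must exist, be writable by the PHP user but
# not by everyone, and should not execute PHP. The .htaccess rule assumes
# Apache 2.4 with AllowOverride enabled; nginx needs an equivalent location rule.

# uploads_define_ok WP_CONFIG -> 0 if define('UPLOADS', ...) comes before the
# wp-settings.php require, 1 if it is missing or placed too late.
uploads_define_ok() {
    def_line=$(grep -n "define( *'UPLOADS'" "$1" | head -n 1 | cut -d: -f1)
    settings_line=$(grep -n "wp-settings\.php" "$1" | head -n 1 | cut -d: -f1)
    [ -n "$def_line" ] && [ -n "$settings_line" ] && [ "$def_line" -lt "$settings_line" ]
}

# prepare_uploads_dir DOCROOT RELPATH -> creates DOCROOT/RELPATH (0755, so it
# must be owned by the user PHP runs as), and blocks script execution inside it.
prepare_uploads_dir() {
    dir="$1/$2"
    mkdir -p "$dir"
    chmod 755 "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Deny direct requests for anything that looks like a PHP script in the uploads tree.
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
    [ -d "$dir" ] && [ -f "$dir/.htaccess" ]
}

# write_sample_config FILE good|bad -> constructed wp-config.php fragments (not
# real files) showing the define placed correctly and placed too late.
write_sample_config() {
    if [ "$2" = good ]; then
        printf '%s\n' '<?php' \
            "define('UPLOADS', 'uploads');" \
            "/* That's all, stop editing. Happy blogging. */" \
            "require_once ABSPATH . 'wp-settings.php';" > "$1"
    else
        printf '%s\n' '<?php' \
            "require_once ABSPATH . 'wp-settings.php';" \
            "define('UPLOADS', 'uploads');" > "$1"   # too late: ignored by WordPress
    fi
}

# Stand-alone demo: check a deliberately wrong config, then prepare a directory.
cfg=$(mktemp)
write_sample_config "$cfg" bad
if uploads_define_ok "$cfg"; then
    echo "UPLOADS define is in the right place"
else
    echo "UPLOADS define missing or placed below wp-settings.php"
fi
rm -f "$cfg"
docroot=$(mktemp -d)
prepare_uploads_dir "$docroot" uploads && echo "prepared $docroot/uploads"
rm -rf "$docroot"
```

On a real site, call uploads_define_ok against your wp-config.php and prepare_uploads_dir against your document root and the path you set in UPLOADS; then verify the block works by requesting a throwaway test.php from the new directory and confirming it is refused rather than executed.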

Disabling WordPress from storing uploaded files by year and date

Of course, you can also disable WordPress’ default behaviour of organising file uploads in to year/month directories in the Settings > Media page.

We hope this post is helpful for WordPress users and developers alike! If you need further help with your website, please do consider our WordPress consultancy services.

Aug 18, 2016

Great resources for Magento developers

There are many great resources for Magento developers online, as well as a lot of places to get “bad” information on Magento development. This is a list of everything we’ve found helpful in our many years as Magento developers.

Over the years, we’ve made use of many Magento resources for developers, and thought it’d be useful to share our favourites with other Magento developers! The list contains useful articles and resources for Magento frontend and backend developers, split in to Magento 1 and Magento 2.

Brilliant Magento developer resources

Great Magento 2 developer resources

So, that’s it – our work-in-progress list of Magento development resources which we’ve found useful over the previous years.


May 27, 2016

Showing Magento’s search engine below Google’s sitelinks

This is a guide to implementing the necessary markup to tell Google about your own Magento store’s search engine, which can then be used in some listings when users are searching for terms related to your website.

Keep reading to learn how to show your Magento website’s search engine in the Google Search Engine Results Page (SERP). For more information about Google Sitelinks, see this documentation.

When search appears in Google sitelinks

Even when implemented correctly, the Google sitelinks search box will not appear for all search terms. Typically, the sitelinks and search form will only appear when a user searches Google for a term related to your business or organisation.

For example, if your company is called Widgets Ltd, and a user searches for “Widgets Ltd”, the sitelinks search form may appear. If a user searches for the more generic term “widgets”, it’s unlikely to appear.

See the example below – Mothercare.ie, a Magento Enterprise store, shows sitelinks for key product categories below the store’s main listing. You can also see that Google adds another search field below the primary listing, labelled “results from mothercare.ie”:

The code snippet is fairly simple:

<script type="application/ld+json">
{
"@context": "http://schema.org",
"@type": "WebSite",
"url": "https://www.example.com/",
"potentialAction": {
"@type": "SearchAction",
"target": "https://www.example.com/catalogsearch/result/?q={search_term_string}",
"query-input": "required name=search_term_string"
}
}
</script>

This tells Google that your website, www.example.com, allows searches to be performed by passing a key word or key phrase to https://www.example.com/catalogsearch/result/?q=.

How to get Google to show your Magento store’s search field in results pages

Showing Magento’s search engine below Google’s sitelinks involves adding a small snippet to the <head> element of your Magento store. This only needs to be on the homepage, so whilst you could amend your theme’s layout files to add the snippet, this guide will add it using Magento’s CMS tools.

  1. Log in to your Magento administration panel
  2. Navigate to CMS > Pages
  3. Edit your store’s homepage
  4. Open the Design tab in the left-hand column
  5. In the Layout Update XML field, enter the layout XML below (the field expects layout XML rather than raw HTML, so the script is wrapped in a core/text block added to the page’s head)
  6. Click the Save Page button
  7. (You may need to clear your store’s caches via System > Cache Management).
<reference name="head">
<block type="core/text" name="head.sitelinks.search">
<action method="setText">
<text><![CDATA[
<script type="application/ld+json">
{
"@context": "http://schema.org",
"@type": "WebSite",
"url": "https://www.example.com/",
"potentialAction": {
"@type": "SearchAction",
"target": "https://www.example.com/catalogsearch/result/?q={search_term_string}",
"query-input": "required name=search_term_string"
}
}
</script>
]]></text>
</action>
</block>
</reference>

Don’t forget to swap out www.example.com for your own website’s domain name!

Mar 31, 2016

How to remove .html from your Magento store’s category URLs

Magento is a great ecommerce platform for search engines out of the box, but there are a few changes we make for most clients launching their stores on Magento Community or Enterprise Edition to improve how search engines see them.

One of these is quite a small change, but helps your store URLs look a lot neater (as well as being a little shorter for use on social media sites such as Twitter and Facebook!): this is removing the default .html suffix Magento adds to all product and category URLs.

Magento default category and product URL suffixes

Magento’s default setting is to add a .html suffix to the end of your product and category URLs. So, for example, your “Blue T-shirt” product page may look like:

www.example.com/blue-tshirt.html

whilst your “T-shirt” category page URL in your Magento store may be something like:

www.example.com/tshirts.html

Removing the automatically-applied .html suffix from your store’s URLs would mean:

  • Product URLs look more like www.example.com/blue-tshirt
  • Category URLs look more like www.example.com/tshirts

Removing .html from your Magento store’s product and category URLs

To remove the .html suffix Magento adds to your Magento store’s product and category URLs, log in to your Magento administration panel.

Navigate to the System > Configuration screen. From there, locate the Catalog (Or Catalogue) section in the left-hand menu:

Under the Search Engine Optimizations (or Search Engine Optimisations) panel here, remove the .html values for the following fields you can see in the screenshot below:

  • Category URL Suffix
  • Product URL Suffix

Once you have done this, click the Save Config button. You may now need to reindex your store to see the new URL structure.

Beware removing the suffix on live Magento stores!

A little warning: if you’re removing the suffix for your products and categories on a live Magento store, the old URLs (ending in .html) will no longer match, so you will need to ensure they are redirected properly (ideally using a HTTP 301 permanent redirect) to their new addresses, to prevent any loss in search engine rankings or traffic to your website!

There’s no real benefit for search engines to removing the .html suffix, but it certainly looks neater, and is a lot more “future proof” for your URLs – “Cool URIs don’t change” is good background reading on this!

Feb 20, 2016

Disabling checkout with multiple addresses in Magento

As you will no doubt know, Magento is a well-built and feature-rich ecommerce platform, but there are some default settings in Magento which we frequently seem to need to alter for our ecommerce clients. One of these is disabling checkout with multiple addresses.

By default, Magento Community and Magento Enterprise versions allow customers to check out from your store with multiple delivery addresses – a useful feature, but one that most store owners do not want enabled!

Disabling checkout with multiple addresses in Magento

To disable multiple address checkout in your Magento store, follow these steps:

Log in to your Magento administration panel and navigate to the System > Configuration option. In the left-hand menu, find the Sales option, and click the Shipping Settings (or Delivery Settings, if you have the British English language pack installed):

Expand the Options panel you can now see, and set the Allow Shipping To Multiple Addresses dropdown to No.

Click the Save Config button to save this change (you may potentially need to refresh your caches in System > Cache Management to see the change appear on your store’s frontend).

And, of course, if you need any further help with your Magento store, our Magento consultants are available to help!

Jan 19, 2016

What’s new in Magento 2

December 2015 saw the release of Magento 2 for store owners and merchants. As experienced Magento consultants, Richard Carter Consultancy share our insight and thoughts on what’s new in Magento 2.

Magento was started in 2007, and has become one of the leading ecommerce platforms in the world. Whilst it may have a steep learning curve (which is where our Magento training courses are useful!), Magento has proven itself a great, feature-rich, stable ecommerce platform for many leading names around the world.

What to expect in Magento 2

At a glance, here is what you can expect from Magento 2:

  • New administration interface design which is mobile and touch friendly
  • Drag and drop, customisable product grids: add new columns, and reorder them easily: something that was achievable in Magento 1, but not easily done by an administrator
  • New reporting tools for sales and orders
  • A focus on performance, with the Full Page Cache (previously only in Magento Enterprise) now
  • A new responsive base Magento theme, Luma (see screenshot above)
  • A rolling roadmap of new features every quarter
  • Improved checkout: Magento 2’s checkout process has seen some small improvements which should have a large impact on conversion rates, including guest checkout being the default, and automatic customer account detection by email address
  • An improved Magento Connect marketplace for extensions, with heavier vetting by the Magento team to prevent poor quality and scammy extensions being available

And whilst the administrative panel has changed in the new Magento version, there’s nothing particularly new feature-wise yet (don’t forget those quarterly features); even so, this is a great new platform for ecommerce businesses.

Updating to Magento 2

If you’re a store owner or merchant already on Magento and are considering whether or not you should upgrade to Magento 2 yet, our advice is: not yet (January 2016)! Whilst Magento 2’s core functionality for Magento Enterprise and Magento Community is now ready and in use on a very small number of live stores, additional features such as shipping and payment integrations may not yet be ready for your store.

There is a migration path for your customer, order and product catalogue data from Magento 1 to Magento 2 (we’re currently experimenting to see how reliable this tool is!), but themes and modules will not be portable to the new version of Magento.

So, there you have it: a guide to what’s new in Magento 2. If you’d like to work with us on your next Magento 2 project, please do get in touch.

Oct 15, 2015

Adding Apple (iPhone/iPad) touch icons to Magento 1.9 using local.xml layout XML

We’ve seen a lot of hacky-feeling ways of adding Apple touch icon paths to the <head> of your Magento store, so here is a cleaner way to add Apple Touch icons to your Magento theme’s <head> element.

1. Open your Magento theme’s local.xml

Open your theme’s local.xml layout file, located in app/design/frontend/[package]/[theme]/layout/, where [package] and [theme] are relevant to your store.

For example, the local.xml file might be in this directory of your Magento store if you have enabled a custom package called rcc:

app/design/frontend/rcc/default/layout/local.xml

2. Add the layout XML to add touch icons

Once you have found the local.xml file in your Magento theme (or created it, if it doesn’t already exist), find the <reference name="head"> block in the file (add one if it is missing) and add the following layout XML inside it:

<reference name="head">
<block type="core/text" name="head.touch.icons">
<action method="setText">
<text><![CDATA[
<link rel="apple-touch-icon" href="/apple-touch-icon.png" />
<link rel="apple-touch-icon" sizes="57x57" href="/apple-touch-icon-57x57.png" />
<link rel="apple-touch-icon" sizes="72x72" href="/apple-touch-icon-72x72.png" />
<link rel="apple-touch-icon" sizes="76x76" href="/apple-touch-icon-76x76.png" />
<link rel="apple-touch-icon" sizes="114x114" href="/apple-touch-icon-114x114.png" />
<link rel="apple-touch-icon" sizes="120x120" href="/apple-touch-icon-120x120.png" />
<link rel="apple-touch-icon" sizes="144x144" href="/apple-touch-icon-144x144.png" />
<link rel="apple-touch-icon" sizes="152x152" href="/apple-touch-icon-152x152.png" />
<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon-180x180.png" />
]]></text>
</action>
</block>
</reference>

This adds <link> elements to the <head> element of your Magento theme which reference the required Touch icons, such as apple-touch-icon.png and apple-touch-icon-180x180.png, used by different Apple device types (such as iPad and iPhone).

3. Upload your Apple Touch icons to Magento

You can then upload your desired Apple Touch icons to your Magento root directory, so that they appear at:

example.com/apple-touch-icon.png

etc. This means that they can be found by devices which don’t make use of the <link> elements in your theme’s <head> element.

You can use a free tool such as Iconifier to create the various sizes required for this, including your store’s default favicon.ico.

4. Make the local.xml file live

Once you’ve made the changes to your Magento theme, upload your new local.xml to your site.

Don’t forget to clear your Magento store’s caches in the System > Cache Management screen of your Magento administration panel once you’ve done this to see the changes!

That’s it, you should now see Apple Touch icons on your Magento store!

Sep 2, 2015

Removing the Raleway Google Font from your Magento 1.9 rwd child theme

Magento Community 1.9 introduced a new theming system aimed at creating a better base theme for responsive websites.

At a basic level, the Magento rwd theme provides a great base layer to start customising to your brand’s colours and imagery. A very common query we receive from other web designers and developers working with Magento is how to remove the default Raleway font from the base rwd theme.

Removing a Google web font from Magento rwd theme

Removing this default font from a Magento theme in Community 1.9 is actually relatively easy using Magento’s local.xml file.

  1. Firstly, locate your theme’s local.xml file; this is typically in your /app/design/frontend/[package-name]/[theme-name]/layout/ directory
  2. Add the following snippet to your local.xml file:


<reference name="head">
<action method="removeItem">
<type>link_rel</type>
<name>//fonts.googleapis.com/css?family=Raleway:300,400,500,700,600</name>
</action>
</reference>


This removes the Google web font from your theme’s <head> element. If you don’t see the change, don’t forget to clear your caches (in the System > Cache Management menu in the Magento administration panel).

Adding a Google web font to a Magento theme

If you want to add a new Google web font in to your Magento rwd theme, you can add the following to your theme’s local.xml file:

<reference name="head">
<action method="addLinkRel">
<rel>stylesheet</rel>
<href>//fonts.googleapis.com/css?family=Open+Sans</href>
</action>
</reference>

Changing the value of Open+Sans (noting that spaces in the font name should be replaced with a “+” character) will change the relevant font in your Magento theme.

You can also then change the references to typefaces in your Magento theme in the relevant Sass/SCSS files in the /skin/frontend/[package-name]/[theme-name]/scss/mixin directory in the _typography.scss partial file.

And, of course, if you’re looking for a Magento web designer and Magento consultant for your next project, we’re available!