  1. Blocking by countries can make for big lists/files which can bog things down. CSF firewall and Apache both advise that it can slow things down. Plus, not always accurate.

  2. While my code snippet was blocking all the attempts, I noticed there was an increase in the amount of attempts. I started recording the IP addresses after noticing many started with 188.138. However, after blocking in my firewall, there has only been one in a few days. In checking an abused IP db, that block shows up a lot.

  3. I've seen some Magento sites that are set up better and not so slow, but more often than not, they are slow. I try to make my site as fast as I can. I also try to make my site secure. Actually, your post got me going on running different security scans on my site and I implemented a few changes to improve security. At the same time, I spent some time scanning cajungrocer.com and they are not very good for security. Problem is I like many of the items they sell, but they have a lot of room to improve.

    Here's a couple of the additions I made to my .htaccess today.

            Header always append X-Frame-Options SAMEORIGIN
            Header set X-XSS-Protection "1; mode=block"
            Header set X-Content-Type-Options nosniff

    A while back I added this

            Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    I also set secure cookie and some other settings. 

  4. Hey Phil, thanks for this article! I actually shop at one of the six they say are still infected, although I haven't in a while. cajungrocer.com sells, as you would guess, Cajun food and ships nationwide. Actually, they had an OSC based site at first then switched to a slow ass Magento several years ago.


  5. Did you solve your error?  Was it addon code or stock OSC code? 

    Ultimately, Cpanel is moving to Maria and they didn't have MySQL 5.7 as an option until they were pressured into doing it.  I'll probably stick with 5.7 for a while.

    I have Cpanel also, and the fact that downgrades are not supported has always worried me.   In my case, I tested MySQL 5.7 on my test server, but I didn't do it thoroughly enough. 

  6. I need to expand on that.  The default was only a problem when the field wasn't being used.  In my case, the field just needed to be deleted.  I'll run my test site some more looking for problems, but I have too many things going on right now and not enough sleep.  It's hard being me sometimes.

  7. I'm not positive on this, but it seems that it must have a default value and I think null is fine. I only had an issue with a couple old fields and it's because of the stricter settings. I upgrade MySQL so rarely that I don't remember all the issues. But 5.7 has some default settings that can cause issues. There's a warning on Cpanel WHM when upgrading to 5.7 that it will likely cause problems. Problem with Cpanel is you can't downgrade, or at least not easily. This link is helpful: https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_sql-mode

    This link is also helpful as there are some files like best sellers and order history that will error with this setting on.  https://dev.mysql.com/doc/refman/5.7/en/group-by-handling.html


  8. It has to do with some of the strict options in sql mode enabled by default.  Setting the server to sql-mode=""  solved it, but I'd rather fix the problem rather than work around.  In the two cases I ran into, it was an unused field anyway.  Both were part of old mods that I should have removed anyway.  I'm embarrassed because it errored on my live site.  I normally test things out pretty well.  

  9. A change from MySQL 5.6 to 5.7 is that fields must contain a default value at least if nothing is being inserted.  This happened to me when a table was modified for something added that later I removed and didn't remove the field.  I guess there's two lessons here.  Hope this helps someone ahead of time. 
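
A way to find the columns this affects before an upgrade does, as an added example that is not the poster's code or osCommerce's own. The table `example_table` and column `leftover_field` are hypothetical stand-ins for a field left behind by a removed add-on.

```sql
-- Run inside the shop's database on a MySQL 5.7 test server.
-- Show which modes are active; STRICT_TRANS_TABLES is on by default in 5.7.
SELECT @@GLOBAL.sql_mode AS global_mode, @@SESSION.sql_mode AS session_mode;

-- Hypothetical table: leftover_field is NOT NULL and has no DEFAULT.
CREATE TABLE example_table (
  id             INT AUTO_INCREMENT PRIMARY KEY,
  name           VARCHAR(32) NOT NULL DEFAULT '',
  leftover_field VARCHAR(32) NOT NULL
);

SET SESSION sql_mode = 'STRICT_TRANS_TABLES';

-- Rejected in strict mode with error 1364 (field has no default value),
-- because the INSERT does not supply leftover_field.
INSERT INTO example_table (name) VALUES ('test');

-- Audit: every NOT NULL column in the current database that has no default
-- and is not auto_increment. Each one fails the same way when omitted.
SELECT c.TABLE_NAME, c.COLUMN_NAME, c.COLUMN_TYPE
FROM information_schema.COLUMNS c
JOIN information_schema.TABLES t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
WHERE c.TABLE_SCHEMA = DATABASE()
  AND t.TABLE_TYPE = 'BASE TABLE'
  AND c.IS_NULLABLE = 'NO'
  AND c.COLUMN_DEFAULT IS NULL
  AND c.EXTRA NOT LIKE '%auto_increment%'
ORDER BY c.TABLE_NAME, c.ORDINAL_POSITION;

-- Fix for an unused field: drop it. The INSERT then succeeds in strict mode.
ALTER TABLE example_table DROP COLUMN leftover_field;
INSERT INTO example_table (name) VALUES ('test');

-- For a field still in use, allow NULL (or give it a real default) instead:
--   ALTER TABLE example_table MODIFY leftover_field VARCHAR(32) NULL DEFAULT NULL;
```

The rejected INSERT stops a script in the `mysql` client unless it is started with `--force`; run the statements one at a time to see each result.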

  10. WHM/Cpanel just updated version 78 to the release channel. One of the things the Security email suggests is upgrading MySQL to 5.7 even though 5.6 is an option. So, I installed MySQL 5.7 on my local machine to test, however it didn't have "ONLY_FULL_GROUP_BY" set in the sql mode. In the interest of learning I enabled it to see what fails. With a little reading in the "MySQL 5.7 Reference Manual" I've been able to correct the queries that triggered an error. I do find it really difficult when the queries run for thousands of characters off the page. So, for me I format the query to see it better. Like this one from bm_order_history where the error was o.date_purchased wasn't included in the group by. Seems like it would be best to correct the queries rather than turning off ONLY_FULL_GROUP_BY.

            $orders_query = tep_db_query("
              SELECT DISTINCT 
                  orders o,
                  orders_products op,
                  products p
                  o.customers_id = '" . (int)$customer_id . "' AND o.orders_id = op.orders_id AND op.products_id = p.products_id AND p.products_status = '1'
              GROUP BY
              ORDER BY
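
The ONLY_FULL_GROUP_BY failure discussed in the post above, as an added example that is not the poster's query or osCommerce's own code. The tables and rows are constructed and carry only the columns named in the post; the literal customer id `1` and `LIMIT 6` are assumptions.

```sql
-- Constructed tables and rows; only the columns named in the post are modelled.
CREATE TABLE orders (
  orders_id      INT PRIMARY KEY,
  customers_id   INT NOT NULL,
  date_purchased DATETIME NOT NULL
);
CREATE TABLE orders_products (
  orders_products_id INT PRIMARY KEY,
  orders_id          INT NOT NULL,
  products_id        INT NOT NULL
);
CREATE TABLE products (
  products_id     INT PRIMARY KEY,
  products_status TINYINT NOT NULL DEFAULT 1
);
INSERT INTO products VALUES (10, 1), (11, 1);
INSERT INTO orders VALUES (1, 1, '2019-01-05 10:00:00'), (2, 1, '2019-02-01 09:30:00');
INSERT INTO orders_products VALUES (1, 1, 10), (2, 2, 10), (3, 2, 11);

SET SESSION sql_mode = 'ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES';

-- Rejected with error 1055: o.date_purchased in ORDER BY is neither grouped
-- nor aggregated, so the server cannot tell which order's date to sort by.
SELECT op.products_id
FROM orders o
JOIN orders_products op ON op.orders_id = o.orders_id
JOIN products p ON p.products_id = op.products_id
WHERE o.customers_id = 1 AND p.products_status = 1
GROUP BY op.products_id
ORDER BY o.date_purchased DESC;

-- Accepted: one row per product, sorted by that product's most recent purchase.
-- Adding o.date_purchased to GROUP BY would also be accepted, but it returns
-- one row per product per purchase date, which changes the result set.
SELECT op.products_id, MAX(o.date_purchased) AS last_purchased
FROM orders o
JOIN orders_products op ON op.orders_id = o.orders_id
JOIN products p ON p.products_id = op.products_id
WHERE o.customers_id = 1 AND p.products_status = 1
GROUP BY op.products_id
ORDER BY last_purchased DESC
LIMIT 6;
```

In the PHP call the customer id would still be supplied through the `(int)$customer_id` cast shown in the post rather than a literal.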


  11. Actually, I get his point. When I was figuring out what to use to deny these guys, I thought about the country. I only have 3 countries in my list, and the last one is Jamaica, but I very rarely sell to there. Every one of the fake accounts was using Jamaica. They put Google for company and google for tax id, so I picked the tax id.

  12. This came up in the 1980s mainly with gas stations as I remember. In the end, it was ruled they could discount cash sales, but not surcharge in any way someone using a credit card. I believe there is a law in the US about it. Maybe the FTC did it.

  13. It's funny, because I went to all the sites you've listed earlier this week. Been thinking about switching but I thought it would be more complicated. WHM makes it super easy. I would imagine we'll see more hosts in time switching to it.

  14. Yes, Firefox developer tools will do it too.  I'm http2 all the way, but Chrome kept the cached images from before in http1.1.  Once I cleared it, then it's all http2. 

    I didn't remember http2 being discussed here.  Cpanel/Whm makes it really easy using EA4 (Easy Apache 4).

  15. I've been reading about http2 so I engaged it on my server this afternoon.  Pretty easy to do using WHM, but you have to be the server admin to do it.  The main reason I was interested is for speed improvements.  On my desktop browser, it's not as easy to tell, but on phones, it's much faster.  You have to be using a php version of 7.0 or higher and you have to have higher level ciphers like TLS 1.2.  However, it went better than I expected.  From what I've read http2 is the future, so it's all going there.  If you are using the Maxcdn or google apis for js or css, they are already serving it with http2.  All browsers support it except Opera mini. 

  16. Editpad Pro is a great editor that you can get a 30 day trial on and inexpensive to buy. Integrates with RegexBuddy, which is a great tool for learning and testing regex. I use NetBeans for an IDE, which is free but has switched development from Oracle to Apache. I'm still using NB 8.2 and it does quite a bit. Integrates well with Xdebug also. Guess a lot of it is getting used to something, then getting better.

    Guess I got a little off track.

  17. Yes, that is possible. You probably want to look at using something like Mailchimp or the like. Little searching here and on Google will yield a lot of info. Keep in mind that the average hosting account will limit how much email you can send and you don't want to get flagged by Yahoo, Gmail, etc... for sending spam. Send the same email to several yahoo accounts and you'll get greylisted and maybe worse. I think Burt has a Mailchimp addon that might be easy to use.

  18. I see Jack's point and it's one of the reasons I use the $company_tax_id, which I already had as part of SPPC addon. I haven't had any spammers use apple or AT&T, but I do have legitimate customers in my database using both of those. Apple as part of a business name and not Apple the company. However, none of them have that as their $company_tax_id, so I would feel safe using it there. I don't know if it's worth adding that field to do this, but since it already exists, I'm using it. Every spammer account that I know of is using Google for company and google for tax id.


  19. When I use the test server, I use it in live mode. It acts like the normal secure2 server, but in the sandbox. I get a confirmation email and daily report just like secure server.

    Someone said they had a problem with ssl also. The secure server is supposed to be https://secure2.authorize.net/gateway/transact.dll. It has a 2 after secure and there are 3 instances. A.net switched to the Akamai routing network a few years ago and the link was changed. I don't know if they will keep the old active as they bounced back and forth on that.