How to prevent brute force attacks on your WordPress wp-login.php and wp-comment.php

Last several months I was facing to many brute force attacks to significant amounts of Worpdress sites I am hosting on my servers. These attacks were targeting mostly to wp-login.php (very bad – trying to brute force your password) and wp-comments.php (trying to post spam to the comments).

When the attack started I was always notified by my monitoring service (Nagios) since the attackers didn’t care about the server health and were trying to post as much requests as possible.

This little piece of code in my .httaccess solved my problem easily (change example.com to your site domain):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</ifModule>

When someone (attacker) is trying to POST request to the wp-login.php (wp-comment.php) without first filling in the login (or comment) form the standard way, he will be redirected to the form without proceeding the POST request. Simple but effective. It will not harm standard users but it will not allow automatic scripts to proceed their malicious requests. This should be packed with the WordPress installation.

Magento: Special prices not refreshed and still showing

It happened to me and my clients several times. We configured special price for particular products and filled in date of start and expiration when this special price should apply. But then we often found the special prices to be visible even after the expiration date has passed.

First I thought it would be connected with a misconfigured Magento cronjob. But everything was clear in this area. At the end the problem was always solved by reindexing Product prices index. This seems to be bug in Magento itself (I run 1.8.x and 1.9.x and both are experiencing the same problem).

Fortunately the fix is pretty simple.

Read more

My lifehacking: Learn something new every week

Dear reader, let me shortly introduce myself. My name is Matthew (that time 29yo) and so far I live in Prague, Czech Republic. My job position is called Head of IT or “CTO” in international B2B/B2C logistics company. 

In my so far 13 years long career I worked as a Software Development Engineer, Team Leader, Project Manager, Solution Architect, IT Consultant but also as a Co-Funder of two startups and enjoyed the role of CEO or Business Development Manager as well. All of these positions shaped me in various ways. I like that.

Despite all the mentioned positions I am still very technical thinking guy. There is almost not a day I don’t write at least several lines of source code. Including weekends and sometime also holidays. Even I am trying to be in touch with all the new technologies, languages and features I feel I am still missing a lot. The technology is developing so fast!

Read more

The Expert

When I saw this brilliat video first time, I was not laughing like everyone else around me. I was staring on it with opened mouth and had a gooseflesh. I just simply found how true this video is. And also I found this idea today again after I finished call with one of my clients.

How to use Conversion Optimization to Battle Shopping Cart Abandonment

Increasing conversion rate is a daily issue for every e-commerce owner. Shopping cart abandonment, as a metric, is one of the painful metrics. You, as a e-commerce owner, spent tons of time to convince visitors to put something into shopping cart. The success is but later demolished when potential customer left your shop with some notpurchased stuff in the cart.
But the Shopping cart abandonment metric can be lowered, if you more deeply understand what is going on in your potential customer’s head. Lets take a look on following infographic.

Conversion Voodoo – Shopping Cart Abandonment
Infographic by Conversion Voodoo – Performance based landing page optimization.

Choosing payment options

Once you will setup brand new e-shop, you will face one (of many) questions. What payment methods need to be implemented? There are so many of them. We can start with the most known like Credit Card, Debit Card, PayPal, Google Checkout, Wire Transfer, Cash on Delivery, Mobile Payments (via App or via SMS) and others. Previous are global, we can continue with some significant local payment options like iDEAL in Netherlands, Giropay in Germany, etc. There are also special payment options like Afterpay (pay backwards, when you receive the goods).

Fortunately, the time time when these methods had to be implemented separately by deeply skilled programmer is past. Today exists payment gateways which provides most of mentioned methods integrated in just one solution with prefabricated connections to common e-commerce platforms. I can mention Icepay, Skrill (Moneybookers) or Wirecard. Its obvious there are also local solutions in different countries.

Well, thats a lot of options I can pick from. But the main question still remains: which option to choose? Unfortunately its uneasy to answer.

There are few commond options we can reflect from:

  • Credit Card – almost every customer going to purchase goods online hold one or more credit/debit cards. This option is must for almost every ordinary e-shop.
  • PayPal – The benefit of PayPal is 110 milion active accounts worldwide. The benefit for customers is simplicity of this payment – only email and secure password is enough for successful payment.

And we are done with the most common options.

Are you global player? You can be ok with just above two options.

Are you a local player? You need to do a local research over most used payment options in the specific country. Its interesting, but even people are ok with Credit Card payment on international site, they are often very picky when doing the same on local site.

In generally: give customers the power of decision, dont force them. The alchemy is in evaluating what number of payment options is still acceptable and what is over. Dont look only on the fees, try to be pro-customer.

 

MagentoLive Germany 2013

Magento

Last three days I spent in Munich on Magento Live Germany event. This event is a series of MagentoLive actions organized by Magento team all over the world for merchants, solution providers and/or other business partners.

The main focuses of these events are to spread new trends, case studies, tips and tricks how to drive more from (not even) Magento based e-commerce solutions.

This event was organized in Westin Grand Munich (nice hotel to stay btw). The audience was about 200 people, more then 50% Germans. The event was well organized and I felt the interest in every single attendant on each step. Thanks for that!

And the most important thing, what I learnt there?

Mobile, mobile and mobile. Its quite common fact these days. The entire event was held in the spirit of the fact that customers are more and more using their mobile devices (smartphones, tablets) for e-commerce activities. The responsive design was a topic, but the magic is not hidden in just making the layout fits the actual resolution.

Users (or potential customers) are using various devices for different purposes. This should be mostly visible on difference between tablet and smartphone. While tablet is mostly used in peace and calm; lets say on sofa at home, in bed before falling asleep, etc. Smartphone is then used mostly in limited time, when users needs to find some information quickly without obstacles.

What does it mean for merchants? On tablet customers are likely to search for inspiration, something they will like, they will decide then based on emotions. Keep focus on this. But on smartphone they will mostly looking for important information. Like contacts, opening hours of your store, return policy, etc.

The "mobile" evolution.
The “mobile” evolution.

One of the sessions I enjoyed most was  @InbarNoam from www.zooz.com company. She spoke about Conversion Marketing. She defined all things customers are afraid on shopping online and mentioned ways how to make them feel calm and secure. In short: make the checkout process as short as possible. Every single step makes the customers think about whether it is good idea or not.

Magento is leading e-commerce platform, these numbers are proving this.
Magento is leading e-commerce platform, these numbers are proving this.
Magento is part of a huge Ebay Inc family.
Magento is part of a huge Ebay Inc family.

From the other topics I heard about SEO for Magento, Hybrid Hosting, Increasing CTR or Case Studies of interesting successful companies.

In the future I would like to devote wider attention to selected topics.

It was announced that the next big event will be held in Las Vegas. Gonna meet there?

Unsubscribe from newsletter – make it easy

This is a common problem. Sooner or later, almost every e-commerce site will start collecting emails form accident visitors and building email database of potential customers. Of course, also emails from acquisited customers will serve for the same purpose.

For now, let aside what and how often send newsletters to subscribers.

When somebody decided to give you his email, its a good will. Dont make him feel bad about that. Also time to time happens, that user changes his mind and want to unsubscribe.

There are several bad practices, how to do not solve this issue. I think, you are familiar with them:

  • To unsubscribe reply to this email with “XYZ” in subject.
  • To unsubscribe login to xyz.com and disable newsletter in settings page.
  • To unsubscribe you need to click on each newsletter type you want to disable.

Well, the good way is described like this:

Make unsubscription from newsletter as easy as click on SPAM button.

Why? Users are bored with uninteresting emails filling their mailboxes. When subscriber decide to not receiving your emails anymore, he want to do this quickly, without any complication. Every extra step means user will rather click on Spam button – because its easy one click&second action. And you really dont want this.

Every click on Spam button may lead to a lot of another (potential) customers will not receive your newsletter. It means potential lost profit.

So, before you will think up strategy, how to make the unsubscribe process as complicated as possible – to dont let the user go – think twice, if it will not lead to lost more potential customers.