8 Ways To Keep Your Magento-Based Store More Secure

One of the undeniable advantages of Magento is its rich set of extensions. Merchants can use paid or free modules that considerably extend the native Magento functionality and improve their chances of higher sales. All of them are available from Magento Connect.


Although it is hard to guarantee that all of them are secure, Magento has partially addressed this problem: it tests the code quality of an extension before it appears in the Magento marketplace. Still, it is always a good idea to take some additional security measures of your own. Here is what you can do.

  1. The first rule for keeping your website secure is to apply patches and updates consistently. Remember that patches and upgrades are the only reason big companies prefer a licensed product.
  2. What about backups? If your website is attacked, an offsite or downloadable backup lets the business keep running. An offsite backup protects you from data loss by keeping a copy in another location.
  3. Are you sure your Magento password is strong enough? Use lowercase and uppercase letters, numbers and special characters. We strongly recommend not using information such as your pets' names or your date of birth.
  4. Two-factor authentication is one more effective way to protect your website. It requires users to enter not only a login and password but also an additional piece of information before access is granted.
  5. Every password should be unique. Don't reuse the same password across several accounts. It may seem convenient, but if one account is compromised, the rest are compromised too. Also remember to change passwords from time to time, and always answer 'Never' when your computer asks whether it may save your password.
  6. Keeping your access details saved, or leaving them unchanged, is more convenient than creating new ones and typing them in again and again. Using the default admin URL, login and password is also convenient, but it is far too risky. Resist the urge to keep default credentials.
  7. Shared hosting is cheap, but saving money and convenience are the last things you should think about when it comes to your website's security. Shared hosting is highly exposed to attacks. Virtual Private Server (VPS) hosting and dedicated hosting are safer choices for an ecommerce store. Finally, it is wise to work with a reliable hosting provider that offers not only the required infrastructure but also excellent overall support.
  8. Always use licensed extensions and Magento themes. Don't try to save money by downloading cracked software from third-party websites.
  9. Data sent over unencrypted connections is vulnerable to interception. Using an encrypted connection (SSL/HTTPS) is the right solution. The purpose of SSL is to encrypt all messages between browser and server so that data passes over a secure (HTTPS) connection. An SSL certificate is available from any trusted certificate authority and can be installed via SiteWorx.

We could give you even more tips, but the most important thing for you as a business owner to remember is that your business is always growing and changing. The Internet is also a dynamic, constantly developing system, and the threats keep changing too. Only regular security testing can keep you aware of new threats and other security-related events.

Magento Layered Navigation: Saving a Store From Being Abandoned

Even when shopping in ordinary stores rather than online, customers need to be guided. Products may not be especially varied or original, but if they are placed in the right spot and in the right order they will catch the eye of even the most demanding customer. This has been proven a million times, and it applies to online stores even more. Complicated navigation is something that can drive any customer away.

Magento Layered Navigation by Aheadworks was developed and released to keep customers from abandoning a store. How does it do that?


All of us want everything to happen fast, without delay. Aheadworks has developed an extension that saves customers' time by letting them choose multiple attributes simultaneously. Customers can pick different colors, sizes, capacities and so on all at once rather than one by one. This saves a considerable amount of time, and we all know that time is the most valuable thing we have.

There are some more features that make shopping pleasant. Here you will find new categories such as 'New arrivals' and 'Discounted products'. Moreover, a long multi-attribute filter list is collapsed so that only a limited number of attributes is shown. Once all the necessary filters are applied, empty categories are hidden, again for the customers' convenience. Because the extension uses less functionality, there are additional customization opportunities, and the whole process is simplified.

The greatest thing here is that no page reloads are needed; the process is practically invisible to customers. The module is even able to reduce the number of AJAX reloads to a single code execution.

What other attractive features are there? Keeping in mind customers' browsing habits and their recurring wish to undo the latest filters with one click, the developers have kept a so-called 'Back Button'. People never know what they finally want, so this option could not have come at a better time. It is never too late to turn back.

Layered Navigation for Magento 2 also offers shopping by brand. To make this possible, product pages contain a brand description and logo. Moreover, brands are available as additional filtering options. It is convenient, and it is also implemented to save customers' time.

All the features listed above make this extension something you should pay attention to and try for yourself.

Magento Extensions by Aheadworks: Best Practices For Best

Since the first days of Magento 2's appearance it has been a controversial topic for those involved in e-commerce. There are many arguments in favor of this CMS, and the most compelling one for Magento 2 is its extensions.

They are effective and easy to configure and apply. Aheadworks has taken a step forward and released a set of highly useful plugins that combine the most valuable features.


Ahead-of-the-curve functionality

Development is the main engine of progress. With this in mind, and aiming to anticipate customers' wishes, Aheadworks has created a pack of extensions with ahead-of-the-curve functionality.

Products to run a business, not just a store

Aheadworks has created products intended to boost not just a store but the business itself. In particular, with these extensions merchants spend less time configuring and managing them, thanks to the simplicity of the backend process, and have more time for the other decisions that make a business succeed.

Easily customizable projects

Each business has its own peculiarities; that is more than clear. Considering this, the Aheadworks Magento extensions are highly customizable, which allows these plugins to be applied to almost any type of commerce.

These main points make Magento 2 extensions by Aheadworks effective and profitable tools. So, use the Follow Up Email extension to bring customers back to the store; here we mean that familiar and destructive phenomenon, the abandoned cart.

Or apply Popup Pro to prevent customers from leaving your store without shopping. Adjust popups to make them appear when a customer moves his cursor outside the website window.

Make the administration process a pleasure! Thanks to Advanced Reports it is possible to gather full and perfectly complete information. It is essential to be clearly aware of the state of play to keep your business fit.

The Blog extension belongs to the category of products that are not obligatory but are effective. Communication between merchants and customers is the main key to successful trade, and this plugin is a tool for building such friendly relationships, which are valuable and precious.

This brief overview is just one piece of the whole picture of Magento 2 Extensions by Aheadworks.

Social Engineering: How Do They Do It?

First off, I do not encourage the tactics I talk about to be used for malicious acts. A common way they convince someone to divulge information is by acting as a friend or pretending they don’t want the information you have.

Now, just because someone says this doesn't always mean they are engineering you, but it is a common way of engineering. Also, just because someone is your friend on the internet doesn't mean they are "out to get you," so basically, don't be paranoid, just be careful. Another technique is to befriend them and convince them you mean no harm; eventually they will most likely tell you, depending on what you are trying to obtain.

Why Would Someone Do This?

There are many reasons why someone would want to engineer you, whether for monetary gain or for some other reason. If you are the owner of a website, server, business, etc., always be careful when handing out permissions or anything else someone might want to take and use to make your business their own. Many examples come from Minecraft servers where an "Admin" or "Co-Owner" receives FTP panel access and removes the owner, taking over the server. So always be wary and make sure you can trust the people you give permissions to, as they may not be who you think they are, no matter how long you've known them.

Common Places For Social Engineering

A LOT of engineering happens over Skype, as it’s what many people use to talk over the internet and it’s actually quite easy to engineer people over this application instead of just plain chatting, but if you are engineering I wouldn’t recommend sharing personal details or using video chat. Also keep most talking out of chat and in Voice Calls, as not many people have the means to record audio but everyone can take screenshots of chat logs.

How To Stop WordPress Comment Spam

Comment spam is a very big problem for bloggers. We all like to write on our blogs and want to see genuine comments on our articles, because that is the only way to get good feedback on what you actually do. If you are new here and not very familiar with the term, here is a short introduction to what comment spam actually is. We usually install a plug-in to collect comments from readers: an addition, something we missed, or maybe simple appreciation of the article. Since they are taking the time to comment, we also allow them to share a link to their website or blog. The problem arises when people start using your comment section to promote their links or leave irrelevant comments just to get more clicks on those links. This is called comment spam.

Say No To Auto Publish

The main reason spammers try to get through your comment page is that they assume you have set publishing to auto-publish or systematic-publish mode; either way, the comments are published automatically before being checked for spam. Auto-publish or systematic publish is a big NO if you want a clean site without any spam. It is better to check comments before they are published. That way you can be sure that only genuine comments are visible on your site. Generic comments like 'I like this article' and 'this information is very useful' could easily be spam. To check whether a comment is genuine, look for comments that relate to the content being commented on.

Check The Email IDs

The email IDs given in the comment form can indicate that a comment could be spam. Watch for email addresses that share the same website domain but use different affiliate names. These could be spam, and it is better not to publish comments from such IDs.

Use Plug-ins

There are a lot of plugins available that help make sure your site is not used by spammers. WordPress Captcha is one that many use to make sure there is no comment spam; it can be of great help in reducing automated comment spam. Simple Trackback Validation is a plugin that validates trackbacks and separates the real ones from the fake ones. Bad Behavior is also a good choice for making sure spammers do not misuse your site, and it can be used alongside other spam-blocking plug-ins for an effective remedy against comment spam.

There is a catch in using plug-ins for your website: free WordPress sites cannot install comment spam plugins. Only a self-hosted WordPress site can use these plug-ins, which are very effective and can ensure that there is no comment spam.

Why Would Someone Want to Hack My Blog?

We hear this all the time from clients with travel, real estate, food and other blogs. "Why would anyone want to hack my blog? It's just about recipes!" We understand it might not make much sense at first, but most hackers hack a website in order to steal its traffic and make some money off it. In the internet world, traffic is money, and if a hacker can hack 10 blogs, each with an average of just a couple thousand hits a month, they can redirect that traffic to their site and end up with a lot of visitors. Let me explain in more detail.

Links back to their site

Google is the main search engine for most of the developed world, and Google ranks websites using a complex algorithm I won't even try to figure out. But one of the most important parts of that algorithm is the number and quality of sites that link back to a particular page. So if a hacker has a site on which they sell products or advertising, it would behoove them to have other quality sites linking back to it. This would move their site higher and higher in search results, and thus allow them to sell more products or charge more for their advertisements.

Hijacking your traffic

This is in some ways related to the reason listed above, but instead of just placing hidden links on your blog, some hackers will redirect all your traffic to their page or an affiliate page, thereby stealing your traffic. Many people who get hacked notice it when they type in their URL one morning and end up being redirected to a page selling porn or performance-enhancing drugs. This usually indicates that the hacker is getting a commission on the sales that occur; by hijacking your traffic instead of working hard to get their own, hackers can turn a quick buck.

Get access to your paid content

If you sell a product on your website with a shopping cart and a product list and you are using software like Magento, WordPress, Joomla… it is likely that your products and prices are stored in your database. If a hacker can gain access to your database through SQL injection attacks they can change the price of your products and place orders for those products at a lower cost, sometimes as low as one cent. If your system is automated, you might not catch the change before product gets shipped out, and you must eat the difference.

Another common occurrence is hackers gaining access to a password-protected area of your site and consuming paid content for free. Sometimes the hackers will steal this data and build a site similar to yours, even selling the same content you worked hard to produce. You might not even know this has occurred, which is why it is important to take measures to prevent attacks as soon as possible.

Our next post will review the value of newsletters and mailing lists and why hackers would want to steal this information. Even if you have a small hobby blog, your traffic and resources may be worth more than you think. Now you know the answer to your question, "Why would someone want to hack my blog?": usually it all comes down to money.

How to prevent attacks from happening…

We can help you prevent attacks so you don’t have to worry about what vulnerabilities might be lurking in your system, and we do it at a very reasonable price. Take a look at our Website Protection plans where we review your website for vulnerabilities and address them before they can be exploited.

Best Data Storage Options for Your Business

By the time you are setting up your business, storage of data is probably the furthest thing from your mind. However, as your business grows, you will come to the realization that you need more than your hard disk and email to manage your data.

Businesses today deal with a lot of data, ranging from emails to customer information and accounts. It is important to ensure that this data is stored and managed properly for the smooth running of your business. At WebsiteHostingParadise we can provide you with a wide variety of options to keep your website secure.

Best options for small businesses

The data management needs of a small business differ from those of much larger businesses. Large businesses have larger volumes of data to deal with, and they also have the resources to invest in larger and more complex systems to handle them. Small businesses have to learn to work within their means.

The following are various options that small business owners can consider for the storage and management of their business data:

Secured Servers

Servers are a great option for established businesses that can afford their own. A server offers a centralized location in which information can be stored, and you can set it up to back up information from multiple hard drives on a regular basis.

Servers allow you to have full access to your data anytime you need it. You will however require an expert business IT support company to look after your server and ensure that it is working at optimum. Hiring a company to carry out regular checks on your server will ensure that it is in good working order and detect any problems early.

Cloud storage

Cloud is becoming increasingly popular especially amongst small businesses. Instead of having a computer to act as your server, you can store your data online. There are various popular Clouds available for businesses including Dropbox and Google Drive.

The best thing about Cloud storage is that information can be uploaded and accessed from anywhere in the world as long as you have internet access.

It is important to ensure the security of your data. You should therefore limit access to your information and discuss various security measures with your IT support firm.

Customer Relationship Management

Customer Relationship Management (CRM) systems are useful for businesses that have to handle a lot of data related to their customers. The CRM system will enable you to store information about your customers. You can store any details you need including their orders or reason why they have contacted you.

CRM systems come either as on-site or cloud-based systems. The cloud-based systems require no software or hardware and are accessible from just about anywhere where an internet connection is available. The on-site systems require specialized software and hardware.


This involves storing your data on a server that you can access via the internet. You can choose to either host the website yourself or have it hosted by a third party. You can store information for emails or websites with this type of data storage.


Storing data is not effective without proper management. This is where SharePoint comes in. It provides your company with a centralized hub through which you and your staff can store and access information, and it makes sharing information with employees much easier. SharePoint is customizable to suit the specific needs of a business.

It is important to talk to your business IT support firm to determine which method of remote backup data storage would best suit your business needs.

How to: Remove Google Analytics Spam

Do these look familiar to you?

  • get-free-social-traffic.com
  • floating-share-buttons.com
  • www.event-tracking.com
  • site8.free-floating-buttons.com
  • video–production.com
  • sexyali.com

I'm certain you've noticed referrals like these in your Google Analytics profile:

[Screenshot: referral spam in Google Analytics]

Today we will look at what this "spam" is, why it happens and how it is done, and at how to clean up your Google Analytics profile by removing referral, event and search term spam.

What are we talking about here?

This is a spam tactic that plays on webmasters' and marketers' curiosity about which websites bring them traffic.

Simplified, basic referrer spam goes something like this:

  1. I make a link from my website to your website.
  2. I click through that link multiple times.
  3. Your Google Analytics profile shows my website as a referral. You will be curious how people click through from it, and you visit it.
  4. ???
  5. Profit.

Why are they doing it?

To get traffic.

Most spammers just sell some low quality webmaster-targeted products. Some are affiliates that will refer you to popular websites like AliExpress.com (Asian Amazon) in hopes that you will convert to buyer immediately or later and they will get a commission.

How are they doing it?

Notice that no special authorization is needed to push data into your Analytics profile. All you need is the profile's "UA" Tracking ID, which looks like this: UA-124214-1

And it can easily be extracted from your website's source.

Now, with the rise of apps, there was a need to take Google Analytics beyond websites. Universal Analytics was born.

One of its features is Measurement Protocol, which:

“… allows developers to make HTTP requests to send raw user interaction data directly to Google Analytics servers”.

This is basically a robust Google Analytics API. With it you can track anything, including offline events, and tie them to a user's website or app behavior. All tracking is done server-side. Great stuff.

But this had a side effect: spamming can be automated completely and performed in bulk.

This is how the process goes for the most advanced spammers:

  1. Make a Measurement Protocol request which mimics a website hit from a chosen referral.
  2. Send it as an HTTP request from a server.
  3. Repeat with the next victim's "UA" Tracking ID.
  4. ???
  5. Profit.

But any visitor data can be manipulated this way, so step 1 could just as well spoof an event, a search term or even the user's browser.

And keep in mind that nothing special is needed to come up with "UA" Tracking IDs: Google Analytics simply uses sequential numbers.

So in theory you could hit every existing profile, even though most of them are abandoned. Why not, we're spammers anyway.

This is how fast you can make even 100 hits, all to different profiles:

[Screenshot: Measurement Protocol hits being sent in bulk]

It's 2 lines of code in a loop using the Universal Analytics for Python library.

Now imagine running this on a server 24/7, or on multiple servers, programmed by someone who knows what they're doing.

Since most spam is done server-side, there is a catch: most spammers don't define which "hostname" sends the data.

The hostname of a visit shows which web property was used to register the hit. Most of your hits will arrive from your domain's hostname. You may also see some hits from Google Translate hosts, and from your local development hosts (or localhost) if you use any during development.

Sample referral spam hits from undefined hostnames:

[Screenshot: referral spam hits with hostname (not set)]

So, by including Google Analytics data only from known hosts, we can easily eliminate most spam.

We can then add a few more exclusion filters to remove the more advanced spammers who define clever hostnames, or who run actual bots that visit your website.

Setting up Google Analytics views to filter out spam

First, make sure you or someone else didn't try to combat spam using the "Referral Exclusion List" under "Property → Tracking Info → Referral Exclusion List":

[Screenshot: Referral Exclusion List settings]

This is wrong. You should only use this list when you want to strip referral information from a domain, for example when your payment processor redirects people back to your site after a purchase, or for your "support." sub-domain.

Next on your to-do list is to create a new view and call it "Unfiltered".

We will keep this one to fall back on if we suspect that the filters on our main view are wonky.

[Screenshot: creating the "Unfiltered" view]

Give it the same settings as your main view (timezone, currency, Ecommerce enabled, etc.), and make sure "Exclude all hits from known bots and spiders" is unchecked in its settings.

Including only known hostnames

Now that we have a backup view, let's add a filter that will only allow Analytics hits from known hosts.

Go to your main view, "Audience → Technology → Network", change the primary dimension to "Hostname", and you'll see something like this:

[Screenshot: hostname report]

Breaking it down:

  1. Your own hostname.
  2. (not set) for server-side hits that don't define a hostname. Most spam, in my case.
  3. Hits from people using Google Translate.
  4. Hits from my "development" environment, i.e. when I run my website on my own computer.
  5. Spammers that do define hostnames. HULFINGTONPOST is my favorite.

Keep in mind that your property may have more hostnames similar to Google Translate; if you see a substantial number of hits that don't look like spam, check them out. Perhaps that hostname is worth including in the filter.

Important: if you use server-side tracking for some events, some of the (not set) events will be yours. I suggest you either set the hostname in the context of your server-side tracking calls or add (not set) to the allowed hostnames in the filter.

OK, now let's set up the hostname filter. Go to "Admin", select your main view and go to "Filters". Click "+ NEW FILTER", then configure it:

[Screenshot: hostname include filter]

  1. Type: Custom
  2. "Include", as we will only be including the needed hostnames.
  3. Field: "Hostname"
  4. Filter pattern: regular expressions work here. Add all your domains, sub-domains and other valid hostnames.
  5. Verify & save your filter.

By including only known hostnames in our reporting we eliminate most spam, but not all. So let's proceed.

Referral spam

Some spammers cleverly set the hostname to that of their target website.

[Screenshot: referral spam with a spoofed hostname]

For these we will simply exclude them as referrals, adding more as we discover new ones.

Keep in mind that filters don't work retroactively, so check for spam referrals in periods after you've applied the hostname inclusion filter. Or go to Hostnames, pick your hostname, check its referrals and find the fishy ones.

And here’s the filter:

[Screenshot: referral exclude filter]

  1. Type: Custom
  2. "Exclude".
  3. Field: "Campaign Source"
  4. Filter pattern: add all the spam referral domains that are left. Use "|" between domains; don't use spaces.
  5. Verify & save your filter.

Search term (Keyword) spam

Some spam has recently started appearing in organic search terms.

[Screenshot: keyword spam in organic search terms]

And here is a filter to remove those.

[Screenshot: search term exclude filter]

  1. Type: Custom
  2. "Exclude".
  3. Field: "Campaign Term"
  4. Filter pattern: add the spam keywords, separated by "|".
  5. Verify & save your filter.

Events spam

Most spam events will already be filtered out by including only known hosts, like this one:

[Screenshot: spam event with hostname (not set)]

But if you still see event spam, here is a sample filter to remove it.

[Screenshot: event exclude filter]

  1. Type: Custom
  2. "Exclude".
  3. Field: "Event Action" (or Category)
  4. Filter pattern: add the contents of the spam event.
  5. Verify & save your filter.
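To see how the four filters above interact before you touch a real view, here is an added Python example (not code from the original post) that applies the same include/exclude patterns to a constructed set of hits and reports which filter rejected each one. The example.com hostnames, the spam keyword and the spam event action are constructed placeholders; the spam referral domains are the ones listed at the top of the post.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """One analytics hit, reduced to the four dimensions the filters look at."""
    hostname: str      # GA "Hostname"; "(not set)" for server-side hits without one
    source: str        # GA "Campaign Source" (referrer domain, "google", "(direct)")
    term: str          # GA "Campaign Term" (search keyword, or "(not provided)")
    event_action: str  # GA "Event Action"; "" for plain pageviews


# Hostnames this property legitimately reports. example.com is a constructed
# placeholder; the Google Translate host is the kind of host the post mentions.
ALLOWED_HOSTNAMES = ["example.com", "www.example.com", "translate.googleusercontent.com"]
# Spam referral domains quoted at the top of the post.
SPAM_REFERRERS = ["get-free-social-traffic.com", "floating-share-buttons.com",
                  "www.event-tracking.com", "site8.free-floating-buttons.com"]
# Constructed spam values (the post only shows these in screenshots).
SPAM_TERMS = ["free traffic for your site"]
SPAM_EVENT_ACTIONS = ["visit our site for free buttons"]


def hostname_include_pattern(hostnames, allow_not_set=False):
    """Pattern for the 'Include / Hostname' filter. GA treats the pattern as a
    regular expression, so dots are escaped and alternatives joined with '|'.
    allow_not_set keeps '(not set)' hits, which you need if your own server-side
    tracking calls do not set a hostname (the caveat in the post)."""
    parts = [re.escape(h) for h in hostnames]
    if allow_not_set:
        parts.append(re.escape("(not set)"))
    return "^(" + "|".join(parts) + ")$"


def exclude_pattern(values):
    """Pattern for an 'Exclude' filter: values joined with '|' and no spaces."""
    return "|".join(re.escape(v) for v in values)


def build_filters(allow_not_set=False):
    """The four filters from the post, in the order GA would apply them.
    Each entry is (name, field accessor, compiled regex, mode)."""
    return [
        ("include known hostnames", lambda h: h.hostname,
         re.compile(hostname_include_pattern(ALLOWED_HOSTNAMES, allow_not_set), re.I), "include"),
        ("exclude spam referrals", lambda h: h.source,
         re.compile(exclude_pattern(SPAM_REFERRERS), re.I), "exclude"),
        ("exclude spam search terms", lambda h: h.term,
         re.compile(exclude_pattern(SPAM_TERMS), re.I), "exclude"),
        ("exclude spam events", lambda h: h.event_action,
         re.compile(exclude_pattern(SPAM_EVENT_ACTIONS), re.I), "exclude"),
    ]


def apply_filters(hits, allow_not_set=False):
    """Return (kept_hits, dropped) where dropped maps each rejected hit to the
    name of the first filter that rejected it, mimicking a filtered GA view."""
    filters = build_filters(allow_not_set)
    kept, dropped = [], {}
    for hit in hits:
        for name, field, regex, mode in filters:
            matched = regex.search(field(hit)) is not None
            if (mode == "include" and not matched) or (mode == "exclude" and matched):
                dropped[hit] = name
                break
        else:
            kept.append(hit)
    return kept, dropped


# Constructed sample hits: what an "Unfiltered" view might contain.
SAMPLE_HITS = [
    Hit("example.com", "google", "(not provided)", ""),                     # real organic visit
    Hit("(not set)", "get-free-social-traffic.com", "(not provided)", ""),  # server-side spam, no hostname
    Hit("example.com", "floating-share-buttons.com", "(not provided)", ""), # spammer spoofed our hostname
    Hit("www.example.com", "google", "free traffic for your site", ""),     # keyword spam
    Hit("example.com", "(direct)", "(not provided)", "visit our site for free buttons"),  # event spam
    Hit("translate.googleusercontent.com", "google", "(not provided)", ""), # Google Translate visit
    Hit("(not set)", "(direct)", "(not provided)", "offline purchase"),     # our own server-side event
]

if __name__ == "__main__":
    kept, dropped = apply_filters(SAMPLE_HITS)
    print(f"kept {len(kept)} of {len(SAMPLE_HITS)} hits")
    for hit, reason in dropped.items():
        print(f"dropped by '{reason}': {hit}")
```

Run it once with `allow_not_set=False` and once with `True` to see the trade-off from the post: the stricter setting drops the legitimate server-side event along with the spam, while the looser one keeps it but relies on the referral filter to catch the (not set) spam.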

That’s it, enjoy your Google Analytics view without spam data.

Don’t forget to update your filters if you notice new spam referrals, events or search terms coming through.