Threats to a server can come from many different locations and one of these is when files are uploaded to a site.

We have always been a leader in the field of server security and on more than one occasion have been the first company in Australia to incorporate new security scripts and measures on our servers.

In line with this are very pleased to announce a new measure that is available to secure against infections arising when uploads are made to a site / server.

Click here to read our article

(1) Meta-data:

Ensure all pages of your site have meta data eg relevant titles, descriptions and keywords. There are a number of SEO tools available that can check keywords density, title and description relevance to page content etc. It takes time to get the right balance and have the meta data and actual page content have relevance, but the time you invest with certainly be worth it.

(2) Images:

Put text/alt tags on images throughout your website. Not only does it provide additional descriptions and information to customers, but it also assists Google to understand better what you page is about and also assist screen-readers to more effectively analysis your website, making it much more user-friendly.

(3) Content & Internal Linking:

Write up a keyword rich homepage introduction to include the words relative to your products/industry + links into your cart categories and directly to your products.

(4) Google Stuff:

• Click here for the one-stop shop for Webmaster resources
• Click here for webmaster guidelines. These tips will assist Google to find, index and rank your site
• Create a site map – click here to generate your site map online
• Create a Webmaster acccount so you can add site maps, manage robot text files and more.
• Create a Google Adwords campaign focusing on keywords that people are looking for and be willing to pay more than necessary on the keyword/s for 1-2 months. Once you start getting the click-thru history then you can knock the cost back to less. Click here to sign up.

(5) Forums:

Find forums that you can give your professional opinion on. Don’t just go into the forum and tell everyone to come and visit your site – this is not the objective. Instead, find forums that you can assist others with your knowledge. Take the emphasis of trying to promote your business, and place it on actually answering a question to the best of your ability. Ensure, however, to put your website URL in your signature so that when you do post comments to a forum with your answer goes up your web address.

(6) DMOZ Submission:

Sign up in the DMOZ directory – http://www.dmoz.org/  (ensure to drill down into the specific category, one only, that you want to be listed under, then click on ‘Suggest URL’ from top of page)

(7) Resources/Links:

Actively seek to place your link on sites with good pagerank, or that are popular and within your industry type. We strongly advise against link-farms and simply exchanging links for the sake of it. You can also place on this page links to other sites that you feel your visitors may find useful. Ensure to have written into your Privacy Statement however that all external links are provided to them as a courtesy and that you are not responsible for the content or activities of the business etc should your customer visit the links.

(8) Be Proactive:

Make regular changes, updates, add pages to your existing website. Add pages but do not delete existing ones, not change the actual names of the pages. All pages of your site has ‘history’ attached to them and if you delete pages, or change their names that ‘history’ is lost.

(9) Constant Contact:

Keep in contact with visitors to your and customers. Provide the option of subscribing to your newsletter on your website and then use that email addresses provided to notify site visitors of everything happening in your business, from the launch of new products, upcoming events, specials, sales etc. Whether it be a weekly or even monthly newsletter, the aim is to keep your web address clearly in their minds – and what better way than via their inbox!

(10) Monitor your site:

How can you possibly know what is going on with your website if you don’t actively monitor what’s going on with your website! X-Cart comes inbuilt with a variety of statistics and analysis tools, however, if you really want to view your websites activities get yourself a program that enables you to see where people are coming from, what are the most popular pages, how many ‘unique’ visitors have visited, how did they get to your site eg by search engine search term, adwords link, or other referral link, and the click-path they took through your site. All of this information is invaluable to see how your website is going. In conjunction with monitoring software/tracking script, keep you own journal of keywords and how you are ranking in the search engines. Just put together a spreadsheet and list down the keywords you want to rank well in. Then weekly take the time to actually type those keywords into Google and see where you are positioned. The only way to tell if you are improving is to check if you are actually improving! If you are, keep doing what you are doing. If not, then at least you are aware that things need to change in order for your search engine success to change.

(11) Add a Blog:

Just like the forums, a blog can be a fantastic place to provide resources and information to your customers and site visitors. It can also encourage regular interest in your site, resulting in repeat visits from people just to see the latest news, review and information you have on your blog.

(12) Reward your customers:

Have incentives to encourage repeat patronage ie all first-time customers you could send a $10.00 gift certificate to – they would have to either come back themselves to redeem it, or forward it on to another person – either way you get another sale, even if you loose $10.00 on the sale itself.

Have ‘special offers’ or bonuses such as free shipping etc, especially o Special Occasions such as Mothers Day, Fathers Day, Valentines, X-Mas, Easter – basically utilise all the special times of the year as a good excuse to have a special, have a sale, have a bonus offer etc  

(13) Social Networking:

There are numerous places on the internet where groups of people gather these days, that form the perfect marketplace for promotion of your business. As such it would be within your best interest to take advantage of such places including:

• Twitter
• MySpace
• Facebook
• Skype
• MSN

You may not understand much about such social networking sites however even a little knowledge and utilisation of these sites can increase traffic to your site, resulting in sales from strangers that are now your new customers!

And even if you don’t have the time, knowledge or inclination to do anything with social networking right now, we strongly encourage to go and secure your social networking identities for future use – if you don’t you may very well find that your competitors!

 Here is how to create a post or article into your newly created Categories.

 Diff file (or a patch) is a file ‘describing’ changes which needs to be applied to the file. In UNIX world diff files are a standard way to apply changes/fixes to a program source code. There is a special program called ‘patch’ which reads diff files and applies the changes to the source code. 

In everyday use diff files are frequently called ‘patches’ which may sometimes cause confusion. 

An example of a diff file:

Code:

Index: admin/category_modify.php 
@@ -160,7 +160,7 @@ 
       db_query(”update $sql_tbl[categories] set category=’$category_name’, description=’$description’, 
meta_tags=’$meta_tags’, avail=’$avail’, order_by=’$order_by’, membership=’$cat_membership’ where 
categoryid=’$cat’”); 
       db_query(”UPDATE $sql_tbl[categories] SET membership=’$cat_membership’ WHERE category LIKE 
‘$category_name/%’”); 

-       db_query(”UPDATE $sql_tbl[categories] SET 
category=CONCAT_WS(”,’$category_name’,SUBSTRING(category,”.strlen($old_category_name).”)) WHERE category LIKE 
‘Books/%’”); 
+       db_query(”UPDATE $sql_tbl[categories] SET 
category=CONCAT_WS(”,’$category_name’,SUBSTRING(category,”.(strlen($old_category_name)+1).”)) WHERE category 
LIKE ‘$old_category_name/%’”); 
   } 

#

We suggest three methods for patch installation.

During internal audit activities we found a moderate security issue that makes X-Cart potentially vulnerable to attackers who wish to gain access to the application back-end.

The following security improvement has been included into this update: -

- protection from XSS attacks.

SEVERITY:
Moderate

IMPACT
Malicious users may inject an active content (for instance: JavaScript) into the application to fool users in order to gather data from them.  An attacker can steal the session cookie and take over the account, impersonating the user.

AFFECTED VERSIONS
All X-Cart versions

SOLUTION
We strongly recommend you to apply the security fix to secure your store.

To apply this patch, follow the instructions below:

1) Download the security patch (the security-patch-2009-08-04_***.tgz archive file, e.g. security-patch-2009-08-04_4.2.2.tgz) from the “File area” section of your HelpDesk account.

You can find the patch by the following path:
* For X-Cart 4.2.2 version:
X-Cart -> X-Cart 4.2.2 (current version) -> Updates and patches

* For all the other versions:
X-Cart -> X-Cart supporting files for prev versions -> {Your X-Cart branch} -> {Your X-Cart version} -> Updates and patches

2) Decompress the archive file.
The following folders will be extracted:
/DIFF-xcart – contains DIFF files to patch customized X-Cart files
/xcart – contains the X-Cart files with fixed vulnerability.

Note:
DIFF file is a file containing the difference between two files. In our case the DIFF file contains changes made to the current file by comparing it to a former version of the same file.

There are 2 ways to install the patch:
a) place the fixed files over the current ones;
b) manual installation using DIFF files.

3) Back up the corresponding files in your X-Cart before patching the store.

4) If the files from the xcart directory are not modified in your X-Cart, you may use the first method of applying the patch. This
way the files from the patch will overwrite the same files in your X-Cart.
You should copy the files from the patch into your X-Cart installation via FTP or another tool that you
usually use to manage files on your web-server. The copied files will replace the original ones that contain
the vulnerability, thus it will be fixed.

NOTE: The patch will overwrite the files completely, i.e. they will become default. If you made any
changes or customizations to the files, make sure you re-implement the changes after the patch has been
applied, or just install the patch manually.

5) If the files have been modified, it is recommended to apply the patch manually using DIFF files. This way you will keep your modifications intact. 

ATTN: In case you are running X-Cart 3.3.x and earlier, please contact our tech support directly. 

If you have any questions or concerns, please do not hesitate to contact Just X-Cart

Please note: all the issues fixed by the current patch have already been corrected in the newest X-Cart 4.3.0 version.

 Gift Certificate bug-fix

With the release of NABTransact externally hosted payments page recently, we have discovered a small bug whereby the NAB gateway will not recognise gift certificates monetary values when placed in the cart. This glitch causes the order to fail once it leaves the cart and attempts to process the order with NAB’s gateway.

Our developers have, however, investigated and rectified this issue.

Please contact Just X-Cart Australia if you have the first release of the NABTransact payment gateway add-on and we can supply you the file you require to fix the issue.

Dear Just X-Cart client,

As part of our server maintenance, we will be performing a range of upgrades and security checks on your server in the next few days. There are a range of changes and enhancements so I will explain them individually. These include:

KERNEL UPGRADE

The kernel on your server will be upgraded this week and a reboot will be scheduled for 10pm AEST on Saturday 30th May to apply the kernel. The reboot should only take a few minutes to perform.

APACHE/PHP UPGRADE-SECURITY ENHANCEMENT

Apache and PHP will be upgraded on all servers that are currently running older versions to Apache 2.2.11 and PHP 5.2.9, some security adjustments to Apache and PHP will be made, including the introduction of Suhosin, a PHP hardening module to the server. Most changes should cause no effect to client sites however there could possibly be a few sites with older scripts etc that may require adjustment. If anyone has any issues please contact us immediately.

SUHOSIN – HARDENED PHP

Suhosin is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core and on our cPanel servers will tie directly into the Firewall system to block offending users illegally accessing scripts on the server.

We have a well developed ruleset that we have been running and testing on our cPanel hosting servers for some time now and we believe the settings we will be applying will cause no issues to any clients, however if any issues please open a ticket at the helpdesk.

EMAIL SPAM ENHANCEMENTS

In a bid to reduce spam and to enhance email security cPanel has introduced SPF records and Domain Keys to the mail system and we strongly advise all clients to login to cPanel and enable these functions. Details about SPF records can be found at http://www.openspf.org and information on Domain Keys at http://www.dkim.org.

Clients can access and enable these functions by clicking on the Email Authentication link in their email hosting cPanel (X-Mail). See your ‘Welcome email’ for email hosting console link and your username and password.

FTP SECURITY

We have found an increasing amount of websites, in particular insecure PHP websites, being infected with Javascript and other related worms, trojans and hack attempts. A lot of these are caused by insecure scripts, which should be checked and upgraded or secured where possible, however an increasing amount of people are having these sorts of hacks caused via insecure FTP connections.

We strongly advise clients to either set their FTP programs to use secure FTP (FTPS) which is accessible on port or to use SFTP on port 22351 to ensure security of uploaded content. 

Clients will need to check their FTP programs to see what options they have available to them.

Further to this, despite previously recommending Filezilla to clients, we now advise against using Filezilla FTP client as we have seen a number of clients report connection issues. A number of people have issues with Filezilla and the global connection setting when they upload it causes too many simultaneous connections and they get blocked by the firewall.

Try using another FTP client such as:

• CuteFTP
• FireFTP add-on for Firefox Browser
• Fetch for Mac

Kind Regards,

If anyone has any queries or concerns, or find your site experiencing any problems, please do not hesitate to contact us for assistance.

Kind Regards,
Natalie Verhoek
Head of Technical, Data & Training

If you are hungry, you could go to McDonalds - If you are wanting to have some fun, you could go to Disneyland.

Of course, everyone knows who McDonalds and Disneyland are but how did they become so well known? 

 If one needs a hammer, he would go to a hardware store.
If one needs pain killers he would go to the drug store. 

And you may now say in return that everyone knows what hardware and drug stores are for.
But what would you do if you do not know where to look for something?

One option is to just walk along the street and ask the first man you meet to point you the right way.

But, the world of the Internet differs from real life, but there’s something in common.

There are site-giants like: YouTube, FaceBook or eBay on the Internet, just like McDonalds and Disneyland in real life, and everyone goes there and always finds what he expects.
If you don’t know where to go you can always ask Google and it points you in the right direction.

However, a user can surf the web at random for years and never come to your site if no one on the Internet, even Google, knows about it.

And the main question is: how do people know where to go if they need what you sell on-line, who will point them the right way?

And it is SEO you can utilize to carve the visitor’s way from the browser right to your site.

• Thus a distant aim of SEO is to make your site as popular as possible in your industry, like McDonalds is in the restaurant fast food business.
• A more material reason is to let the other know about your site so that people wandering in the Internet can run into your site.
• But the most important goal is to make sure that people looking for something special are told where to go and the place they are directed to is YOUR SITE.

Once you have updated your twitter page, why not add it as a ‘widget’ to your store?

All you have to do is to go to twitter.com/widgets/ and select the appropriate type of site (if its a store, then select ‘other’)

Hit ‘continue’ and you will have two choices : Flash or HTML. I personally select HTML to avoid any plugin problems. 

Hit ‘continue’ and you will be able to copy the code. If you are wanting us to add this to your store, please provide us with the code. This will be a minimum cost of which will be confirmed when job is scheduled in.

‘Happy twittering’

 Within X-Cart, you used to be able to generate an HTML catalogue in order to make the pages Google friendly. However, it limited the ability to design your own index or home page as the index page was overwritten.

However, if you run CDSEO, you can create your own custom designed home page and still have the google friendly generated pages within your store – and never run a generated catalogue again:)

Perfect for a fully customised store that requires a different look on the home page!