Wagento Creative

  • New SUPEE-8788 v3 Patch Available for Enterprise Edition 1.13.0.x

    Security Announcement

    An updated SUPEE-8788 v3 patch for Enterprise Edition 1.13.0.x is now available in the “Security Patches – October 2016” folder in MyAccount. It addresses missing files that prevent many Enterprise Edition 1.13.0.x merchants from successfully deploying the SUPEE-8788 patch.

    If your merchant was unable to apply the SUPEE-8788 patch, they should deploy the version 3 patch. If they already successfully applied the version 2 patch, there is no need to do anything.

    To install the new patch:

    • Revert SUPEE-1533 if it has already been installed.
    • Deploy SUPEE-3941 if it hasn’t already been installed.
    • Install the new SUPEE-8788 v3 patch. This patch includes SUPEE-1533, so there is no need to worry about re-installing it.

    You can find SUPEE-1533 in the “Security Patches – October 2014” folder and SUPEE-3941 in the “Security Patches – August 2014” folder in MyAccount. More detailed installation instructions are available in DevDocs.

    Thank you,
    Team Wagento

  • Steps You Can Take to Boost Security

    Malware attacks targeting ecommerce sites are on the rise and it has never been more critical for merchants to follow security best practices. In most malware cases we’ve analyzed, attackers are not developing new ways to penetrate Magento sites. Instead, they are taking advantage of existing, unpatched vulnerabilities, poor passwords, and weak ownership and permission settings in the file system.

    To ensure the highest level of security, here are actions you and your clients should take:

    • Set up strong passwords and change them at least every 90 days, as recommended by the PCI Data Security Standard in section 8.2.4. You can check the password lifetime setting in the following locations:
        • Magento 2.x: Stores > Configuration > Advanced > Admin > Security > Password Lifetime set to 90 days (default setting)
        • Magento 1.x: System > Configuration > Advanced > Admin > Security > Password Lifetime set to 90 days (default setting)
    • Keep systems up-to-date and install all security patches and updates immediately.
    • Stay informed of new patches by subscribing to Magento security alerts at https://magento.com/security/sign-up.
    • Scan stores monthly on MageReport.com to detect malware and to identify any security patches that may not have been deployed. MageReport.com is a highly-regarded service that is available at no charge.
    • Each month, review all Admin user accounts and remove any that are not recognized, or are no longer valid or active.
    • Verify that the system file permissions are set according to Magento 1 and Magento 2 file permission guidance. Misconfigured permissions may allow attackers to modify Magento code files and inject vulnerabilities into your client’s environment.
    • Check systems for unauthorized programs. For example, check for processes that perform key logging functions and unnecessary processes that are not required for Magento system operation.
    • Make sure your clients put other Magento Security Best Practices in place.

    If you discover that a client’s site has been attacked, immediately clean the site of all malicious code, install any missing patches, and update all Admin passwords. If you think that you have found a specific vulnerability in Magento and can provide more technical details, please report it to security@magento.com.

    Thank you!


    Earlier this week you may have been contacted by your Account Manager, Product Owner or Business Owner about the latest Magento security patch, which was released on Tuesday 10/11/2016. Magento security patch SUPEE-8788 was found to have some issues with Magento EE 1.13 and earlier versions. Here is the press release for that issue:

    We’d like to make you aware of an issue with our recent security release. The SUPEE-8788 patch for Enterprise Edition 1.13 and earlier versions fails if a store has previously applied SUPEE-1533 or SUPEE-3941 security patches. We are working to correct this issue and will provide new patches in one to three days in the “Security Patches – October 2016” folder in MyAccount. Until then, we are removing these versions of the SUPEE-8788 patch from distribution.


    Updated versions of the SUPEE-8788 patch for Enterprise Edition and Community Edition are now available. The Enterprise Edition patch is in the “Security Patches – October 2016” folder in MyAccount. The Community Edition patch is available in the Release Archive of the Community Edition Download Page.

    The new patch addresses two issues:

    • Removes compatibility issues with SUPEE-1533 and SUPEE-3941 security patches experienced by merchants using Enterprise Edition 1.13 and earlier and Community Edition 1.8 and earlier releases.
    • Resolves issues with some 3rd party payment methods during checkout.

    Installation process:

    • Revert SUPEE-8788 if you have already installed it.
    • Revert SUPEE-1533 if you have already installed it.
    • Deploy SUPEE-3941 if it hasn’t already been installed.
    • Install the new SUPEE-8788 v2 patch. This patch includes SUPEE-1533, so you don’t need to worry about re-installing it.

    You can find SUPEE-1533 in the “Security Patches – October 2014” folder and SUPEE-3941 in the “Security Patches – August 2014” folder in MyAccount and in the Release Archive of the Community Edition Download Page.
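
    The two installation sequences above (the v2 steps here and the v3 steps in the later announcement) can be derived from a store's patch log. This is an added example, not code from Magento or Wagento; it assumes the patch scripts record each run in a log such as app/etc/applied.patches.list using the pipe-separated header format noted in the comments, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: plan the SUPEE-8788 install order from the patch log.
# Assumption: header lines look like
#   <date> | SUPEE-nnnn | <edition> | <version> | ...   [| REVERTED]
# and any other line (patch tool output) contains no " | " separators.

# patch_state LOG ID -> applied | reverted | absent (the last record wins)
patch_state() {
    awk -F' [|] ' -v id="$2" '
        $2 == id { s = ($NF == "REVERTED") ? "reverted" : "applied" }
        END      { print (s == "" ? "absent" : s) }
    ' "$1"
}

# patch_version LOG ID -> version field of the latest non-reverted record
patch_version() {
    awk -F' [|] ' -v id="$2" '
        $2 == id && $NF != "REVERTED" { v = $4 }
        END { print v }
    ' "$1"
}

# supee8788_plan LOG -> one step per line, in the order given on this page
supee8788_plan() {
    log=$1
    if [ "$(patch_state "$log" SUPEE-8788)" = applied ]; then
        case "$(patch_version "$log" SUPEE-8788)" in
            v2|v3)
                echo "nothing to do: updated SUPEE-8788 already applied"
                return 0 ;;
        esac
        echo "revert SUPEE-8788"
    fi
    if [ "$(patch_state "$log" SUPEE-1533)" = applied ]; then
        echo "revert SUPEE-1533"
    fi
    if [ "$(patch_state "$log" SUPEE-3941)" != applied ]; then
        echo "deploy SUPEE-3941"
    fi
    echo "install updated SUPEE-8788"
}

# Constructed sample log: SUPEE-3941 applied and later reverted,
# SUPEE-1533 still applied, SUPEE-8788 never applied.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2014-08-19 14:03:10 UTC | SUPEE-3941 | EE_1.13.0.x | v1 | 0000000 | constructed
patching file (path omitted)
2014-10-20 09:12:44 UTC | SUPEE-1533 | EE_1.13.0.x | v1 | 0000000 | constructed
patching file (path omitted)
2015-01-07 11:40:55 UTC | SUPEE-3941 | EE_1.13.0.x | v1 | 0000000 | constructed | REVERTED
EOF

supee8788_plan "$SAMPLE_LOG"
```

    Run it against a copy of the store's own log in a development environment first; a patch that was applied by hand rather than through the patch script will not appear in the log and has to be checked separately.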

  • Upcoming Magento 1.x and 2.x Releases Provide Critical Security and Functional Updates

    Get Ready to Assist Clients

    To help you better serve your clients, we are providing a preview of important Magento releases scheduled for Tuesday, October 11, 2016. This information should be kept confidential and should not be shared or discussed publicly until the release date.

    Enterprise Edition 1.14.3 and Community Edition 1.9.3 deliver over 120 quality improvements, as well as support for PHP 5.6. They also resolve critical security issues, including:

    • Remote code execution vulnerabilities with certain payment methods
    • Possibility of SQL injections due to Zend Framework library vulnerabilities
    • Cross site scripting (XSS) risks with the Enterprise Edition private sale invitation feature
    • Improper session invalidation when an Admin user logs out
    • The ability for unauthorized users to back up Magento files or databases

    The SUPEE-8788 patch addresses these security issues in earlier Magento versions. Functional update details and installation instructions will be available Tuesday in the Enterprise Edition and Community Edition release notes; a full list of security updates will also be published Tuesday in the Magento Security Center.

    Updates to Magento 2 software address the same critical security issues described above. Additionally, the releases make several functional improvements and API enhancements. New API methods allow 3rd party solutions, such as shipping or ERP applications, to use APIs to transition an order state when they create an invoice or shipment. Magento 2.1.2 now also includes PHP 7.0.4 support and Magento 2.0.10 and 2.1.2 are compatible with MySQL 5.7. A summary of improvements will be available in the release notes on Tuesday; all security updates will also be listed Tuesday in the Security Center.

    We strongly encourage you to work with your clients to implement these releases immediately, as attackers may target merchants who are slow to patch these issues. Updates should be installed and tested in a development environment before being put into production. Also, please use this occasion to do a security assessment of your clients’ systems in accordance with our Security Best Practices.

    Thank you for your continued cooperation and support.

  • Things Change - The Fix Bid Project


    Things Change

    by Brent W. Peterson, Director of Customer Experience.

    A continuation of my Customer Experience series. At the end of the day, the client wants to have their website completed in the way THEY want it. The trick is that once you start your project, things change. Anyone who starts a project as a fixed bid and hopes to come to the end of the project with what they started is only fooling themselves. Things change from the client perspective and things change from the agency perspective. The bottom line is that these changes will affect your project, and the sooner you can wrap your head around this concept, the more successful your project will be.

    The Basics

    Client wants something -> Agency delivers something

    The success or failure of a project resides in the middle of these two things. What we can do now is to continue to break down the high-level items in any project. From these items we can ask questions about what is important to getting from A to B. How we navigate that road and how we report where we are and the road blocks involved will determine the success of the project. Let me add that the length of the road and the amount of work that needs to go down the road will also contribute to the success of the project. If the project is projected to last 2 years there is a much higher probability of failure than a project that will last only 2 weeks. The ratio of work to time is an important number to look at. The risk of a lot of work and a short amount of time is that something has to be given up. One cannot simply deliver everything in a given time when it is impossible to do everything in that time.

    Let's break down the project at a high level

    • Client wants something
    • Client communicates to agency what they want
    • Agency digests what they want and communicates back to the client what they will do and how long it will take to do it.

    The “want” in a project is not always 100% to everyone. The “want” is sometimes all determined at the beginning but most likely wants will trickle out during the project. This is the biggest reason why Agile is the best approach for project management. So the next question is “How do I translate what the client wants into what we are going to do?” This communication is the key to the success of the start of the project, but continued communication and a partnership point of view is how the project will finish successfully.

    The how long it takes to do it is a number that will cause great contention later in the project. Why? Because what the client expects will be done may be different than what the Agency thinks they want. To further complicate things we have time that is lost because people need to eat and sleep and we have weekends and vacation. So 80 hours of work doesn’t necessarily mean it will be done in two weeks. It is the responsibility of the agency to communicate that the time to complete the 80 hours will be compounded by the fact that there may be a time that work goes through Q/A and the Q/A team will need time to review and look at tickets. (This is just an example, but there are many other factors that will contribute to this time) What we do know is that we can come up with an average of how long it takes to complete 40 hours of work. An example is the following:

    40 hours = 5 man days. The 5 man days will take up to 15 days to complete because each item that makes up those 8 hours of daily work must be reviewed by a project manager, worked on by a developer, Q/A'd by a technician, pushed around as code by a DevOp and reviewed by the client. All these steps assume that everyone will take them in serial order. The client can argue that the agency can simply put more developers on a project. So theoretically a 40-hour job could be done by 5 people in one day. This assumes that the client also has enough people to review the work being done in that day and that the work CAN be done in parallel. It is at this point that the agency has the responsibility to communicate truthfully to the client that something CAN’T be done in the timeframe the client requests.

    Next week we will dive into the Client.

  • The Wagento Approach to Customer Experience

    The Customer Experience

    Wagento’s Approach to Customer Experience

    by Brent W. Peterson, Director of Customer Experience.

    To start off, this will be a series of blog posts that will last a number of weeks. The title is not meant in any way to say this post is the end result of all our customer experience!

    To this we have learned our first lesson. Aligning Expectations. When I first published this I was told that the complete guide surely can't be a couple of paragraphs! So to help everyone understand what I am doing and what I am trying to accomplish we will walk through a number of stages in the experience and then dig deeper to see what we can learn. Along the way I would be eager to hear your feedback. This will help to shape our experience together so it is not just Brent's experience but the experience as a community. I did notice I say this at the end of this post, but some of you may stop right now and not read any farther.

    For the last couple of years I have been fixated on making the customer experience better and more specifically making it better within a project and with our project managers. It started back in 2014 when I gave a presentation at Meet Magento NYC about the idea of an open source agency. This theory looked at the idea that we share our knowledge on open source software, then why can’t we share our knowledge with our process for running an agency. Were there so many things that were proprietary that it meant we couldn’t talk about these things? If you would like to see my talk in Germany here it is:

    The talk led me to start asking questions of our own process and my next presentation was wrapped around the “Awkward Conversation.” When I gave this presentation at MagentoLive Germany I thought I would address it to merchants who would like a better understanding of how a developer or agency interacted with them. If the success of a topic can be measured on questions asked, my topic was successful. In fact, my wife was sitting in the audience and a merchant leaned over and mentioned that he had not thought about this but this is very helpful. What was more surprising was that the majority of the questions from the audience came from developers.

    For Magento Imagine in 2015 I submitted the same idea with a slight twist. I would focus equally on the merchant and the agency. Giving each equal weight. With this balanced approach, I thought I could speak to both the merchant and the developer/agency and hopefully raise some ideas that would resonate to everyone in the audience. After this presentation nearly all the questions came from developers. This could be the audience that I was put in, but what it told me is that there is a disconnect in what we as developers or agency leaders think customers want and what the customer wants.

    Over the next weeks, I will outline my thoughts on Customer experience within a project. I would like to foster an open conversation on what works and what doesn't work. You can comment freely on the post or email me privately.

  • 2016 Magento Masters and Our Very Own Mentor

    At MagentoLive France, they announced the Magento Masters program to recognize top contributors in the Magento community. We are pleased to learn that our very own Brent Peterson was chosen as one of the 2016 Magento Masters!

    What is a Magento Master Mentor? Mentors are top contributors to the Magento Community who are highly active educating others and developing resources for them. They have proven expertise in building successful Magento implementations.

    A little more about Brent and why he was chosen:

    Brent W. Peterson is the Chief Magento Evangelist and Agency Coach at Wagento. He loves to run, bike, and ski, in that order. He is often found at Magento events organizing running meetups with wife Susan. You can tweet him @brentwpeterson

    Brent was selected as a Magento Master for 2016 based on his 2015 speaking engagements on a variety of Magento topics from project management to kickstarting a Magento store, keeping the Magento community in shape by organizing running events everywhere he goes, and consistently helping the community by moderating and answering questions on the Magento Forums.

  • Security Announcement - Magento Upgrade

    Upgrade Your Site Now

    Today, we are releasing Magento Enterprise Edition and Community Edition 2.0.6, which contain important functional improvements. You can now use Redis for session storage and a file permission issue has been fixed by providing a more flexible way to set file ownership. Full details on the functional enhancements are included in the release notes for Enterprise Edition and Community Edition.

    Additionally, the release has several security improvements, including:

    • Stopping unauthenticated users from using REST or SOAP API calls to remotely execute malicious code on the server.
    • Preventing a site from being remotely triggered to reinstall itself so that the attacker can potentially take control of it.
    • No longer allowing authenticated customers to change other customers’ account information using SOAP or REST API calls.
    • Fully resolving a previous vulnerability with cross-site scripting in the Authorize.net payment module.

    More information regarding the security updates is available on the Magento Security Center.


    You are advised to deploy this new release right away. It can be accessed from the following locations:

    Enterprise Edition 2.0.6 (New .zip file installations) - My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.6

    Enterprise Edition 2.0.6 (New composer installations) - http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

    Enterprise Edition 2.0.6 (Composer upgrades) - http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

    Community Edition 2.0.6 (New .zip file installations) - Community Edition Download Page > Download Tab

    Community Edition 2.0.6 (New composer installations) - http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

    Community Edition 2.0.6 (Composer upgrades) - http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

    Community Edition 2.0.6 (Developers contributing to the CE code base) - http://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html

    If you have not previously upgraded to Magento Enterprise Edition 2.0.2 or later releases, you should review the upgrade information posted on our Security Center as there are some additional steps you may need to take. This update should be installed and tested in a development environment before being put into production. Also, please use this occasion to do a security assessment in accordance with our Security Best Practices.

    Thank you

  • Security Announcement - New SQL Injection Vulnerability

    Third-Party Themes and Extensions Are at Risk

    We recently learned that an SQL injection vulnerability has been found in several third-party themes and extensions. Extensions with the vulnerability include:

    • EM (Extreme Magento) Ajaxcart
    • EM (Extreme Magento) Quickshop
    • MD Quickview
    • SmartWave QuickView

    These extensions are used in several different themes, including Porto, Trego, and Kallyas from SmartWave. Other SmartWave themes may also be at risk. Vulnerable EM modules are used in some EM themes. The core Magento application is not impacted in any way by this vulnerability.

    We’ve received reports that the SQL injection vulnerability is potentially being exploited. If you currently use these extensions or themes, you should immediately contact the company from which you purchased the extensions or themes to request updated code. We understand that Themeforest, part of Envato Market, has already removed the vulnerability from the Porto theme, but the status of other themes and extensions is unknown.

    It is also important for you to evaluate all your Magento administrator accounts to make sure there are no unknown users and to reset all your administrator passwords. Please review the Magento Security Best Practices for more information on how to secure your site and use magereport.com to scan your site for missing patches or known issues.

    This update is part of our ongoing commitment to advise our merchants on security issues as we become aware of them. We thank you for your attention to this matter.

    Thank you.

  • We Are Magento: Imagine 2016 Highlights And Recaps

    Magento Imagine 2016 has wrapped and it appears that everyone survived! Albeit a little bit tired and a little less money in the bank, it was otherwise a success and a great time! The theme this year was "We Are Magento" and it was embraced by all who attended. This was Magento's first Imagine as an independent company so it was exciting that they celebrated the diversity, creativity, and shared passion of the thriving global community of engineers, entrepreneurs, investors, and inventors—from the trailblazing merchants who know exactly the kind of customer experience they want to create, to the technologists and innovators who help them realize their vision. Magento made some important announcements about how Magento Commerce continues to innovate to support this global community. Of course Magic Johnson wowed the crowd Tuesday night, and the parties are always fabulous, but here are other key highlights. Enjoy!

    Magento News

    Recognizing Excellence Across Our Ecosystem

    Imagine is all about recognizing the best among our merchants, partners and developers. We kicked off with awards for our incredible Magento Masters, representing the 20 most active members of the Magento developer community. Our very own Brent Peterson is right in the middle of the picture in a bright blue shirt!!

    Magento Masters

    At Imagine 2016 we talked a lot about the trailblazers of commerce. We honored the winners of the 2016 Imagine Excellence Awards, recognizing the exceptional creativity, innovation and success of merchants across the global Magento ecosystem. These trailblazing merchants who are conquering the wild country of commerce with Magento inspire us all.

    Fun Stuff and Events

    #PreImagine Cocktail Party hosted by @interactive4’s @ignacioriesco, and @magentogirl Fun was had by all!

    The Big Dam Run - which was hosted by Wagento. Rumor has it that the run was the best part of Imagine ;)

    Big Dam Run

    Lots of exciting things are happening with Magento over the next year - Cloud, B2B, Magento 2.1 (to be released in June), plus lots more! Everyone walked away from the conference with an energy and an excitement to improve Magento further and bring better technology and features to our clients' sites. Here's to 2016 being an amazing year for Magento and our clients and always looking forward to the next Magento Imagine! :)
