MediaWiki API result
This is the HTML representation of the JSON format. HTML is good for debugging, but is unsuitable for application use.
Specify the format parameter to change the output format. To see the non-HTML representation of the JSON format, set format=json.
See the complete documentation, or the API help for more information.
{
"batchcomplete": "",
"continue": {
"gapcontinue": "Speed_Up_Magento",
"continue": "gapcontinue||"
},
"warnings": {
"main": {
"*": "Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes."
},
"revisions": {
"*": "Because \"rvslots\" was not specified, a legacy format has been used for the output. This format is deprecated, and in the future the new format will always be used."
}
},
"query": {
"pages": {
"268": {
"pageid": 268,
"ns": 0,
"title": "Securing Magento",
"revisions": [
{
"contentformat": "text/x-wiki",
"contentmodel": "wikitext",
"*": "==Overview==\nMagento has a few basic things to keep an eye on to keep you and your customers safe.\n\n==Quick Wins==\n\n===Change the admin url===\nThe default Magento admin URL is /admin - although it's not a perfect solution to change this, it will stop a lot of bots stressing your server.\n\n# Edit the {{folder|/app/etc/local.xml}} file.\n# Look for <code><frontName><![CDATA[admin]]></frontName></code>\n# Change 'admin' to something else.\n# Clear the cache & login at the new URL.\n{{idea|Don't change this by editing the setting in the Magento config section - this can make it difficult to log into your site}}\n\n===Restrict access to your un-used store RSS feeds===\nIf you're like 99% of Magento stores, you're not using your Magento rss feeds.\n\nThese have some security vulnerability, so if you're not using them, disable them:\n\n<code>location ~* ^/?(index.php/?)?rss/(order/new|catalog/notifystock|catalog/review) { return 404; }</code>\n\n===Restrict access to the Magento Connect page===\nThe default URL for this is /downloader; this is a classic target for people trying to get in. Once in, people could install an extension which allows total access to the attacker.\n2 different ways to protect this:\n\n====Move the /downloader folder====\n# Just move it outside the web root. When you need it again move it back in.\n\n===Check your admin logins===\n* Remove any that aren't in use (these easily build up with old team members, 3rd party access, etc)\n* Check the usernames\n:* remove or change any like 'admin','aheadworks','amasty','magestore','mirasvit'\n:* remove or change any 'one word firstname' like 'John', 'Jane'\n* Change the passwords on a regular basis, if possible (by regular, at least once every 6 months or so).\n\n===Restrict access to specific IPs===\n#'''If you're using Nginx:'''\n##Edit your /conf.d files, inside the <code>server {</code> block, to include this:\n##:<code>#block access to downloader</code>\n##:<code>location /downloader/ {</code>\n##:<code>allow 11.22.33.44;</code>\n##:<code>deny all;</code>\n##:<code>}</code>\n##:''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.''\n##:Remember to restart Nginx after editing this.\n#'''If you're using Apache:'''\n##Edit your {{folder|/downloader/.htaccess}} file to include these lines:\n##:<code>Order deny,allow</code>\n##:<code>Deny from all</code>\n##:<code>Allow from 11.22.33.44</code>\n##:''Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.''\n\n\n===Check Your Server===\n\nIf you're on a managed host, all good.\nIf you're on a server that you're managing you'll want to check that you have secured the server inline with best practices for your specific server type.\nIt's beyond the scope of this article as it's such a huge area, but couple of ideas:\n\n\n====Check File Ownership====\nIf you get errors uploading files, especially when upgrading, you'll want to check the file permissions.\nIf you're uploading via FTP and easy way is to create a file and check the ownership of that file.\n\nThen go into the part of the server where Magento is located and set the recursive ownership:\n\n<code>chown -R {server user name} .</code>\n''Replace {server user name} with the actual user name.''\n\n\n====Check File Permissions====\nThis is a pretty standard set of file permission resets:\n\n<code>find . -type f -exec chmod 400 {} \\;</code>\n\n<code>find . -type d -exec chmod 500 {} \\;</code>\n\n<code>find var/ -type f -exec chmod 600 {} \\;</code>\n\n<code>find media/ -type f -exec chmod 600 {} \\;</code>\n\n<code>find var/ -type d -exec chmod 700 {} \\;</code>\n\n<code>find media/ -type d -exec chmod 700 {} \\;</code>\n\n<code>chmod 700 includes</code>\n\n<code>chmod 600 includes/config.php</code>\n\n{{idea|Top Tip: Install fail2ban and check it's working}}\n\n\n====Install Fail2Ban====\nThis is an easy one - if you've not got this running, and then install it, it's not uncommon to see thousands of IPs immediately blocked.\n\nThere's a good guide to this over at [https://www.linode.com/docs/security/using-fail2ban-for-security Linode].\n\n====Ban bad IPs====\nYou might spot some IPs repeatedly having a pop at your admin logins. Probably best to show them the door.\n\n#'''If you're using Nginx:'''\n##Edit your /conf.d files, inside the <code>server {</code> block, to include this:\n##:<code>location / {</code>\n##:<code> deny 11.22.33.44;</code>\n##:<code> deny 22.33.44.55;</code>\n##:<code>{</code>\n\n(Change 11.22.33.44 etc. to the IPs that are keep trying to get in)\n\nHow to see which IPs are trying to get in? Easiest way is with slackCommerce:\n\n===Install [https://www.moogento.com/slackcommerce slackCommerce]===\n\nslackCommerce has an option to send an instant message whenever there is an admin login fail.\nThis works for both attempts to the login page and to the downloader page.\nIt's a free extension and will take the worry off needing to check emails constantly to see if there are any breach attempts.\n\n\n\n[[Category:Extension Setup]]"
}
]
},
"446": {
"pageid": 446,
"ns": 0,
"title": "Sending Reliable Emails With Magento",
"revisions": [
{
"contentformat": "text/x-wiki",
"contentmodel": "wikitext",
"*": "__TOC__\n\n{{idea|We can help you get this setup, just get in touch for a quote :)}}\n\n\n\n\n\n\n\n\n\n\n==Email basics==\n===Background info===\nSome basics to start with:\n# PHP (which Magento runs on) used to be able to send emails via one-line of code.\n# This was a major cause of global spam (as it didn't need a user/pass to send).\n# Most receiving email servers will now flag any email sent like this as a major spam flag.\n#: ''* ie. there's a high chance your emails won't be delivered.''\n#: ''* If you're also sending (non-Magento) business email with the same sending domain (eg. your-site.com), there's a good chance the delivery of those emails will also be impacted, due to the flagging of other emails.''\n# A lot of hosts will also block emails sent that way from being sent, so that their servers aren't blacklisted.\n# Default Magento sends emails with this system.\n# That's right. If you haven't specifically added a way to authenticate (with user & password) the emails you're sending with Magento, then it's likely that both transactional emails from Magento, and your regular company emails, are not all being delivered.\n\n===Check your current status===\nHave a quick check to see if your domain is blacklisted:\n[https://mxtoolbox.com/blacklists.aspx Email server blacklist checker]\n\nHere's an example of a blacklisted email server (this domain will have deliverability issues).\n[[File:email-blacklisted.png|link=|500px]]\n\n==Action plan==\n===Use a separate sub-domain to send emails===\nYou should use a different subdomain for transactional emails, marketing emails, and business emails.\n\nThe aim here is if one get's blacklisted, the other ones can carry on.\n\neg. if your site is example.com then you might want to setup subdomains for:\n\n# Optimal:\n## '''e.example.com''' ''(transactional emails)''\n## '''e.example.net''' ''(marketing emails)''\n## '''mail.example.com''' ''(main biz emails)''\n#:\n# Good:\n## '''e.example.com''' ''(transactional emails)''\n## '''email.example.com''' ''(marketing emails)''\n## '''example.com''' ''(main biz emails)''\n\nIf you're not familiar with setting up DNS for different subdomains, I recommend checking [https://dnsmadeeasy.com/ DnsMadeEasy.com]. Your main domain registrar likely also has the ability to setup and direct multiple subdomains.\n\nCheck that you can send & receive email at each of those (sub)domains.\n\n===Setup an email sending service===\nYou now need to setup an email sending service for your transactional emails (ie. the emails that Magento sends). \n\nThese guys ensure the email servers are live, off blacklists, and generally make sure your emails get sent.\n\nI recommend [https://app.mailgun.com MailGun] but there's a bunch out there, eg. Mandrill, SendGrid.\n\nYou'll need to configure some settings in your DNS provider (dnsMadeEasy or your domain registrar) to verify your ownership to Mailgun.\n\n===Setup Magento to connect to Mailgun===\n# Get Magento connected to your email sender\n#: ''* I recommend [http://www.aschroder.com/product/smtppro-magento-smtp-email/ SMTPpro]. It's a free plugin and works great.''\n# Once you've got it installed, head to the config section of that plugin and enter your MailGun settings.\n# Check it's all working - make a test order, check that you get the correct emails.\n# Log into MailGun and check the activity, check you see the emails you're expecting to see\n#: ''* This is going to be useful in the future if you think you have email delivery issues - you can see exactly what has been sent to who, from Magento.''\n# In your receiving email app (where you are receiving the test transactional emails), look at the raw message contents. Check that everything looks as you want it to, as a representation of your business (eg. sender name, reply-to email, etc)."
}
]
}
}
}
}