Tuesday, August 24th 2010


WordPress – PHP Fatal error: Call to undefined function get_option() in admin
posted @ 8:51 am in [ Fixing Things -Web Design -WordPress ]

For us, this was a strange problem on FreeBSD: even with a vanilla install of the latest version of WordPress the error still occurred, and we got a white screen when trying to log in to our admin area.

It seems to be caused by FreeBSD incorrectly thinking that the required files have been included as asked for in PHP using a require_once function.

So to fix it we manually added the wp-includes/functions.php file and changed the existing require_once for wp-load.php in ‘wp-admin/admin.php’ to be:

[modified wp-admin/admin.php lines 20 and new line 21]

require(dirname(dirname(__FILE__)) . '/wp-load.php');
require(dirname(dirname(__FILE__)) . '/wp-includes/functions.php');

[original for reference line 20]

require_once(dirname(dirname(__FILE__)) . '/wp-load.php');

Problem solved!




Friday, August 20th 2010


Magento Site Performance
posted @ 8:57 am in [ Apache -Fixing Things -Hosting -Magento -Media Temple -PHP -Technology -Web Design ]

Magento, the e-commerce platform (available in a Community version) that we are using at Skywire for a number of our client builds, is incredibly feature rich, but with all of these features comes the trade-off that to get any kind of speed out of the system you need either SERIOUS server hardware or an awful lot of performance tuning.

To be honest it can run like a real dog if you don’t really work at it!

Well, we like to make things work hard at Skywire, so we went on a journey of discovery on how to make Magento fly, and here are our findings to share with everyone else.

1. Server software selection and tuning

Lots of articles out there about this around the web, but you can sum it up in a few points really.

- Which webserver (Apache vs. Lighttpd vs. Nginx) and how many threads for that webserver you need. Interestingly, against every article out there, Apache 2 was faster for us than Lighttpd and Nginx, but I think this was to do with the PHP CGI access the other two were using being slower on our Media Temple server

- Fine tune your MySQL database – we found that the two great scripts mysqlreport and mysqltuner are your friends here

- Get rid of any other processes you don’t need that get in the way (xinetd, SpamAssassin etc.)

2. Turn on lots of Caching

Magento has caching so turn that on for starters, and then get a minify type plugin (there’s lots of them out there but ) to complement that and join all of your CSS and JS into a single compressed file.

Install a PHP byte code caching system to cache the compiled code generated by PHP – we used XCache as it was available via yum, but eAccelerator gets good reviews too [although it just hung in our environment].

3. Turn on the Page Compilation feature in Magento!

Yes, I know it’s labelled as Beta, and yes, I know it falls over most of the time you run it, but if you run it from the command line as the same user that owns your web files then it works just great, creating a new single directory in /includes/src containing flattened copies of all your Magento files with the naming format directory_directory_etc_filename.php

This shaved at least 1 second off of every page load for us (amazing but true); however, it was a job to install as it ignores any modules installed in /app/code/community.

No worries though, you can work around this by just copying the whole module directory to the /app/code/local directory and rerunning the compiler and then it works great.

4. Load your Magento cache directories into a memory filesystem

It sounds a strange thing to do, but you can load your /var/cache/ directory into a memory based ‘tmpfs’, which makes it much faster. You can also move your sessions to your database instead; however, this slowed things down for us so we left them as files.

Summary:

So once you’ve done this on a mid-spec Media Temple DV server you can reduce page times from about 10 seconds down to just over a second, which believe me seems fast compared to how clunky Magento can be when running. Have fun!

References:

Magento performance and optimization

http://www.magentocommerce.com/group/view/168/

How do I use the inbuilt magento profiler to see bottlenecks?

http://www.magentocommerce.com/group/blog/action/viewpost/1405/group/168/

Magento Compiler – Improve your performance

http://www.magentocommerce.com/group/blog/action/viewpost/1243/group/168/

9 Methods to Speed Up Magento – A Guide to Making Magento Faster

http://www.blastedthing.com/magento/questions/mag-9-methods-to-speed-up-magento-a-guide-to-making-magento-faster/

Magento performance hosting

http://yoast.com/magento-performance-hosting/

Magento Site Performance Optimization

http://www.yireo.com/tutorials/magento/magento-spo#compress-output-in-general

Performance is Key! – Notes on Magento’s Performance

http://www.magentocommerce.com/blog/comments/performance-is-key-notes-on-magentos-performance/




Friday, June 18th 2010


The dangers of $REQUEST_URI ….
posted @ 3:09 am in [ PHP -Technology -Web Design -osCommerce ]

One of the recent reasons we were failing PCI compliance with some of our sites is that our forms that submit to themselves, namely those with code at the top and HTML at the bottom, use the PHP $REQUEST_URI to get their own URL as the action for the form to POST back to.

Now… the reason this is dangerous is that it includes all the query string parameters too, so if you add code after the query string it gets included in the page = BAD

So…. how do we fix it?

The trick is to use the parse_url() function in PHP to ONLY grab the main path of the page itself rather than all the query strings.

So if we use

action="<?php echo parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH); ?>"

then we fix the security loophole above and happy days :-)

Additional: If we want to get the complete URL just without the query string we can tokenize the string using strtok as follows:

action="<?php echo strtok($_SERVER['REQUEST_URI'], '?'); ?>"




Wednesday, March 10th 2010


More Plesk 9.2.3 PCI Compliance fixes on CentOS 5
posted @ 8:38 am in [ Fixing Things -PCI Compliance -PHP -Technology ]

Plesk is a right pain when it comes to having your site successfully audited as being PCI compliant, as it has its own versions of everything that it uses, which you need to patch/fix/SSL upgrade or disable.

Luckily most of these are started with the xinetd daemon, so for SMTPS certificate problems (port 465 if my memory serves me correctly) simply create a folder to move the ones you don’t want into (in my case I used /etc/xinetd.disabled) and move the following files out of /etc/xinetd.d

mkdir /etc/xinetd.disabled
mv /etc/xinetd.d/smtps_psa /etc/xinetd.disabled/.
mv /etc/xinetd.d/submission_psa /etc/xinetd.disabled/.

and restart your xinetd

/etc/init.d/xinetd restart

Then the last tasks should be to create valid SSL certificates for Qmail and disable weak SSL ciphers in Plesk.

To disable weak SSL ciphers in Plesk, edit the Plesk config file

/etc/sw-cp-server/applications.d/plesk.conf

and add the following line

ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

so the file will now look like this

include_shell "/usr/local/psa/admin/conf/ssl-conf.sh"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
index-file.names = ("index.php")

Creating Qmail self signed SSL Certificates is best illustrated at the following guide http://www.akadia.com/services/ssh_test_certificate.html

References:
How to create a self-signed SSL Certificate
How to find out which process is listening on which port
port 8443 medium strength SSL ciphers in Plesk
Generating QMail SSL Certificates




Monday, January 18th 2010


Confusing SSL with mixed IP addresses
posted @ 8:21 am in [ Apache -Fixing Things -Hosting -PHP -Technology ]

SSL throws a weird error in that if you have http (port 80) bound to one IP address [say an internal one] and you bind https (port 443) to a different IP address [say an external one] then SSL throws the following very undescriptive error:

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

To fix, edit your Apache configuration file in /etc/httpd/conf/httpd.conf (or similar) and make sure that both virtual hosts have the same IP address – job done :-)

references: here and here




Friday, December 11th 2009


UKFast – Installing cPanel on fresh CentOS x_64
posted @ 10:28 am in [ Apache -Hosting -PHP -Technology -Web2.0 -osCommerce ]

We’re just starting to move one of our clients, Merc (http://www.merc.com/), onto a new webserver, as their site has been doing so well that it needs a faster, more optimised server to cope with the traffic, and we went with a new Cloud CentOS x_64 server from UK Fast for a very reasonable £70.00 odd per month.

The server seems lightning quick, which is great, but it didn’t come with a nice install of Plesk or cPanel or similar, so we decided to install cPanel.

It’s actually really easy to do – just follow this really helpful guide here from Network Data Center in the US and you are up and running with a full blown cPanel in a couple of hours.

Job done! :-)

References:

https://helpdesk.ndchost.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=25




Thursday, October 29th 2009


Fixing cross-site scripting attacks in PHP for PCI Compliance
posted @ 9:49 am in [ Fixing Things -Technology -Web Design -Web2.0 ]

More PCI compliance checks meant that we found a number of scripts in some of the simpler pages on our sites (email register, for example) were open to possible cross-site scripting attacks.

(see the Wikipedia entry for a pretty good explanation of what they are and why you need to fix them http://en.wikipedia.org/wiki/Cross-site_scripting)

Anyway – here’s the quick code to fix pretty much any form using htmlspecialchars to encode the input.

Original: (note the weakness in using REQUEST_URI here)

<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>" id="registerTop" class="smallForm">

Fixed: (note the replacement of REQUEST_URI with PHP_SELF to stop injection of different pages)

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" id="registerTop" class="smallForm">

Happy days – PCI test passed :-)
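
The form-action fix from this post and from the $REQUEST_URI post further up this page, side by side as an added example (not the blog's own code): the unescaped 'before' form next to a path-only version and a PHP_SELF version, both passed through htmlspecialchars. The function names and the two request arrays are constructed for illustration.

```php
<?php
// Added example: the request values below are constructed, not taken from the blog.

// 'Before' form from the posts: REQUEST_URI echoed as-is, query string included.
function action_raw(array $server): string
{
    return $server['REQUEST_URI'];
}

// Path only (parse_url drops the query string), then HTML-escaped for the attribute.
function action_path_only(array $server): string
{
    $path = parse_url($server['REQUEST_URI'], PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        $path = '/'; // parse_url() gives false or null for a URI it cannot split
    }
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// PHP_SELF as in the 2009 post: it can carry trailing path info, so escape it too.
function action_php_self(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
}

// Constructed requests: markup placed in the query string, then in the path.
$requests = [
    ['REQUEST_URI' => '/register.php?ref="><b>injected</b>',
     'PHP_SELF'    => '/register.php'],
    ['REQUEST_URI' => '/register.php/"><b>injected</b>',
     'PHP_SELF'    => '/register.php/"><b>injected</b>'],
];

foreach ($requests as $server) {
    foreach (['action_raw', 'action_path_only', 'action_php_self'] as $build) {
        printf("%-17s <form method=\"post\" action=\"%s\">\n", $build, $build($server));
    }
    echo "\n";
}
```

Only action_raw lets the constructed markup through to the page; the other two either drop it with the query string or emit it as inert HTML entities.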




Thursday, October 29th 2009


Just in case you wondered who was responsible for all of IE6’s bugs…
posted @ 6:49 am in [ Technology -Web Design -Web2.0 ]

I found this last night while scanning for another document: the thank-you note Microsoft sent me for being one of the beta testers on Microsoft Internet Explorer 4 (IE4)!

Obviously I didn’t do a very good job as IE5 and IE6 both turned out to be horribly buggy browsers, but then again they didn’t pay me for the pleasure so it can’t be all bad :-)


MicrosoftIE4BetaTestersLetter




Tuesday, October 20th 2009


Plesk error 500 and [apc-error] apc_mmap: mmap failed: No space left on device
posted @ 10:55 am in [ Media Temple -PHP -Technology -Web Design ]

Upgrade Plesk 8.0.3 to Plesk 9.0.x on a Media Temple DV server and it dies :-(

Error 500, nothing in the log files, nowhere to turn.

Anyway… after a chunk of digging around, the problem turns out to be running out of memory on the container that Media Temple allocate for the DV server.

So… you can fix it by lowering the PHP memory requirements in the Plesk 9 php.ini file


cd /usr/local/psa/admin/conf/
vi php.ini

Then the setting you want to change is apc.shm_size from the default setting of 40 (Mb?) to 10


apc.shm_size = 10

And then check Plesk to see if it is working


/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm

..and with a bit of luck you should be away! More details in a good discussion on the Plesk forums here




Monday, October 19th 2009


How To Virtualize Any OS For Free
posted @ 6:53 am in [ Technology -Web Design ]

Boot IE6 or IE7 virtual machines on your Mac like our team do without needing to pay Parallels a penny!

http://gizmodo.com/5383982/how-to-virtualize-any-os-for-free

Awesome :-)
