Server Hacked Thanks to Insecure PHP Script

September 7th, 2010 by Chris

I get frustrated sometimes. I run my business, and I probably really could benefit from hiring out more of the work instead of doing it myself, but I have gotten burned so many times. People walking off without finishing jobs, cash in hand, I’ve probably lost $10,000 through the years to that problem. That is like a small car being stolen. Or I end up with people providing substandard work, vastly reducing the value I get for my dollar. It doesn’t seem to matter if I take a low bid or a high one, I’ve gotten burned both ways.

I had hired through elance a company called Value on Web to do some programming for me last year. They had good feedback and lots of completed projects, including one just like what I wanted. Their bid was not even close to the lowest.

Look at this code they did:

if ($_POST['submitForm'] == "yes") {
if($_FILES['store_image']['size'] >0){
$image1 =date("Ymds")."_".$_FILES['store_image']['name'];
//@resize_img('../store_pic/'.$image1,150,100, false, 80, 0, "");
//@resize_img('../store_pic/thumb/'.$image1,52,100, false, 80, 0, "");

This is a bit of a script to handle an uploaded image.

These so called professionals thought this was good enough, can anyone see the problems?

You absolutely always need to check what sort of file is being uploaded when you accept uploads or you could unwittingly allow people to upload malicious scripts and code. You can check the mimetype of the file, and definitely the extension. If the file is not an image mimetype, reject it. If the file does not end with (not include, but end with, otherwise someone could upload image.jpg.php) .jpg (or .gif or .png, etc) reject it. Also, have the system generate the filename randomly, so the user cannot access it after upload.

This isn’t a secret, this isn’t complicated code, had they done a basic google search for how to do a php image upload they would have found numerous examples of code that they could copy and paste that would do this. They were just lazy, or they didn’t know any better. I’m not sure which is worse.

I expect when I pay thousands of dollars to a company I don’t need to go over every line of their code to make sure it works, if I need to do that, I might as well just code it all myself.

So, my server was hacked, website homepages were defaced, and I spent an evening cleaning it up. The extent of the infiltration was such that I am no longer comfortable with this server, it is tainted. So I’ve decided to get a new server and migrate all sites. Thankfully cPanel/WHM has AWESOME migration tools that can move a site in minutes instead of the hours it used to take me manually. This is hugely beneficial when you have many sites. Also, the server was 4 years old so probably about time to get a new one anyways, and because of Moore’s law and whatnot, my new server will be 3x more powerful for the same monthly price.

Don’t think that this can’t happen to you, it can. Botnets scour the Internet for insecure forms, no matter how small and insigicant your site is you can and will be targetted because everything is automated. I believe most servers end up probed within minutes of being hooked up to the Internet.

The Coming 1099 Avalanche

August 26th, 2010 by Chris

The ObamaCare bill is full of crap. Any time you have something so long that “you have to pass to find out what is in it” you’ll find crap.

Included in the bill is a new requirement that would make all businesses send 1099 forms to all providers of goods and services who you spend more than $600 with, starting in 2012. Currently you have to send them only to contractors really, and those who are not incorporated.

So, you will need a W9 form from every company you do business with. If they fail to provide it you will be legally obligated to withhold a portion of their payments. So if Vonage fails to provide me a W9 I am legally required under federal law to withhold payments to them. Do you think I’ll still have phone service after that?

Imagine you’re a trucker, and every single gas station you stop at along your route you need to get a W9 form from them. Seriously? Yes, seriously.

If you take clients out to dinner or lunch a lot at one restaurant, gotta get it. Your ISP, your host, anyone you buy inventory from, the gas company, the water company, the electric company.

You have to accept W9s from all these places, then file 1099s at the end of the year. The paperwork burden on employers alone has to be enough to move our GDP.

Some people say it could result in a billion, yes, with a b, additional papers being sent to the IRS in January. The IRS will have to hire more people just to deal with these billion pieces of paper. I kinda think they should rename the bill to the “Accountant and Postal Service Full Employment Act” or something like that. What is a stamp times a billion?

Can you imagine a truly big company, perhaps one that did B2B selling. You could be dealing with hundreds of thousands or millions of forms. 1 per customer, 1 per supplier. How many trees must we kill?

Apparently, lawmakers, and I use that term loosely, from both parties hate this provision, which had they read the 2400 page monstrosity they might have seen it, and they pledge to repeal this. What if they don’t? What if they get too busy worried about baseball players taking steroids or scoring political points? Are you ready to start doing this crap?

This is the problem with big bills and big government people. If I were president I would tell congress keep it under 100 pages or it always will be vetoed. No one in Washington has ever heard of K.I.S.S. and when you have ridiculously complicated bills, that the people voting on don’t read, you will always have unintended consequences. This is just one, there are many more, there are most assuredly even more we don’t know about yet.

Write your representatives people, make sure they don’t forget to repeal this stupid requirement, or find yourself spending more and more of your productivity pushing paper around. I wonder if it would be possible to measure what percentage of our GDP is just pushing paper.

Bing to Power Yahoo Next Week

August 17th, 2010 by Chris

I just got an email from Microsoft informing me that Yahoo’s search engine is going down next week, to be replaced with search powered by Microsoft’s Bing, as announced in a deal long ago.

The changes will finally be live.

I for one am ecstatic.

Yahoo has always provided subpar results for me, my sites do not rank nearly as well. Their directory has also failed in usefulness, and it is their own fault for devaluing it. Their crawler, Slurp, is also annoying.

Just as one example, on Google and Bing I am #2 for william shakespeare, second only to wikipedia, I actually was #1 before wikipedia went to nofollow (I had 1500 links from wikipedia, it was good). I’ve been ranked this well for years and am well established. On Yahoo? I’m #9.

This pattern is true over all of my search results. Yahoo is always about a page behind, at least. I overall find Yahoo algorithm to reward spammy links more, which is something I don’t generally engage in. There is not a single listing on any site of mine that I track that I do better in Yahoo than in Google or MSN.

So I’ll hopefully have Slurp sucking down less resources, and get more traffic from Yahoo at the same time. This is good. Soon Yahoo’s horrible search marketing program will die as well, also good. I’ve already posted previously why Yahoo is the worst company on the Internet, and I firmly believe it. I will have to have a little celebration tonight to ring in the demise of their search index.

Server Attack from WinHttp

July 30th, 2010 by Chris

Something is going on with the server this site is on right now. I’m getting thousands of requests with user agents of Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), which would appear to be scrapers, but it is very very difficult to ban them, because they’re coming from thousands of different IPs. All trying to view a few pages (not even all the pages) just a few on this site, over and over.

Anyone got advice?


So I think I got the attackers blocked. I don’t think it was malicious, in that I was the target, it was obviously a botnet of some sort, but why would they try to shut WSP down? It makes no sense, this is a tiny site.

I saw a lot of examples on the Internet on message forums to just do this:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^WinHttp
RewriteRule ^.* – [F,L]

I didn’t know you could use mod_rewrite on user agents like that, but I guess it makes sense. Maybe I had learned it at one point and forgot, probably the likely scenario.

Anyways, the above will not work, despite the fact I saw that example, or ones like it, plastered everywhere. I think people were parroting other people and they didn’t really understand it.

I definitely do understand regular expressions though, so when trying that and finding it doesn’t work, and then swapping “WinHttp” for “Mozilla” and being blocked myself to verify the code works in theory, I took another look at it.

The ^ symbol denotes the beginning of a line in a regular expression. If your user agent begins with “Mozilla” and you try to block “^Mozilla” it will work. But if the keyword you’re after is further down the line, you need to accomodate it by telling the regular expression other characters can appear between the start (^) and the word you want.

In regular expressions a period matches any character and an asterisk matches the previous character any number of times. So .* matches anything to any length.

As such I changed my code to this:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^.*WinHttp
RewriteRule ^.* – [F,L]

And it works, the bots are blocked. Happy days. I can go do other work now.

An Obvious Case of Credit Card Fraud

May 19th, 2010 by Chris

Check out my credit card logs for one of my ecommerce sites.

2996091721 12349 Captured/Pending Settlement 19-May-2010 05:21:48 Sadchik, Nikola V XXXX5834 USD 321.08
2996091247 12348 Declined 19-May-2010 05:21:00 Sadchik, Nikola V XXXX1251 USD 321.08
2996090463 12347 Declined 19-May-2010 05:19:43 Sadchik, Nikola A XXXX1006 USD 321.08
2996089776 12346 Declined 19-May-2010 05:18:31 Sadchik, Nikola V XXXX3056 USD 321.08
2996089396 12345 Declined 19-May-2010 05:17:52 Sadchik, Nikola V XXXX2150 USD 321.08
2996087233 12344 Declined 19-May-2010 05:15:10 Sadchik, Nikola V XXXX4741 USD 321.08
2996086915 12343 Declined 19-May-2010 05:14:35 Sadchik, Nikola V XXXX0838 USD 321.08
2996086430 12342 Declined 19-May-2010 05:13:37 Sadchik, Nikola V XXXX6155 USD 321.08

This has a Russian billing and shipping address, and as a rule I never ship to Russia. I have never had a legitimate order from Russia, the few I have shipped in the past all turned out to be stolen credit cards, so now, I never do. There are many countries I will not ship to because of the risk of credit card fraud.

Anyways, so I had this order come through and while I wouldn’t ship it anyways just to check I pulled up my credit card transaction logs. What do you know but this guy tried to place his order 8 times with 8 different credit cards, the first 7 of which were rejected. What are the chances he is legitimate? Next to 0 to be sure.

One thing that annoys me immensely about credit cards in general is that banks seem so apathetic about stopping fraud. I honestly think Visa and Mastercard could care less about credit card fraud. Merchants are the ones who fit the bill, they make their money even off a fraudulent transaction, so what do they care?

For instance, I catch fraud all the time doing my manual reviews, but there is absolutely no one who I can report it to. You’d think it’d be really really easy for the credit card companies to setup a website or a phone service where merchants could phone in suspected stolen credit cards. But there isn’t, not for Visa and Mastercard I can call my merchant provider to ask them to stop any transaction, but that just shelters me. I can lookup the card issuing bank and try to contact them (which is a pain if they are foreign) and warn them, but I need to speak the language, and it isn’t always possible to look it up or get an accurate phone number. With American Express there are numbers I can call, both to verify international addresses and report fraud, but not for Visa and Mastercard.

This is the computer age, why can’t they provide such an automated service?

Anyways, credit card fraud is often this obvious, if you’re the least bit diligent you can usually avoid most of it.

The card that finally worked in this case turned out to be from an Australian bank, so because there is no language barrier I decided to call them and let them know to block that customer’s account, my good deed for the day.

On Website Valuation

May 18th, 2010 by Chris

I think, perhaps, people in the know about websites really have a golden opportunity in current times to buy good assets for cheap.

I invest a lot in real estate, and of course in websites, and I see a lot of parallels. They are both properties that can provide almost completely passive income.

Where they differ is in price, and real estate, even today, after the crash, is far far far more expensive than a website, on an income valuation basis.

Even if you consider all investments, a website is one of the cheapest.

Now sure, some people will claim websites are cheap because there is risk. Well, where have you been the last two years if you don’t think there is risk in real estate, bonds, or equities?

Others will claim that managing a website requires time, and that is true, but how much depends largely on the type of website. A blog will languish without regular updates, and that will take time, a generic resource site though can coast on autopilot for years, earning you passive income.

A typical yield on a corporate bond might be 5%, a yield on a US Treasury bond is too low to even consider right now. A bond provides no protection from inflation, but also very low risk. A yield on a higher yielding equity can also be 5%, and that does include some protection from inflation, but the yield can also go down, so there is added risk. But you also have the chance for capital appreciation. The highest yielding equiting, REITs and MLPs and some Preferreds, might yield 10%.

A yield is how much of your initial investment you get back each year. So on $50,000 at 10% you would get $5,000 a year, at 5% just $2,500 a year.

There are also tax implications, the tax code is scheduled to change a big deal in regards to most of it so it probably isn’t worthwhile for me to give specifics, but if you’re in a higher tax bracket, in a couple years you may end up paying 44% of your dividends in taxes. It makes very little sense for investments to be the most highly taxed form of income (because then you’re just discouraging investment, which hinders job growth and business expansion) so I’m sure congress will act, but right now, that is what you’re looking at (before any state or local taxes too).

Now, with real estate. Most banks require 25% down for an investment property, and it is hard to make a profit on rent unless you’ve owned the property a long long time. So in general you break even on the rent and your profit comes from the equity you’re building as your tenants pay down your mortgage.

If your property costs $100,000 and goes up in value at 2% a year you’re gaining $2,000 a year (the first year) in additional equity. Meanwhile, if you’re on a say 30 year mortgage (at $75k) you’re also gaining equity of, on average (I don’t want to figure amortization for this example) $2,500 a year, as your tenants pay down your mortgage. Meaning your total equity gain is $4,500, or 4.5% of your total house value.

However you didn’t pay cash for the entire house, you used leverage, debt, to get it. So to calculate your true return on investment you take the equity gain vs. your downpayment or whatever you put into the property and that gives us an 18% yield. Way better than stocks or bonds.

You of course have to deal with being a landlord, which isn’t for everyone, but the potential for returns is much greater (so long as you don’t overpay in the first place, which is what so many people did during the bubble).

On the tax front, real estate acts as a tax shelter for people with lower to middle incomes, and even people in the highest tax bracket can still use it to shelter some income. So long as you don’t sell the property your tax exposure will be very limited to nothing. When eventually your loan is paid off you can even refinance and the bank will hand you a big fat check, which you can just pocket as return of capital, no tax required.

The big downside of real estate is that your money is locked up for decades, it isn’t a liquid investment.

So bonds get us 1-5%, stocks 5-10%, and our real estate example nets us 18%. What about websites?

Well, think of a website as a rental unit where you have no tenants to worry about, never have any vacancies, and where the rent is paid to you by advertisers or consumers doing shopping.

The typical valuation tossed around is two years of profits, which I find ridiculous for all but very speculative websites, unoriginal ones, ones just this side of copyright law (or breaking it), websites that have only existed for two years or less. 90% of websites you see for sale fall into this category, I don’t bother with them in general, but I suppose that valuation is fair for them.

But for legitimate unique established websites that valuation is way to cheap.

I recently bought a website for $50,000. The website should make at least $20,000 this year in profit, which is a little bit better than what the previous owner was getting but I added some content and some ad units (and will be doing more). In the end I paid about 3x yearly profits of what it was getting for him, or 2.5x what it will be getting for me. This website is a passive resource site that requires no regular updating or maintenance and that has been around for almost 10 years, with wide and varied sources of quality incoming links.

It is very easy to figure that I’m getting a yield on it of 40%, which kicks the pants off real estate and stocks. Why would my yield be so much higher? Because it is a riskier investment? If this were a bond and it was yielding 40% that would mean that most investors were predicting the bond issuer would go bankrupt within 3 years. What do you think is the chance that my website would lose 100% of it’s value in 3 years? There is hardly any one force that could remove 100% of a website’s value, even an across the board Google ban will still allow you to get traffic from MSN and Yahoo and whatnot, the website might still make money. And, since you’re buying a well established site, and assumingly not changing it a whole lot, what would be the risk of suddenly now for no apparent reason it gets a ban?

I got a good deal, and there were other bidders, who refused to pay more than 2x annual profits, they needed a 50% yield or nothing.

I regularly get offers to buy certain of my websites and they often limit themselves to this stupid metric as well, and I tell them no thanks. You have to think of opportunity cost. Suppose I own a website that makes $100,000 a year, and I’m offered $200,000 for it. Since I am not in debt and needing a bailout or otherwise am I distressed seller I have to think about what I could do with that $200,000. Leaving taxes out of it, I could invest that $200,000 in real estate and make a 20% return, but my money would be tied up in it, still, it’d be $40,000 a year in equity, and all the headaches of being a landlord. I could invest it in a bond or equity or something yielding say 5% and make $10,000 a year, completely passive, no work on my part, and some chance for capital appreciation.

Or, I can keep the website, let it yield 50% for me, and have chance for further capital appreciation.

This is not a hard decision, especially when the website in question doesn’t require regular updating (which is the case for most of my websites).

Even a dropship ecommerce business might not require more than 30 minutes of work a day, which is certainly worth maintaining a 50% yield.

I can’t explain the prices some websites sell for, my only thought it is must be a combination of distressed sellers, and of the fact that buyers need to be specialized. Anyone can buy a website, but 99% of the population doesn’t understand how to run one, so there is a knowledge barrier, and that allows investors to get a massive yield premium.

So, as I said in the beginning of this post, if you know how to do it, investing in websites is a good idea.

Oh, before I forget, on the tax front, websites are much like real estate. Assuming you have a logical business formation like an S-corp you will not need to pay medicare and social security taxes on your business income. You will also be able to depreciate the cost of your website purchase over time. The fact that the website is bound to make more money than the depreciation (which is unlikely with real estate) does mean it’ll increase your yearly tax burden, but that should be seen as a good thing, not a bad thing. The biggest difference is you’ll probably be unable to find a bank willing to finance the purchase of a website, so you can’t use leverage to goose your yield.

X-Cart 4 Review

April 18th, 2010 by Chris

I was asked by the people at X-Cart to review their software, I was given a free license for X-Cart Pro 4 and went at it, though, I didn’t really need the “pro” version, the Gold would have done fine.

The install was simple an easy, there was one issue I had where I thought I had the Gold install and so was following the wrong directions. Partly because the customer control panel of their website is not very intuitive as far as downloading software and downloading directions, they’re often stored in different places. It would seem to me they allowed complexity to be the enemy of usability.

Support was excellent though, I just told them the issue and gave them FTP details and they fixed it for me, which is nice service.

During install it asks you for the layout you would like for your store from some default templates, but it gives you no thumbnails or anything, so you really have to guess, which is really annoying.

So right as I was getting ready to do this review the first time they announced another update, great I thought. I login to their member’s area and look for upgrade instructions, and again depending on where you look they are different. So I found instructions to get an upgrade pack, they tell me to go to the “My Licenses” page, click on get an upgrade pack, and select the versions and whatnot. The problem is, the best upgrade pack listed is fom 4.2.2 to 4.2.3, there was no upgrade pack for 4.2.3 to 4.3.0, the most recent update. So, basically, the official instructions for upgrading were incorrect.

Then I found another set of instructions telling me to upload a dozen or so .sql files then run them to change the database, then to upload all the files from a 4.3.0 distribution, then install it, but indicate a setting during install to let it know the database had already been done.

Well, I didn’t do that because last time I upgraded by just uploading files everything broke and I couldn’t login to the admin area on the site.

Since I hadn’t really started building the site yet, I decided to just delete everything, and do a fresh install. Because, quite frankly, I was afraid to do anything else.

I get the impression x-cart is put a lot of thought into upgrading, but I also get the impression they’re making it far more complicated than it needs to be.

I thought the software was to include the ability to print UPS etc labels directly from the cart, it does not. To set up UPS it makes me register for UPS instead of just configure, maybe I already have a UPS account? That seems short sighted. Then the options provided for the setup are less than I’ve seen in most other carts. It will not let me define a shipped from zip code to use with the UPS module, uses store contact zip code. Store office could be a different location than warehouse, this is a problem. Even further, in an ideal situation you could set a shipping-from zip code per product, as different products may ship from different locations.

Perhaps the biggest issue with the software is how they deal with customer reviews. Customer reviews are ridiculous. Can you believe all reviews are automatically approved? How crazy is that? Of course they get spammed all to hell and you have to buy a third party mod just to deal with it. Also, stupidly enough, by default ratings are setup so that search engine crawlers will rate products while visiting your site. Google rated all my products all possible ratings, nice of them. This just seems to be, amateurish, how could you, in 2009 or 2010, release software that had no consideration for comment spam?

Cannot find what version you’re currently using in the admin area. That is a really silly oversight. Interspire had that problem too but they fixed it like a week after I published my review.

The picture management is really poor. Really really poor. There is no multiple size images, no click to enlarge, no lightbox, and any additional pictures for a product just are tossed at the bottom in an unorganized and haphazard way that looks amateurish. No thumbnails, just tossed down there in their original size. There is a setting for thumbnails but it does not seem to work.

Their integration with works appropriately, the only issue is an improper use of the description field for the transaction, which they do what Interspire and CubeCart do and just repeat the invoice number, rather than listing the contents of the order as it is meant for. But that is a small annoyance only.

Product variations work fine. The checkout is good and user friendly. The SEO naturally in the software is less than stellar with inadequate use of page titles among other less egregious issues.

Skinning is passable, there is an attempt to do a “webmaster console” for easy design changes like Interspire has, but in execution it isn’t near as useful, it does not work as well and the code you’re editing is not organized or commented so well, or as accepting of simple changes. I found it enough of a challenge just to add my logo and change one color. Doing a complex skin would be significantly difficult using that system.

Other than the SEO issue, the image issue, and the comments issue. The frontend is user friendly enough, I do not dislike it.

However, the backend annoys me. It is not intuitive in the least, options are not intuitive, navigation is not intuitive, product and order management is not intuitive. You don’t get a list of products or orders, you have to search for them, sometimes the link to edit something is a tiny one letter link, it is just weird. Way different than any other cart I’ve used, and I can’t say that I like it.

I would have to say, my favorite cart of all carts I’ve used, in this regard, for order management, is probably Interspire, and for catalog management (viewing and editing products) is Oscommerce (or it’s clones). And my least favorite in both categories is probably X-Cart, though Interspire still annoys me with their product variation management, but with my custom fix for that it isn’t so bad.

All told, I don’t like X-Cart. It works, it is functional, in fact it is quite powerful and flexible, but I don’t like it, from the admin side of things, I hate the usability. Almost all the problems I’ve mentioned can be fixed with third party add ons. There are mods for images, for product reviews, for SEO. All these things can be bought, installed, and paid for. Just search on Google and you’ll find quite a few sites selling this software.

But, see, the thing is, I don’t know if I will even keep this site, the site I built to test out the software. I got this license for free, but that doesn’t mean I get free mods too. The cost of ownership thus being so high I think maybe I don’t want to spend money to outfit it and upkeep it when I’d rather have different software.

Interspire is an expensive cart for instance, but when you buy X-Cart and then add in the cost of the mods required to run it at a bare minimum… suddenly the cheaper initial price ends up not being so cheap.

The next review I am going to do is going to be on CRELoaded, which I use as the basis for two of my OScommerce sites already, but I’ve never installed it and supported it and skinned it myself. I am going to do so now. So I know, the older versions I use, do a lot of what I like already. I know the company is really good about staying on top of updates, and security, and things like PCI compliance. Assuming this review works on well, I am probably going to take the site I built on the free X-Cart and port it to CREloaded, even though I would need to buy the CREloaded license whereas I got the X-Cart for free (I am getting 1 CREloaded license free to do the review on, but that is spoken for on another site already). Plus, right now, CREloaded is only $125, which is what a mere two mods for X-Cart would cost me to fit out my X-Cart license.

The FastCGI and the Furious

February 25th, 2010 by Chris

Let me start by saying I am not a server management or Apache guru, I’m not. I’ve been working with it on my own servers for about a decade now, but I am not a guru. I’m the guy who wears many hats. The graphic hat, the css hat, the programmer hat, the SEO hat. I’d consider myself guru quality in SEO and in generic Internet business management, but the rest I’m just a jack.

So, anyways, I’ve struggled for many years to get my literature site to run smoothly. I think there are three articles on this site about caching php pages that were born out of me needing to do that. The site is my oldest, 10 years, and very popular, with unique monthly visitors measured in the millions, but it is also a beast to run.

Currently it is on a pretty high end dual dual-core (thats 4 total cores for you math majors) server with 12 GB of ram. And it was still having problems. All the heavy hitting non-forum non-search page was cached as plain HTML, and it was still having problems, then I cached all the deep content pages as well, and it was still having problems.

Awhile back I had it set to use Apache’s worker module, as opposed to pre-fork, because I heard it was better, I believe I was told so in a forums server optimization thread. Regardless, still problems. Though, I’m not entirely sure, the new configuration of Apache 2.2 in cpanel servers is a little more confusing to handle how all the config files are spread out and the need to distill and whatnot (Sorry if you have no idea when I mean with that last line).

Now, PHP was compiled as an Apache module. I’ve done this and requested this for years going back to when I was first doing search engine friendly URLs (and popularizing the practice through my articles on Sitepoint about it). I always thought PHP as CGI ran slow, and more specifically it had a bug where a few of the search engine friendly URL methods would fail. That was in 2001, and in the intervening years no one had bothered to change my mind, and, because I’m not an Apache guru, I don’t keep up on developments unless I have a problem I need to solve.

Then last Thursday and last Friday night my site started crashing every 2 hours. Looking into the log files I couldn’t detect anything weird except that I would get a warning about Max Clients being reached and it’d crash. The thing is though that Friday the site gets about half as much traffic as any other day of the week. So it made no sense.

Looking at current activity it seemed like MSN and Yahoo (why do they both need to crawl still?) and an obnoxious VoilaBot were all crawling my site at the same time, that might have done it, but I banned VoilaBot and throttled the other two and it was still crashing every two hours.

I still don’t know for sure what was causing the problems, but in my search to find a solution I came upon some information about when to use Apache’s worker module, and when to use pre-fork, and how worker really isn’t helpful when PHP is compiled as an Apache module, and how running PHP as CGI, specifically FastCGI (or fcgi) is better in a multiprocessor environment (such as I have). The reasons are a little more technical than I want to go into, but maybe someone who IS an Apache Guru will comment and explain if they like, I don’t want to because I’m afraid I’ll get it wrong.

So, I load up cPanel’s EasyApache (Apache configuation and upgrade utility) which is wonderfully easy to use (cPanel is so much better than other server management software I’ve tried), and make the selections.

Now my server runs differently. Instead of PHP existing within Apache, it exists apart from it, and so when I check current processes and performance data I can see PHP’s usage outside of Apache (turns out, it must have been the lion’s share of Apache resource usage). This, I believe, lets me monitor things better.

But more importantly, the site is as fast as I ever remember it being, like wicked fast. The change was immediate, and awesome. The crashes stopped.

Traffic increased 15%, thats right, 15% more visitors & page views a day, roughly. It is not apples to apples because February 22nd was not exactly February 18th. But my site is typically very consistent (and on a large sample size) and I can see no other reason for the higher traffic plateau I’ve seen this week. I also noticed active forum users on at any one time has increased (a faster forum means more engaged users). Additionally, of course, over time more traffic will beget even more traffic like compounding interest works on your bank account.

The server isn’t even crashing in the middle of the night when it does the MySQL backups (which are huge, and which used to almost always cause a 10 minute “crash” (not really a crash, but unresponsiveness).

This setup is definitely working for me. So, if you’ve got a similar problem, try giving it a go.

Selling one of my sites

February 4th, 2010 by Chris

I’m selling one of my sites, for various reasons.

My coupon site was once my highest earner, pulling in over $1000 a day. One month’s revenue was the down payment on my house. Then I lost my rankings due to Google algorithm changes which favored a breadth of incoming links instead of a few really strong ones. My competitors starting making spam sites and using other methods to create tons of really low value incoming links. I did not want to compete like that. Unfortunately for me during my heyday of popularity I didn’t do something which I now consider to be a rule for all of my sites: build a forum. Because if you can get to critical mass with a forum your search rankings become less important, people will still come.

Additionally, at almost the exact same time, the ecommerce side of my business took off, doing $4000 a day in gross revenue in December of 03. So I shifted gears really. I’ve been very lucky, I’ve had so much success, and not just at one thing, I’ve had multiple ideas or sites become successful independently.

In the intervening years the industry changed and while it is still probably the single most profitable niche for a an affiliate content site (IMO) it is more competitive and requires a larger software investment and time investment. New coupon sites with innovative Web 2.0 features were launched, mine stayed the same because was focused on other things.

Last year I paid someone to reprogram the site and incorporate some Web 2.0 features, they did the work, but I never did the finishing touches I intended to (like a better design, automatic importers, launching the forum, etc). Meanwhile, I feel pulled in too many directions. I have a baby now, I have a todo list that is quite long, on sites I’d rather work on than a coupon site, and my ecommerce businesses keep growing and growing.

I don’t actually like affiliate marketing that much, mostly because I don’t like affiliate programs. Merchants move offers, change offers, expire offers. Many do not adopt standard methods of automatic communication (more need to use RSS). Programs will get terminated without warning, or maybe just you will be. So to run a website that in the end is just an organization of affiliate offers is not what I prefer to do. I prefer to do ecommerce, or strict content sites. I like to write, I like to publish, I like content that I can publish once and let it earn for me forever. I do like some affiliate programs, but with a coupon site you need to manage hundreds, and that is not my favorite task.

I’ve actually had this site up on the market for awhile, but only passively, I decided to give Flippa a try though and see if I’d move it actively. I figured with my taxes likely going up soon it’d be better to move it now, than a year from now.

In less than a day I’ve already had some private interest, perhaps I should have put the minimum offer higher. It looks like it’ll probably sell, only question is to whom and for how much.

If you’re interested, the listing is here.

Interspire Shopping Cart 5.5 Review

January 29th, 2010 by Chris

Interspire has gone through a couple interations of updates since I last reviewed them about 7 months ago (on 5.0). My original review can be read here: Interspire Review, and I wish to provide you with updates regarding the issues I encountered. If you didn’t read the original review, you should, I’m going to be referencing it a lot.

First let me say that Interspire has been fairly proactive in addressing the concerns raised by my original review.


They have changed their upgrade policy to allow you free upgrades for 1 year regardless of upgrade type (previously you had to pay for major upgrades) after one year you can renew at 50% the original cost of your licence.

This pricing scheme is more in line with other software vendors out there, and is an industry standard. While Interspire is still expensive compared to many other carts, their upgrade policy is now inline and shouldn’t be a source of complaints.

Installing, Upgrading, Importing

I’ve done more upgrades of the software since my original review, and all went off without a hitch, except the most recent one, which to fix I merely had to uninstall and reinstall my template (two clicks). They’ve also added more templates.

I am annoyed though at the lack of persistent data though some of the template changes. For instance, welcome text at the top of the homepage. I have to re-insert it every time I upgrade a template. It would not be that difficult to provide a field that persists through template changes for that sort of thing, or footer text, etc. In fact, stick them all over, they’re really simple to do. vBulletin finally caught on a few releases ago and stuck option advertisement templates all over the software so when upgrading you could have those templates persist and not have to redo all your advertising.

Order Summary

What I said previously:

Why is it so hard for some carts to provide a printable receipt after checkout? Honestly, Cubecart doesn’t, OScommerce doesn’t, what is the deal?

Interspire does not do it either when you select payment of check or money order (mail order form) they provide this sentence: “Mail a check or money order in US funds, along with a printed order summary, to:” But don’t actually provide the order summary. I guess you have to wait for the email and print it out? What if you don’t get it? Why not just put the order summary on that page?

When you pay with a credit card through Interspire provides a link for the order summary, but again, why not put the order summary on that page? There is a ton of whitespace on it, fill that space up!

The email summaries they send are nice, put that content on the page seen after checkout.

Still holds true. No fix there.

Categories & SEO

My issues with the category setup on the menu in regards to SEO and headings as mentioned in my first review are still there. I would like to be able to have more control over the category listing, perhaps giving prominent locations to products or categories I wish to promote more, I can’t. I would also like the ability to section off my menu.


They now allow more than 5 product images. I would still like a lightbox to display them on product pages instead of a popup. Popups are old technology, take longer to load, and can be blocked.

Product Variations

What can I say? They’re trying.

5.5 included a new product variation handling tool and other upgrades.

Firstly, they paginated the product variation screens. So it will no longer crash your browser from information overload if there are tens of thousands of form fields (very possible).

Secondly they implemented a bulk variation editor. This, unfortunately, is almost worthless. It is like they just don’t get it. Let me explain.

Their tool allows you to filter variations and then edit the cost. Suppose you sell engagement rings available in silver, gold, and platinum. Each ring can be sized from 5-15, and can include a .5, 1, or 2 carat diamond.

Their tool allows you to replace existing values, which is not very useful at all. Say you have the following prices:

Gold .5 carat = $500
Gold 1 carat = $1000
Gold 2 carat = $2000

So suppose you need to increase the cost of your gold jewelry because gold prices increase at the wholesale level. You use the filter to select “gold” and then select say “add $30″ and instead of adding $30 to each gold ring, it finds every ring option that involves “gold” and replaces the value of that combination to $30. So now, instead of having rings costing $530, $1030, and $2030, you have rings costing just $30. Oops!

The solution is to go back and select gold and .5 carat and input $530, then gold and 1 carat and input $1030 and so on. Doing each combination individually. Which begs the question, I thought this was supposed to save time?

It does save time, if you’re only dealing with combinations that do not affect the price. Like suppose there was no price change depending on ring size. Then you could do a gold price change for all ring sizes at once. But the second you add a second price-affecting variable, you screw the system up.

This is true whether you’re editing or doing the initial setup of your product variations.

The solution would be simple, create a toggle to indicate whether you want to increment or replace existing values. If you did so and selected “increment” it would still filter out all combinations involving “gold” and then instead of saying “cost = $x”, it would say “cost = $current_cost + $x.”

Otherwise, all that they’ve done is created a new way to do things one at a time, which defeats the purpose entirely.

Also, it is far too easy to destroy thousands of existing variations. With the system as is you can easily accidentially not set a filter then hit submit and zero out or otherwise change all of your carefully done, perhaps 100,000 total, product options. That sort of devastation demands a confirmation step. I would strongly recommend Interspire code in a simple “Are you sure?” check, it will save someone’s butt sometime.

Finally, there is still no display of prices next to product options on the actual product pages customers will see. Almost every other cart will display the options, why? Because customers don’t like having to play “guess the price.” There are a couple Interspire hacks and modifications that address this, but so far, no support from the actual company. It should be a really easy change too. Integration

I complained about their integration in my last review. They left out customer emails, they left out the entire block of shipping information, and they did not appropriately use the description field (to list the actual products sold, rather than just repeat the order# information).

They’ve fixed everything except the description field.


Still no support for dimensional weight with UPS.


They have added a monthly sales tax report, which was my main complaint.

Other bugs

They now allow you to use an SSL domain, but you can’t set it to be your same domain, perse. For instance many sites use as their catalog, but drop the “www” for their SSL domain, you can’t do that with Interspire. Not a huge deal, but there.

They have also fixed the annoyance of not letting you know your current version in the admin area.

Order Management

Order management has gotten better, customer messaging is now included in all versions of the cart as I requested. However, the messaging system still just emails people to tell them they have a message, it does not actually email them the message, creating a second unnecessary step.

Final Thoughts

My thoughts on 5.5 are pretty much the same thing as my thoughts on 5.0. The cart is a Ferrari without tires. However, I see mechanics working in the shop putting tires on some wheels and so I am optimistic. The people at Interspire are listening to feedback, even here on my blog, and they are making changes based on that feedback. That is moving in the right direction, even if we are not yet at our destination.

As far as the product variations go, I still can’t fully recommend it for sites needing complex variations, but they’re getting closing, one more small change (the increment setting mentioned above) and they’re about there. In the meantime, my script that helps setup new products that need variations is always available. For other sites though, especially when you have a site owner not that adept at skinning, Interspire is attractive.

Also, apparently in their next version they plan to include the ability to print UPS labels directly from the cart, which would be stellar.

Coming soon will be my review of X-cart (almost done), and my review of the newest CRE Loaded (almost started).

Top of page...