Drupal: Ubercart, starting to use it - drupal

What kind of things do I need to know before starting to use Drupal Ubercart?
I'm already experienced with Drupal.
I was wondering if I need to set up a secure HTTPS connection, or do additional work for my webshop.
Or can I just install Ubercart and configure it?
Thanks.

One thing I found about using Ubercart was that it was a pain to override the theme. It wants to make all these horrendous-looking tables, and making it fit in with the rest of the site was pretty horrible.
Also, if you want to get the most out of it, install it on a local machine and take some time to explore the interface - there are a LOT of options there and it can take a while to get your head around how it fits together.

To get a sense of how to use Ubercart, you can certainly install it on a development server and start going through the customization settings. For production, though, definitely consider installing an SSL certificate and using this module to secure the appropriate pages. And you'll need to determine which payment gateways to employ (credit cards, PayPal, Authorize.net, etc.), and set up the appropriate accounts so that when you configure Ubercart payment gateways, you can provide the needed information.
If you have some time after getting to know basic Ubercart, you might check out the Ubercart contributions page for more ideas of what you can do.

If you are looking for a quick payment solution and can't really be bothered with SSL and all the payment issues, PayPal IPN is a godsend. This is the PayPal option where the customer goes to the PayPal site to complete checkout. This is quite a bit simpler to implement than the other payment options and gets around the most important security issues, by not collecting any financial info on your site.

Related

PCI Compliance with Paid Memberships Pro and Stripe

I'm posting this on multiple platforms because I understand that there may be multiple options. I just want to get as much feedback as possible.
So I have a website up with WordPress through Hostgator. My WordPress site has an option where people can sign up for paid subscriptions by filling out payment forms generated by the plugin Paid Memberships Pro. I have PMPro integrated with my Stripe account, and the payment page is protected by an SSL certificate from Let's Encrypt. The page is also TLS 1.3. So I am almost 100 percent confident that I'm PCI compliant.
The reason I'm posting on here, however, is that a colleague is concerned that my payment forms are on my site, not Stripe. So there's concern over security in that respect. So my question: Is there a way to have the payment forms on the Stripe site instead of my site in a way to still be able to use Paid Memberships Pro? If not, am I safe as is or do I have to forget about Paid Memberships Pro and try to do everything through Stripe? If I have to do everything through Stripe, how do I get Stripe to have my website let my user generate a username and password for my site after paying?
If I'm asking anything that could be answered easily through a tutorial of some sorts, forgive me and give me a reference to that sort. I just want to make sure I'm doing everything correctly. So thanks everybody in advance.
You should review the PCI Compliance guide and reach out for support from the plugin provider to understand how their plugin works. All card information should be collected securely with Stripe.js & Elements. While this appears to the customer as though it is "on your site" it is actually inside a Stripe-hosted iframe for exactly this reason.
You can also use redirect-based products like Checkout to set up subscriptions, but I don't know if this is supported by your plugin.

Wordpress Payment Plugin Site-Wide Cookie Preventing Varnish Edge Caching Through Pantheon

Running in circles trying to leverage Pantheon's CDN/Varnish edge caching.
I have a WordPress site that uses the WP Simple Pay Lite plugin to process Stripe transactions on one page. That plugin creates a session cookie to allow correct handling of payment success/failure.
That session cookie prevents caching via Varnish. As I understand it, a lot of people run into this with WooCommerce as well, but I'm having a hard time finding a clear solution and Pantheon support is giving me the "this is beyond our support", which is fair, but it seems this would be a very common issue.
Simple Pay's docs specifically mention Pantheon as an exception and refer to using Pantheon's Native Session plugin (which we are), which as I understand it, offloads sessions to the database. The next step isn't really clear to me though as that alone doesn't eliminate the session, only switches how it's handled.
So does anyone have a solid workaround for this site-wide cookie whether through Simple Pay Lite, WooCommerce or otherwise?
If I can't get a better solution working, I suppose I could just move the payment piece to a subdomain, but would love a cleaner solution.
I've done a little looking at selectively loading the plugin only for the one page that uses the payment form, but a lot of the solutions there are pretty generic and I'm not sure my level of expertise is going to get me over the hump.
Bear with me... kind of flailing here.

Architecture ideas to allow customers to build their own site, based off external site's data?

I'm not entirely sure how to properly ask this, so please bear with me.
I have an idea for a site I would like to build, which would basically be a site for members to create some data and have it housed in my database. I would like to offer a value-add to the site which would allow people to spin off their own website via my own "website builder" tool (probably some sort of CMS). Their website would be able to communicate with my master database to display their data.
Getting down to the crux of the topic, I'm looking for architectural advice/ideas/etc. regarding what services I could use to do this. I'm not looking for a 100% automated solution, but something along these lines (which may not be completely correct, I admit):
Customer puts in an order to create their own site, using my tools.
I setup a separate domain for them, roll out the CMS foundation to the site, and the customer has full editing control of the CMS to design it however they would like.
The CMS would have some customizations so that it includes functionality to call APIs located on the master site, which would return the relevant data.
In the research I have done on SO, I've seen a lot of mentions of Umbraco which honestly looks like a good start. I'm just worried that when I go to upgrade a version, I have to deal with overwriting my custom API functionality. I'm guessing this is the nature of the beast, and requires me to accept/plan for it.
Does anyone have any thoughts about this? Some high-level starting points? Thanks!
I've been thinking about this same issue for my customers.
It is not hard to automatically roll out a stock CMS such as WordPress or Joomla. This sort of thing is done all the time by "1-click installers" that DreamHost and others have.
Including custom widgets or plugins for the CMS that can connect to your main app is also not hard.
For DNS, you can use Amazon Route 53 or other DNS services that include a good API at the DNS management level.
I suggest that you focus on using a CMS that is very popular (e.g. WordPress or Joomla) rather than something less well known such as Umbraco. Using a more popular system will drastically reduce your training costs--remember that if you supply the CMS to your customers, then they'll also expect you to supply the support for it...

DRUPAL: is it safe? / cron.php?

Is Drupal vulnerable in some respect?
Or is it in general a secure CMS?
What about cron.php? Can it be overloaded?
Thanks.
Drupal is relatively secure in general, but vulnerabilities pop up now and then, as with any web application. Make sure to monitor the security advisories and react to any flaws reported there for core and contributed modules you use (you can get these via mail by subscribing to the newsletter on your Drupal.org account pages).
As for cron.php, a default Drupal install does not protect it from being called by anyone directly, thus exposing some DoS risk, but you can shield it pretty easily by limiting access to it via .htaccess rules - see http://drupal.org/node/41049 for some discussion on it (don't sweat this - cron.php will not expose any data by itself).
Drupal is in general quite safe. Just be sure to check for updates and install them. (You'll get a notice if there's a new update when you log in as an admin to your site.) cron.php is responsible for site maintenance and update checking. Have a look at this thread from the Drupal forums, http://drupal.org/node/41049, where a similar question was posed.
Drupal is used everywhere and is proven and professional. Anyone can introduce security vulnerabilities if they try hard enough, so make sure you don't do anything stupid.
If a security flaw was exposed in Drupal, the community would have picked it up within hours and probably issue an update within the same day or two. You really have nothing to worry about, and if hackers did want to target a Drupal site, they'd probably choose a higher-profile one.
Drupal has a good security team and community, and many new security features are appearing in the next release (7) - but in theory having anonymous users able to call cron.php (in version 6) is a security risk and presents a minor DDoS risk. But it is easily protected in the .htaccess (as mentioned by Henrik Opel) - I use that method too, with adaptations for other sensitive files. The good news is that it is being protected by a hash in Drupal 7; see slide 26 in this presentation (http://code4lib.org/files/drupal7-c4l10.pdf).
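The .htaccess restriction the answers above refer to, written out as an added example (not taken from the thread or from drupal.org); it assumes Apache with .htaccess overrides enabled for the Drupal docroot, and 192.0.2.10 is a placeholder for the address of the host that actually runs the scheduled cron job (use 127.0.0.1 alone if cron runs on the web server itself).

```apache
# Added example: only the cron host may request cron.php; everyone else gets 403.
# 192.0.2.10 is a placeholder - replace it with the IP of the machine whose
# crontab calls this URL (wget/curl), or drop it if cron runs on localhost.
<Files cron.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require ip 127.0.0.1 192.0.2.10
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 (the Drupal 6 era this thread describes)
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10
  </IfModule>
</Files>
# Verify from an unrelated host: `curl -I https://example.com/cron.php`
# should return "403 Forbidden"; from the cron host it should return 200.
```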

Is there a multi-blog admin interface for WordPress blogs installed completely separately?

I'm an administrator of 10-20 separate WordPress blogs, and it's a big pain for me to log in to all of them separately. Is there some sort of interface that allows me to do single-sign-on administration of all of them, like there is under a WordPress MU umbrella?
If so, what's it called? I don't even know the term I'd use to search for this.
I've yet to try it, but Virtual Multiblog might solve your problem.
Or, try the search term:
wordpress + multi blog
Google tends to vary results depending on your country of origin, so I'm not sure that what I found is what you'd find.
If it's just managing posts & pages and a few other items, a blogging client might be the way to go. WordPress provides a good starter list of programs - http://codex.wordpress.org/Weblog_Client
I've heard a lot of good things about http://managewp.com/
However I believe WordPress is implementing some sort of multi-blog support system in the next version release, so you may want to wait until that drops before laying out some cash for a service like ManageWP.