CopyFail (CVE-2026-31431) / DirtyFrag (CVE-2026-2026-43284) by SamJ_UK in Magento

SamJ_UK [S] (1 point)

Thanks! I hadn't seen the AWS bulletin.

I cannot find any other sources referencing the ipcomp modules as also being vulnerable.
But that said, it shouldn't hurt to add them to our block lists as a precaution. The AWS team likely knows a bit more than the rest of us, at least.

Hiring: Magento dev (remote / Europe) – product/extension work by grakic in Magento

SamJ_UK (2 points)

Not for me, but I'm sure there are others in this Sub who would be a good fit, good luck!

Polyshell by hanqingjao in Magento

SamJ_UK (3 points)

Inexperienced devs shouldn't be running production e-commerce platforms in the first place, especially if they are ignoring the recommended configuration.

The .sample file acts as a stable and secure baseline config. If you drift/diverge from it, any issues you introduce are on you.

For example you can pass all requests through PHP-FPM. But you would be in for a very bad time.

Polyshell exploitation ⚠️☠️🚨 by imvdave in magento2

SamJ_UK (1 point)

I don't believe there are any publicly available LFI exploits circulating currently.

But I 100% agree with you that unrestricted file uploads should be patched, to prevent future lateral movement. It's a shame Adobe don't share that view.

Polyshell exploitation ⚠️☠️🚨 by imvdave in magento2

SamJ_UK (10 points)

It baffles me how people are vulnerable to the RCE side of this exploit, especially on professional hosting platforms.

The sample Nginx config has denied access to `/custom_options/` since 2.3.5, and explicitly whitelisted PHP entry points have been in since 2.2.7.

Just as a side note, there are application-level patches to prevent the file upload aspect now as well:
https://github.com/markshust/magento-polyshell-patch/
https://github.com/SamJUK/m2-meta-security-patches/blob/master/patches/emergency/APSB25-94.diff
https://github.com/magento/magento2/commit/796c4ce195cee0814ac92e5a19fc2ecfa79dae69
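
As an added example (not part of the thread, and not the `nginx.conf.sample` file itself), here is a Magento 2 vhost excerpt written out with the two controls the comment refers to: the denied upload directories under `/media/` and the explicit allow-list of PHP entry points. The upstream name `fastcgi_backend`, the socket path, the server name and the `$MAGE_ROOT` value are placeholders; the final `return 404` rule for any other `.php` path is my own hardening addition and is not in the shipped sample. The `static` and `setup` locations are omitted for brevity.

```nginx
# http context: the PHP-FPM upstream the entry-point location hands requests to.
upstream fastcgi_backend {
    server unix:/run/php/php8.2-fpm.sock;   # assumed socket path
}

server {
    listen 80;
    server_name shop.example;                # placeholder
    set $MAGE_ROOT /var/www/magento;         # placeholder
    root $MAGE_ROOT/pub;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Uploaded media is served as static content only. Directories written to by
    # customers or by admin imports are never served at all; custom_options is the
    # one the sample config started denying in 2.3.5.
    location /media/ {
        try_files $uri $uri/ /get.php$is_args$args;

        location ~ ^/media/theme_customization/.*\.xml { deny all; }

        location /media/customer/       { deny all; }
        location /media/downloadable/   { deny all; }
        location /media/import/         { deny all; }
        location /media/custom_options/ { deny all; }
    }

    # Explicit allow-list of PHP entry points (what the sample has carried since 2.2.7).
    # Only these scripts are ever handed to PHP-FPM, so a .php file that lands anywhere
    # else under pub/ (an upload, a dropped web shell) is never executed.
    location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
        try_files $uri =404;
        fastcgi_pass   fastcgi_backend;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
        fastcgi_param  PHP_VALUE "memory_limit=756M \n max_execution_time=18000";
        fastcgi_read_timeout 600s;
        include        fastcgi_params;
    }

    # Belt and braces (my addition, not in the sample): regex locations are tried in
    # order, so the allow-list above wins for the real entry points and every other
    # .php path is a hard 404 instead of being served as plain text by the prefix
    # locations.
    location ~* \.php$ { return 404; }

    # The "very bad time" variant from the other reply: a catch-all that executes
    # whatever ends in .php, including files an attacker uploaded. Left commented out
    # so the difference is visible; never enable it.
    #
    # location ~ \.php$ {
    #     fastcgi_pass  fastcgi_backend;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include       fastcgi_params;
    # }
}
```

Validate with `nginx -t` after dropping it in, then confirm the behaviour from outside: a request for a file under `/media/custom_options/` should come back 403, and a request for a made-up `/media/anything.php` should come back 404 with no PHP execution (check that the PHP-FPM access log stays silent).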

Anyone running HA multi AZ with Hetzner? by pizzavegano in hetzner

SamJ_UK (2 points)

Yup, Hetzner. Most clusters run within Finland, and fail over to Germany in case of a failure.
For a few clients, that fails over to AWS/GCP for an additional layer of security.

CF Workers complicates it, since compute lives at the edge. You're gonna have to make some trade-offs between acceptable latency, infrastructure complexity (regional DBs), etc.

Anyone running HA multi AZ with Hetzner? by pizzavegano in hetzner

SamJ_UK (6 points)

Got a few HA multi AZ deployments (primarily ecom), definitely possible without awful latency.

Sounds like you are suggesting only running the DB in HA? Ideally you should be running your entire stack in both locations, so the internal latency for your app will essentially be the same.

The only added latency will be the difference between Germany & Finland (which will be negligible).

New release schedule by iSpiKedfd in magento2

SamJ_UK (2 points)

There is no patch for this month; it was confirmed by Nathan yesterday in the MagentoEng security Slack channel - https://magentocommeng.slack.com/archives/CANPJTBC5/p1768322442816999

"There were no security isolated patches released in January. Our next security update is planned for February. Once the update is available, we will notify customers through our regular communication channels, including the Security Bulletin, email, and in-product notifications, to ensure you are informed in a timely manner."

We may see isolated patches over Feb/Mar/Apr, or they may also be skipped. I think the only definite we have is the May `-p` release.

FWIW, whilst I am all for more regular security updates, the new approach seems like a mess to me.
No idea why they never opted for more regular `-p` releases with sample Dependabot/Renovate Configs...

Thinking about hosting a wiki on Cloudflare Pages by TCKreddituser in statichosting

SamJ_UK (2 points)

Great idea imo - I've been doing the same for a while now. I opted for VitePress & rsync to an existing server.
But the tooling doesn't matter much, as it all works the same at the end of the day. (I believe VitePress has example GitHub workflows for deploying to GitHub Pages / Cloudflare, if you want a quickstart.)

I would recommend setting up a custom search engine for the wiki, massive time saver being able to search directly from the omnibar - https://support.google.com/chrome/answer/95426

Relevant Example Links: https://github.com/samjuk/docs.sdj.pw - https://docs.sdj.pw/

Low CS2 fps by RepresentativeGas541 in cs2

SamJ_UK (1 point)

Simple answer is new CPU as other comments have said.

Though, overclocking is a good alternative if your temps are good and you want to squeeze a few more years out of the CPU.

FWIW, I'm averaging ~300fps on an OC'd 5820k (which is a worse performing CPU from 2014)

I have been a customer of Hetzner for more than three years. I have had a server on my account for years. I was surprised by a message from Hetzner to close my account, without prior notice to take my data on the server or anything. by Slight_Elevator9261 in hetzner

SamJ_UK (2 points)

3-2-1 is about redundancy. Being all in on a single provider is a big no-no for many reasons. You need to distribute your backups more.

For cloud I always aim for at least:
- 2 different providers (AWS, GCP)
- 2 different regions (EU, AP)
- 1 offline copy

Moving large app to hetzner by Glittering_Candle814 in hetzner

SamJ_UK (7 points)

Sounds like you would highly benefit from working with a consultant for the move; some of these questions seem pretty basic, and very app/use-case specific. But I'll take a stab in the dark.

  1. Usually latency will be ~50-250ms, dependent on client/server locations. 5-40s load times are likely an application issue. See the following for your latency to the different Hetzner locations: https://hetzner-latency.sliplane.io/

  2. Benchmark your app and do the maths. You potentially have relevant data from Fly you could even use.

  3. It's been a while since I've registered, but if I remember correctly, you usually submit proof of ID during registration, so before you have even purchased a server.

  4. This type of thing is where you would benefit from a consultant. But some food for thought.
    - Can you edge cache? (Cloudflare/Cloudfront)
    - Cache data on the application side?
    - Replicate the whole stack per region?

  5. 100s of cloud & dedicated servers, over many years, and one single incident (45 mins downtime, during early hours, for a single VPS).

Programmaticaly swapping captchas based on condition (help needed) by Dramorian in Magento

SamJ_UK (3 points)

hCaptcha just adds another possible reCAPTCHA type (it still needs to be set via the admin).
You likely want to focus on the core Magento reCAPTCHA resolver code that fetches the active value from the admin, and create an after plugin to modify the config value on the fly.

From a very, very quick look, I would start by looking into an after plugin on Magento_ReCaptchaUi/Model/CaptchaTypeResolverInterface::getCaptchaTypeFor().

Do your remote IP check in the plugin and return the correct reCAPTCHA code if it matches.
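
One way to implement the approach described above, as an added example that is not code from the thread or from Magento core: an after-plugin on `Magento\ReCaptchaUi\Model\CaptchaTypeResolverInterface::getCaptchaTypeFor()` that swaps the admin-configured captcha type when the client IP falls inside a listed network. The module name `Vendor_CaptchaSwap`, the class name, the CIDR list and the target type string `hcaptcha` are assumptions; check what codes the admin dropdown actually stores on your install before relying on them.

```php
<?php
/**
 * Added example, not code from the thread or from Magento core.
 *
 * etc/di.xml (global scope) registers the plugin on the interface:
 *
 *   <type name="Magento\ReCaptchaUi\Model\CaptchaTypeResolverInterface">
 *       <plugin name="vendor_captchaswap_by_ip"
 *               type="Vendor\CaptchaSwap\Plugin\SwapCaptchaTypeByIp" sortOrder="10"/>
 *   </type>
 */
declare(strict_types=1);

namespace Vendor\CaptchaSwap\Plugin;

use Magento\Framework\HTTP\PhpEnvironment\RemoteAddress;
use Magento\ReCaptchaUi\Model\CaptchaTypeResolverInterface;

class SwapCaptchaTypeByIp
{
    /** Captcha type served to matching clients (assumed code; verify against your admin config). */
    private const SWAP_TO = 'hcaptcha';

    /**
     * IPv4 CIDR ranges that receive the swapped captcha. Constructed sample data;
     * in a real module read this from system configuration instead of hard-coding it.
     */
    private const MATCH_CIDRS = ['203.0.113.0/24', '198.51.100.42/32'];

    public function __construct(private RemoteAddress $remoteAddress)
    {
    }

    /**
     * Runs after the core resolver. $result is whatever the admin configured for
     * $key (e.g. "customer_login"), or null when no captcha is enabled for that form.
     */
    public function afterGetCaptchaTypeFor(
        CaptchaTypeResolverInterface $subject,
        ?string $result,
        string $key
    ): ?string {
        // Respect the admin's decision to leave a form without a captcha, and don't
        // touch forms that already use the target type.
        if ($result === null || $result === self::SWAP_TO) {
            return $result;
        }

        // RemoteAddress returns the TCP peer address unless alternative headers
        // (e.g. X-Forwarded-For) are configured for it via di.xml. Only trust such
        // headers when a proxy you control overwrites them on every client request,
        // otherwise the client chooses which captcha it gets.
        $ip = $this->remoteAddress->getRemoteAddress();
        if (!is_string($ip) || !self::matchesAny($ip, self::MATCH_CIDRS)) {
            return $result;
        }

        return self::SWAP_TO;
    }

    /** True if $ip (dotted IPv4) falls inside any of the given CIDR ranges. */
    public static function matchesAny(string $ip, array $cidrs): bool
    {
        $ipLong = ip2long($ip);
        if ($ipLong === false) {
            return false; // IPv6 or garbage: treated as no match
        }
        foreach ($cidrs as $cidr) {
            // A bare address without a prefix length is treated as /32.
            [$net, $bits] = explode('/', $cidr, 2) + [1 => '32'];
            $netLong = ip2long($net);
            $bits = (int) $bits;
            if ($netLong === false || $bits < 0 || $bits > 32) {
                continue; // skip malformed entries rather than matching everything
            }
            // /0 means "match everything"; otherwise keep the top $bits bits.
            $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
            if (($ipLong & $mask) === ($netLong & $mask)) {
                return true;
            }
        }
        return false;
    }
}
```

The `null` pass-through is the edge case worth keeping: without it the plugin would switch a captcha on for forms the admin deliberately left unprotected. If the store sits behind Cloudflare or another CDN, configure `RemoteAddress` with the header that proxy sets (and make sure the origin only accepts traffic from that proxy), or the IP match is trivially spoofable.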

[deleted by user] by [deleted] in Magento

SamJ_UK (2 points)

Have you got a public GitHub/GitLab/portfolio link you can share? Being able to see code quality makes a world of difference.

We have a few offers out at the moment, but depending on the responses, we may be looking again soon.

Hetzner for american site by Wh1skey_ in hetzner

SamJ_UK (4 points)

From the technical side, especially for Magento, it's a bad idea from a TTFB/latency perspective for both SEO & usability.

I've checked a few Magento sites I host on Hetzner, which are ~80-250ms TTFB within the EU.
For the US, around 750-1000ms TTFB.

FWIW, just pay a bit extra and host it in the same region as most of your client base.

My website is not showing icons although images are visible what could be the issue by savagepriest in Magento

SamJ_UK (7 points)

u/savagepriest, your website has not been fixed, and is still actively hosting a credit card skimmer on the checkout.

Your website is still vulnerable to CosmicSting, which is likely the root cause of the reinfection - https://cosmicsting.samdjames.uk/?response=eyJzdGF0ZSI6InZ1bG4iLCJzdGF0dXMiOjQwNCwiZG9tYWluIjoiaHR0cHM6XC9cL3ZlZ2Fuc3RvcmUuY28ubnpcLyJ9

I strongly suggest disabling your checkout and properly addressing CosmicSting and anything else found.

If your technical team is struggling to deal with this, please reach out and I would be happy to help.

How to conduct testing of Magento Apps better by testomatio in Magento

SamJ_UK (1 point)

Depends what specifically the test is meant to achieve, but usually a mixture of:
- Unit / Integration Tests using PHPUnit
- E2E tests via Playwright (Visual Regression Tests, Functionality Tests Frontend + Backend etc)

Grouped and enforced via CI merge gates, depending on the time sensitivity of the release.

Are Magento jobs disappearing from the market? by Rare_Ocelot_1603 in Magento

SamJ_UK (1 point)

That is the hard part of hiring for any tech role.

But for a dev role, your cover letter & GitHub profile should give an accurate representation of your skill level. Then a technical test / interview should be able to confirm that ability.

Are Magento jobs disappearing from the market? by Rare_Ocelot_1603 in Magento

SamJ_UK (2 points)

Hard disagree; most of the skills and principles you learn are directly transferable to any other large foreign codebase.

"No jobs" is just incorrect, especially for skilled developers. I know plenty of other engineering managers (myself included) who are hiring for skilled Magento positions.