Jump to content



  • Content Count

  • Joined

  • Last visited

  • Days Won


Matt last won the day on September 29

Matt had the most liked content!

About Matt

  • Rank
    Chief Software Architect

Contact Methods

Profile Information

  • Gender
  • Location
    Cambs, UK!
  • Interests

Recent Profile Visitors

256,955 profile views
  1. We've proudly used Commerce for close to a decade, managing close to a million support tickets. We decided to switch to a dedicated ticket platform so that we can bring our customer support and enterprise support into a single channel. We *could* spend 6-9 months adding features to Commerce's support desk but really that's not an area we see as growth for us. We want to create the best community platform we can, and creating a product to rival Zendesk isn't a direction we want to take. Commerce is not having its support desk removed. We do want to refine Commerce in a future release to strip out some of the things not often used (like hosting support) and improve areas which get more use (subscriptions, etc). We still stand by Commerce is an excellent community support desk too. The simple truth is that we just needed something a little more powerful to manage our growing base of customers.
  2. Just open a new ticket and I'll make sure all the ticket IDs from Commerce are added. Our staff still have access to the old ticket desk and nothing has been deleted.
  3. We have moved to a new support desk platform to manage client support. If you need any information from an older ticket, let me, or the support team know and we can look it up for you.
  4. Yes, we stated elsewhere in this blog and its comments that we intend to keep developing the PWA functionality. You may not view notifications as "must have" but a good number of people do. 🙂
  5. Yeah, I saw that yesterday. Pretty bad vulnerability for their customers to deal with.
  6. Security should never be an afterthought. Don't wait until an attack has compromised your site before you take action. All too often, site owners consider increasing their security only when it's too late, and their community has already been compromised. Taking some time now to check and improve the security of your community and server will pay dividends. In this blog, we run down 8 ways that you can protect your community with Invision Community. We go through the security features you may not know about to best practices all communities should be following. 1. Set up Two Factor Authentication Invision Community supports Two Factor Authentication (2FA for short), and we highly recommend making use of this feature for your users, but especially for your administrative staff. 2FA is a system that requires both a user's password and a special code (displayed by a phone app) that changes every few seconds. The idea is simple: if a user's password is somehow compromised, a hacker still wouldn't be able to log in to the account without the current code number. You may already be familiar with 2FA from other services you use. Apple's iCloud, Facebook and Google all offer it, as do thousands of banks and other security-conscious businesses. Invision Community supports 2FA via the Google Authenticator app (available for iOS and Android) or the Authy service, which can send codes to users via text message or phone call. You can also fall back to security questions instead of codes. You can configure which members groups can use 2FA, as well as requiring certain groups to use it. Recommendation: Require any staff with access to the Admin Control Panel or moderation functions to use 2FA. This will ensure that no damage will occur should their account passwords be discovered. Allow members to use 2FA at their discretion. 2. Configure password requirements The password strength feature displays a strength meter to users as they type a new password. The meter shows them approximately how secure it is, as well as some tips for choosing a good password. While you can leave this feature as a simple recommendation for users, it's also possible to require them to choose a password that reaches a certain strength on the meter. Recommendation: Require users to choose at least a 'Strong' password. 3. Be selective when adding administrators Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Giving access to the AdminCP is like handing someone the keys to your house. Before doing so, be sure you trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?). Recommendation: Don't forget to remove administrator access promptly when necessary too, such as the member of staff leaving your organization. Always be aware of exactly who has administrator access at any given time, and review regularly. You can list all accounts that have Administrative access by clicking the Administrators button under staff on the Members tab. 4. Utilize Admin Restrictions In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth. Invision Community allows you to limit administrator access to particular areas of the AdminCP with the Admin Restrictions feature, and even limit what can is done within those areas. This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future. Recommendation: Review the restrictions your admins currently have. 5. Choose good passwords This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential. We recommend using a password manager application, such as 1password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them. Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for other sites too. Recommendation: Reset your password regularly and ensure you do not use the same password elsewhere. 6. Stay up to date It's a fact of software development that from time to time, new security issues are reported and promptly fixed. But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community. When we release new updates - especially if they're marked as a security release in our release notes - be sure to update promptly. Invision Community allows you to update to the latest version via the AdminCP. You no longer need to download a thing! Recommendation: Update to the latest version whenever possible. Remember, with Invision Community's theme and hook systems, upgrades to minor point releases should be very straight forward. 7. Restrict your AdminCP to an IP range where possible If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist. This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment. Recommendation: Consider IP restriction as an additional security layer when you are not able or willing to use 2FA. 8. Properly secure your PHP installation Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We, therefore, recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs: disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system Another critical PHP configuration setting you need to check is that open_basedir is enabled. Especially if you're hosted on a server that also hosts other websites (known as shared hosting), if another account on the server is comprised and open_basedir is disabled, the attacker can potentially gain access to your files too. Naturally, Cloud customers needn't worry about this, we've already ensured our cloud infrastructure is impervious to this kind of attack. Recommendation: Review your PHP version and settings, or choose one of our cloud plans where we take care of this for you. So there we go - a brief overview of 8 common-sense ways you can better protect your community and its users. As software developers, we're constantly working to improve the behind-the-scenes security of our software. As an administrator, there's also a number of steps you should take to keep your community safe on the web. If you have any tips related to security, be sure to share them in the comments!
  7. Indeed @Morgin. There seems to be a circular argument that: - We don't have the resources to make a native app. But - We do have the resources to code around missing functionality in PWA 'support' from Apple. As Apple is still missing basic PWA elements, we'd need to be creative with javascript to plug the gaps which is a serious time investment.
  8. If Apple add full push notifications to web apps before the end of 2020, I'll eat not only my hat, but yours too.* I love your passion, DII but we have given this a LOT of thought. We haven't just gone "OMG lets do an app LOL". It's been something we've been discussing for about 2 years. We've been waiting and waiting and waiting for Apple to take PWA seriously and while they are inching forward with service workers and other things, it's still a long way off. So we've had no choice but to go the native app route. Don't worry about resources though, we're fine. There's like 18 of us now. *If you are showing a screenshot of this in 2020 from your push notification from a PWA on your Apple device, I regret everything.
  9. Matt


    Version 4.4.7 is a maintenance update to fix critical issues reported since 4.4.6.
  10. I'm not sure how we could find out a monthly average. We could for our cloud packages, but it's more complex for downloaded versions without adding what some may consider spyware and call backs. I can tell you we manage several enterprise communities that have more than 150k monthly users on a single site.
  11. We use Slack internally. We also use a custom Invision Community installation (not on this domain, so don't waste time guessing. 😝) for project management.
  12. Yes, Google waits until Invision Community installations get indexed and then immediately changes its algorithm just to spite us.
  13. I really don't agree that it's late and out of touch. Ultimately our customers tell us they want a way to improve the mobile experience and have push notifications on all devices. Apple don't want to flood the store with copy and paste apps so a multi-community approach is the only solution.
  14. I think that it's also important to note that we're not simply opening WebView windows to the responsive theme on your site, we're actually building a new modern interface from scratch to improve engagement and content discoverability.
  • Create New...