Everything posted by Matt

  1. We've proudly used Commerce for close to a decade, managing close to a million support tickets. We decided to switch to a dedicated ticket platform so that we can bring our customer support and enterprise support into a single channel. We *could* spend 6-9 months adding features to Commerce's support desk but really that's not an area we see as growth for us. We want to create the best community platform we can, and creating a product to rival Zendesk isn't a direction we want to take. Commerce is not having its support desk removed. We do want to refine Commerce in a future release to strip out some of the things not often used (like hosting support) and improve areas which get more use (subscriptions, etc). We still stand by Commerce as an excellent community support desk too. The simple truth is that we just needed something a little more powerful to manage our growing base of customers.
  2. Just open a new ticket and I'll make sure all the ticket IDs from Commerce are added. Our staff still have access to the old ticket desk and nothing has been deleted.
  3. We have moved to a new support desk platform to manage client support. If you need any information from an older ticket, let me or the support team know and we can look it up for you.
  4. Yes, we stated elsewhere in this blog and its comments that we intend to keep developing the PWA functionality. You may not view notifications as "must have" but a good number of people do. 🙂
  5. Yeah, I saw that yesterday. Pretty bad vulnerability for their customers to deal with.
  6. Security should never be an afterthought. Don't wait until an attack has compromised your site before you take action.

     All too often, site owners consider increasing their security only when it's too late, and their community has already been compromised. Taking some time now to check and improve the security of your community and server will pay dividends.

     In this blog, we run down 8 ways that you can protect your community with Invision Community. We go through everything from the security features you may not know about to best practices all communities should be following.

     1. Set up Two Factor Authentication

     Invision Community supports Two Factor Authentication (2FA for short), and we highly recommend making use of this feature for your users, but especially for your administrative staff.

     2FA is a system that requires both a user's password and a special code (displayed by a phone app) that changes every few seconds. The idea is simple: if a user's password is somehow compromised, a hacker still wouldn't be able to log in to the account without the current code number.

     You may already be familiar with 2FA from other services you use. Apple's iCloud, Facebook and Google all offer it, as do thousands of banks and other security-conscious businesses.

     Invision Community supports 2FA via the Google Authenticator app (available for iOS and Android) or the Authy service, which can send codes to users via text message or phone call. You can also fall back to security questions instead of codes.

     You can configure which member groups can use 2FA, as well as requiring certain groups to use it.

     Recommendation: Require any staff with access to the Admin Control Panel or moderation functions to use 2FA. This will ensure that no damage will occur should their account passwords be discovered. Allow members to use 2FA at their discretion.

     2. Configure password requirements

     The password strength feature displays a strength meter to users as they type a new password. The meter shows them approximately how secure it is, as well as some tips for choosing a good password.

     While you can leave this feature as a simple recommendation for users, it's also possible to require them to choose a password that reaches a certain strength on the meter.

     Recommendation: Require users to choose at least a 'Strong' password.

     3. Be selective when adding administrators

     Administrator permissions can be extremely damaging in the wrong hands, and granting administrator powers should only be done with great consideration. Giving access to the AdminCP is like handing someone the keys to your house. Before doing so, be sure you trust the person and that their role requires access to the AdminCP (for example, would moderator permissions be sufficient for the new staff member?).

     Recommendation: Don't forget to remove administrator access promptly when necessary too, such as when a member of staff leaves your organization. Always be aware of exactly who has administrator access at any given time, and review regularly. You can list all accounts that have Administrative access by clicking the Administrators button under staff on the Members tab.

     4. Utilize Admin Restrictions

     In many organizations, staff roles within the community reflect real-world roles - designers need access to templates, accounting needs access to billing, and so forth.

     Invision Community allows you to limit administrator access to particular areas of the AdminCP with the Admin Restrictions feature, and even limit what can be done within those areas.

     This is a great approach for limiting risk to your data; by giving staff members access to only the areas they need to perform their duties, you reduce the potential impact should their account become compromised in future.

     Recommendation: Review the restrictions your admins currently have.

     5. Choose good passwords

     This seems like an obvious suggestion, but surveys regularly show that people choose passwords that are too easy to guess or brute force. Your password is naturally the most basic protection of your AdminCP there is, so making sure you're using a good password is essential.

     We recommend using a password manager application, such as 1password or LastPass. These applications generate strong, random passwords for each site you use, and store them so that you don't have to remember them.

     Even if you don't use a password manager, make sure the passwords you use for your community are unique and never used for other sites too.

     Recommendation: Reset your password regularly and ensure you do not use the same password elsewhere.

     6. Stay up to date

     It's a fact of software development that from time to time, new security issues are reported and promptly fixed.

     But if you're running several versions behind, once security issues are made public through responsible disclosure, malicious users can exploit those weaknesses in your community.

     When we release new updates - especially if they're marked as a security release in our release notes - be sure to update promptly.

     Invision Community allows you to update to the latest version via the AdminCP. You no longer need to download a thing!

     Recommendation: Update to the latest version whenever possible. Remember, with Invision Community's theme and hook systems, upgrades to minor point releases should be very straightforward.

     7. Restrict your AdminCP to an IP range where possible

     If your organization has a static IP or requires staff members to use a VPN, you can add an additional layer of security to your community by prohibiting access to the AdminCP unless the user's IP matches your whitelist.

     This is a server-level feature, so consult your IT team or host to find out how to set it up in your particular environment.

     Recommendation: Consider IP restriction as an additional security layer when you are not able or willing to use 2FA.

     8. Properly secure your PHP installation

     Many of PHP's built-in functions can leave a server vulnerable to high-impact exploits, and yet many of these functions aren't needed by the vast majority of PHP applications you might run. We, therefore, recommend that you explicitly disable these functions using PHP's disable_functions configuration setting. Here's our recommended configuration, although you or your host may need to tweak the list depending on your exact needs:

     disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink,system

     Another critical PHP configuration setting you need to check is that open_basedir is enabled. Especially if you're hosted on a server that also hosts other websites (known as shared hosting), if another account on the server is compromised and open_basedir is disabled, the attacker can potentially gain access to your files too.

     Naturally, Cloud customers needn't worry about this, we've already ensured our cloud infrastructure is impervious to this kind of attack.

     Recommendation: Review your PHP version and settings, or choose one of our cloud plans where we take care of this for you.

     So there we go - a brief overview of 8 common-sense ways you can better protect your community and its users.

     As software developers, we're constantly working to improve the behind-the-scenes security of our software. As an administrator, there are also a number of steps you should take to keep your community safe on the web.

     If you have any tips related to security, be sure to share them in the comments!
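One way to check a php.ini file against the two settings from point 8 of the post above, as an added example that is not Invision Community's own code. The sample ini text and paths are constructed, and the script reads the file's text only, so the values PHP actually runs with should still be confirmed with phpinfo() or php -i.

```python
# Added example: audit php.ini text for the disable_functions list and
# open_basedir setting recommended in the post. Sample input is constructed.
RECOMMENDED = (
    "escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,"
    "pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,"
    "proc_terminate,show_source,shell_exec,symlink,system"
).split(",")


def parse_ini(text):
    """Return directive -> value; a later assignment overrides an earlier one."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue  # blank line, comment, section header, or not an assignment
        key, value = line.split("=", 1)
        value = value.strip()
        if value[:1] in ('"', "'"):
            value = value[1:].split(value[0], 1)[0]  # quoted: keep up to closing quote
        else:
            value = value.split(";", 1)[0].strip()   # unquoted: ';' starts a comment
        values[key.strip()] = value
    return values


def audit(text):
    """Report which recommended functions are still enabled and whether open_basedir is set."""
    ini = parse_ini(text)
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    return {
        "missing_disable_functions": [f for f in RECOMMENDED if f not in disabled],
        "open_basedir_set": bool(ini.get("open_basedir", "")),
    }


# Constructed samples: a weak configuration beside a hardened one.
WEAK_INI = """[PHP]
; constructed sample
disable_functions = exec,system   ; only two of the recommended functions
;open_basedir = /var/www/community
"""
HARDENED_INI = (
    "[PHP]\n"
    f"disable_functions = {','.join(RECOMMENDED)}\n"
    'open_basedir = "/var/www/community:/tmp"\n'
)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(text))
```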
  7. Indeed @Morgin. There seems to be a circular argument that: - We don't have the resources to make a native app. But - We do have the resources to code around missing functionality in PWA 'support' from Apple. As Apple is still missing basic PWA elements, we'd need to be creative with javascript to plug the gaps which is a serious time investment.
  8. If Apple add full push notifications to web apps before the end of 2020, I'll eat not only my hat, but yours too.* I love your passion, DII but we have given this a LOT of thought. We haven't just gone "OMG lets do an app LOL". It's been something we've been discussing for about 2 years. We've been waiting and waiting and waiting for Apple to take PWA seriously and while they are inching forward with service workers and other things, it's still a long way off. So we've had no choice but to go the native app route. Don't worry about resources though, we're fine. There's like 18 of us now. *If you are showing a screenshot of this in 2020 from your push notification from a PWA on your Apple device, I regret everything.
  9. Version 4.4.7 is a maintenance update to fix critical issues reported since 4.4.6.
  10. I'm not sure how we could find out a monthly average. We could for our cloud packages, but it's more complex for downloaded versions without adding what some may consider spyware and call backs. I can tell you we manage several enterprise communities that have more than 150k monthly users on a single site.
  11. We use Slack internally. We also use a custom Invision Community installation (not on this domain, so don't waste time guessing. 😝) for project management.
  12. Yes, Google waits until Invision Community installations get indexed and then immediately changes its algorithm just to spite us.
  13. I really don't agree that it's late and out of touch. Ultimately our customers tell us they want a way to improve the mobile experience and have push notifications on all devices. Apple don't want to flood the store with copy and paste apps so a multi-community approach is the only solution.
  14. I think that it's also important to note that we're not simply opening WebView windows to the responsive theme on your site, we're actually building a new modern interface from scratch to improve engagement and content discoverability.
  15. Would you be impressed if we went in that same direction, but while I was juggling 7 iPhones? Our motivation for building native apps is solely out of frustration waiting for PWA to implement critical features, such as push notifications on Apple devices. As far as we can tell, Apple have zero interest in allowing PWA to push notifications to devices. I'm sure the reasons are numerous and good ones for them. In the meantime, we don't want those who trust their community with us to be left behind. We still intend to develop the PWA integration and we're not going to force anyone to be listed in the app.
  16. Hello! Please contact support and we'll take a look at your account for you.
  17. Yes. I firmly believe that our strong categorisation and organisation of content does make us more permanent than Twitter. Twitter, like most “feed” style apps, is very much in the now. Conversations come and go. Subjects trend and then fade. Is it trivial to reply to a Twitter thread from 2 weeks ago? Not without a lot of scrolling or using the search tools. There is no organisation or segmentation of conversation. I don’t think it’s fair to position us as the “Model T” as you assume we are stuck in our ways and refuse to change the format blindly. (I’m replying to you on our mobile app) We have launched many high end communities for global brands and they come to us because they don’t want a chat style community. So, I’m not telling you to do anything. I’m just saying that if you want a chat style community then this isn’t the product that suits your needs.
  18. Our absolute number one aim with Invision Community is to provide a platform that enables rich discussion of a topic with permanence. There are a hundred directions we could take our software, so we have to choose wisely. Before we add major new functionality, we ask ourselves "does this enhance multi-person rich discussion of a topic or does it detract from it?" I can see the value for a strong chat/instant messaging app for some communities. But for others it'll just cannibalise those rich discussions into instant chats which are then disposed. You will move your community from a state of permanence into social media where conversations are lost after a few hours. Please do not assume that just because we do not do a thing, it means we don't care, or we haven't discussed it at length internally. If you are screaming at us because our software doesn't provide the functionality you require, then perhaps you are trying to fit a square peg into a round hole, and you are now just hitting us with a hammer and demanding we make it fit. If you need instant discussion and accept that discussion will become disposable, then you are probably better off with a Facebook Group.
  19. It's now a deprecated feature. Procrastination wins again.
  20. Without paying for white label, which means setting up your own Apple and Google Play accounts, and getting the app through the approval process, a multi-community app is the only solution. There absolutely will be the possibility to adjust some things in the app via your own ACP for how it looks. Again, it's not feasible for a free app to have it customisable completely as you're not building simple HTML and CSS pages, it's much more complex than that. For the same reason, extensions and plugins that alter the front end cannot work. It's not a simple case of injecting some HTML into an existing template. The app is a completely different mindset to desktop/mobile browser apps.
  21. Honestly, and this is my personal feeling rather than a group decision, that isn't something I want to do. You're limiting the potential growth of your community to give a perk to a small percentage of your user base. Why not use the app to encourage rapid growth and then offer options (such as subscriptions) to a wider base?
  22. You already own your own data. Our app uses native APIs built into Invision Community. So "we" (as Invision Community) do not take, permanently copy or mine your data in any way. The mobile app will connect to your community which returns the data. Rikki mentioned monetisation in the blog. Honestly, it's early days so we have no firm plans. We're keen to make sure it's free to the end-user though. Monetisation will most likely come from optional things like promotion in the directory and possibly more theme options for the admin. Nothing is set in stone, but I wanted to be transparent about the direction we've talked about internally. As said, we want to ensure your users have a great experience with the app and there is no pay barrier for them.
  23. Sure. It's balance. You don't want people to get so frustrated with the pings they turn them off, but a gentle "Hey here's what you've missed" can be a friendly nudge to revisit.
  24. Yep, it's not a terrible strategy.