You can see image sizes using right click and Properties in both Internet Explorer (Right Click  Properties) and Firefox (Right-click View Image Info).  In Chrome, the easiest way to see an image size is to install an Extension to View Image Properties – there are quite a few options there (I used this one).

The old Windows XP powertoy resizer allowed you to right click on an image and resize it very quickly and easily, if you needed smaller size images for the web. Unfortunately it no longer works on Windows 7. However, the powertoy has been rewritten for Windows 7 and made publicly available.

Resizing the easy way …

To resize images the easy way, you simply:

• Download and install the resizer program first from http://imageresizer.codeplex.com/
• right click the image in your Windows folder,
• choose Resize Image
• select Medium or Small, or choose a specific size if you need one

If you still have XP, you may like the Windows PowerToy which you can find by Googling for "Windows PowerToy Resizer".

More options with the powerful Gimp tool …

Alternatively, you may want to use the much more powerful (and more complex) free software "Gimp" which is described in Haleemon's article at Resizing images for your website.

You can install this very easily using the installation system at www.ninite.com – tick "Gimp" then click the green download button and follow prompts from there!

PayPal

Firstly, no discussion on payment processing could be complete without discussing PayPal; one of the oldest and most well known methods of accepting money on the internet. PayPal can be driven from a website in a number of ways, and accepts payment on your behalf. Originally, payment was taken from a "virtual" balance and credited to your business's balance with PayPal. One of the significant weaknesses of PayPal for many years was that it required your customer to create an account with PayPal and to login to that account to pay subsequently, even if they were trying to use their credit card with your store.

Modern PayPal now allows charges directly to credit cards, without requiring your customer to login to pay. This has greatly increased PayPal's usefulness and removed one of the major obstacles customers faced using PayPal. However, probably the biggest advantage of PayPal is that it is very easy and simple to setup – for sale of one or two items, without a shopping cart, setup takes less than a few hours.

An important point to understand about PayPal is that they only takes payment through their own website. When setting up your website to take payment through PayPal, your developer passes the transaction through to their website which accepts the payment and credits your account, notifying your website of the successful transaction through a mechanism called a "callback" or “IPN”. As the payments come in, Paypal puts them in your account and to get access to the funds you need to make a periodic withdrawal. In the past, PayPal has been vulnerable to locking merchant accounts for little reason (for example, sufficient reason can simply be a sudden large rise in business!), so this may be one reason mature businesses tend to avoid Paypal. To be fair, my impression these days is that well run businesses have few problems with PayPal.

PayPal does offer great eCommerce flexibility, including the ability to have recurring or automated subscription payments, use of their own eCommerce facilities, and a variety of ways of taking payments including through simple links and buttons. It's degree of flexibility

A significant downside of having PayPal as the only means for accepting payment is that it indicates strongly to your users that you are only a small business. However, if users in your target market don't understand that, or don't care, this may not apply to you.

Strengths? Easy, cheap and quick to setup. Relatively secure. Powerful and flexible. Handles credit card security for you.

Weaknesses? PayPal stigma. Receiving payments into their account can be prone to issues, including locking of accounts.

Credit Card payment through a gateway

Generally speaking, most internet businesses tend to prefer to take payment through payment gateway companies, due primarily to the cheap software setup costs (often ready to go).

The use of a payment gateway requires you to setup a specialized “merchant account” allowing you to take payments over the internet – often called something like an “Internet Enabled merchant account” though the exact term varies depending on the bank. A substantial advantage of accepting payments through this method is that the payments are in your account the next day (or the day after).

To pay through a gateway, you’ll need to setup an account with the payment gateway as well as the Internet merchant account. During the process of setting this up the bank will want to know that you have a legitimate website selling real products and that you are an honest and ethical business with such things as delivery and return policies to essentially protect themselves against complaints and chargebacks (refunds from customer complaints) against your business. They will usually want to approve your website first and, frankly, some banks have been very much harder to deal with over the years than others. Unfortunately, already having a normal merchant account (cards processed by a card swiping terminal, helps a little but doesn’t guarantee your application will be successful. The bank may charge you for setup, as well as an annual fee (usually about $300) and may also require you to sign an agreement which includes an exit penalty, so read carefully! You can sometimes negotiate to reduce exit penalties, particularly if you have an existing non-internet merchant account. You should allow at least 2 months for setting up a merchant account – the banks will tell you it’s a few weeks, but every site we’ve been involved with has taken longer!

The two main payment gateway companies in the Australian context are eWay and SecurePay. We’ve dealt mostly with eWay for 6 years now and can highly recommend their attention to detail and customer service as second to none. eWay in particular have worked hard to have their system well supported by nearly all of the major eCommerce systems out there, so they will just work out of the box. Additionally, eWay provide ready-to-go code fragments in several common languages so implementing payment through them is actually pretty easy.
The payment gateways usually charge a per-transaction fee, which you can negotiate down as your number of transactions increase. Additionally, your merchant facility will subtract a small percentage (usually 1.25% – 2%) of the payment amount, and a little more for Amex and Diners. There is also an annual fee, and possibly a setup fee. Ask carefully what fees apply when talking to the payment gateway companies to ensure you are comparing apples with apples.

Just a small point – the payment gateways all have associated websites, allowing you to login and run reports against the day’s transactions, and to take actions such as refunds, rebills, and searches. A second small point is that many gateways will store credit cards for you, providing you with a secure token for rebilling.

Strengths? Direct card billing (no PayPal); Faster processing into your own account; Easier and cheaper to setup initially; Reporting tools tend to be strong. Lower costs.

Weaknesses? Some fees.

Direct Bank implementations

Most banks will tend to suggest you implement your payment processing through the bank’s own gateway (terminology: a few of the banks call the system they use for this “MIGS”). As each bank tends to have their own code, and little is out there in the public domain, this can require some code to be written. In the early days the banks used to just supply you with a 2-inch thick document to read but my understanding is that some do provide code fragments these days.

You will need to setup a merchant account as you did above, which will also be subject to ongoing fees. The most common pathway for small businesses is that they setup a payment gateway initially and then move to a direct bank implementation as their turnover grows large enough. One of the advantages with the Direct Bank payment processing is that you don't have to pay gateway fees. Check with your bank to ensure there are no other fees involved as charges vary widely.

Depending on the bank and how helpful it is, you're likely to be up for development costs to implement the website code required to send your transactions to the bank. Some banks provide sample code for this, and it seems to be gradually getting easier for developers (and thus cheaper) over time.

A significant cost to this approach is that the bank is likely to require you to prove that your website and transaction processing is secure, and may require you to be certified for “PCI Compliance” – particularly in this era where even large companies such as Sony’s Playstation Network have been compromised with stolen credit card information. As this costs the banks millions (estimated $30 per replaced card) the banks try to ensure you are taking appropriate care with customer card information. Ironically, in my experience, it’s often the older websites that tend to cause many of these problems, as aging code tends to develop security faults over time! PCI Compliance has a number of levels and can impose restrictions and costs, particularly at the higher levels where certification alone costs $20,000 or more. If you have a website compromise that results in card information being exposed, banks will probably require that you be certified before allowing you to process transactions again. As part of getting your website developed, you should talk to your developers and ensure that they actually understand the security issues involved and have taken appropriate measures to keep card information safe, as a failure here can put your business at risk.

Strengths? Less fees and lower costs.

Weaknesses? Bank tools can be inadequate; Costs more to implement; Much stricter security generally required.

Summary

This article has only been a brief introduction to the issues involved;  being only a brief overview of how eCommerce payments work, and we hope we've given you a useful roadmap for choosing a payment solution for your eCommerce site.

Some of the other issues include storing card numbers, security, increasing sales "conversion" rates on your site, finding reliable ecommerce hosting, and developing an actual website;  we'll touch on some of these in future articles.

Please let us know if you’ve found this article helpful, or have any questions you’d like covered, or would like to talk to us about the issues you have in getting your own eCommerce site up and running.

When we chose to use Fido 6 years ago it was 'state of the art', but slowly over time it has became lacking in several areas some of which are listed below:

1. The authors are not supporting it as much as necessary (in fact, not making new releases at all!)
2. Its functionality is getting quite old and outdated
3. Increasing security issues and regular site hacking, including hacking of many ecommerce sites using it

Because of these issues we have started to move our client base to the widely recognized and  far more stable WordPress  CMS (Content Management System).

WordPress has a customer base of well over 53 million (some estimate 200 million as realistic!), is much more powerful and has a considerably more intuitive and 'easy to use' user interface. When WordPress was developed, it was used mainly as a blogging platform, but over time it has evolved into a complete, powerful and easy to use content management system and can be used for so much more through the thousands of plugins, widgets, and themes.

Along with all this, WordPress has the advantage of being an Open Source project, which means there are many hundreds of developers all over the world working on it, extending it and customizing it – in fact, many more than most commercial platforms.)  WordPress typically release small updates every 2-3 months which means you have access to a technology that is gradually evolving and continually improving.  It also means you are free to use it for anything from your cat’s home page to a Fortune 500 web site without paying anyone a license fee.

Currently you are paying $100 a year for the Fido licence. With WordPress, there is a one off conversion fee (heavily discounted to $400) and no subsequent licence fees, which means you will be saving $100 per year by moving to the new system. Additionally, if you have paid your Fido licence in the last 3 months, we will credit your entire licence fee towards the site conversion.

As site conversions are done with such a huge discount, we hope you’ll understand that they are done on an as-time-permits basis; the turnaround is usually around 3 weeks but can be more. We supply a short "getting started" manual with the sites. One-on-one training or more detailed documentation is also available at additional cost.

If you would like to get started please either call us at 1300 760 850, or email us and we will send you information on how to get started.

Here is a link to articles about WordPress from our blog if you’d like to read up a little.

• credit card numbers stolen – your customer's card details can be stolen and sold to criminals.
• transactions intercepted – silent interception of your customer's details
• transactions completely stolen – you never see the transactions
• site vandalised
• industrial espionage or vandalism
• site used for phishing – google listed
• your site is hacked, and kept for later "use" in crime, bank fraud or illegal file distribution

We've seen most or all of these done to customers over the years – no-one is immune!  The sites involved varied from small sites to huge sites with thousands of products processing millions of dollars per month.

There are three costs that you will face when you do get hacked:

1. lost business while your site is down
2. the cost of repairing and ensuring you can't get hacked again
3. lost reputation and trust

The effort and money you spend on keeping your site secure should align well with the losses you could incur from the above!  One successful model for this is to consider it like insurance – pay a little now, or pay a lot later.

10 tips for keeping your site safe from hackers

All of these could be expanded into complete articles – and we've done so for some – but here are some short-form tips that will introduce the key concepts.

Credit Card Security – don't store credit cards at all, or use methods such as tokenisation (which we'll write about in a coming article).  The amount of effort you expend protecting your card numbers should relate directly to the volume of your transactions.  If you are processing millions, you should be spending regularly on reviewing and updating your security practice.  A major leak of credit card details is not merely embarrassing; it can actually cost your business millions.

SSL encryption to protect from snoopers should be a given.  This ensures critical form data is encrypted as it travels over the internet – a common method for stealing card data is via WiFi sniffing, and encryption protects against this almost completely.  This is an eCommerce basic; many customers will avoid your site if they don't see the comfort of a small padlock on the order screen.  They usually don't realize that the padlock only covers one small area of security!  In fact, most security problems actually occur on the client PC or the server, whilst SSL only protects the connection.

Secure hosting – most people don't realize that many hosts leave mysql open so that it's possible to view mysql databases belonging to other users.  On LAMP servers, this is a side effect of the way PHP is run; it can be run securely so that this isn't possible.  This mistake by your hosts is one reason shared hosting is considered insecure, but it can actually be very close to the security offered by a VPS.  As an example, one organization we rescued got hacked during critical periods every time, via this method.

Update your website software regularly or you will eventually get hacked.  You might like to consider the value of getting your website done using a technology that is regularly updated by competent developers.  Open Source products such as Magento and WordPress offer this advantage at very reasonable cost.  The key here is to choose a platform that will be around, and actively updated, for the foreseeable future – otherwise you can be left holding the proverbial baby when the updates stop and the hacking attempts continue!

Do regular backups using at least two separate methods, preferably complementing what your host does. Remember not all hosts do backups. Most don't guarantee your data.  At least some of your backups should be "offline", some should be off the server, and some on server.  Talk to your host about this.

Use a predictive firewall that blocks hackers.  Ensure your host's firewall is capable of detecting hacking attempts and banning perpetrators so they don't get a free run – which will often yield access as they work through their extensive libraries of techniques.  Your host might also virus/exploit scan uploads and prevent bad code being uploads, which helps delay or prevent many automated attacks.  Remember, most attacks these days are automated – when they succeed in getting into your site the hacker is alerted and then can "use" your site for mischief.

Ensure your website is well documented.  The more you have invested in developing it, the more you should expect to see documentation – one effective model adopted by many is the use of a "Wiki", the example everyone is familiar with is Wikipedia.  The searchability of a Wiki, plus the fact that it is always available online, add up to a good long term tool.  Often printed hardcopy documentation is just not read by anyone!

Keep your system software updated.  It's an illusion if you beleive that VPS is more secure.  It can actually be less secure than an actively maintained shared hosting environment.  Actively maintained usually costs more – skilled system admins aren't cheap.  These system updates are naturally done for you if you have quality shared hosting.  Even if you keep your site secure, if your server gets hacked at operating system level (kernel/commands/services) your site is completely open.

Keep up to date with security practices – in a year or two, this article will be out of date; similarly, what is adequate now will not be enough to keep you safe in only a few years.  As just one example, it's become best practice not to store unencrypted user passwords – yet many websites still store easily viewable passwords, which can be easily stolen. Without a built-in practice of reviewing security regularly, you'll find current practices will become insufficient over time,  And of course, if you have a small site, many of the things listed here can be done by yourself – and you may already have them if you host with us!

Remember to upgrade your hosting as your business grows - it's not uncommon to find people relying heavily on budget hosting for a business that has outgrown that hosting years later.  The budget hosting goes down and the business then loses a lot of money by being offline – hardly the fault of a budget provider who simply can't provide a cast iron guarantee at budget prices.

Summary – keep your perspective

It's important to understand that "preventing" hacking effectively means reducing your chances of being hacked.  No single practice by itself can completely stop your chances of getting hacked.  The trick is to combine the best practice common- sense methodologies listed above to get synergistic protection that means you are safe from all but the most skilled and determined hackers and luckily there are very few of those!

Luke approached us some months ago, as he has an active and interesting health business in a number of areas and wanted a site to allow him to write about that, and to attract new business while keeping existing clients informed. 

We thought we’d share the site with you as an example of one of the sites we do and also as an example of a very interesting health practitioner working in an unusual area – that of staying healthy over the long haul!

So Firebug doesn't actually implement the change but rather will display what it would look like. Let's check out an example, shall we?

Start off with a website, we'll use the White Dog site as an example. We want to see what it would look like to change the heading (H2) tags from green to fuchsia, so let's begin.

Highlight the section that you want to modify (in this case, I'm highlighting the text "Choose from a variety of affordable…"), right click the text and then select "Inspect Element". Firebug will launch in the lower section of the screen.

(NOTE: click the image to enlarge)

Let's change the color for the H2 tags from green (HTML color code #109410) to fuchsia (#FF00FF) in the right hand section of Firebug, the page instantly refreshes to show the change, see below.

Now that we see what the change looks like,  we can either go into the CSS file and make the edit if we like the change; or we can refresh the page and the changes made in Firebug are reset so it's like the color change never happened, heading tags are green again. 

Firebug saves you a lot of time when you're experimenting with changes and works especially well when modifying a live site.

Over the last 4-5 years a number of frameworks have matured and grown to be more suited to the development of large projects – some notable examples being Drupal and Magento, in particular, and these frameworks are being used in an increasing number of enterprise environments (some quick well-known examples – Fox, Breville, Samsung, Olympus, Ford etc).

We beleive some additional factors further contribute to the 

Open Source code allows faster turnaround with framework problems  - as your team has direct access to the framework core itself.  This removes many time consuming and expensive holdups as small framework problems can be resolved by your team; while the larger problems can be handled as support requests as you would for a commercial framework.

Because of the prevalence of Open Source, skilled programmers are obviously readily available.  A problem to be aware of is that there is a wide variety of skill level in the marketplace and assessing programmer skill before hire is crucial.  In particular it’s important that your architects be proficient to ensure that correct architectural decisions are made in early stages of the project and expensive mistakes are avoided.  This is where hiring a ready-made team with experience can actually be cost-effective in the long term.

An additional crucial factor that has changed is the creation of long term funding models for new frameworks. Prior to this change, users were at the mercy of often-slow part-time development teams – for instance, Joomla has only released 1.6 fairly recently after some years delay.  An example of this new funding model is the Magento e-Commerce system project, which provides a full featured eCommerce system.  Magento has Magento Community, Professional and Enterprise versions ranging from free to $13k per year.  This allows commercial-grade support to be available while retaining the open source advantages of exposure to a large community and thus having many contributing authors submitting code for filtering and inclusion.  The Open Source model has shown itself to be capable to producing quality systems that are widely in use – GNU/Linux being just one example of many.  The Magento funding model allows Magento to retain open source advantages yet to be responsive to enterprise needs.

An interesting and important market trend is that surprisingly, PHP work, including on PHP frameworks such as Magento and Drupal, is emerging as more profitable for developers – and this will become a driving force as time proceeds.  When producing a product is more profitable, the market will inevitably respond by producing more of that product and thus refining what is available.  Over the short to the medium term this can be expected to yield increasing and inevitable changes in the development market.

Empirical figures and conversations with developers suggest that the larger frameworks can significantly reduce costs, or allow greater implementation scope, for midrange projects.  Some developers have estimated that the savings on some Magento developments was around 40-50% over a well-known commercial framework.  The cutoff point at this stage appears to be around 1000 hours – there are large scale efficiencies and savings inherent in large-scale commercial development platforms that start to kick in and make those more effective for these larger projects.

It’s important to understand that there are course for horses – Open Source is not appropriate for every enterprise development project and it’s vital that your developers be able to tell the difference.   In the meantime, there’s a lot to be saved on appropriate projects!

Perhaps we'll see you at The Internet Show on May 4th and 5th!

[Ed note: Brian is speaking on this topic at the Internet Show, on May 4th at 11:00 and May 5th at 12:35   - details at http://www.terrapinn.com/exhibition/the-internet-show-melbourne/seminars.stm]

• Wednesday, May 4th, at 11 am and
• Thursday, May 5th, at 12:35 pm

The discussion topic will be, "Halving your development costs with New Generation Open Source." 

If anyone would like an invitation to the event, let us know!!

Here's a digest of a few simple (but non-obvious) thoughts re web design, with some more reading for those interested.

Utility vs Beauty

Just a thought – would you rather have a website that is beautiful, or a website that makes you money?

Interestingly, research has shown that simpler websites are often more effective at generating income – particularly when menus and links are in places that users would expect.  Simple to use means easier for them to buy (or whatever you want them to do).

In web terminology, the process of "buying" from a website is called "conversion" and a website's effectiveness in selling product is called "conversion effectiveness".

Despite the fact that Flash is pretty but just doesn't work well in many areas (Google often can't index it, and it doesn't work on iPads/iPhones/mobile devices), we still see it being used for many sites.  While one can understand this for movie sites (where "look" is vital), it's harder to understand why it is used on small business sites surprisingly often.

This is not at all to suggest that a website needs to be ugly – not at all.  However there's a fine line to walk, and it's surprising how some simple additions can improve the look of a website withuot damaging it's ease-of-use.

Small business web design trends

Mashable.com, a popular internet news and blog aggregator, recently published a useful and enlightening note on some small business web design trends. In a very brief summary the article makes the following points:

1. Minimalism – keep websites simple and uncluttered
2. Photography – custom and imaginative photography/imagery works better than stock images
3. Big Bold Typography – used to grab a user's attention
4. Clear Calls to Action – what do you want the user to do, by when
5. A/B split testing – testing multiple versions of your website can yield huge improvement on conversion effectiveness

Click here to read the whole article at mashable.com While none of these come as complete surprises, we thought the overview might be helpful to you when considering what your website should look like – simplicity can work!

How websites get hacked:

There are fourmain ways that websites get hacked:

1. Exploited scripts – outdated scripts with security holes get exploited through the web by baddies.  They send special codes to your website that allow them to take over the website.

2. Stolen passwords – virus and trojan infections on your computer can steal passwords as they are typed, or from saved password files.  Once the virus has your passwords, they are sent up to a central repository and gradually exploited.  One of our web developer friends had this happen to him and they took almost 18 months to gradually work through and hack 3-4 of his sites – each with bank phishing sites.  Passwords can also be stolen by using them over public WiFi – both POP and FTP send passwords in the clear and shouldn't be used on public (unsecured) WiFi for that reason.
    
3. (2b) Stolen passwords on the server – some webhosts run accounts in such a way that they can see each other's database passwords, and thus each other's databases.  Yes, we think this is strange too.
    
4. Root compromise on the server – it is possible to take over a server completely, and hack the web server component so it occasionally sends viruses out to people looking at websites.  This is often done randomly, and sometimes only once per computer viewing the site, so it can be very hard to track down.  This is relatively rare as thankfully most hosts are able to protect themselves against this.  There were some recent examples of this in Australia over the last few years, though I'll refrain from mentioning the companies!
    

What we do to keep you safe

As we're in a unique position as a webhost as well as a web developer handling a lot of sites, we get to see more than a few sites hacked and we've worked out a methodology that successfully stops most hacking.  While we won't mention all our goodies here, some of the things we do are:

1. Block known attack signatures – when baddies attack scripts, they often use recognizable attack signatures.  Where possible we detect these and prevent them from getting through to your website, giving what's called a "406" error.
    
2. Firewall blocking of security scanners – a common hacker attack method is to "scan" a website by checking a list of vulnerabilities, or trying to guess a password by working through a list of common passwords, amongst other things.  If we see an IP doing things like these, we block them in the firewall and that's the last we ever hear of them.  While they can change IPs, only a few go that far, so this does cut down attacks.
    
3. Ensure user accounts can't see each other's databases – that way if one account gets hacked, it doesn't spread to others.  We hosted a small political organization for a few years that had been hacked around election time via this mechanism prior to moving to us, so it does happen!
    
4. Scan uploaded files – we scan all uploaded files for known virus and other related patterns, rather like an anti-virus on a PC.  We don't think many hosts do this yet.
    
5. Do server-based backups – these allow us to recover the unhacked versions of files, if we find out quickly that the site has been hacked.

One of the problems with a server that regularly hosts attacked sites is that it can start to affect things like email (listed in blocking lists) and of course, a server under attack often gets very slow.

What you can do to keep your site safe

There are two things that you can do that will help you keep yourself safe from a hacking attack:

1. Do regular backups of your site through cPanel – pop into cPanel regularly and download a backup.  You only need to do it every now and then unless you change your site a lot.  If you use WordPress, you can automate this with the WP-DB-Backup plugin, which can be asked to email you a backup on a weekly (or even daily) basis.  See our Backup article here for more information.
    
2. Keep your website's software up to date – if you use WordPress, for instance, it's merely a matter of logging into your dashboard regularly and running an update if there is a new version available.  If you run WordPress and don't have the time to log in regularly and want to ensure you are kept safe, there's a plugin called WP-Update-Notifier that will send you email when a new update is available.  See our article on updating web software here.

How we can help if you do get hacked

At the end of the day, any website can get hacked, even though you may have taken precautions, and we fully understand the distress that it can cause.

If you don't have your own developer, or if they would like a specialist to look at it, we are usually able to repair a website within a day, and do our best to diagnose for you how the site got hacked.  Contact us if you'd like to discuss this service.