<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - Magento</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/magento.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2025-01-21T00:00:00+11:00</updated><entry><title>Visa's Security Roadmap 2025-2028</title><link href="https://www.peakhour.io/blog/visa-security-roadmap-2025-overview/" rel="alternate"></link><published>2025-01-21T00:00:00+11:00</published><updated>2025-01-21T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-21:/blog/visa-security-roadmap-2025-overview/</id><summary type="html">&lt;p&gt;An analysis of Visa's Security Roadmap 2025-2028 and how Peakhour's solutions help Australian businesses meet these security objectives.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Visa's Security Roadmap 2025-2028 for Australia is not just a payments strategy document. It is a signal about where fraud, application security, authentication, and compliance work are converging for merchants, acquirers, issuers, gateways, and service providers.&lt;/p&gt;
&lt;p&gt;The timing matters. Visa's roadmap cites Australian card fraud rising 32% to A$762 million in 2023, with unauthorised card-not-present fraud increasing 33% to A$688 million. Scam losses reached A$2.7 billion in 2023, and reported data breaches increased 19% in the second half of 2023 compared with the first half. The pressure is not coming from one direction. Payment teams are dealing with automation abuse, social engineering, compromised credentials, weak merchant onboarding, third-party exposure, and new payment experiences at the same time.&lt;/p&gt;
&lt;p&gt;Visa groups its roadmap into six focus areas: preventing enumeration attacks, continued investment in secure technologies, data-driven risk, resilience against fraud and scams in the era of AI, stronger cyber security posture, and secure digital payment experiences. For Australian businesses, the more useful way to read it is as a set of operational themes.&lt;/p&gt;
&lt;h2&gt;Automation Abuse Has Become a Payment Control Issue&lt;/h2&gt;
&lt;p&gt;Enumeration attacks sit first in the roadmap for a reason. Visa defines enumeration and account testing as automation used to test and guess payment credentials that can later be used in fraudulent transactions. The attacks often appear as high-speed card testing against online merchants, with low-value attempts used to validate PAN, expiry, or CVV2 combinations.&lt;/p&gt;
&lt;p&gt;Visa reports a 40% increase in enumeration attacks in the first six months of 2023 compared with the previous period, and more than US$1.1 billion in global fraud losses from enumeration attacks over the year to 30 September 2023. The updated Visa Acquirer Monitoring Program (VAMP), effective 1 April 2025, adds enumeration criteria alongside broader fraud and dispute monitoring.&lt;/p&gt;
&lt;p&gt;The implication is practical: merchants and acquirers need route-level evidence, anomaly monitoring, velocity controls, and a way to identify distributed automation before it becomes payment fraud. IP-only controls are weak when attacks use residential proxies, first-seen devices, and slow distributed attempts. Peakhour's bot management, residential proxy detection, advanced rate limiting, and edge logging can help support that evidence path, but the business still needs payment-flow ownership and acquirer alignment.&lt;/p&gt;
&lt;h2&gt;Authentication and Tokenisation Are Moving Together&lt;/h2&gt;
&lt;p&gt;Visa's secure technology theme is not simply "add more authentication." The roadmap ties tokenisation, EMV 3DS, biometric or in-app authentication, passkeys, and Click to Pay into the same customer and fraud problem: protect credentials while reducing unnecessary friction.&lt;/p&gt;
&lt;p&gt;Tokenisation reduces the value of exposed card data by replacing a card number with a token. Visa notes that the Visa Token Service has passed one billion tokens in Asia Pacific and that merchants adopting VTS for digital payments saw payment fraud rates reduced by more than half in the cited Asia Pacific analysis. But the roadmap also flags token provisioning fraud, where bad actors illegitimately provision tokens and then monetise them quickly.&lt;/p&gt;
&lt;p&gt;That is why authentication quality matters. Visa says issuers are being mandated to move away from SMS OTP as the sole authentication factor by 2026, toward methods such as biometric, in-app, app-to-app, or passkey-based authentication. For merchants, updated Visa Secure minimum data requirements push more complete authentication data into the decision process.&lt;/p&gt;
&lt;p&gt;For application teams, the lesson is that checkout security is not a single login prompt. It includes account creation, saved-card use, card add, token provisioning, checkout, refund, and support paths. A risk-based challenge should appear where the action justifies it, not everywhere by default.&lt;/p&gt;
&lt;h2&gt;Risk Decisions Need Better Data, Not Just More Data&lt;/h2&gt;
&lt;p&gt;The roadmap's data-driven risk theme is about using available payment and authentication data to reduce fraud and false positives. Visa points to EMV 3DS data elements, Visa Secure requirements, risk-based authentication, and issuer decisioning as examples of how better data quality can change outcomes.&lt;/p&gt;
&lt;p&gt;More data is not automatically better. It has to be accurate, relevant, protected, and available at the moment of decision. A fraud team may need account history, device consistency, proxy likelihood, card-attempt cadence, transaction context, and previous response outcomes. A compliance team may need to know why that data is collected, where it is retained, and who can query it.&lt;/p&gt;
&lt;p&gt;This is where contextual security becomes useful. Peakhour's &lt;a href="/solutions/use-case/contextual-security/"&gt;Contextual Security&lt;/a&gt; approach combines request, route, account, network, device, and behaviour signals so teams can allow, challenge, rate limit, block, or log based on risk. The control is strongest when the decision record stays attached to the event: signal set, policy version, action, and outcome.&lt;/p&gt;
&lt;h2&gt;AI Raises Scam and Fraud Pressure, But It Is Also Part of Detection&lt;/h2&gt;
&lt;p&gt;Visa frames AI in both directions. Generative AI lowers the barrier for phishing, social engineering, deepfakes, and personalised scam content. At the same time, Visa points to its long history using AI and machine learning in payment fraud detection, including around 150 AI and machine learning models in production.&lt;/p&gt;
&lt;p&gt;For businesses outside the payment network, the message is not "buy AI." It is to prepare for more scalable deception and faster abuse cycles. Fraud controls need to watch for account creation abuse, credential stuffing, payment testing, suspicious onboarding, transaction anomalies, and customer manipulation signals. Human review still matters because authorised scams can look different from unauthorised account compromise.&lt;/p&gt;
&lt;p&gt;Peakhour's role is strongest around the request and account edge: identifying automation, proxy-backed traffic, route abuse, credential risk, and abnormal behaviour before fraud reaches sensitive application paths. Those signals can feed fraud review and incident response, but they should be used with privacy, false-positive, and customer-impact controls.&lt;/p&gt;
&lt;h2&gt;Cyber Posture Is Now Part of Payment Ecosystem Resilience&lt;/h2&gt;
&lt;p&gt;Visa's fifth theme connects payment fraud to cyber security posture. PCI DSS remains mandatory for entities storing, processing, or transmitting Visa cardholder data. Visa also highlights third-party agent (TPA) registration, its Account Information Security program, third-party service provider risk, breach trends, and preparation for broader AES support by 2030.&lt;/p&gt;
&lt;p&gt;For Australian businesses, this is a reminder that payment risk is not limited to the payment processor. A breach of a CMS account, a third-party script, a weak checkout plugin, a vulnerable API, a compromised support tool, or an unmanaged service provider can affect the payment environment. PCI scope and third-party oversight need to include the systems that can change or observe checkout, not only systems that store card numbers.&lt;/p&gt;
&lt;p&gt;Peakhour can help with application-layer controls around WAF, API protection, bot management, rate limiting, DDoS mitigation, and log forwarding. Those controls can support evidence for payment security and cyber posture. They do not replace PCI DSS validation, TPA obligations, acquirer requirements, or legal review.&lt;/p&gt;
&lt;h2&gt;New Payment Experiences Need Security Built Into the Flow&lt;/h2&gt;
&lt;p&gt;Visa's final theme covers digital payment experiences such as Click to Pay, passkeys, Flex Credential, and Tap to Everything. These changes are about reducing manual card entry, password dependence, and fragmented checkout experiences while preserving cardholder verification and transaction security.&lt;/p&gt;
&lt;p&gt;The security work for merchants is to keep pace with those flows. New payment methods bring new integration paths, data elements, redirects, APIs, support workflows, and customer education needs. The right question is not only "does the new payment method work?" It is "which systems can affect it, what data is passed, how is the customer verified, what fraud signals are available, and what evidence remains after a dispute or incident?"&lt;/p&gt;
&lt;h2&gt;What Businesses Should Do Next&lt;/h2&gt;
&lt;p&gt;Read the roadmap as an operating agenda. Map payment and account routes. Identify where automation can test credentials or cards. Review SMS OTP dependence. Check whether tokenisation and 3DS data are being used well. Validate which vendors affect checkout and payment security. Confirm that logs can support fraud review without capturing sensitive card data. Tune rate limits and bot controls by route, not only by IP.&lt;/p&gt;
&lt;p&gt;The next few years of payment security will reward teams that can make proportionate, evidence-backed decisions. That is the thread running through Visa's roadmap and through Peakhour's edge security work: see the request in context, choose the right action, and keep enough evidence for fraud, security, and compliance teams to explain what happened.&lt;/p&gt;</content><category term="Fraud"></category><category term="PCI DSS"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Fraud Prevention"></category><category term="Magento"></category><category term="Application Security"></category></entry><entry><title>Account Protection and User Experience in Web Applications</title><link href="https://www.peakhour.io/blog/frictionless-customer-experiences/" rel="alternate"></link><published>2024-07-17T10:00:00+10:00</published><updated>2024-07-17T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-17:/blog/frictionless-customer-experiences/</id><summary type="html">&lt;p&gt;Explore strategies to enhance web application security without compromising user experience, focusing on contextual security and adaptive authentication measures.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Web applications face a wide range of security threats, but customer accounts are often the target. Our recent survey of
Australian businesses showed a need for stronger
&lt;a href="/solutions/use-case/contextual-security/"&gt;account protection&lt;/a&gt; measures. Those controls can add friction for users if they are applied too broadly. This article
looks at ways to balance security with &lt;a href="/learning/crux-chrome-user-experience/"&gt;user experience&lt;/a&gt; in web applications.&lt;/p&gt;
&lt;h2&gt;The Challenge: Compromised Credentials&lt;/h2&gt;
&lt;p&gt;Our survey found that 21% of organisations cited reputation loss as their main cybersecurity challenge. That
result points back to a practical security problem: compromised credentials.&lt;/p&gt;
&lt;p&gt;Causes of compromised logins include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Phishing attacks&lt;/li&gt;
&lt;li&gt;Password reuse across multiple sites&lt;/li&gt;
&lt;li&gt;Data breaches exposing user credentials&lt;/li&gt;
&lt;li&gt;Credential stuffing attacks&lt;/li&gt;
&lt;li&gt;Keylogging malware&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These risks make password-only authentication a weak control for customer account protection.&lt;/p&gt;
&lt;h2&gt;Moving Beyond Traditional Multi-Factor Authentication&lt;/h2&gt;
&lt;p&gt;Multi-Factor Authentication (MFA) adds a useful security layer, but it can also add friction. Our survey found that
only 40% of organisations implement bot protection, which leaves a clear gap around automated attacks.&lt;/p&gt;
&lt;p&gt;While 77% of surveyed businesses use MFA, that figure can hide other weaknesses. MFA alone doesn't
protect accounts from every attack path.&lt;/p&gt;
&lt;p&gt;&lt;a href="/blog/why-mfa-is-an-incomplete-defence/"&gt;Learn more about the limitations of traditional MFA&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Contextual Security: A User-Focused Approach&lt;/h2&gt;
&lt;p&gt;Contextual security helps reduce that tradeoff between protection and user experience. It assesses the risk of each
login attempt using factors including:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Location of the login attempt&lt;/li&gt;
&lt;li&gt;Time of day&lt;/li&gt;
&lt;li&gt;Device used&lt;/li&gt;
&lt;li&gt;User behaviour patterns&lt;/li&gt;
&lt;li&gt;IP address reputation&lt;/li&gt;
&lt;li&gt;Network characteristics&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;By analysing these contextual factors, web applications can apply adaptive authentication without
asking every user to complete an extra step every time.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Figure 1: Key factors considered in contextual security&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Implementing Contextual Security in Web Applications&lt;/h2&gt;
&lt;p&gt;To improve account protection without adding unnecessary friction, consider these controls:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Real-time monitoring&lt;/strong&gt;: Track user activity and detect anomalies.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Adaptive authentication&lt;/strong&gt;: Adjust security requirements based on the risk level of each login attempt.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural analysis&lt;/strong&gt;: Use machine learning to understand user behaviour and flag suspicious activity.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Transparent security measures&lt;/strong&gt;: Apply checks that don't require additional user actions for low-risk scenarios.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Risk-based access controls&lt;/strong&gt;: Apply stricter security measures for high-risk actions or sensitive data access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bot protection&lt;/strong&gt;: Detect and mitigate automated attacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API security&lt;/strong&gt;: Protect APIs from abuse and unauthorised access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Residential proxy detection&lt;/strong&gt;: Identify and mitigate threats from residential proxy networks.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;For web applications, the goal is targeted control rather than blanket friction.&lt;/p&gt;
&lt;h2&gt;The Role of User Education&lt;/h2&gt;
&lt;p&gt;User education still has a place in a security strategy. Training and awareness programs can help users understand:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The importance of strong, unique passwords&lt;/li&gt;
&lt;li&gt;How to identify phishing attempts&lt;/li&gt;
&lt;li&gt;The risks of password reuse across multiple sites&lt;/li&gt;
&lt;li&gt;The importance of keeping software and devices updated&lt;/li&gt;
&lt;li&gt;How to recognise and report suspicious activities&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;User education works best when it supports technical controls rather than carrying the whole burden.&lt;/p&gt;
&lt;h2&gt;Addressing Mobile Application Security&lt;/h2&gt;
&lt;p&gt;Our survey indicates a potential gap in mobile security strategies. As mobile apps take on operations like banking and e-commerce, they become part of the application attack surface.&lt;/p&gt;
&lt;p&gt;Only 30% of respondents implement &lt;a href="/solutions/use-case/traffic-control/"&gt;Web Application and API Protection (WAAP)&lt;/a&gt;, indicating many businesses may not be ready to protect their mobile assets. That gap leaves mobile applications exposed to attacks, including API abuse and data exfiltration.&lt;/p&gt;
&lt;h2&gt;The Threat of Residential Proxies&lt;/h2&gt;
&lt;p&gt;Our survey found that only 15% of organisations use residential proxy detection. That low adoption rate leaves a weakness in many businesses' security postures.&lt;/p&gt;
&lt;p&gt;Residential proxies can threaten account security by:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Bypassing traditional IP-based rate limiting&lt;/li&gt;
&lt;li&gt;Evading geolocation-based restrictions&lt;/li&gt;
&lt;li&gt;Facilitating large-scale credential stuffing attacks&lt;/li&gt;
&lt;li&gt;Enabling undetected data scraping&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Businesses should consider security providers that can detect and mitigate residential proxy threats.&lt;/p&gt;
&lt;p&gt;Learn more about &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Finding the Balance&lt;/h2&gt;
&lt;p&gt;Balancing account protection and user experience in web applications requires more than a single control. By implementing contextual security measures, organisations can:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Improve security without unnecessary impact on user experience&lt;/li&gt;
&lt;li&gt;Adapt to threats in real-time&lt;/li&gt;
&lt;li&gt;Reduce the risk of compromised credentials and account takeovers&lt;/li&gt;
&lt;li&gt;Protect against threats like residential proxies and mobile application vulnerabilities&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;As threats change, account protection needs to change with them. Contextual security gives organisations a practical way to protect users and their reputation.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Application Security"></category><category term="Fraud Prevention"></category><category term="API Security"></category><category term="Magento"></category></entry><entry><title>The Cost of Credential Stuffing</title><link href="https://www.peakhour.io/blog/credential-stuffing-business-impact/" rel="alternate"></link><published>2024-07-17T00:00:00+10:00</published><updated>2024-07-17T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-17:/blog/credential-stuffing-business-impact/</id><summary type="html">&lt;p&gt;Explore how credential stuffing attacks and account takeovers affect business reputation and customer trust.&lt;/p&gt;</summary><content type="html">&lt;p&gt;In recent months, &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;Australian businesses have faced a wave of credential stuffing attacks&lt;/a&gt;.
These attacks do not require the affected website itself to be breached. They target customer accounts, leading to
fraudulent transactions. The damage is practical as well as reputational: disputed purchases, refunds, locked accounts,
and customers asking how someone else was able to use their account.&lt;/p&gt;
&lt;h2&gt;What is Credential Stuffing?&lt;/h2&gt;
&lt;p&gt;Credential stuffing occurs when attackers use login details obtained from a
data breach to access accounts on other sites. Criminals test millions of credentials against a target
website to identify working combinations. This attack affects users who reuse passwords across multiple services [1].&lt;/p&gt;
&lt;h2&gt;The Scale of the Problem&lt;/h2&gt;
&lt;p&gt;Tens of thousands of Australian online accounts are reported to have been accessed since late November 2023 [2].
The attacks affected major retailers and service providers, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The Iconic&lt;/li&gt;
&lt;li&gt;Guzman y Gomez&lt;/li&gt;
&lt;li&gt;Dan Murphy's&lt;/li&gt;
&lt;li&gt;Event Cinemas&lt;/li&gt;
&lt;li&gt;Stan&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The Impact&lt;/h2&gt;
&lt;p&gt;While reusing passwords between sites has long been considered poor security practice, users still do it. Blaming the customer,
as 23andMe did in its response to an attack, is not a serious account protection strategy. Over 70% of Americans believe that
websites have a responsibility to prevent account takeovers via stuffing attacks. Not doing so can negatively impact a
business in several ways.&lt;/p&gt;
&lt;h3&gt;Financial Impact&lt;/h3&gt;
&lt;p&gt;The cost can fall on either the affected business or the affected customer. Fraudsters made significant purchases using
compromised accounts. One scammer claimed to have spent over $800 on
high-end alcohol at Dan Murphy's [2]. Others bought iPhones and clothing. Either the customer is left out of pocket,
or the business is, once the customer issues a chargeback on the purchase.&lt;/p&gt;
&lt;h3&gt;Reputation Damage&lt;/h3&gt;
&lt;p&gt;The attacks leave businesses dealing with customer complaints, refunds, and visible questions about account security. The Iconic
pledged to refund affected customers [1]. Dan Murphy's confirmed that a "small number of user accounts were
subject to fraudulent transactions" [3].&lt;/p&gt;
&lt;h3&gt;Customer Trust&lt;/h3&gt;
&lt;p&gt;These incidents erode customer trust. Users expect businesses to make account abuse difficult, even when the original
password leak happened somewhere else. When accounts are taken over, customers question the security practices of the
affected companies.&lt;/p&gt;
&lt;h3&gt;Business Response&lt;/h3&gt;
&lt;p&gt;Companies responded by:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Locking compromised accounts&lt;/li&gt;
&lt;li&gt;Issuing refunds&lt;/li&gt;
&lt;li&gt;Encouraging customers to change passwords&lt;/li&gt;
&lt;li&gt;Implementing stronger security measures&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Dan Murphy's advised customers to "practise good password hygiene, using a strong password and changing it periodically" [3].&lt;/p&gt;
&lt;h2&gt;Prevention Strategies&lt;/h2&gt;
&lt;p&gt;To protect against &lt;a href="/learning/security/credential-stuffing-defence/"&gt;credential stuffing&lt;/a&gt;, businesses should:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Implement multi-factor authentication&lt;/li&gt;
&lt;li&gt;Educate customers about password security&lt;/li&gt;
&lt;li&gt;Monitor login behaviour on their website&lt;/li&gt;
&lt;li&gt;Implement and regularly update security measures, including bot management and advanced rate limiting&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Credential stuffing is not just a password reuse problem. It is an account protection problem, and businesses that sell
online need controls that make stolen credentials harder to turn into purchases.&lt;/p&gt;
&lt;p&gt;Sources:&lt;/p&gt;
&lt;p&gt;[1] ABC News: "The Iconic was hit by criminals taking money by 'credential stuffing'. How can you stay safe?"&lt;/p&gt;
&lt;p&gt;[2] Cyber Daily: "Guzman y Gomez, Dan Murphy's customers affected in credential stuffing campaign"&lt;/p&gt;
&lt;p&gt;[3] The Sydney Morning Herald: "Thousands of Australians hacked in 'credential stuffing' credit card scam"&lt;/p&gt;</content><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="Fraud Prevention"></category><category term="Residential Proxies"></category><category term="DNS"></category><category term="Magento"></category></entry><entry><title>Enterprise-Level Caching for All</title><link href="https://www.peakhour.io/blog/magento-2-plugin/" rel="alternate"></link><published>2023-11-02T13:00:00+11:00</published><updated>2023-11-02T13:00:00+11:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-11-02:/blog/magento-2-plugin/</id><summary type="html">&lt;p&gt;Elevate your e-commerce with our newly released Magento 2 plugin. Experience enterprise-level caching features accessible to all Peakhour customers.&lt;/p&gt;</summary><content type="html">&lt;p&gt;We've released our Magento 2 plugin for e-commerce stores using Magento. It brings Peakhour's caching features into
Magento, including capabilities that other providers often reserve for enterprise plans. With Peakhour,
'Enterprise for Everyone' means making those features available to all customers, regardless of plan.&lt;/p&gt;
&lt;h2&gt;Why Cache Tags Matter&lt;/h2&gt;
&lt;p&gt;&lt;a href="/learning/cache-tags/"&gt;Cache tags&lt;/a&gt; solve a practical website management problem: keeping your cache current when content changes.
In Magento 2, a single change, such as updating a product's price, can affect multiple pages. Cache tags ensure that only
the relevant cached content is updated, maintaining cache efficiency and reducing server load. That matters for
website speed and user experience, which directly affect sales and SEO rankings.&lt;/p&gt;
&lt;h2&gt;Enterprise for Everyone&lt;/h2&gt;
&lt;p&gt;While other providers offer cache tags only in expensive enterprise plans, Peakhour makes this feature available
to everyone. Our infrastructure and caching algorithms make that possible. We also offer other
enterprise-level features, including DDoS protection, real-time analytics, and custom caching rules, so
'Enterprise for Everyone' is reflected in the product rather than just the plan names.&lt;/p&gt;
&lt;h2&gt;Peakhour vs. Magento and Varnish Caching&lt;/h2&gt;
&lt;p&gt;Our plugin goes beyond Magento's built-in caching and Varnish cache in several ways:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Custom Cache Tags&lt;/strong&gt;: Unlike Magento's built-in cache, we offer custom cache tags for more granular cache control.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Advanced Algorithms&lt;/strong&gt;: Our caching algorithms go beyond Varnish, helping improve cache hit rates and lower server load.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Additional Features&lt;/strong&gt;: With Peakhour, caching sits alongside real-time analytics, DDoS protection, and custom caching rules, features often missing in standard Magento or Varnish setups.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Expected Performance Improvements&lt;/h2&gt;
&lt;p&gt;By using Peakhour's Magento 2 plugin, you can expect performance improvements:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Faster Page Loads&lt;/strong&gt;: Our caching can reduce page load times by up to 50%, giving users a smoother experience.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Reduced Server Load&lt;/strong&gt;: Efficient caching means fewer requests to your origin server, reducing server load by as much as 70%.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Improved SEO&lt;/strong&gt;: Faster websites are favoured by search engines, which can improve SEO rankings.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Higher Conversion Rates&lt;/strong&gt;: A faster website gives users a better experience, which can lead to higher conversion rates and increased sales.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Installation Options&lt;/h2&gt;
&lt;p&gt;You can install the Magento 2 plugin through Magento Connect, Composer, or a ZIP file. For
more detail, see our &lt;a href="/docs/how-to-guides/integrations/magento-2/"&gt;plugin page&lt;/a&gt;.&lt;/p&gt;</content><category term="CMS"></category><category term="Caching"></category><category term="Magento"></category><category term="CDN"></category><category term="Drupal"></category><category term="WordPress"></category><category term="Web Performance"></category></entry><entry><title>Useful tips to accelerate your Magento store</title><link href="https://www.peakhour.io/blog/accelerate-magento/" rel="alternate"></link><published>2023-11-01T13:00:00+11:00</published><updated>2023-11-01T13:00:00+11:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-11-01:/blog/accelerate-magento/</id><summary type="html">&lt;p&gt;There are many things you can do to speed up your Magento store, here are just a few.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Out of the box, Magento is not the fastest ecommerce platform. Magento 2 is built with Full Page Cache in mind, so repeat page requests do not always have to hit the application. A slow Magento store can frustrate customers, increase bounce rates, and cost sales. There are several practical ways to accelerate &lt;a href="/learning/ecommerce-security/securing-magento-shopify/"&gt;your Magento&lt;/a&gt; store and improve the user experience. These are good places to start.&lt;/p&gt;
&lt;h2&gt;Caching is King&lt;/h2&gt;
&lt;p&gt;Caching is usually the biggest performance lever for a Magento store. By storing pre-generated versions of pages, you reduce server response times and avoid asking Magento to rebuild the same page for every request.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Full Page Caching (FPC)&lt;/strong&gt;: Magento includes built-in FPC, but it can be extended. Varnish is a common choice for this role. Magento 2 has native support for Varnish, which acts as a web application accelerator.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Redis&lt;/strong&gt;: Use Redis for session and cache storage. It is an in-memory data structure store that can speed up backend operations by reducing database load.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Edge Caching&lt;/strong&gt;: Use Peakhour Edge to cache your dynamic pages close to users. This serves content from a nearby delivery path and reduces latency. Peakhour's &lt;a href="/docs/how-to-guides/integrations/magento-1/"&gt;Magento 1&lt;/a&gt; and &lt;a href="/docs/how-to-guides/integrations/magento-2/"&gt;Magento 2&lt;/a&gt; plugins make this straightforward to set up.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Optimise Your Images&lt;/h2&gt;
&lt;p&gt;Images often make up the bulk of a page's weight. Optimising them is one of the simplest ways to improve load times.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Compression&lt;/strong&gt;: Use image compression tools to reduce file sizes without a noticeable loss in quality.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Next-Gen Formats&lt;/strong&gt;: Serve images in modern formats like WebP or AVIF, which offer better compression. A CDN can often handle this conversion automatically.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Lazy Loading&lt;/strong&gt;: Implement lazy loading for images that are "below the fold" (not immediately visible). This means they only load when they are about to enter the user's viewport.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Minify and Merge CSS/JavaScript&lt;/h2&gt;
&lt;p&gt;Magento has built-in features for merging and minifying CSS and JavaScript files.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Minification&lt;/strong&gt;: Removes unnecessary characters (like whitespace and comments) from code to reduce file size.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Merging&lt;/strong&gt;: Combines multiple CSS or JavaScript files into a single file to reduce the number of HTTP requests.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Note&lt;/strong&gt;: Always test thoroughly after enabling merging, as it can sometimes cause issues with certain themes or extensions.&lt;/p&gt;
&lt;h2&gt;Keep Your Environment Updated&lt;/h2&gt;
&lt;p&gt;The environment your Magento store runs in has a direct effect on performance.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Latest PHP Version&lt;/strong&gt;: Use the latest stable version of PHP supported by your Magento version. Each new release brings performance and security improvements.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Server Resources&lt;/strong&gt;: Ensure your server has adequate RAM and CPU power to handle your traffic, especially during peak times.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Web Server&lt;/strong&gt;: Use a high-performance web server like Nginx, which is known for its speed and efficiency.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Use Edge Caching and Delivery&lt;/h2&gt;
&lt;p&gt;An edge delivery layer is a practical requirement for many ecommerce stores. It caches your static assets (images, CSS, JavaScript) close to users.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Reduced Latency&lt;/strong&gt;: Users receive content from the server geographically closest to them, which speeds up load times.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduced Origin Load&lt;/strong&gt;: By serving cached content, an edge cache reduces the number of requests that hit your origin server, improving its performance and stability.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enhanced Security&lt;/strong&gt;: Peakhour also offers security features like a Web Application Firewall (WAF) and DDoS protection.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Database Optimisation&lt;/h2&gt;
&lt;p&gt;A slow database can slow the whole store.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Clean Logs&lt;/strong&gt;: Regularly clean out Magento's log tables (e.g., &lt;code&gt;log_customer&lt;/code&gt;, &lt;code&gt;log_visitor&lt;/code&gt;). These can grow very large and slow down database queries.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Enable Flat Catalog&lt;/strong&gt;: For Magento 1 and older versions of Magento 2, enabling the Flat Catalog for products and categories can improve performance by reducing the complexity of database queries.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Re-index Regularly&lt;/strong&gt;: Keep your Magento indexes up to date. A cron job should be set up to handle this automatically.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Audit Third-Party Extensions&lt;/h2&gt;
&lt;p&gt;Poorly coded or unnecessary third-party extensions are a common cause of Magento performance issues.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Review Extensions&lt;/strong&gt;: Audit your installed extensions regularly. If you're not using one, disable or uninstall it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Use a Profiler&lt;/strong&gt;: Use Magento's built-in profiler or a tool like New Relic to identify slow-running code, which can often be traced back to a specific extension.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These changes will not fix every Magento performance problem, but they cover the areas that usually matter first: cache behaviour, asset weight, the hosting environment, database maintenance, and extension overhead.&lt;/p&gt;</content><category term="CMS"></category><category term="Magento"></category><category term="Web Performance"></category><category term="Drupal"></category><category term="WordPress"></category><category term="Caching"></category><category term="CDN"></category></entry><entry><title>Navigating CDN Consolidation</title><link href="https://www.peakhour.io/blog/navigating-cdn-consolidation/" rel="alternate"></link><published>2023-11-01T00:00:00+11:00</published><updated>2023-11-01T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-11-01:/blog/navigating-cdn-consolidation/</id><summary type="html">&lt;p&gt;Explore the complexities of switching CDN providers amid industry consolidation and how Peakhour can assist in the transition&lt;/p&gt;</summary><content type="html">&lt;p&gt;The &lt;a href="/learning/cdn/"&gt;CDN&lt;/a&gt; industry is moving quickly, with major providers such as Akamai and Cloudflare consolidating their positions. For businesses caught in that movement, changing CDN providers is rarely a simple swap. Your CDN sits in front of your website or application, so migration decisions touch performance, security, routing, caching, and operational risk.&lt;/p&gt;
&lt;h2&gt;Market Shifts in the CDN Industry&lt;/h2&gt;
&lt;p&gt;The CDN market is being reshaped by large providers and newer entrants. Akamai's acquisition of Linode is one example, expanding its cloud services and strengthening its position beyond CDN. Cloudflare is moving in a similar direction, adding cloud-based services around its CDN platform.&lt;/p&gt;
&lt;h2&gt;Akamai's Strategic Moves&lt;/h2&gt;
&lt;p&gt;Akamai has recently bought customer contracts from both Lumen and StackPath. This is likely to lift its 2024 revenue by tens of millions of dollars. The transferred customers will also benefit from Akamai’s wider cloud and security services.&lt;/p&gt;
&lt;p&gt;Azure CDN Standard from Akamai, StackPath CDN, and Lumen CDN are all going offline soon. Clients have received only 2-3 months' notice to migrate, which is a tight window for a service that usually has routing, security, caching, and origin dependencies. Vendors should avoid putting customers in this position. A multi-CDN strategy can reduce that exposure.&lt;/p&gt;
&lt;h2&gt;What Happened to Section.io?&lt;/h2&gt;
&lt;p&gt;Section.io, once a CDN, shifted to edge computing before being sold to Webscale. That leaves approximately 300 Australian websites looking for new service providers. If you are one of them, now is the time to act.&lt;/p&gt;
&lt;p&gt;These moves make the decision to switch or stay with a CDN provider more complex, especially for smaller businesses that need flexible and reliable local alternatives such as Peakhour. Switching your CDN is not as straightforward as changing a DNS record. Your CDN acts as the gateway to your website or application, so a move can involve reconfiguring a large part of the delivery stack.&lt;/p&gt;
&lt;h2&gt;Why Peakhour Is the Right Choice&lt;/h2&gt;
&lt;p&gt;Peakhour is a local, reliable alternative in an industry changing quickly. We offer the flexibility needed for customisation and a full suite of services.&lt;/p&gt;
&lt;p&gt;If you are considering a CDN switch, treat it as a technical migration rather than a procurement task. Peakhour can help make that transition smoother.&lt;/p&gt;
&lt;h2&gt;Peakhour's Top 10 Things to Consider When Changing Providers&lt;/h2&gt;
&lt;p&gt;Switching CDNs? Work through these ten factors before you move:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Caching Rules&lt;/strong&gt;: Use the migration to review and optimise your caching settings.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;POP Distribution&lt;/strong&gt;: Understand how the new CDN's points of presence may affect your traffic.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Security Gaps&lt;/strong&gt;: Evaluate how the new CDN's security measures compare to your current provider.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Access Lists&lt;/strong&gt;: Make sure IP whitelists and blacklists are carried over cleanly.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Origin Security&lt;/strong&gt;: Update IP addresses to ensure your origin server recognises the new CDN.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;SSL/TLS Certificates&lt;/strong&gt;: Confirm the new CDN supports your existing SSL/TLS settings and can carry over the certificates you need.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;API Compatibility&lt;/strong&gt;: Ensure the new CDN offers APIs that match or exceed your current usage.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Analytics and Monitoring&lt;/strong&gt;: Assess if the new CDN's analytics tools meet your needs.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Rate Limiting&lt;/strong&gt;: Review the new CDN's rate limiting options, especially if your site experiences traffic bursts.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Costs&lt;/strong&gt;: Account for migration work, potential downtime, and any hidden fees.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Additional Considerations for a Seamless Transition&lt;/h2&gt;
&lt;p&gt;Beyond the top ten, also consider:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bot Protection&lt;/strong&gt;: Evaluate how the new CDN manages automated traffic.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;User Agent Validation&lt;/strong&gt;: Make sure the new CDN effectively screens search engine bots.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;IP Reputation Lists&lt;/strong&gt;: Know how your new CDN updates and uses IP reputation lists.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;API Protection&lt;/strong&gt;: Confirm that the new CDN provides strong API security controls.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Dynamic Page Caching&lt;/strong&gt;: Check how the new CDN handles caching for dynamic content.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Query String Handling&lt;/strong&gt;: Understand how your new CDN treats query strings, as this can affect cache performance after migration.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Special Concerns for E-commerce Sites&lt;/h2&gt;
&lt;p&gt;For e-commerce, also think about:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Site Integrations&lt;/strong&gt;: Does the new CDN support plugins for your platform, such as Magento?&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Custom WAF Rules and Exceptions&lt;/strong&gt;: Ensure these can be moved to the new CDN.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Image Optimisation&lt;/strong&gt;: Update Image APIs if your CDN handles image transformations.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Advanced Configurations&lt;/h2&gt;
&lt;p&gt;Advanced setups need closer review:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Origin Mounting&lt;/strong&gt;: Confirm your multiple origins will work as needed with the new CDN.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Request Routing&lt;/strong&gt;: Make sure you can replicate your existing routing configurations with the new provider.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Edge Redirects&lt;/strong&gt;: Ensure the new CDN can handle any redirects you’ve configured at the edge.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;</content><category term="Interest"></category><category term="CDN"></category><category term="Magento"></category><category term="Account Protection"></category><category term="DDoS"></category></entry><entry><title>Headless Commerce Security</title><link href="https://www.peakhour.io/blog/headless-commerce-security-api-protection/" rel="alternate"></link><published>2023-06-28T00:00:00+10:00</published><updated>2023-06-28T00:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-06-28:/blog/headless-commerce-security-api-protection/</id><summary type="html">&lt;p&gt;Comprehensive analysis of security challenges in headless commerce and Single Page Applications. Learn how to protect modern e-commerce APIs and microservices architectures from scraping, fraud, and automated attacks.&lt;/p&gt;</summary><content type="html">&lt;p&gt;At Peakhour, we spend a lot of time looking at e-commerce architecture trends. Single Page Applications (SPAs) and
headless commerce keep coming up, with tools such as Nuxt.js, Strapi, Hydrogen, and Gatsby leading many builds. These
tools can make frontend work faster and more flexible, but they also put more e-commerce data behind APIs that scrapers
can target.&lt;/p&gt;
&lt;p&gt;Single Page Applications (SPAs) and headless e-commerce have changed how many retailers build their storefronts.
Frontend development tools like Nuxt.js and headless CMSs like Strapi are now common parts of that stack.&lt;/p&gt;
&lt;p&gt;The trade-off is exposure. Product information is often available as JSON data, which makes it easier for scrapers to
collect at scale. That raises a practical question: how do you secure data while still making it available through APIs?&lt;/p&gt;
&lt;h2&gt;Strategies for Data Protection&lt;/h2&gt;
&lt;p&gt;Data protection matters, but it is not a single control. These are the usual layers:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Rate Limiting&lt;/strong&gt;: Controls the number of client requests to your API within a set time frame.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bot Detection&lt;/strong&gt;: Distinguishes between humans and bots based on behavioural patterns.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Page Load Authentication&lt;/strong&gt;: Secures the page load through bot detection and authenticates subsequent API calls.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;IP Threat Intelligence&lt;/strong&gt;: Blocks suspicious IP addresses from accessing your API.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;GeoIP Filtering&lt;/strong&gt;: Regulates requests based on geographical origin.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;As bots change, those controls need to change as well.&lt;/p&gt;
&lt;h2&gt;Facing the Challenge of Headless Scraping&lt;/h2&gt;
&lt;p&gt;Headless scraping uses browsers without a user interface to imitate normal browsing. It is difficult to detect, but
&lt;strong&gt;network fingerprinting&lt;/strong&gt; can help.&lt;/p&gt;
&lt;p&gt;Network fingerprinting examines network features like Transport Layer Security (TLS) settings and HTTP/2 (H2)
parameters. By analysing these, companies can detect and block bots, adding another security layer.&lt;/p&gt;
&lt;h2&gt;Client-side Security in SPAs&lt;/h2&gt;
&lt;p&gt;In SPAs, where much of the processing happens in the user's browser, the security concerns shift:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Data Exposure&lt;/strong&gt;: Protecting sensitive data from leakage or manipulation is critical.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Injection Attacks&lt;/strong&gt;: SPAs must guard against attacks like Cross-Site Scripting (XSS).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Authentication and Session Management&lt;/strong&gt;: Properly handled, these prevent unauthorised access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Insecure Direct Object References (IDORs)&lt;/strong&gt;: Proper authorisation stops attackers from accessing others' data.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Risks in JavaScript Packages&lt;/h2&gt;
&lt;p&gt;SPAs usually depend on JavaScript libraries and packages. They are useful, but they also add supply chain risk. Using
only essential packages, keeping them updated, and sourcing them from trusted providers reduces that risk. Supply chain
audit tools can help automate the work:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;a href="https://owasp.org/www-project-dependency-check/"&gt;OWASP Dependency-Check&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://securestack.com/"&gt;SecureStack&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Security audits need to be frequent because vulnerabilities can appear quickly. Tools like npm's &lt;code&gt;npm audit&lt;/code&gt; or GitHub's
Dependabot, along with regular penetration testing, can help uncover potential weaknesses.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;The move toward SPAs and headless commerce is a trade-off between development flexibility and security exposure. These
architectures can improve user experience and speed up delivery, but they also introduce new security issues.&lt;/p&gt;
&lt;p&gt;Client-side security in SPAs needs deliberate attention. Data exposure, injection attacks, and insecure direct object
references all need to be managed, and the convenience of JavaScript libraries brings its own vulnerabilities.&lt;/p&gt;
&lt;p&gt;Peakhour addresses these problems with rate limiting that manages request traffic and helps prevent attacks without
harming customer experience. Our Web &lt;a href="/learning/cloud-security/cloud-waf-vs-native-waf/"&gt;Application Firewall&lt;/a&gt; (WAF)
examines all payload data, adding another layer of protection.&lt;/p&gt;
&lt;p&gt;Frequent security audits still matter. They help e-commerce managers keep SPAs and headless commerce operations secure
without giving up the efficiency these architectures can provide.&lt;/p&gt;</content><category term="Security"></category><category term="API Security"></category><category term="Magento"></category><category term="Account Protection"></category><category term="Drupal"></category><category term="Application Security"></category><category term="Bot Management"></category></entry><entry><title>Maximising Website Speed</title><link href="https://www.peakhour.io/blog/maximising-website-speed-an-essential-strategy/" rel="alternate"></link><published>2023-06-07T12:31:00+10:00</published><updated>2023-10-12T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-06-07:/blog/maximising-website-speed-an-essential-strategy/</id><summary type="html">&lt;p&gt;How can maximising website speed boost your company's revenue, especially during an impending economic recession?&lt;/p&gt;</summary><content type="html">&lt;p&gt;As businesses prepare for a global economic downturn, every source of friction matters. One of the most controllable is
&lt;a href="/blog/wordpress-plugin/"&gt;website speed&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For many customers, the website is where they first test whether a business is worth their time. They learn about the
company, compare products, read content, and, if the experience holds up, buy. Loading time shapes that first
impression, affects engagement, and can change whether a visitor becomes a customer.&lt;/p&gt;
&lt;p&gt;This article looks at why speed deserves attention when trading conditions tighten. It covers search rankings,
conversion impact, and published case studies where faster sites produced measurable gains.&lt;/p&gt;
&lt;h2&gt;The Need for Speed&lt;/h2&gt;
&lt;p&gt;Website speed is not an abstract technical score. It is how quickly users can see and interact with content. A delay
measured in milliseconds can affect engagement, conversion rates, and customer retention.&lt;/p&gt;
&lt;p&gt;Speed matters because user expectations are set by fast services and fast networks. When a page feels slow, people leave
and are less likely to return.&lt;/p&gt;
&lt;p&gt;Speed also affects how search engines, including Google, rank
&lt;a href="/learning/performance/how-to-pass-core-web-vitals/"&gt;your website&lt;/a&gt;. For businesses trying to remain visible in a crowded market, especially
during an economic downturn, performance is a practical lever.&lt;/p&gt;
&lt;h2&gt;Correlation with Search Rankings&lt;/h2&gt;
&lt;p&gt;The relationship between website speed and search rankings is supported by research and by statements from Google. A few
years ago, Google announced that page speed would be a ranking factor. The change reflected Google's focus on relevant,
usable pages.&lt;/p&gt;
&lt;p&gt;Websites that meet all of Google's requirements receive a slight advantage, ranking
&lt;a href="https://www.sistrix.com/support/sistrix-visibility-index-explanation-background-and-calculation/" title="Visibility Index"&gt;one percentage point higher than the average&lt;/a&gt;. These requirements cover several areas, from content relevance and
quality to mobile-friendliness and &lt;a href="/solutions/use-case/improve-web-vitals/"&gt;page speed&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;By contrast, websites that fail to meet at least one of Google's requirements can sit at a measurable disadvantage,
&lt;a href="https://www.sistrix.com/support/sistrix-visibility-index-explanation-background-and-calculation/" title="Visibility Index"&gt;ranking 3.7 percentage points lower&lt;/a&gt;. That matters when search visibility is already under pressure.&lt;/p&gt;
&lt;p&gt;Google's Core Web Vitals have also become a measurable factor in search rankings. These vitals measure aspects of page
speed and user experience, showing how speed and SEO (Search Engine Optimisation) now overlap.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://crystallize.com/blog/this-is-how-much-site-speed-affects-google-seo-ranking-with-data" title="How Site Speed Affects SEO &amp;amp; Google Rankings (With Data)?"&gt;A study by Crystallize&lt;/a&gt; also found a correlation between speed and SEO. In their page speed score experiment, a page
with a high score ranked #1 in Google with a featured snippet for the optimised item. Unoptimised pages with lower speed
scores did not appear in search results.&lt;/p&gt;
&lt;p&gt;The practical point is straightforward: website speed can improve search visibility. In an economic downturn, that extra
visibility can matter.&lt;/p&gt;
&lt;h2&gt;Conversion Impact of Speed&lt;/h2&gt;
&lt;p&gt;Speed also affects conversion rates. Deloitte's 'Milliseconds Make Millions' report shows how small improvements in
loading time can change commercial outcomes.&lt;/p&gt;
&lt;p&gt;The study examined a 0.1 second decrease in loading time across different market sectors. In retail, &lt;a href="https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Consulting/Milliseconds_Make_Millions_report.pdf" title="Milliseconds Make Millions"&gt;a quicker page
loading time led to an 8.4% rise in conversion rates&lt;/a&gt; and a &lt;a href="https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Consulting/Milliseconds_Make_Millions_report.pdf" title="Milliseconds Make Millions"&gt;9.2% improvement in average shopping basket size&lt;/a&gt;. The
travel sector saw a &lt;a href="https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Consulting/Milliseconds_Make_Millions_report.pdf" title="Milliseconds Make Millions"&gt;10.1% increase in conversion rates&lt;/a&gt; and a &lt;a href="https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Consulting/Milliseconds_Make_Millions_report.pdf" title="Milliseconds Make Millions"&gt;1.9% rise in average basket size&lt;/a&gt;. For luxury
brands, faster loading times resulted in an &lt;a href="https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Consulting/Milliseconds_Make_Millions_report.pdf" title="Milliseconds Make Millions"&gt;8.6% increase in page views per session&lt;/a&gt; and an &lt;a href="https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Consulting/Milliseconds_Make_Millions_report.pdf" title="Milliseconds Make Millions"&gt;8.3% decrease in form
bounce rates&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Peakhour clients have seen the same pattern. Pharmacy Direct reported a 30% increase in conversions and order value
after reducing page load time by 90%. Kitchen Warehouse saw a 150% increase in revenue after decreasing page load times
by 70%.&lt;/p&gt;
&lt;p&gt;These numbers show that page speed is tied to business metrics, not just technical scores. The scale varies by site and
sector, but the direction is consistent across the cited examples.&lt;/p&gt;
&lt;h2&gt;Real-Life Success Stories&lt;/h2&gt;
&lt;p&gt;The effects of website speed optimisation are visible in published case studies:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;French linen brand Carré Blanc saw a &lt;a href="https://info.fasterize.com/etude-de-cas-carre-blanc" title="[Success Story] Carré Blanc : des conversions et un CA boostés par un site rapide"&gt;25% increase in conversion rates&lt;/a&gt; after improving web page loading
   speed.&lt;/li&gt;
&lt;li&gt;Renault optimised the Largest Contentful Paint (LCP), leading to a 14 percentage point decrease in bounce
   rate and a &lt;a href="https://web.dev/renault/" title="How Renault improved its bounce and conversion rates by measuring and optimizing Largest Contentful Paint"&gt;13% rise in conversions&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;E-commerce platform eBay found that every 100ms improvement in search page loading time resulted in a &lt;a href="https://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Consulting/Milliseconds_Make_Millions_report.pdf" title="Milliseconds Make Millions"&gt;0.5% increase
   in additions to the shopping cart&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;SnipesUSA.com &lt;a href="https://www.digitalcommerce360.com/2020/10/07/snipesusa-invests-in-site-speed-now-and-for-the-future/" title="Snipes invests in site speed now and for the future"&gt;doubled their average conversion rate&lt;/a&gt; from about 1% to about 2% by decreasing load times by
   30%.&lt;/li&gt;
&lt;li&gt;French toy retailer King Jouet enjoyed a &lt;a href="https://www.fasterize.com/fr/blog/king-jouet-soulage-ses-serveurs-et-maintient-la-fluidite-de-la-navigation-pendant-les-pics-de-charge-grace-a-fasterize/" title="Soldes : comment King Jouet maintient une navigation fluide pendant les pics de charge "&gt;5% increase in conversion rates&lt;/a&gt; within a month through page speed
   optimisation.&lt;/li&gt;
&lt;li&gt;AliExpress, a global online retail marketplace, experienced a 10.5% increase in orders and a 27% increase in
   conversions for new customers by reducing loading time by 36%.&lt;/li&gt;
&lt;li&gt;Boutique designer brand Revelry saw 43% faster page loading, an 8% decrease in bounce rates, and a &lt;a href="https://www.digitalcommerce360.com/2020/09/22/revelrys-bounce-rate-plummets-with-faster-site/" title="Revelry’s bounce rate plummets with faster site"&gt;30% increase in
   conversions&lt;/a&gt; after optimising images on their eCommerce site.&lt;/li&gt;
&lt;li&gt;Zalando, an online fashion platform, reported a &lt;a href="https://engineering.zalando.com/posts/2018/06/loading-time-matters.html" title="Loading Time Matters"&gt;revenue increase of 0.7% per session&lt;/a&gt; by reducing web page loading
   time by 100ms.&lt;/li&gt;
&lt;li&gt;Pinterest observed a &lt;a href="https://medium.com/pinterest-engineering/driving-user-growth-with-performance-improvements-cfc50dafadd7" title="Driving user growth with performance improvements"&gt;15% increase in platform registrations&lt;/a&gt; following an improvement in loading speed.&lt;/li&gt;
&lt;li&gt;Telecommunications company Vodafone saw an &lt;a href="https://web.dev/vodafone/" title="Vodafone: A 31% improvement in LCP increased sales by 8%"&gt;8% sales increase&lt;/a&gt; with a 31% improvement in Largest Contentful Paint
    (LCP).&lt;/li&gt;
&lt;li&gt;Mobile marketplace Swappie achieved a &lt;a href="https://web.dev/swappie/" title="How Swappie increased mobile revenue by 42% by focusing on Core Web Vitals"&gt;42% increase in mobile revenue&lt;/a&gt; by focusing on Core Web Vitals.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These examples show how improving loading speed can lift conversion rates and revenue.&lt;/p&gt;
&lt;h2&gt;Optimising for Search Performance&lt;/h2&gt;
&lt;p&gt;Speed also affects search performance beyond organic ranking. Several examples point to paid search impact:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Lever Interactive Agency reported that one of their clients improved their Quality Score, resulting in a &lt;a href="https://leverinteractive.com/blog/why-page-speed-is-more-than-just-seo/" title="Why Page Speed is More Than Just SEO"&gt;17% decrease
   in Cost Per Click&lt;/a&gt; (CPC), a &lt;a href="https://leverinteractive.com/blog/why-page-speed-is-more-than-just-seo/" title="Why Page Speed is More Than Just SEO"&gt;31% decrease in Cost Per Acquisition&lt;/a&gt; (CPA), and a &lt;a href="https://leverinteractive.com/blog/why-page-speed-is-more-than-just-seo/" title="Why Page Speed is More Than Just SEO"&gt;20% increase in conversion rate&lt;/a&gt; on
   faster landing pages.&lt;/li&gt;
&lt;li&gt;Crystallize Headless Commerce noted that scoring high in the Quality Score can lead to significant benefits,
   including up to a &lt;a href="https://crystallize.com/blog/site-speed-affects-adwords-pricing" title="Site Speed Affects Adwords Pricing"&gt;50% discount on CPC prices&lt;/a&gt;. Conversely, a low Quality Score can result in paying up to 400% extra,
   severely impacting your marketing budget.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Core Web Vitals have also become a priority for eCommerce platform Shopify. The company continues to optimise speed
performance to improve search rankings.&lt;/p&gt;
&lt;p&gt;These cases show why performance work needs to be ongoing, especially where search traffic and paid acquisition costs
are material to the business.&lt;/p&gt;
&lt;h2&gt;Enhancing Engagement&lt;/h2&gt;
&lt;p&gt;Engagement is not separate from speed. A fast, well-optimised site gives users less reason to leave and more opportunity
to browse, compare, and interact. The data supports this in several ways.&lt;/p&gt;
&lt;p&gt;Take eCommerce for instance. Customers are 10% more likely to recommend an eCommerce website when pages load in 10
seconds instead of 13 seconds. The likelihood of recommendation rises to 26% if loading time is reduced to 3 seconds.
That shows how quickly performance changes user perception.&lt;/p&gt;
&lt;p&gt;Other companies have also seen measurable effects from speed optimisation. Netflix implemented Gzip compression for
resource optimisation, resulting in a 43% reduction in outbound traffic. Yahoo Japan News saw &lt;a href="https://web.dev/yahoo-japan-news/" title="How CLS optimizations increased Yahoo! JAPAN News's page views per session by 15%"&gt;increases in both page
views per session and session times (15% and 13% respectively)&lt;/a&gt;, as well as a 1.72% decrease in bounce rate, by
improving their Cumulative Layout Shift (CLS) by 0.2 points.&lt;/p&gt;
&lt;p&gt;Google has also published data linking Core Web Vitals to engagement. Their data showed that favourable Core Web Vitals
scores can &lt;a href="https://blog.chromium.org/2020/05/the-science-behind-web-vitals.html" title="The Science Behind Web Vitals"&gt;reduce the likelihood of users abandoning a page&lt;/a&gt; before it loads by up to 24%. Meeting Core Web Vitals
thresholds also led to an overall &lt;a href="https://web.dev/economic-times-cwv/" title="How The Economic Times passed Core Web Vitals thresholds and achieved an overall 43% better bounce rate"&gt;43% improvement in bounce rate&lt;/a&gt; for The Economic Times.&lt;/p&gt;
&lt;p&gt;The agriculture e-commerce platform, Agrofy, improved their Core Web Vitals scores by 70% for LCP and 72% for CLS,
resulting in a &lt;a href="https://web.dev/agrofy/" title="Agrofy: A 70% improvement in LCP correlated to a 76% reduction in load abandonment"&gt;76% reduction in abandonment rate&lt;/a&gt;. Again, the useful lesson is not just that the site became faster.
It is that users behaved differently once it did.&lt;/p&gt;
&lt;h2&gt;Key Speed Metrics&lt;/h2&gt;
&lt;p&gt;Website speed is about more than full-page load time. Several metrics help assess how fast and stable a page feels to a
user. Google's &lt;a href="https://developers.google.com/speed/docs/insights/v5/about" title="About PageSpeed Insights"&gt;PageSpeed Insights&lt;/a&gt; lists the following important metrics:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Largest Contentful Paint (LCP)&lt;/strong&gt; measures the time taken to load the largest visible content on the page. The ideal
   target for this is less than 2.5 seconds. This metric matters because it provides a clear indicator of perceived
   load speed for the user.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Cumulative Layout Shift (CLS)&lt;/strong&gt; evaluates the visual stability of a page during loading. The target here is less
   than 0.1. This helps limit content jumping or shifting while the page loads, providing a smoother user experience.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;First Input Delay&lt;/strong&gt; determines how quickly a page responds to user input, with the target being less than 0.1
   seconds. This metric measures the interactivity and responsiveness of a website.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Together, these metrics show whether a website delivers a fast, smooth user experience.&lt;/p&gt;
&lt;h2&gt;User Expectations and Impact on Business&lt;/h2&gt;
&lt;p&gt;Users expect pages to respond quickly. When they do not, speed becomes a business issue rather than only an engineering
issue.&lt;/p&gt;
&lt;p&gt;According to Think with Google, slow-loading pages can affect user experience, resulting in higher bounce rates,
negative brand perception, and an impact on conversions and revenue. When users have to wait too long for a webpage to
load, they are likely to leave and look for a faster experience elsewhere.&lt;/p&gt;
&lt;p&gt;Digital marketing expert Neil Patel highlights that a 1-second delay in page response can lead to a &lt;a href="https://neilpatel.com/blog/loading-time/" title="How Loading Time Effects Your Bottom Line"&gt;7% reduction in
conversions&lt;/a&gt;. To put that into perspective, if an e-commerce site is making $100,000 per day, a 1-second page delay
could cost $2.5 million in lost sales every year.&lt;/p&gt;
&lt;p&gt;Akamai also found that &lt;a href="https://www.akamai.com/newsroom/press-release/akamai-releases-spring-2017-state-of-online-retail-performance-report" title="Akamai Online Retail Performance Report"&gt;53% of mobile site visitors will leave a page&lt;/a&gt; that takes longer than three seconds to load.
This shows the standards modern users have for &lt;a href="/blog/testing-sitespeed-lighthouse/"&gt;website performance&lt;/a&gt; and the revenue
risk for businesses that fail to meet them.&lt;/p&gt;
&lt;h2&gt;Common Culprits&lt;/h2&gt;
&lt;p&gt;If your website is running slowly, a few common issues could be to blame. The usual causes are technical and operational:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Time to First Byte (TTFB)&lt;/strong&gt; is the time it takes for the first byte of data to be received from the server. High
   TTFB can affect loading times and should be minimised.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Large Page Size and Resources&lt;/strong&gt; can also contribute to slow loading times. This includes heavy content, such as
   images, videos, or large files. Optimising these resources can materially improve loading speed.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Third-Party Resources&lt;/strong&gt; like ads, plugins, or widgets can require additional loading time. While these are often
   necessary, they need to be managed carefully to avoid excessive loading delays.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;JavaScript&lt;/strong&gt; can be a double-edged sword. While it enables advanced functionality, complex or poorly optimised
   JavaScript code can also hinder performance.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Single-Page Applications (SPAs)&lt;/strong&gt; may experience slower initial loading due to their extensive scripting
   requirements, but they often offer faster navigation once loaded.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Busy Servers Handling Bot Traffic&lt;/strong&gt; can also cause slowdowns. Bot traffic, in some instances, can account for over
   40% of server load. Managing this effectively can help improve website speed.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Understanding which of these factors applies to your site helps you focus performance work where it will matter.&lt;/p&gt;
&lt;h2&gt;Continuous Monitoring and Performance Optimisation&lt;/h2&gt;
&lt;p&gt;Getting a site fast once is not enough. Speed can regress as content, third-party tags, releases, and traffic patterns
change, so monitoring and performance optimisation need to be continuous.&lt;/p&gt;
&lt;p&gt;Tools such as Google's PageSpeed Insights can help track website performance. Regular checks of key metrics can show
which issues are slowing the site down and which changes need attention.&lt;/p&gt;
&lt;p&gt;It is also important to test improvements on a staging website before deploying them to production. That reduces the
risk of disrupting live performance or user experience. Regular diagnostic testing and iterative improvements help keep
the site aligned with current performance expectations.&lt;/p&gt;
&lt;p&gt;As SEO consulting company Moz highlights, &lt;a href="https://moz.com/"&gt;focusing on continuous performance optimisation can have significant benefits.&lt;/a&gt;
It can help maintain a fast, usable site and support higher search rankings, better engagement, and increased
conversions and revenue.&lt;/p&gt;
&lt;h2&gt;Preparing for the Coming Recession&lt;/h2&gt;
&lt;p&gt;With an economic downturn on the horizon, a fast, well-optimised website becomes more important. Consumers are likely to
be more selective with their spending, and businesses will need to compete harder for each sale.&lt;/p&gt;
&lt;p&gt;A fast website can be a useful differentiator in this environment. It can &lt;a href="/blog/magento-1-plugin/"&gt;boost your&lt;/a&gt; search
rankings, making the site more visible to potential customers. It can improve engagement by giving visitors fewer
reasons to leave. It can also increase conversion rates, which has a direct effect on sales.&lt;/p&gt;
&lt;p&gt;In this context, website speed is not cosmetic. It is an operating requirement. The work is to measure the current
experience, fix the main bottlenecks, and keep monitoring performance as the site changes.&lt;/p&gt;
&lt;p&gt;The data and case studies point in the same direction: speed optimisation is a practical investment. It helps align the
website with user expectations and makes the site a more effective part of the business.&lt;/p&gt;
&lt;p&gt;Website speed is measurable, improvable, and commercially relevant. For businesses preparing for tighter conditions, it
deserves active management rather than occasional clean-up.&lt;/p&gt;</content><category term="Performance"></category><category term="Web Performance"></category><category term="SEO"></category><category term="Analytics"></category><category term="Magento"></category><category term="Core Web Vitals"></category><category term="CDN"></category></entry><entry><title>Opencart 3 Full Page Caching Plugin Released</title><link href="https://www.peakhour.io/blog/opencart-3-plugin/" rel="alternate"></link><published>2022-03-25T13:00:00+11:00</published><updated>2022-03-25T13:00:00+11:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2022-03-25:/blog/opencart-3-plugin/</id><summary type="html">&lt;p&gt;Elevate your Opencart 3 store's performance with Peakhour's full page caching plugin. Learn how our features outperform LiteSpeed and Varnish Cache.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Peakhour's Opencart plugin includes features that are usually reserved for enterprise plans with other providers. It follows our 'Enterprise for Everyone' approach in a practical way:&lt;/p&gt;
&lt;h3&gt;Tag-Based Flushing&lt;/h3&gt;
&lt;p&gt;Peakhour's plugin records metadata for each Opencart page in the cache. When you update a product or category, only the relevant pages are refreshed. That keeps cache flushing targeted instead of clearing more content than necessary.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/opencart-3-full-page-caching-headers.jpg" width="100%" alt="Opencart 3 full page caching headers"/&gt;
&lt;em&gt;Headers returned by caching plugin.&lt;/em&gt;
&lt;/div&gt;

&lt;h3&gt;Custom TTL&lt;/h3&gt;
&lt;p&gt;Control how long a resource stays in the cache before it checks for a new version. This gives you a direct way to manage cache freshness.&lt;/p&gt;
&lt;h3&gt;Ajax Mini Cart and Wishlist&lt;/h3&gt;
&lt;p&gt;Dynamic sections like mini carts and wishlists usually prevent caching. The plugin loads these sections via Ajax, which makes more pages cacheable.&lt;/p&gt;
&lt;h3&gt;Cache Vary&lt;/h3&gt;
&lt;p&gt;The plugin adapts to different user states, currencies, and languages. It changes a cookie value to create separate cache regions for these variables.&lt;/p&gt;
&lt;h2&gt;Peakhour vs. LiteSpeed and Varnish Cache&lt;/h2&gt;
&lt;p&gt;LiteSpeed and Varnish Cache are good options, but Peakhour offers a more flexible and efficient caching solution for Opencart. The plugin makes Opencart as cache-friendly as Magento 2 or Drupal 8, if not more so.&lt;/p&gt;
&lt;h2&gt;The Results Speak for Themselves&lt;/h2&gt;
&lt;p&gt;Our client saw a clear improvement in their web vitals scores and website scalability. Full &lt;a href="/blog/prestashop-plugin/"&gt;page caching&lt;/a&gt; was enabled in October, with the gains shown below.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/opencart-3-web-vitals-lcp-improvement.jpg" width="100%" alt="Opencart 3 web vitals improvement"/&gt;
&lt;em&gt;Full page caching was enabled in October. Note that a significant number of pages (e.g. checkout, admin) cannot be cached, which affects these stats.&lt;/em&gt;
&lt;/div&gt;

&lt;p&gt;&lt;em&gt;For more information, visit our &lt;a href="/docs/how-to-guides/integrations/opencart-3/"&gt;plugin page&lt;/a&gt; or &lt;a href="/contact-us/"&gt;contact us&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;</content><category term="CMS"></category><category term="Caching"></category><category term="CDN"></category><category term="Drupal"></category><category term="Web Performance"></category><category term="WordPress"></category><category term="Magento"></category></entry><entry><title>What is the Google Chrome UX (CrUX) report, and why you should care.</title><link href="https://www.peakhour.io/blog/what-is-the-chrome-ux-report-crux/" rel="alternate"></link><published>2021-02-26T13:00:00+11:00</published><updated>2021-02-26T13:00:00+11:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2021-02-26:/blog/what-is-the-chrome-ux-report-crux/</id><summary type="html">&lt;p&gt;Learn where Google gets the performance data it uses when ranking your website.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A faster website is better for clients: they buy more, and they engage more with your content.
However, &lt;strong&gt;there's someone else who rewards fast websites: Google.
Fast websites rank higher in organic search results than slower websites. They also achieve higher quality scores in Google Ads,
resulting in lower ad spend.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;We've previously written about &lt;a href="/blog/web-vitals/"&gt;Google's Web Vitals&lt;/a&gt;, and how Google will be using them as
search signals from May 2021. You might have wondered how these Web Vitals will be
determined. Will they be gathered by the Google Bot? No. Google has another method, which it has been
working on for several years.&lt;/p&gt;
&lt;h2&gt;Introducing the Chrome UX Report (CrUX)&lt;/h2&gt;
&lt;p&gt;The CrUX report is a public data set of real-user measurements (RUM) of &lt;a href="/blog/testing-sitespeed-lighthouse/"&gt;website performance&lt;/a&gt; across millions
of sites. The report has been around since 2017 and is updated daily, but until recently the data was difficult
to access.&lt;/p&gt;
&lt;p&gt;The data is collected from real Chrome browser users who have opted in to send browsing information back to Google.
This opt-in requires that the user has:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Opted in to syncing browser history&lt;/li&gt;
&lt;li&gt;Not set up a sync passphrase&lt;/li&gt;
&lt;li&gt;Enabled usage statistics reporting&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Despite these conditions, millions of Chrome users still report statistics back to Google. A given website still needs
to be fairly busy before there are useful statistics in the report.&lt;/p&gt;
&lt;h3&gt;Gathered Metrics&lt;/h3&gt;
&lt;p&gt;Apart from the &lt;a href="/blog/web-vitals/"&gt;Web Vitals&lt;/a&gt;, the report also gathers the following event timings:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;DOMContentLoaded&lt;/strong&gt;: when the main document has loaded&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;onload&lt;/strong&gt;: when a page and all its associated resources have been downloaded and parsed&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Dimensions&lt;/h3&gt;
&lt;p&gt;Because performance can vary widely, the metrics are divided into the following dimensions to help segment and understand the user experience.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Country&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Device Type&lt;/strong&gt;: Tablet, Phone, Desktop&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Connection Speed&lt;/strong&gt;: slow 2g, 2g, 3g, 4g, or offline&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Viewing data in the report&lt;/h2&gt;
&lt;p&gt;There are several ways to see how &lt;a href="/learning/performance/how-to-pass-core-web-vitals/"&gt;your website&lt;/a&gt; performs in the report. These include:&lt;/p&gt;
&lt;h4&gt;PageSpeed Insights&lt;/h4&gt;
&lt;p&gt;Google's website analysis tool provides summary CrUX data for the analysed URL and, if data is available, for the entire site.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/page-speed-insights-field-data.jpg" alt="Page Speed Insights Field Data" style="max-width: 100%;margin-bottom: 20px"/&gt;&lt;/p&gt;
&lt;h4&gt;Google BigQuery&lt;/h4&gt;
&lt;p&gt;The most flexible option is to access it directly via &lt;a href="https://console.cloud.google.com/bigquery?project=chrome-ux-report"&gt;BigQuery&lt;/a&gt;.
You query it with SQL (database query language).&lt;/p&gt;
&lt;p&gt;The downside is that you need to understand SQL and have a Google account.&lt;/p&gt;
&lt;h4&gt;Google's Search Console (formerly Webmaster Tools)&lt;/h4&gt;
&lt;p&gt;The search console now has a section 'Core Web Vitals' that shows whether URLs pass the Core Web Vitals,
as well as a historical graph of performance for both mobile and desktop.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/search-console.jpg" alt="Google Search Console Web Vitals" style="max-width: 100%;margin-bottom: 20px"/&gt;&lt;/p&gt;
&lt;h4&gt;Google's Data Studio&lt;/h4&gt;
&lt;p&gt;&lt;a href="https://web.dev/chrome-ux-report-data-studio-dashboard/"&gt;Data Studio&lt;/a&gt; is a data visualisation tool that lets you build dashboards on
top of the CrUX report (amongst other big data sources).
It lets you create a useful visualisation of the performance of your (or someone else's) website over time.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/data-studio.jpg" alt="Google data studio" style="max-width: 100%;margin-bottom: 20px"/&gt;&lt;/p&gt;
&lt;h4&gt;Third party tools&lt;/h4&gt;
&lt;p&gt;One example is our own &lt;a href="/pages/website-competitor-speed-test/"&gt;competitor speed report&lt;/a&gt;, which uses the
&lt;a href="https://developers.google.com/web/tools/chrome-user-experience-report/api/reference"&gt;Chrome UX API&lt;/a&gt; to retrieve the
information.&lt;/p&gt;
&lt;h2&gt;Conclusion - Why you should care&lt;/h2&gt;
&lt;p&gt;The data in the Chrome UX Report is how Google sees the performance of your website. It is also a free source of
real-world user measurements of your website performance, which helps you gauge how users see your website.
If you want your site to rank well and to lower your ad costs, your website
must pass the Web Vitals. The Chrome UX Report is the source of truth.&lt;/p&gt;</content><category term="Learning"></category><category term="Web Performance"></category><category term="SEO"></category><category term="Core Web Vitals"></category><category term="Analytics"></category><category term="Browser Fingerprinting"></category><category term="Magento"></category></entry><entry><title>Are Australian Magento Stores Ready For Web Vitals?</title><link href="https://www.peakhour.io/blog/web-vitals-magento-australia/" rel="alternate"></link><published>2020-11-19T13:00:00+11:00</published><updated>2020-11-19T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2020-11-19:/blog/web-vitals-magento-australia/</id><summary type="html">&lt;p&gt;Are Australian Magento stores prepared for the introduction of Core Web Vitals as a search signal? Read on to find out.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Google recently confirmed that the &lt;a href="/blog/web-vitals/"&gt;Core Web Vitals&lt;/a&gt; will be included as search signals from May 2021. This
means that, all else being equal, sites that score well on the Core Web Vitals are likely to rank ahead of those that don&amp;apos;t.&lt;/p&gt;
&lt;h2&gt;A quick refresher of Web Vitals&lt;/h2&gt;
&lt;p&gt;The Core Web Vitals consist of three metrics, chosen to measure the experience of browsing a website. Here they are, along
with the current thresholds for a 'Good', 'Needs Improvement', or 'Poor' rating:&lt;/p&gt;
&lt;div class="row" style="margin-bottom: 30px"&gt;
    &lt;div class="col-sm-4 text-center"&gt;
        &lt;img src="/static/images/blog/lcp.svg" alt="Largest Contentful Paint" style="max-width: 300px"/&gt;
    &lt;/div&gt;
    &lt;div class="col-sm-4 text-center"&gt;
        &lt;img src="/static/images/blog/fid.svg" alt="First Input Delay" style="max-width: 300px"/&gt;
    &lt;/div&gt;
    &lt;div class="col-sm-4 text-center"&gt;
        &lt;img src="/static/images/blog/cls.svg" alt="Cumulative Layout Shift" style="max-width: 300px"/&gt;
    &lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;Web Vitals also defines several other metrics, including Time to First Byte (TTFB), and First Contentful Paint (FCP). While these
aren't 'core' metrics, they are useful for diagnosing where performance problems come from. The target TTFB
in the current version of &lt;a href="/blog/testing-sitespeed-lighthouse/"&gt;Google Lighthouse&lt;/a&gt; is listed as 100ms, while poor is 600ms.
FCP is good under 2s and poor over 4s.&lt;/p&gt;
&lt;h2&gt;How will Australian sites fare?&lt;/h2&gt;
&lt;p&gt;We asked a simple question: what percentage of Australian websites are ready for
Web Vitals as a search signal, and what percentage could lose ground? To answer it, we ran them through
our recently released &lt;a href="/pages/website-competitor-speed-test/"&gt;Website Speed Comparison&lt;/a&gt; tool, which gathers Web Vitals metrics
as part of its report.&lt;/p&gt;
&lt;h2&gt;Methodology&lt;/h2&gt;
&lt;p&gt;There are a lot of Australian websites, so we broke the analysis down by technology platform. We started with
online stores running Magento.&lt;/p&gt;
&lt;p&gt;We started with an initial list from BuiltWith of around 4000 domains. We then trimmed it down by removing development
and demo sites, and sites returning an error, leaving a total of 2998. The list includes some of the largest retailers in Australia,
including Harvey Norman, Sportsgirl, Philips and Dyson.&lt;/p&gt;
&lt;p&gt;We then ran our competitor report for &lt;strong&gt;&lt;em&gt;every one of them&lt;/em&gt;&lt;/strong&gt;. The report was run from our Sydney office over a business-class
internet connection. The test throttles the connection to simulate typical 4G mobile phone
speeds, and uses a mobile phone user agent/screen size to view the mobile version of the site. We did not throttle
CPU performance like Lighthouse does.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;NOTE&lt;/strong&gt; We're excluding First Input Delay in our results as Google defines First Input Delay (FID)
as a real user measurement (RUM). FID measures the time taken for the website to respond to the first
user interaction, such as clicking a link or button. Technically this interaction can happen any time after the first content
appears in the browser; in practice, most people won't click something until after a page is visually complete,
and this timing is highly variable. We do measure First Input Delay by simulating a click, but our interaction
happens soon after the FCP, while content is still loading. That would cause more sites to fail the metric
than would fail in real life, so we're excluding it from our calculations.&lt;/p&gt;
&lt;p&gt;On to the results. We did not expect strong numbers, but the results were still worse than expected.&lt;/p&gt;
&lt;h2&gt;The results&lt;/h2&gt;
&lt;p&gt;The first check was for the number of websites that achieve a good rating in any of the Web Vitals metrics.&lt;/p&gt;
&lt;table class="table"&gt;
&lt;tr&gt;
    &lt;td colspan="5" style="text-align: center"&gt;
        &lt;em&gt;Percentage of sites that are 'Good'&lt;/em&gt;
    &lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
    &lt;th&gt;&lt;/th&gt;
    &lt;th&gt;TTFB (&lt; 0.1s)&lt;/th&gt;
    &lt;th&gt;FCP (&lt; 1s)&lt;/th&gt;
    &lt;th&gt;LCP (&lt; 2.5s)&lt;/th&gt;
    &lt;th&gt;CLS (&lt;.1)&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
    &lt;th&gt;Result&lt;/th&gt;
    &lt;td&gt;99 (3.3%)&lt;/td&gt;
    &lt;td&gt;71 (2.37%)&lt;/td&gt;
    &lt;td&gt;254 (8.47%)&lt;/td&gt;
    &lt;td&gt;1074 (35.8%)&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;

&lt;p&gt;CLS was the strongest result, which isn't a surprise. The remaining results are not encouraging: only 8.5% pass LCP. Let's
see how many need improvement.&lt;/p&gt;
&lt;table class="table"&gt;
&lt;tr&gt;
    &lt;td colspan="5" style="text-align: center;"&gt;
        &lt;em&gt;Percentage of sites that 'Needs Improvement'&lt;/em&gt;
    &lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
    &lt;th&gt;&lt;/th&gt;
    &lt;th&gt;TTFB (&lt; 0.6s)&lt;/th&gt;
    &lt;th&gt;FCP (&lt; 2s)&lt;/th&gt;
    &lt;th&gt;LCP (&lt; 4s)&lt;/th&gt;
    &lt;th&gt;CLS (&lt; .25)&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
    &lt;th&gt;Result&lt;/th&gt;
    &lt;td&gt;383 (12.7%)&lt;/td&gt;
    &lt;td&gt;728 (24.3%)&lt;/td&gt;
    &lt;td&gt;470 (15.7%)&lt;/td&gt;
    &lt;td&gt;625 (20.8%)&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;

&lt;p&gt;An additional 15.7% beat the 4s cut-off for LCP. That still means that 3/4 of Australian Magento
stores take longer than 4s to visually load on a mobile device. Visualised, the numbers are not pretty.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/magento-web-vitals.svg" style="width: 100%"/&gt;&lt;/p&gt;
&lt;p&gt;Australian Magento sites are likely missing potential sales. Recent performance studies show:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The probability of a customer bouncing increases 90% if the page load time increases from 1s to 5s. &lt;em&gt;(source Google)&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;A 100 millisecond delay in load time can hurt conversion rates by 7%. &lt;em&gt;(source Akamai)&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The experience of our own &lt;a href="/case-studies/ecsso/"&gt;Magento 1 clients&lt;/a&gt; and &lt;a href="/case-studies/savvysupporter/"&gt;Magento 2 clients&lt;/a&gt;
backs this up: improving website speed affects conversions and revenue.&lt;/p&gt;
&lt;h2&gt;Sites that pass all criteria&lt;/h2&gt;
&lt;p&gt;Of our 2998 websites, we found only &lt;strong&gt;163&lt;/strong&gt; that &lt;a href="/learning/performance/how-to-pass-core-web-vitals/"&gt;pass the Core&lt;/a&gt; Web Vitals &lt;em&gt;'good'&lt;/em&gt; criteria. That's only &lt;strong&gt;5.5%&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;If we again relax to include &lt;em&gt;'needs improvement'&lt;/em&gt; that list grows to &lt;strong&gt;520&lt;/strong&gt;, or &lt;strong&gt;17.3%&lt;/strong&gt; of sites tested.&lt;/p&gt;
&lt;h2&gt;How you can test your site&lt;/h2&gt;
&lt;p&gt;Google provides online analytics that you can query via BigQuery. If you want to reproduce the report this analysis
is based on and compare your website to your competitors, you can use the Peakhour.IO &lt;a href="/pages/website-competitor-speed-test/"&gt;Website Speed Comparison report&lt;/a&gt;.
We automatically discover your competitors, run them through Web Vitals, and graph the results.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;If nothing changes, quite a few Australian Magento stores could lose search visibility in May 2021. The majority of sites don't
use Magento 2's ability to &lt;a href="/dynamic-content-caching/"&gt;cache dynamic pages&lt;/a&gt;, and if they do, they're often not
&lt;a href="/image-optimisation/"&gt;serving optimal images&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Core Web Vitals becomes a search signal next year. For Magento teams, it is time to get ready.&lt;/p&gt;</content><category term="Performance"></category><category term="Core Web Vitals"></category><category term="Magento"></category><category term="Web Performance"></category><category term="CDN"></category><category term="Drupal"></category></entry></feed>