Part of my proactive approach includes checking the health of development websites set up for clients. This is mainly carried out for security reasons and to ensure that the codebases for the development and production environments are closely in sync.
In previous companies I have worked for, I discovered some fundamental issues with the development sites that had been set up. Therefore, I'm going to share some of my findings and what steps should be taken to avoid common development site problems.
One of the key steps when setting up a Magento (or any application) development website is: make sure that the search engines don't crawl the website!
In Magento 1, this can be achieved by heading to the System -> Configuration -> General -> Design section in the admin, expanding the HTML Head section and changing the
Similarly in Magento 2 (as of version 2.2), within the Content -> Configuration section, select a theme to edit, expand the Search Engine Robots section and set the
This step is surprisingly forgotten or left too late, which has resulted in development sites showing in the search engine results. This effectively means that both production and development websites are competing against each other in terms of SEO. In addition, it might not be immediately obvious to customers that they might be browsing on the wrong website!
If you know the website address of your development site, there is an easy check to find out whether the search engines have crawled the web pages.
In Google, simply type in site: followed by the domain name of the development site. Google will then return any pages from that domain which it has indexed.
I actively work on a few internal projects that use the sussexdev.co.uk domain. Typing site:sussexdev.co.uk into Google shows that none of these appear. Hooray!
Remember, after setting up the development site's database and codebase, always make sure that you configure the search engines not to crawl and index the website.
If necessary, you can add password protection to the whole of the website, or only allow IPs from a whitelist to access it. Choose whichever option is best for you but make sure you take action quickly.
This is particularly focused on Magento 1, in terms of securing the database configuration file. It seems as though file and folder permissions are commonly forgotten about when setting up a development site.
Crucially, this can lead to the exposure of the database configuration file in the browser. By simply visiting http://your-development-domain.com/app/etc/local.xml, you may find that your database connection details are accessible to the public.
If you forget about file permissions, remember that Magento 1 will flag this issue up in the admin area with the following notification.
There is therefore no excuse for skipping this check. You might be thinking 'well it's just a development website with an old database. It doesn't really matter if anything happens to it'.
Which leads me onto my next point...
When a development site is being set up, the codebase and a database backup from the production website are taken. There have been a few occasions where customer and order data has not been cleared from the development website. This, along with an exposed local.xml file as seen above, means that sensitive data is open to anyone! This can lead to major legal and financial
In both Magento 1 and 2, it is very easy to strip out this data. I would recommend using Sonassi's tools for dumping a Magento database. They are simple to use and truncate any sensitive data from the database dump.
I'm available to help businesses configure development sites.
Development sites do not take long to set up, and are often rushed due to time constraints with other projects. Don't forget to spend a bit of time checking over the site to ensure that no fundamental security issues exist, for the benefit of you and your clients.
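The two browser-visible checks described above (crawler directives and a publicly readable app/etc/local.xml) can be scripted against a development site you administer. This is an added example, not code from the original post; the function names, the finding messages and the sample responses are assumptions made for illustration.

```python
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

CONFIG_PATH = "/app/etc/local.xml"  # Magento 1 database configuration file

def robots_blocked(headers, body):
    """True if the response asks crawlers not to index it (header or meta tag)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # Matches the name-before-content attribute order Magento emits.
    meta = re.search(r'<meta[^>]+name=["\']robots["\'][^>]*content=["\']([^"\']*)', body, re.I)
    values = lowered.get("x-robots-tag", "") + "," + (meta.group(1) if meta else "")
    return bool({v.strip().lower() for v in values.split(",")} & {"noindex", "none"})

def config_exposed(status, body):
    """True if the request returned the XML file itself rather than a denial."""
    return status == 200 and "<config" in body

def audit(home, config):
    """Each argument is a (status, headers, body) tuple; returns a list of findings."""
    findings = []
    status, headers, body = home
    if status == 200 and not robots_blocked(headers, body):
        findings.append("home page is public and does not send noindex")
    if config_exposed(config[0], config[2]):
        findings.append(CONFIG_PATH + " is readable from the browser")
    return findings

def fetch(url):
    """Fetch a URL on a site you administer as (status, headers, body)."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "dev-site-audit"}), timeout=10) as r:
            return r.status, dict(r.headers), r.read(65536).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, dict(e.headers), ""

# Constructed sample responses, not captured from a real site.
OPEN_HOME = (200, {"Content-Type": "text/html"},
             '<head><meta name="robots" content="INDEX,FOLLOW"/></head>')
OPEN_CONFIG = (200, {}, '<?xml version="1.0"?><config><global/></config>')
LOCKED_HOME = (401, {"WWW-Authenticate": "Basic"}, "")
LOCKED_CONFIG = (403, {}, "Forbidden")

if __name__ == "__main__":
    print(audit(OPEN_HOME, OPEN_CONFIG))      # both findings
    print(audit(LOCKED_HOME, LOCKED_CONFIG))  # no findings
```

For a live check, pass `fetch(base)` and `fetch(base + CONFIG_PATH)` to `audit`, where `base` is your own development site's address.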