Maropost Dao

Fixing a fatal flaw in Maropost's security - don't let your competitors see your data!

Maropost: it is bloody fantastic, as any Maropost (formerly Neto) user will tell you. One thing is, it is bloody complex. Not complicated, but definitely complex. Today I’m gonna help you fix one security issue that has plagued Maropost for so long, and no-one even really knows it is an issue!

Now: we all know the importance of having your products pushed to Google Shopping. Your Google Shopping feed is single-handedly the most important thing for your site’s SEO (I’ll cover this more in a separate post). Maropost is fantastic at facilitating this: the native Google Shopping export plug-in makes short work of the process.

The native plug-in is awesome: add it to your Maropost back-end, get the feed URL, and plop it into Google Merchant. So easy!

The ease with which this is set up, though, is one of its biggest issues.

This feed contains a lot of important info about every single one of your products, including:

MPN of each one of your products
Title of each one of your products
Description of each one of your products
A link to each item in your store
The price you are currently selling each product at
A link to the main image of every product in your store
And, possibly the most crucial part that you’d like to keep secret: THE EXACT QUANTITY OF EVERY SINGLE ITEM THAT YOU HAVE IN STOCK!

Yep, it isn’t great. You sure as heck wouldn’t want any of your competitors to know how many of each product you have, would you? And you wouldn’t want competitors to be able to set up a scrape of your site with the exact pricing you sell your products at, so they can discount by a few bucks automatically and be cheaper than you? Your data being out there in the open is quite sucky, to be honest.

Now you might be sceptical and think ‘Dao, how could anyone out there even SEE this feed unless they know the URL?’ and you would be right, but here is the kicker:

The generic URL suffix for Maropost’s Google Shopping export file is www.yoururlhere.com/export/cs/google.txt so if you append /export/cs/google.txt to the end of your domain name in a browser, it’ll show your ENTIRE catalogue of products.

Using my good friends at Garage Eleven as an example, you can see if you go to the browser address bar:

…and simply paste the suffix of /export/cs/google.txt after the domain name and hit Enter, you’ll see an output of his ENTIRE catalogue. Try this on your own site, and you’ll be shocked!

The red arrows are pointing to:

SKU
Link to the main image of the SKU
Quantity in stock

You can also see the pricing, and a few other parameters in there such as Category, Condition and whatnot.

I told you it’s pretty sucky! The best thing is, it is quite easy to fix.

Open up your Maropost back-end, navigate to ‘Settings and Tools’ and click on ‘Export Data’.

Then at the Export Data screen, click the Perform Complex Export button and select ‘Use Existing Custom Export Templates’.

The next screen will bring up a list of all your recurring exports. You’ll see ‘Google Shopping Data Feed’ and the output file’s name of ‘google.txt’.

Click on the blue writing that says ‘Google Shopping Data Feed’; this will take you into the setup for the Google Shopping export. Important: DO NOT MESS WITH ANYTHING IN HERE EXCEPT FOR WHAT I WILL TELL YOU TO MESS WITH! If you stuff any of this up, your Google Shopping feed may be broken and will not update. Simply scroll down to the section marked ‘File Name’, and change ‘google.txt’ to something else.

Now, DO NOT TELL ME WHAT THIS FILENAME NOW IS! Keep it to yourself. I am changing Garage Eleven’s filename output right now, so I’ll just put a picture of Spongebob over the filename from now on.

Once you’ve done this, scroll to the top of the page and click ‘Generate Data File’.

This pushes a fresh feed of all your product data to your new SECRET filename.

You will now need to update the feed within Google Shopping’s ‘Merchant Centre’. Go to https://merchants.google.com and log in, and update your feed URL to the new appended one. You may need to remove the existing feed and simply re-add your new one, which is not a big job.

Voila! You can now pat yourself on the back for taking a huge step toward protecting your information!
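To confirm the change on your own store, the check below (an added example, not part of the original post and not Maropost code) fetches the default /export/cs/google.txt path and reports whether it still serves a feed with sensitive columns. The header keywords, function names and sample feed are assumptions made for this example; compare them against the header row of your real feed.

```python
import csv
import io
import urllib.error
import urllib.request

DEFAULT_FEED_PATH = "/export/cs/google.txt"  # default path named in the article
# Assumption: header keywords that mark commercially sensitive columns.
SENSITIVE_KEYWORDS = ("quantity", "qty", "price")


def sensitive_columns(feed_text):
    """Return {column name: count of non-empty values} for sensitive columns."""
    first_line = feed_text.splitlines()[0] if feed_text.strip() else ""
    delimiter = "\t" if "\t" in first_line else ","
    counts = {}
    for row in csv.DictReader(io.StringIO(feed_text), delimiter=delimiter):
        for name, value in row.items():
            if name and any(k in name.lower() for k in SENSITIVE_KEYWORDS):
                filled = 1 if (value or "").strip() else 0
                counts[name] = counts.get(name, 0) + filled
    return counts


def classify(status, body):
    """Judge one HTTP response received from the default feed path."""
    if status != 200:
        return "not served"
    cols = sensitive_columns(body)
    if cols:
        return "EXPOSED: " + ", ".join(sorted(cols))
    return "served, no sensitive columns found"


def check_store(base_url, timeout=10):
    """Fetch the default path from your own store and classify the response."""
    url = base_url.rstrip("/") + DEFAULT_FEED_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")


# Constructed sample feed (not real data), tab-separated.
SAMPLE_FEED = (
    "id\ttitle\tprice\tquantity\tcondition\n"
    "SKU-1\tExample widget\t19.95 AUD\t42\tnew\n"
    "SKU-2\tExample gadget\t5.00 AUD\t\tnew\n"
)

if __name__ == "__main__":
    print(classify(200, SAMPLE_FEED))  # what an exposed feed looks like
    print(classify(404, ""))           # what you want after the rename
```

Run `check_store("https://www.yoururlhere.com")` with your own domain after regenerating the data file; anything other than "not served" means the default path is still answering.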

If you struggled with any of this, or it is a bit outside your levels of expertise, we here at Thinkerous are happy to help you. Reach out to us and we can give you a quote!
