Deanta
Solving API Spikes, Checkout Errors, and Potential Vulnerabilities on an OpenCart-Powered E-commerce System
Project Brief
Deanta, a client managing a high-traffic OpenCart store hosted on SiteGround, reached out to us at Smart Web Agency with urgent concerns regarding performance anomalies, checkout disruptions, and suspicious backend activity. Their system was encountering unusual server spikes, random login slowdowns, and checkout errors linked to invalid payment methods—along with a deeper concern of potential malicious code in the live environment.
We were engaged to investigate, stabilize, and recommend long-term security and performance solutions.
The Challenge
Our audit highlighted a series of critical but distinct issues:
Unexplained API Spikes:
- An alarming surge of ~8000 API requests in under a minute was observed via Wireshark logs, impacting login performance and server stability.
Checkout Failures:
- Customers were intermittently receiving “Invalid Merlin account ID” errors during the checkout process, leading to cart abandonment.
Suspicious Code Detected:
- A non-standard rand(1,2) call was discovered in the payment() method of the live site’s journal3/checkout.php, raising flags about a possible unauthorized code injection.
The client’s server environment limited visibility into low-level request logs and user activity, complicating root cause identification.

Our Approach
We conducted a comprehensive code audit, session analysis, and server behavior review to isolate each issue.
Server Spikes & Login Delays
We thoroughly reviewed all cron jobs and login scripts. Nothing in the scheduled tasks or login flow could account for the burst in API traffic. We concluded the spike most likely originated from an external source or was triggered by bulk product (SKU) uploads via the admin panel or automated integrations.
Proposed solution: Break SKU uploads into smaller batches (e.g., 20 at a time) to reduce system stress and monitor resulting performance. We also requested sudo-level access to dig deeper into request patterns at the server level.
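To make a burst like the one above visible without sudo access, a script can bucket ordinary access-log lines by client and minute. This is an added example, not the client's code or part of OpenCart; the log lines, IP addresses and the api/product route are constructed, and the threshold is set low so the sample shows a hit:

```php
<?php
// Added example. Counts requests per (client IP, minute) in combined-format access
// log lines and returns the buckets above $threshold with the most-hit path.
declare(strict_types=1);

function requestBursts(iterable $lines, int $threshold): array
{
    $counts = [];
    foreach ($lines as $line) {
        // client IP, then the bracketed timestamp "10/Oct/2024:13:55:36 +0000", then the request
        if (!preg_match('/^(\S+) \S+ \S+ \[(\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}):\d{2} [^\]]*\] "([^"]*)"/', $line, $m)) {
            continue;   // skip malformed lines rather than abort the whole run
        }
        [, $ip, $minute, $request] = $m;
        $path = explode(' ', $request)[1] ?? '';
        $key = "$ip $minute";
        $counts[$key]['n'] = ($counts[$key]['n'] ?? 0) + 1;
        $counts[$key]['paths'][$path] = ($counts[$key]['paths'][$path] ?? 0) + 1;
    }
    $bursts = [];
    foreach ($counts as $key => $c) {
        if ($c['n'] > $threshold) {
            arsort($c['paths']);
            $bursts[$key] = ['requests' => $c['n'], 'top_path' => array_key_first($c['paths'])];
        }
    }
    return $bursts;
}

// Constructed sample: one client hitting an API route 30 times inside one minute,
// two ordinary visitors for contrast. Addresses are documentation ranges.
$lines = [];
for ($i = 0; $i < 30; $i++) {
    $sec = str_pad((string)($i % 60), 2, '0', STR_PAD_LEFT);
    $lines[] = "203.0.113.7 - - [10/Oct/2024:13:55:$sec +0000] \"GET /index.php?route=api/product HTTP/1.1\" 200 512";
}
$lines[] = '198.51.100.2 - - [10/Oct/2024:13:55:10 +0000] "GET /index.php?route=checkout/cart HTTP/1.1" 200 2048';
$lines[] = '198.51.100.9 - - [10/Oct/2024:13:56:02 +0000] "POST /index.php?route=account/login HTTP/1.1" 302 0';

print_r(requestBursts($lines, 20));
```

On a real host, feed the function the lines of the web server's access log and raise the threshold to match normal traffic; the top path tells you whether the burst is product uploads, logins or something else.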
Fixing the Invalid Merlin ID Error
The root cause of checkout errors was traced to session inconsistencies—where the payment method was intermittently and silently switching to authorizenet_sim, a gateway incompatible with the client’s Merlin setup.
We resolved this by explicitly locking the payment method to Bank Transfer, ensuring consistent compatibility with the backend integration.
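The lock described above can be enforced as a guard on the checkout session rather than relying on the stored selection. The following is an added example, not the client's implementation or OpenCart's own code; it assumes the OpenCart 3 session layout (`payment_method['code']`), the function and constant names are hypothetical, and the session shown is constructed to reproduce the silent switch:

```php
<?php
// Added example (not from the client's site or from OpenCart). Any payment code
// outside the allowlist is logged and replaced before the order is confirmed.
declare(strict_types=1);

const ALLOWED_PAYMENT_CODES = ['bank_transfer'];   // the only gateway the Merlin setup accepts
const FALLBACK_PAYMENT_CODE = 'bank_transfer';

/**
 * Returns the payment code to use for this session, correcting the session in
 * place. $log receives one line per correction so silent switches become visible.
 */
function enforcePaymentMethod(array &$session, array &$log): string
{
    $code = $session['payment_method']['code'] ?? '';   // OpenCart 3 session layout
    if (in_array($code, ALLOWED_PAYMENT_CODES, true)) {
        return $code;
    }
    $log[] = sprintf('[%s] payment_method "%s" rejected for session %s; forced to %s',
        date('c'), $code === '' ? '(none)' : $code,
        $session['session_id'] ?? '?', FALLBACK_PAYMENT_CODE);
    $session['payment_method'] = [
        'code'  => FALLBACK_PAYMENT_CODE,
        'title' => 'Bank Transfer',
    ];
    return FALLBACK_PAYMENT_CODE;
}

// Constructed session reproducing the failure mode: the method has drifted to
// authorizenet_sim without the customer choosing it.
$session = [
    'session_id'     => 'demo-session',
    'payment_method' => ['code' => 'authorizenet_sim', 'title' => 'Authorize.Net SIM'],
];
$log = [];
$code = enforcePaymentMethod($session, $log);
echo "Effective payment method: $code\n";
foreach ($log as $line) {
    echo $line, "\n";
}
```

In a live store the guard belongs at the start of the checkout confirm step, and the log lines are worth alerting on: repeated corrections mean the underlying cause of the switch is still present.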
Suspicious Code & Security Audit
Upon noticing abnormal behavior and being alerted by the client, we:
- Immediately rotated all FTP credentials.
- Identified a rogue rand(1,2) call in the live version of a payment model file, which was absent in the staging environment.
- Flagged this as potentially malicious or at the very least unauthorized code modification.
- Advised the client to audit SiteGround user access to revoke leftover accounts from former teams.
While the FTP service in use does not log file-level changes, tightening access control now leaves the system in a more secure state.
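Because FTP leaves no record of who changed a file, the practical control is to compare the live tree against a known-good baseline (here, staging) on a schedule. This is an added example, not part of the client's deployment or of OpenCart; the directory names and file contents are constructed, and the only difference planted on the live side is an extra rand(1,2) call like the one found on the site:

```php
<?php
// Added example. Hashes every file under two trees and reports what differs.
declare(strict_types=1);

/** Map of relative path => sha256 for every regular file under $root. */
function hashTree(string $root): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Paths present on only one side, plus paths whose content differs. */
function diffTrees(array $baseline, array $live): array
{
    $changed = array_filter(
        $live,
        fn($hash, $path) => isset($baseline[$path]) && $baseline[$path] !== $hash,
        ARRAY_FILTER_USE_BOTH
    );
    return [
        'added'   => array_keys(array_diff_key($live, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $live)),
        'changed' => array_keys($changed),
    ];
}

// Constructed staging and live trees (paths are illustrative, not the client's).
$staging = sys_get_temp_dir() . '/oc_staging_' . uniqid();
$live    = sys_get_temp_dir() . '/oc_live_' . uniqid();
foreach ([$staging, $live] as $d) {
    mkdir("$d/catalog/model/extension/payment", 0700, true);
}
$clean = "<?php\nfunction payment() { return 'bank_transfer'; }\n";
file_put_contents("$staging/catalog/model/extension/payment/demo.php", $clean);
// the live copy carries an extra rand(1,2) call; a second file exists only on live
file_put_contents("$live/catalog/model/extension/payment/demo.php",
    str_replace("return", "\$roll = rand(1,2); return", $clean));
file_put_contents("$live/catalog/model/extension/payment/extra.php", "<?php // only on live\n");

print_r(diffTrees(hashTree($staging), hashTree($live)));
```

Store the staging hashes as the baseline after each approved deploy and run the comparison from cron; any entry under added or changed that did not come from a deploy is the trigger for the credential rotation and access review described above.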
Technology & Stack
- OpenCart (Journal3 Theme) – Custom checkout flow and product catalog.
- PHP/MySQL – Core platform logic and database operations.
- SiteGround Hosting – Web hosting environment with limited server access.
- Wireshark – Network packet analysis used to identify traffic anomalies.
- Stripe & Merlin Integrations – Custom payment and order routing setup.
Core Features of the Platform
- Clear Event Schedule and Details: Detailed sections on speakers, topics, and venue, with up-to-date event changes.
- Registration System: Easy online registration form integrated with the event API for seamless attendee management.
- Awards and Recognition Highlights: Spotlighting outstanding contributions in organ donation and transplantation.
- Speaker Profiles: Detailed bios of key speakers and industry leaders to attract and inform attendees.
- SEO Optimization: Content structured and optimized to attract and inform the target audience.
Results
Thanks to the fast and structured response, Deanta experienced immediate improvement in system behavior:
- Checkout process stabilized with zero recurrence of the invalid ID errors post-fix.
- Security posture improved via credential rotation and code patching.
- Performance insight unlocked by breaking bulk SKU uploads into smaller batches, helping the client better understand their API limits.
Our intervention not only solved the immediate issues but also gave the client a clear roadmap for preventing future disruptions.
Conclusion
At Smart Web Agency, we specialize in untangling complex web platform issues—whether performance bottlenecks, third-party integration conflicts, or suspicious backend activity. Our collaboration with Deanta is a strong example of how thoughtful code audits, proactive fixes, and transparent communication can bring immediate value and long-term stability to digital commerce platforms.