Magento Security Patches: The Basics You Need to Keep Your Business Safe

February 8, 2016 by Leah Na'aman

Magento may be an eCommerce favorite around the world, but even with its great features and regular updates, Magento security can still find itself vulnerable to ever-evolving cyber-attacks.

Luckily for those that use it, Magento has a great team of technicians and an active community of techies who are constantly on the lookout for the newest developments in malware and other threats to eStore security. In fact, the community is so determined to stay on top of security threats that reporting a new security bug in the Magento system can result in a cash reward.

Protecting your eStore with Magento Security Patches

Magento is regularly looking for ways to improve its platform’s security to keep both retailers and consumers safe. Those familiar with Magento know the company regularly releases new security patches to ensure its stores are up-to-date with the latest protective software by ‘patching’ any holes a hacker could take advantage of.

As well as running your site with the latest version of Magento, you should also install all Magento patches in a timely manner. You can sign up to receive Magento security alerts as they are released to ensure you don’t miss any important updates.

If you’re unsure as to whether your eStore’s security is up-to-date, I recommend using MageReport.com to check if your site is currently protected. All you need to do is enter your store’s URL to see which patches have been implemented; then once you have a list of the patches you’re missing, you should take action immediately.

Where to get Magento Security Patches

Once you know the patches you need, there are two places you can download the updates, depending on the Magento edition used by your site.

For those running Magento Community edition, log in tomagentocommerce.com/download and click My Account. Find the Magento Community Edition Patches section, locate the patch you need to install for your version and hit download.

Anyone running Magento Enterprise Edition should log in tomagentocommerce.com and click My Account. From here, click Downloads in the left pane and then Magento Enterprise Edition in the right. Click Support Patches and download the patch you need for the Magento version your site is running.

Installing Magento Security Patches

We’ll let Magento themselves tell you how this is done:

To apply a Magento patch:

  1. Transfer the patch .sh file to your Magento installation root directory.


Note
: This article assumes your patch file name ends in .sh. If your patch file name ends in .patch or something else, contact Magento Support before proceeding. For example, /var/www/html/magento.

  1. Enter the following command as a user with sufficient privileges to write to Magento files (typically, the web server user or root):

sh patch-file-name.sh

A message such as the following displays to confirm the patch installed successfully:

Patch was applied/reverted successfully.

  1. To reapply ownership to the files changed by the patch:

Find the web server user:  ps -o "user group command" -C https,apache2
The value in the USER column is the web server user name.
Typically, the Apache web server user on CentOS is apache and the Apache web server user on Ubuntu is www-data.

As a user with rootprivileges, enter the following command from the Magento installation directory:

chown -R %Paste_Your_Webserver_Username_Here%

For example, on Ubuntu where Apache usually runs as www-data, enter

chown -R www-data

  1. Perform any other tasks as instructed by Magento Support.
    (For example, some patches require you to stop external services, such as the Solr search engine.)

 

Other Ways to Secure Your eCommerce Store

While installing the latest Security Patches will go a long way in protecting your store, there are still other measures you can take in order to keep your business and customers safe.

  • Change the Default Admin Path

Those default admin paths make it too easy for hackers to unleash a brute-force attack that will soon provide them with your username and password once they apply the right software to run possible combinations.

Replace ‘admin’ with a random collection of letters and numbers by locating “<![CDATA[admin]]>” in your local.xml file at /app/etc/local.xml and changing the word “admin” to your chosen replacement.

Even with this adjustment, you should still ensure your username and password are both a random collection of characters, including upper- and lowercase, punctuation and numbers.

  • HTTPS/SSL for Login Pages

You are at risk from hackers each time you enter your username and password with an encrypted connection – something that HTTPS/SSL requirements will counteract. To do this:

  • Log in to your site, click the System tab and then select Configuration from the drop-down menu.
  • Click the Web tab and then click on Secure.
  • Here, change the Base URL from ‘http://’ to https://’.
  • Click ‘yes’ on ‘Use Secure URLs in Frontend’ and ‘Use Secure URLs in Admin’.
  • Click Save Config.
  • Monitor Regularly

Security Patches are great assets to the Magento community, but if the vulnerability required a patch in the first place, it means there’s a chance your site was already breached before the patch was issued.

With this in mind, you should be carrying out regular security reviews to monitor for anything indicating an attack has been launched.

Check for unauthorized Admin users by analyzing the Admin Actions Log (Magento Enterprise) for unusual activity. You can also implement an Intrusion Detection System (IDS) on your network, as well as utilizing a file and data integrity tool so you’re notified of any potential malware installation.

  • Only Install Trusted Magento Extensions

We love that Magento has such a vibrant and active community of developers, but this often lures people into a false sense of security when it comes to the many extensions created for the platform.

Before installing any new extension, research it well to ensure it’s been painstakingly tested, has positive reviews and a reputation for dependability. It’s also important to update your extensions when new versions come out – as with Magento itself, these extension updates usually contain important patches for security vulnerabilities.

  • Protect Your Store from Threatening PHP Functions

Add a ‘disable_functions = proc_open,phpinfo,show_source,system,shell_exec,passthru,exec,popen’ rule to your php.ini file in order to protect your eStore from PHP function exploitation.

  • Protect your Magento Downloader

The Magento Downloader is where you add Magento extensions to your site and this can pose another vulnerability in your site’s security structure. Unfortunately, you can’t create a unique url for the downloader, so instead, you should adjust your server settings to only provide access to the unique IPs of your choosing. This will prevent access from untrusted sources and add another layer of security to your ecommerce site.

  • Hire a Professional Security Reviewer

We have a lot of respect for web developers, but as great as they are, they’re not trained Magento security experts. Enlisting the help of a professional who spends their days analyzing Magneto security systems is a great way to identify any potential vulnerabilities in your eCommerce store’s set-up. Hire a professional a couple of times a year to give your site a once-over and ensure the eStore is protecting both you and your customers.

  • Change passwords after working with third-parties

As useful as working with outside developers can be, it can increase your store’s vulnerability. Change admin and FTP passwords before and after working with third-parties, regardless of how trustworthy they seem. You can’t guarantee they take all the security precautions that you do.

  • Disable Directory Indexing

This prevents hackers from viewing all the files in a folder on your website, making it more difficult to find vulnerabilities to abuse. To achieve this, simply add ‘Options -Indexes’ to your .htaccess file and tap the Return key so the file finishes with a blank line.

  • Have a back-up plan

Obviously your main aim is to prevent an attack from happening at all, but in case a hacker does break through your security measures, it’s important to have a back-up plan in place.

All eStores should have a disaster recovery plan to get back on track in the event of a breach. Your server and database should be automatically backed up to external location on a regular basis, with a full back-up carried out once a week (minimum). You should also test this system regularly to ensure it can be restored if needed.

So there you have it – a Magento eCommerce Store with top-of-the line security measures.

Facebookgoogle_pluslinkedin

Author

Wladyslaw Brodsky

Wladyslaw is an experienced e-commerce web-developer, with a certification and focus set on Magento development. He was a key developer within the Magento core team and participated in the releases of both Magento 1 and Magento 2. He has also developed for Smile and Ciklum, with a first-hand experience in all parts of e-commerce systems. He has since joined Shoppimon to help both merchants and programmers identify and fix common problems he has experienced within the industry.