Please, Please Patch Your Magento Store

Here at LexiConn, we help migrate a number of Magento stores over to us from other hosting providers. We’ve noticed an alarming trend that many of these stores are not fully updated with the latest security patches released by Magento.

More alarmingly is that a good portion of these stores often have hacked files, ranging from remote file upload scripts to malicious code that collects credit card details! Most of the time the merchant is completely unaware that this is happening. We’ve seen hidden backdoor access to the admin panel, rogue admin users, and a variety of ways to scrape and send out credit card details, customer login passwords, admin passwords, and more.

So what’s a Magento merchant to do?

Step 1 – Determine if your store is fully patched

As a Magento merchant, it’s important that you know if your store is fully secure and up to date with the latest security patches. The easiest way to check this is with a handy website:

www.magereport.com

Simply enter your Magento store URL, and this service will scan your site and let you know if you’re missing any critical security patches. It’s a quick way to perform a site check-up.

Another method is to look at a file in your Magento account:

app/etc/applied.patches.list

This file “should” list all of the patches applied to your store. However, sometimes a patch was attempted and then removed, but the patch is still listed in this file.

Step 2 – Apply the patches

You do not have to upgrade your Magento store to the latest version in order to keep your site secure (upgrading Magento can be disruptive, especially for customized stores). Magento provides patches for many older versions of Magento. The patches are normally quite seamless and do not affect the operation of your store. One exception is the recent SUPEE-6788 patch, which did cause some issues after being applied.

Magento patches are easily applied via the command line (ssh access). They can be removed just as easy as they are applied if the patch does cause any issues. The only time patches do not apply cleanly is if you or your developers have modified core Magento files (a big no-no), or if previous patches were not applied. Once a patch is applied, don’t forget to clear the Magento cache for the changes to take effect.

If you have a developer, they can often help you with applying patches. A few web hosts may apply patches for their clients.

If you have your Magento store hosted with us, we automatically apply all Magento security patches proactively once they are released and tested by us to ensure they will not cause any issues. If we find a patch to cause an issue, or not install cleanly, we will reach out to the affected merchants.

How do you know when patches are released? The best way is to sign-up for email alerts from the Magento Security Center.

Step 3 – Perform a core file audit

Even if you patch your store right away after a security patch is released, it’s a good idea to audit the core Magento files in your store. This audit essentially compares your store files to those of a stock Magento store that is fully patched. It can highlight any core files that differ from a clean Magento install.

For any store we migrate to our hosting service, we perform a core file audit (as well as a malware scan of all files) as part of the transition. This is where we often find malicious files from un-patched stores.

There are many tools available to perform an audit such as this. The results can help not only discover malicious code and files, but can help understand what might break if/when you upgrade your Magento store to a newer version.

Along with the audit, a scan of all files for malware is also highly recommended.

I can’t stress it enough just how important it is to keep your Magento store patched with all of the security updates. Timely patching can help avoid any compromise or malicious files being introduced into your website.

 

 

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

Connect with me on Google+

Leave a Reply