Blog

How good are you at securing your Magento website?

Sep 28 2018
Arun
0 Comments

 

 

Disclaimer: Reading this article provides you answer for the below questions.

 

  • How secure is your Magento site?
  • How to patch your magenta website?
  • Detailed step by step guideline to know how to patch Magento?
  • The benefit of upgrading Magneto 2.0.
  • How to restore a specific Magento patch?

 

Obviously, you have invested enough money in building your Magento website and ensured that it has the best security features so that your customers could enjoy a better experience.

But, the worst thing you want to see is a security breach in spite of taking immense measures to avert such incidents.

You can ultimately avert those security issues and prevent such vulnerabilities from happening by the following methods found below:

  • Installing the latest Magento patches
  • Upgrading Magento to the latest version.

Let’s know about installing Magento patches.

For instance, the customers were facing numerous issues while trying to register and also to complete the purchase at the checkout.

This issue was fixed immediately in the version SUPEE-10570v2-1.9.3.8

Analogous to the above issue, there might be various issues which allow hackers to penetrate pretty easily into any of the vulnerable websites.

In order to avert this from happening, these patches when applied will leave your website secured.

Below is the list of 8 latest patches for the Magento website.

 

Magento 1.14.3.10

Magento 1.9.3.8 Magento 1.9.3.7 Magento 1.9.3.1
SUPEE-10888-1.14.3.10 SUPEE-10570v2-1.9.3.8 SUPEE-10570v2-1.9.3.7

SUPEE-10570v2-1.9.3.1

 

Magento 1.9.2.4

Magento 1.9.2.3 Magento 1.9.2.2 Magento 1.9.1.1
SUPEE-10570v2-1.9.2.4 SUPEE-10570v2-1.9.2.3 SUPEE-10570v2-1.9.2.2

SUPEE-10570v2-1.9.1.1

 

Another alternative for the patch is to upgrade your Magento to the latest version.

 

Latest Magento version

ver 2.2.6 (released on Sept 10,2018)

 

Quote from Official Magento Site

“We are pleased to present Magento Open Source 2.2.4. This release includes significant new bundled extensions (Amazon Pay, Vertex, Klarna), multiple enhancements to Magento Shipping and dotmailer, and performance improvements that enable faster shopping with image loading and optimized search performance. The 200+ community contributions include many functional fixes and performance-tuning enhancements, too”.

 

Install Patch/Upgrade version?

You could go ahead choosing either of the two options for securing your website from the risks.

When it comes to version update, most of the existing features might contradict with the new one. Hence, we usually won’t recommend version update unless it is mandatory.

Still, we would analyze the website completely and provide our clients with the easiest solution. You can also check with us for any assistance.

Avoiding such vulnerabilities depends on patch available for your version/version update which differs from case to case.

But, what really matters is that you take this timely measure systematically.

 

Phishing Emails?

I’ve heard web-owners saying that they used to get phishing emails with the patch note.

The worst part is that the email does have the content and link which sounds even more authentic.

A strong suggestion would be not opening those kinda emails, as they are the pathway of the hackers to your website.

You will be done with your website if you attempt to click on that attachment.

Always do delete those emails types, especially when you receive it with any attachments in it.

 

why does your website need patching?

 

Heck Yes.

For example, just imagine that your website is undergoing a security breach.

I really don’t think that anyone can handle the situation to watch over their website when being used by a hacker.

You can avoid the vulnerabilities very easily by doing an immediate quick check on the below points:

  • Check for the latest patch availability and release date
  • Applying the recommended patch in accordance with the risk ratings
  • Periodical update on the subsequent release date of the patch
  • Check for the current Magento version and upgrade it

 

How to apply Magento patches?

Let me explain how to install the patch for SUPEE 10570 with and without SSH.

Follow these simpler steps and make your website risk free:

With SSH

  • At first, you need to check if the Magento Compiler is disabled. (System > Configuration > Tool > Magento Compiler).
  • Verify the current Magento version and then download the corresponding patch available for it from https://magento.com/tech-resources/download#download2164
  • The next step would be placing the patch into the Magento Root directory. It is highly important that you upload the patch files directly into the Magento Root directory and also execute it directly from the same location. ( kindly refer the below sample)

  • Now run the patches. (SH patch file name) or (Bash patch file name)

  • Once the patched are run, you need to verify and flush of Magento PHP opcode cache.
  • Flushing Magento caches should be done in the backend (System > Cache Management) and most importantly clear the Magento cache and CSS/JS caches. As said above, flush the PHP opcode cache and even if you don’t see any changes, kindly restart the web server.
  • Once all the above-mentioned steps are done, do a test, especially in the store and the checkout process for its functionality.

 

Without SSH

There are two ways to apply a patch without SSH (Secure Shell)

  • Via Browser
  • Manual Patching

 

Via Browser:

Once you download the recommended patch, insert the patch files into the Root directory at first.

Then insert the respective PHP file into the Root directory.

Once it is done, execute the same in the directory itself.

exec (SH patch file name) or exec (Bash patch file name)

 

Manual patching:

This process is pretty simple and more or less identical to the above process.

  • Verify the current version of the Magento website
  • Scan your website to check for any security risks here, https://www.magereport.com
  • Download the concerned patch file.
  • Now, upload the zip file of the patch in the Root directory and execute it via FTP.
  • Flush the cache.
  • Do a test on the respective section where you were facing issues/risks.

 

How to restore or revert a Magento Patch?

Now that you have applied a patch, have you thought of reverting the patch?

Yes, we can surely revert the patch.

If you find any types of errors while uploading patches, contact Magento support  (https://account.magento.com/customer/account/login/ – If you are advised on reverting the patch in particular, please go ahead and revert the file.

Here’s how you would do that.

  • All you have to do is to run “sh patch-file-name.sh – R” command as found below in the root of the Magento site.

 

Here is where you could scan your website for vulnerabilities and patch:

There are many Magento security scanners to identify the vulnerability:

1) Mage Report – give the link (https://www.magereport.com/)

2) Foregenix – give the link (https://www.foregenix.com/scan)

3) Security Patch tester – give the link (https://magentary.com/magento-security-patch-tester/)

4) Sucuri – give the link (https://sitecheck.sucuri.net/?clickid=3CPXjGwLLVwc3A-Sgi2j8TjiUkjUpoTdqX7t080)

But, one of the most popular security scanners is Mage Report.

You could scan your website here, https://www.magereport.com/ and obtain a detailed report to know the following details:

  • Current patches available for your website.
  • Risk ratings of your website.
  • Recommended upgraded patches for 0% vulnerability.
  • It also lists all the patches which are being installed currently on your website.

 

Summary:

We should never underestimate the security loopholes. To save your Magento site, It is our call to prevent this from happening as it is now or never.

Timely patch and timely up gradation of Magento website is the recommended solution.

You could do the patching works all by yourselves by following the easy steps explained above.

Or

If you would like the patch works to be handled by a tech-professional, kindly contact us.

Many have been a fan of our work and gave us repeated patch works as we are a leading pioneer in patching Magento websites for the past five years.

If you desire to see our workflow, kindly check this Magento Patch Installation Service