Being robust, functional and highly customizable, Magento deserves its leading position among the most powerful eCommerce platforms. According to BuiltWith, over 20% of the TOP 10K eCommerce stores are running on Magento (Community and Enterprise Editions). But like any other platform it has to be scanned regularly for vulnerabilities. Your store can come under attack at any moment, so you have to stay alert and protect your customers from the loss of sensitive data.
1 Uninstalled Security Patches
The Magento team is constantly discovering security issues and releases security patches that spare Magento store owners unnecessary stress. To be alerted about the latest patches, sign up for the newsletter at the Magento Security Center. Magento Enterprise Edition has higher priority, so its patches are released first and the patches for Community Edition follow some time later. New Magento versions generally contain all prior patches as well.
- Security patch 5994 (admin disclosure)
- Security patch 5344 (Shoplift)
- Security patch 6285 (XSS, RSS)
- Security patch 6482 (XSS)
- Security patch 6788 (secrets leak)
- Security patch 7405 (admin takeover)
All you need to do is download the release for your version in time and install it in 6 steps:
- Make a backup
- Log in over SSH (shell)
- Download the patch
- Apply the patch
- Clear your cache
- Check your shop
2 Unprotected Magmi
Magmi is a Magento mass importer. It is used to speed up product imports, which are quite slow in Magento by default. But this effective tool has one major weakness: it has no authentication of its own, so it opens access to your Magento web store database. Attackers can add Admin users and change products, as well as upload malicious files or steal credit card data from your store, so you need to make 100% sure that this module is secured against attacks. You can fix this problem via SSH, but if you don’t know how to use it, contact us.
3 Unprotected development files
In Magento versions 18.104.22.168 till 22.214.171.124 several development files were included in the standard installation package. It was later discovered that these files may reveal your passwords and other sensitive data. To secure your Magento development files, configure your web server to block requests to the ‘/dev’ folder. Please note that this does not mean simply deleting the ‘/dev’ directory: that brutal method will just break future patches. You need to block these files at the web server level, and the configuration differs for Apache and Nginx.
4 Exposed Magento 2 API
The API in Magento 2 can be accessed without providing credentials. Information such as the storefront and (hidden) products, including prices, is exposed through the API.
5 Admin/downloader unprotected
By default, the back end (Admin panel) is located at ‘/admin’ and ‘/downloader’. This is a well known fact, so hackers can easily take advantage of it by launching a brute-force attack, which tries password after password until the right one is found. That should stop you from using simple passwords like ‘123456789’, since they are cracked within a minute or less.
If it is any consolation, it is a quite common mistake of careless Magento users: the Hypernode team detects around 1M such vulnerabilities weekly!
This is not the whole story though! Unfortunately, simply using a strong password with capital letters, numbers and symbols won’t protect your store. Hackers will keep hammering your password, and this additional load can waste valuable capacity on your server, so keep the name of the admin panel secret as well.
Of course, there are other ways to secure admin/downloader:
First of all, change the name of the back-end panel in app/etc/local.xml under admin -> routers -> adminhtml -> args -> frontName. It has to be something easy for you to remember but not obvious or easy to guess for others.
Flush your cache in the back end at System → Cache Management or run in SSH: magerun cache:flush.
In Magento 2 a secret back-end name is created during installation.
Secure /downloader. /downloader is the standard path for installing extensions via the Magento Connect Manager. As you may have noticed, all standard paths are easy prey for intruders. In this case renaming won’t be enough, so it is better to set up IP access control (an “IP whitelist”).
Install adaptive filtering or an Intrusion Prevention System (IPS). It is better to prevent attacks by blocking the sources of attacks.
6 Unprotected version control
Version control systems such as Git and Subversion store their metadata in hidden folders inside the Magento installation. These folders can reveal sensitive information such as passwords if they are left accessible over the web. If the database passwords are also present somewhere in this repository, this may let hackers use their own username and password combination to add admin users to your Magento web shop.
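Sections 2, 3, 5 and 6 all come down to the same control: the web server must refuse to serve certain paths, regardless of what Magento itself does. The following nginx server block is an added example and is not configuration from the original post or from Magento; the docroot /var/www/magento, the hostname shop.example.com, the PHP-FPM socket /run/php-fpm.sock and the trusted admin network 203.0.113.0/24 are placeholders you would replace with your own values. Version control metadata and the shipped dev/ files are answered with 404, while Magmi and /downloader are restricted to the trusted network with an IP whitelist (renaming alone is not enough for them). On Apache the same rules would go into the vhost or .htaccess with its own directives; this example covers nginx only.

```nginx
# Added example (not from the original post): nginx server block for a
# Magento 1 store that blocks sensitive paths at the web server level.
# All names, paths and the 203.0.113.0/24 network are placeholders.

server {
    listen 80;
    server_name shop.example.com;     # placeholder hostname
    root /var/www/magento;            # placeholder Magento docroot
    index index.php;

    # Section 6: never serve version control metadata (Git, Subversion,
    # Mercurial). A 404 does not even confirm that a repository exists.
    location ~ /\.(git|svn|hg)(/|$) {
        return 404;
    }

    # Section 3: block the shipped development files instead of deleting
    # the directory, so future patches that touch dev/ still apply cleanly.
    location ^~ /dev/ {
        return 404;
    }

    # Section 2: Magmi has no authentication of its own, so only the
    # trusted network may reach it; every other client gets 403.
    location ^~ /magmi/ {
        allow 203.0.113.0/24;         # placeholder office/VPN range
        deny all;

        # PHP still has to run for whitelisted clients; the allow/deny
        # rules above are inherited by this nested location.
        location ~ \.php$ {
            fastcgi_pass unix:/run/php-fpm.sock;   # placeholder socket
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Section 5: /downloader (Magento Connect Manager) gets the same
    # IP whitelist; renaming it is not enough.
    location ^~ /downloader/ {
        allow 203.0.113.0/24;
        deny all;

        location ~ \.php$ {
            fastcgi_pass unix:/run/php-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Everything else goes through the normal Magento front controller.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

The `^~` prefix matters: once a request matches `/magmi/` or `/downloader/`, nginx stops looking at the regex locations, so the nested `\.php$` handler inside each block is what serves the whitelisted clients, and the access rules are inherited into it. After changing the file, run `nginx -t` and reload, then verify from an address outside the whitelist that `/dev/`, `/.git/config` and `/.svn/entries` return 404 and `/magmi/` and `/downloader/` return 403, while the storefront still loads.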
7 Credit Card Hijack
The fraud was detected on May 12th, so the malpractice had gone unnoticed for months and it is still active. If you still haven’t scanned your Magento store for vulnerabilities, do it ASAP!
If a Credit Card Hijack is detected, contact a Magento developer or Magento security expert, because, trust us, fixing this breach is no piece of cake.