Open source software is a great way to quickly build complex solutions for your business; however, security issues can be easily discovered. When security patches for open source systems are released, it’s critical to apply patches as soon as possible to prevent vulnerabilities from being exploited.
Magento is an eCommerce application loaded with state-of-the-art functionality and coupled with the flexibility of open source software. This means that you get all that power with the ability to customize your site to fit your company’s needs.
One drawback to open source solutions is that not only your developers, but a legion of hackers also know the internals of the application. With any application where money is involved, there are those that want to take advantage of you and your customers.
When a security weakness in Magento’s application is discovered, their programmers step into action to create updates that will block the hackers from abusing the weakness and stealing information. As soon as the update is written and tested, the fix is announced and released as a “patch.”
When a new patch comes out, some of our clients ask if this is strictly necessary to take the time, money and disruption to apply the patch. We always recommend that for the security of your website, your customer’s financial data and overall privacy that you apply the update as quickly as possible.
The main reason for this is that hackers are also watching for these patch announcements. When they are announced and released, they know exactly what vulnerabilities to target on a Magento site. These hackers will immediately start looking for unpatched installations to exploit them.
In addition, PCI compliance requirements state that there is a 30-day patch rule:
- “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”
History of Magento Patches
In the early days of Magento, its parent organization was less focused on releasing patches and more intent on improving the application and adding features. This meant that official updates for security issues often required an upgrade of the main application rather than a fix to the current software.
Stating in 2015, Magento started to release security patches to quickly address security issues discovered by analysts and the community. Some of the problems found have been relatively minor, but others prevent hackers from breaking into your admin system.
What is a Patch?
When a fix for a security issue is developed, the code that provides this update needs to be provided in a way that can be applied to existing Magento sites. In most cases, these fixes come in the form of small changes to the code commonly referred to as “patches.” Magento supplies these patches in the form of a self-installing patch script that contains all the updates to fix the security issue(s) being addressed. The patch script locates existing code in the Magento code files and applies updates to those files and saves the result.
Note: Since the patch relies on the core files to have a specific set of code, changes to the core files may cause security patches to fail. This is one of the main reasons for never modifying the core code in your Magento application.
When a security patch is released, Magento will also release a new version of the application that includes the patch and all previous security patches. You will only need to apply the new patch to previous versions of Magento.
Official patches are released on Magento’s security page and can be downloaded from the Technical Resources page. Availability of the patch is announced by a message pop-up and in the top of Magento’s admin section and via email to all customers and partners.
Magento’s security page will detail each patch, describing the vulnerability and the risk severity associated with it. Using this information, you can be aware of the impact of the security issue and the fix. It is important for your software developers to know the extent of the patch so that they can test to make sure it was properly installed and that there are no side effects on other parts of your site.
Since the update in the patch may differ from version to version of Magento, patches are released for very specific versions of the application. Some patches target a range of versions and others just a single version. Your site’s Magento version is shown in the footer of the admin area. Use this information to make sure you are getting the correct patch.
Note: Only download patches from Magento’s website. Hackers are pretty smart and there have been fake patches released on the internet. In some cases, these fake patches have installed malware code far worse than the patch was created to fix. Here is a particularly devious example.
How to Apply Security Patches
To apply a patch script, you will need access to your server’s command line. However, applying patches can break a Magento site and is best left to developers or systems administrators who are knowledgeable about Magento development.
The best practices route for applying a patch is to run the patch script on a non-production version of your website. Then test to see if the updates have been successfully applied before moving the code to your production server. However, if you only have a production system, it is highly recommended to make a backup of your files and database before applying the patch.
Sometimes a patch will fail because it can not find where the update should go. This could be caused by missing previous patches. Magento’s patch strategy is that each patch relies on previous security patches being installed. Your developer can find out what patches have been installed by looking in the app/etc/applied.patches.list file on the site, which lists all patches that were installed, the date they were applied and the files that were modified. If a security patch is missing, it must be installed first, then try applying the most recent patch again.
To test your site to see what security patches are in place you can also use Mage Report. This helpful utility will test your site and list any patches that need to be added. If you want to see what patches are installed from Magento’s admin, have your developer install the Applied Patches module from Gitbub.
What else can I do to keep my Magento store secure?
Check back often, as we will publish more articles covering in-depth Magento Security topics, but for now keep these items in mind:
- Change your admin password every 90 days. If you are using Magento Enterprise edition, you can set this automatically in System > Configuration > Advanced > Admin > Security (Set the Password Lifetime to 90 days and Password Change to Forced).
- Remove or disable any admin users that are not currently needed.
- Update your passwords after working with any outside consultants or contractors.
- Never share your ftp or shell login details with people outside of your organization.
- Keep any extensions patched and up to date.
- Remove any unused extensions.
- Use dedicated servers. On shared servers, you are at risk from security breaches on other sites.
- Avoid using WordPress on the same server account as Magento. WordPress is easily hacked and puts your Magento site at risk.
- Do regular backups of the website and database. If possible, keep these on separate servers.
- Keep your site’s code in a remote code repository like GitHub or BitBucket so that you can easily track changes and see if code has been modified unexpectedly, indicating a possible hack.
Tools & Utilities Mentioned
- Magento’s Security Page: https://magento.com/security
- Magento Technical Resources Page: https://magento.com/tech-resources/downloads/magento
- Mage Report: https://www.magereport.com
- Applied Patches module: https://github.com/philwinkle/Philwinkle_AppliedPatches
- Patch List by Version: http://fabrizioballiano.net/magento-patches
- PCI DSS: The 30-Day Patch Rule (Optiv blog): https://www.optiv.com/blog/pci-dss-the-30-day-patch-rule