How to run a quick security check of your Magento store?
Security of any software system, let alone an eCommerce one, is becoming one of the hottest topics out there. How can you as a store owner do a free and quick security check of your Magento website, even without immediate development assistance? Read on and make sure to stay secure!
Magento has a vibrant ecosystem and a huge community of people mostly willing to help. They often provide quality insights into their own findings by sharing the knowledge, in most cases for free. So, if you are a developer or a Magento store owner, you can find many useful tools out there to help you run your businesses. One such tool allows you to put your site through a quick security check and get some good pointers into how to solve some of the identified issues.
What’s up with security of Magento shops?
Any open source system, especially one of the leading eCommerce software platforms, is open to, among others, persons and organizations that don’t have only good intentions, to put it nicely. To put it accurately, there are a lot of hackers out there who are jumping at opportunities when certain security exploits are found. Some of them are even actively creating such opportunities for themselves.
What is Magento doing?
Magento is among rarely active open source eCommerce platforms when it comes to addressing any potential security exploits. They are releasing frequent security patches that should be applied by store owners or (in most cased) their development partners as soon as possible.
What are the most important patches?
Every security patch is important, however this all started back in 2015 with the infamous Shoplift Bug and SUPEE-5344 patch. This patch came out to help with the issue which saw thousands of websites vulnerable to potential store hijacking.
So, if this patch is not applied to your store, make sure to act swiftly. Additionally, the patches you should be on the lookout are: SUPEE-7405 and SUPEE-8788. There are many more, but these specifically can cause quite a lot of issues for you and your customers.
What can you do?
If you are on the merchant side of the equation (store owner, manager, anyone handling daily operations really), you can do a quick security check of your store by simply running your website through MageReport scan. If you are a developer, well – you can do the same 🙂
What is MageReport and what is it telling me?
Here’s a snippet from their own website:
This free service gives you a quick insight in the security status of your Magento shop(s) and how to fix possible vulnerabilities. MageReport.com is made by the Magento hosting specialists of Dutch provider Byte.
Essentially, the service is looking for proof/indication that you have official Magento patches installed. It also does security check over some other more or less known threats that can be mitigated rather easily.
IMPORTANT: If you are working with the latest versions of Magento 1 and/or Magento 2 – the latest stable releases being 18.104.22.168 (CE), 22.214.171.124 (EE), 2.1.7 (CE and EE) – chances are you are pretty safe, because in the process of upgrading your team have probably patched the site already. And there is also a chance that you can get false positives/negatives from this report in some cases. Still, it doesn’t hurt to check.
What to do next?
First off, if you’re seeing mostly red or orange in your scan results, you know you’re in a bad place. Depending on which patches your store are missing and your Magento version, the security of your store data may have been compromised.
No need to panic right away, though. You should get in touch with your development team and ask them about this. As MageReport says, their report isn’t 100% accurate because they don’t have direct access to your store’s code. So, if you have a development team you trust, you should be in good hands. Simply ask them what’s the status about some of the missing patches (whether those are indeed missing). Then – work out a plan together to improve the security of your overall installation.
If you don’t have anyone actively working on or monitoring your store, you can get in touch with us directly to see how we can help.
If you’re getting mostly green results – well, hats off to you and your development team. You’re keeping the installation mostly safe and up to date with the latest security patches. Keep up the good work and don’t let new patches slide by you 🙂
Also, make sure to bookmark Magento Security center and keep your eye open on the incoming security news.
Thank you for the post. I would like to find out if there is an open source resource like Magescan, but with an in-depth report like magereport. Magereport does not seem to have an API, which makes incorporating it into an application cumbersome. I would like to scan magento websites I currently do not own (passively), and get the results on my console. Cheers
Hey Aron, nicely written post this will surely help magento store owners minimize the risk of getting their stores hacked and ultimately save time.