Last update: Jan 20, 2016
In this article we will accumulate several most important tips, which will help you to keep your Magento installation (and your customers data too) secure and safe from hackers attacks.
How to make sure that your Magento store is secure?
Magento released a set of security patches for both Magento Community and Magento Enterprise editions recently.
The steps below are really easy, any Magento store owner can use it for security diagnostic purposes.
Step 1. Automatic Magento security scanner.
There is a good on-line tool directly from Magento and their partner Byte company, so try it first.
- Open the Magento security scanner at http://magereport.com/
- Enter your store URL in the appropriate field and click GO button.
In the end of the test process you will see the security report. Please note that it is not an universal security detector, it tests your store only for most important set of vulnerabilities (The Remote Code Execution).
In order to make your store really secure and safe, you also need to follow other steps from this article.
Step 2. Make sure that all Magento security patches are applied.
The list of recent security patches for Magento Community are available here. Security patches for Magento Enterprise are available in your Magento Enterprise portal, also it is available for official Magento partners.
Here is a list of all security patches available for Magento Community at the moment:
|Patch||Magento CE 1.4.||Magento CE 1.5.||Magento CE 1.6.||Magento CE 1.7.||Magento CE 1.8.||Magento CE 1.9.||Comment|
(Jan 17, 2014)
|-||-||+||+||+||-||Addresses a security issue and CMS problems when using symlinks (188.8.131.52 - 184.108.40.206.).|
(Oct 3, 2014)
|+||+||+||+||+||+||Addresses two potential remote code execution exploits (220.127.116.11 - 1.9.x).|
(Feb 9, 2015)
|+||+||+||+||+||+||Addresses a potential remote code execution exploit (18.104.22.168 - 1.9.x).|
(May 14, 2015)
|+||+||+||+||+||+||This patch addresses multiple security vulnerabilities in Magento CE, including issues that can put customer information at risk (22.214.171.124 - 126.96.36.199).|
(Jul 7, 2015)
|+||+||+||+||+||+||This patch provides protection against several types of security-related issues, including information leaks, request forgeries, and cross-site scripting (188.8.131.52 - 184.108.40.206).|
(Aug 4, 2015)
|+||+||+||+||+||+||This patch addresses two issues related to APIs and two cross-site scripting risks (1.4.0.x - 220.127.116.11).|
(Oct 27, 2015)
|+||+||+||+||+||+||This patch provides protection against several types of security-related issues, including remote code execution, information leaks and cross-site scripting. (1.4.0.x - 18.104.22.168).|
(Jan 20, 2016)
|+||+||+||+||+||+||This patch provides protection against several types of security-related issues, including information leaks and cross-site scripting. (1.4.0.x - 22.214.171.124).|
There is a comprehensive PDF guide about patches applications, you can find it here Installing-a-Patch-for-Magento-Community-Edition.pdf.
Step 3. Make sure that your Magento is upgraded to the latest version.
It is quite important to keep your Magento updated and patched.
Magento 1.3.x: There is no security patches for Magento 1.3.x, it is too old to be supported, and it is highly recommended to upgrade it.
Magento Professional: There is no security patches for Magento Professional, it is highly recommended to upgrade it to Magento Community edition or apply specially prepared patches (patches changed by developers for unsupported versions).
More information about upgrade process is available in our blog, in the Magento Upgrade Guide article.
Step 4. Scan your web server using anti-virus software.
Run a tool to check for viruses and trojans, like ChkRootkit and ClamAV on your server.
Also as a solution you can compare all Magento files of your project with your code SVN repository or staging server, for suspicious files.