Magento security – have you checked whether a security update is available for your Magento store? Are you confident that your customers can shop in your online store without fear of their personal data, and in particular their payment information, going astray? In my job at Session we have a big focus on e-commerce and Magento security, as we continuously check whether our clients' sites have the latest patches applied and look for potential security holes.
I have done some research on Magento stores in the UK, and sadly many ecommerce stores have large and well-known security holes, which means sensitive data can easily go astray. Most of these Magento stores have appointed Magento agencies that they trust to keep their store safe and updated with all security patches. I recently used services such as magescan.com and magereport.com to check the Magento security of various well-known brands using Magento in the UK. The results are alarming, and below are the biggest security holes I found.
Security issues that were found:
- A feed of recent orders is publicly available, exposing customer and order data
- Database dumps are freely available and can easily be downloaded
- A CSV export of the entire product catalog is freely available and can be downloaded
- Error logs are publicly available
- The PHP version is in some cases as old as 5.3, which has many security holes and is no longer supported by PHP. As of today, you should upgrade to at least 5.6 to keep receiving security updates (PHP 5.5 is still supported up to 16 July 2016)
- The Magento version is old and no longer supported by Magento with security updates
- Critical security updates from Magento have not been installed
These are critical security holes that many Magento stores should act on as soon as possible, as they run the risk of sensitive data falling into the wrong hands. Several of the critical security patches address holes that have either already been exploited in other stores or were discovered before anyone took advantage of them. However, now that these patches have been published and made public, it is easy for a hacker to try to exploit unpatched Magento stores.
Magento Security – What You Should Do
If you own or work for a business with a Magento store, then you should check your site with magereport.com and/or magescan.com. If these two services report problems, then you should contact your provider, whether it is an agency, developer or web hosting company. They should be able to help you fix these security issues as soon as possible.
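The external scanners above work from the outside; the script below is an added example (not from this article or from Magento) of the complementary checks an operator can run on the store's own server against the findings listed above: the PHP version against the 5.6 minimum, which Magento security patches are recorded as applied, and whether the var/ directory (where dumps, exports and logs live) still carries its deny-all .htaccess. It assumes a Magento 1 layout in which applied patches are logged to app/etc/applied.patches.list with the patch id as the second pipe-separated field, and it uses a constructed sample of that file; the .htaccess check only applies to Apache (nginx needs an equivalent location rule).

```shell
#!/bin/sh
# Operator self-check for a Magento 1 store. Assumptions (not from the article):
# applied patches are listed in app/etc/applied.patches.list, one per line,
# with the SUPEE id as the second '|'-separated field.

# Return 0 (true) when a PHP version string is below the 5.6 minimum.
php_version_unsupported() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; }
}

# Print the SUPEE patch ids recorded in an applied.patches.list file, sorted, one per line.
applied_supee_patches() {
    awk -F'|' '/SUPEE-/ { gsub(/ /, "", $2); print $2 }' "$1" | sort -u
}

# Return 0 when the given patch id appears in the list file.
patch_applied() {
    applied_supee_patches "$1" | grep -qx "$2"
}

# Return 0 when <docroot>/var/.htaccess still denies web access (Apache only).
# Without it, database dumps, CSV exports and error logs under var/ may be public.
var_dir_protected() {
    grep -qi 'deny from all' "$1/var/.htaccess" 2>/dev/null
}

# Constructed sample of applied.patches.list in the assumed format (not real server data).
write_sample_patch_list() {
    cat > "$1" <<'EOF'
2015-10-28 14:02:11 UTC | SUPEE-6788 | CE_1.9.2.1 | v1 | 0000aaaa | Tue Oct 27 2015 | CE_1.9.2.1 | constructed sample
2016-02-01 09:15:40 UTC | SUPEE-7405 | CE_1.9.2.1 | v1 | 0000bbbb | Fri Jan 29 2016 | CE_1.9.2.1 | constructed sample
EOF
}

# Demonstration: report on the running PHP version and the constructed patch list.
if command -v php >/dev/null 2>&1; then
    v=$(php -r 'echo PHP_VERSION;')
    php_version_unsupported "$v" && echo "PHP $v is below 5.6: no security updates" || echo "PHP $v ok"
fi
sample=$(mktemp)
write_sample_patch_list "$sample"
echo "Applied patches:"; applied_supee_patches "$sample"
for p in SUPEE-7405 SUPEE-0000; do   # SUPEE-0000 is a placeholder for a patch not yet applied
    patch_applied "$sample" "$p" && echo "$p applied" || echo "$p MISSING"
done
rm -f "$sample"
```

Run it with the store's document root as the working directory and pass `var_dir_protected /path/to/docroot` to check the var/ rule on Apache hosts.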
It is worth knowing that when I checked the sites, almost all the Magento stores developed or maintained by the most reputable Magento agencies were up to date and secure. There were a few exceptions; however, overall most issues were found on sites developed and maintained by less reputable agencies or non-Magento specialists.
Magento posted a blog post about Magento security that is worth reading. If any of you are unsure of what needs to be done to secure your store, then please contact me on Twitter at @wethinkcommerce or at [email protected]
Here are some useful links:
- Magento Community – security update for Magento 1.x
- Magento Security News – follow this blog for the latest news about security
- Magento Security Best Practice – useful blog post on securing your Magento online store
- Session Digital Blog – Paal Soberg – my blog posts at Session Digital
Paal Soberg is an experienced eCommerce professional who specialises in the Magento eCommerce platform. He is a Magento (1 & 2) Certified Solution Specialist and currently works as an eCommerce Solution Consultant at Inviqa.