Installing Magento Security Patches
A Guide to Installing Magento Security Patches
By the way, we recommend picking a hosting provider that offers a managed hosting solution (like Web 2 Market!) that will automatically apply patches. Don’t assume a host will, even if they say they specialize in hosting Magento. Some of the largest names in the industry offer only bare metal hosting: they provide no security updates, admin support or email hosting.
When a security issue is identified by Magento, they’ll release a patch to secure the system. Magento sends a notification via your store (see below) to install the new patch and make your Magento store secure. The recently reported Hijack code vulnerability was originally found by Check Point, and they reported the issue to Magento.
Here is the download link:
Magento released this patch on May 14, 2015. This patch covers several vulnerabilities, one of which is the ability to download all customer data.
Magento released this patch on July 7, 2015.
This patch addresses the following security issues:
- It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. Check to see if you have been compromised by reviewing your server logs for someone trying to reach the /rss/NEW location.
- It closes a number of security gaps, including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.
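One way to run the server-log review for the /rss/NEW location described above, as an added example that is not part of the original guide. It assumes Apache/nginx "combined" format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
WATCHED_PATH = "/rss/new"  # the location named above, compared case-insensitively


def find_rss_new_hits(lines):
    """Return {client_ip: [(timestamp, status, request_target), ...]} for /rss/NEW requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # Normalize before comparing: drop the query string, decode %-escapes,
        # collapse duplicate slashes and ignore case.
        path = unquote(m["target"].split("?", 1)[0])
        path = re.sub(r"/{2,}", "/", path).lower()
        # Stores without URL rewrites serve the same route under /index.php/...
        if path.startswith("/index.php/"):
            path = path[len("/index.php"):]
        if path == WATCHED_PATH or path.startswith(WATCHED_PATH + "/"):
            hits[m["ip"]].append((m["ts"], int(m["status"]), m["target"]))
    return dict(hits)


def served(hits):
    """Clients that received a 2xx response for the watched path; review these first."""
    return sorted(ip for ip, reqs in hits.items() if any(200 <= s < 300 for _, s, _ in reqs))


# Constructed sample lines (documentation IP ranges), not taken from a real store.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2015:10:01:02 +0000] "GET /rss/NEW HTTP/1.1" 401 381 "-" "curl/7.38"
203.0.113.7 - - [08/Jul/2015:10:01:09 +0000] "GET /index.php/rss/new/ HTTP/1.1" 200 9120 "-" "curl/7.38"
198.51.100.23 - - [08/Jul/2015:10:05:44 +0000] "GET /rss/catalog/new/store_id/1/ HTTP/1.1" 200 2048 "-" "Feedly"
192.0.2.50 - - [08/Jul/2015:11:15:00 +0000] "GET //rss//new?x=1 HTTP/1.1" 403 210 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    found = find_rss_new_hits(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("answered with 2xx:", served(found))
```

To use it on a real store, pass the lines of each access log file (including rotated ones) to find_rss_new_hits instead of SAMPLE_LOG.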
There are two ways to install patches: either by using SSH or by using FTP/cPanel. Some hosting providers don’t provide SSH access for your plan. If not, you can FTP the files up to the site.
Make sure all caches are disabled from Cache Management in your store before installing patches.
Make sure compilation has been disabled in your store before installing patches. If you haven’t disabled the compiler and installed the patch, test everything and run the compiler again. The compiler must be run in order for the patches to take effect.
1. Verify your Magento version:
- There are two ways to determine which version of Magento you are currently using:
- Go to Admin Panel and check the footer of Magento backend:
- Enter the shell command to find out which Magento version you have (when under the Magento root directory):
2. Download the patch according to your Magento version:
3. Upload the patch file to the root of your Magento site.
4. Make one file with the name of patch.php, and write the following code in it:
The name should be PATCH_SUPEE-5344.sh
You should see the screen below once you run patch.php from the browser. If you get an error like this:
5. When the process is complete, remove the security patch files from your store.
6. Look for Unauthorized Access:
- Check that there is no unauthorized account access in the list.
- If you find an unauthorized account in the list, click the Delete User button.
7. Clear the Magento Cache:
8. Recompile the Magento Store:
Click the Run Compilation Process button.
9. Restart the server.
1. Upload the patch files in the root:
2. In the SSH console, run the command as follows.
Then enter: sh PATCH_SUPEE-5344.sh
3. Clear the Cache:
Refresh your cache from the Magento admin. Don’t forget to refresh your opcode or APC cache as well! (If not done, this can create issues later.)
4. Go to the Admin Panel and look for unauthorized access:
Click System->Users
Verify that there are no unauthorized user accounts in the list.
If you find an unknown user account in the list, click to open the account. Then, click the Delete User button.
5. Enter Cache Management and click the button to flush the Magento cache.
6. After that, recompile your Magento store:
And run the compilation process.
7. After that, go to your SSH connection window and gracefully restart your server.
Type the following command to restart your server:
8. Close your SSH connection session.
Taking the steps necessary to update and maintain your Magento CMS is important to maintain the security of your store. If you need help with installing these patches, or any other development services, contact our Web2Market specialists today through the Contact Us page on our website. We’d be glad to help.