Installing Magento Security Patches

A Guide to Installing Magento Security Patches

We’ve seen many Magento sites get hacked, with dire consequences. Aside from angry customers, merchants are faced with the difficult and expensive task of removing all the malicious code. It’s much easier to apply patches as they are released than to clean up the mess afterwards.

By the way, we recommend picking a hosting provider that offers a managed hosting solution (like Web 2 Market!) that will apply patches for you. Don’t assume a host will, even if they say they specialize in hosting Magento: some of the largest names in the industry offer only bare-metal hosting, with no security updates, admin support or email hosting.

When Magento identifies a security issue, they release a patch to secure the system and send a notification to your store (see below) asking you to install it. The recently reported Hijack code vulnerability was originally found by Check Point, who reported the issue to Magento.

Here we will provide descriptions of the following patches:

SUPEE 5344
SUPEE 1533
SUPEE 5994
SUPEE 6285

PATCH_SUPEE-5344.sh or PATCH_SUPEE-1533.sh: Magento released the SUPEE-5344 security patch on February 9, 2015, and asked store owners to download it, apply it first on a test or staging environment, and only then apply it to the live store.

Here is the download link :
www.magentocommerce.com/products/downloads/magento/

SUPEE 5994:

Magento released this patch on May 14, 2015. It covers several vulnerabilities, one of which allowed all customer data to be downloaded.

SUPEE 6285:

Magento released this patch on July 7, 2015.

This patch addresses the following security issues:

  • It prevents attackers from posing as administrators to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. Check whether you have been compromised by reviewing your server logs for anyone trying to reach the /rss/NEW location.
  • It closes a number of security gaps, including cross-site scripting (XSS), cross-site request forgery (CSRF) and error path disclosure vulnerabilities.
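The log review mentioned in the first bullet, as an added example that is not part of this guide or of Magento: a POSIX shell function that scans a combined-format access log for requests to the new orders feed. It matches the /rss/NEW spelling used above as well as /rss/order/new, the route Magento 1 serves that feed on. The log lines written by sample_access_log are constructed for the example; on a real server you would point rss_probe_hits at your Apache or nginx access log instead (the /var/log path in the comment is an assumption).

```shell
#!/bin/sh
# Added example (not from the guide or from Magento): find probes of the
# Magento 1 "new orders" RSS feed that SUPEE-6285 protects.  Matches the
# /rss/NEW spelling from the advisory text and /rss/order/new, the route
# Magento uses for that feed.  The sample log lines below are constructed.

# Print "count client path status" for each offending request, grouped by
# client, path and status, most frequent first.  Returns 1 when anything
# matched and 0 when the log is clean, so it can gate a cron job or a
# post-patch check.
rss_probe_hits() {
    out=$(awk '
        {
            # combined log format: $1 client, $7 request path, $9 HTTP status
            path = $7; status = $9
            if (tolower(path) ~ /^\/rss\/(order\/)?new/) {
                hits[$1 " " path " " status]++
            }
        }
        END { for (k in hits) print hits[k], k }' "$1" | sort -rn)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Writes constructed sample lines to the file named in $1: two requests to
# the feed from one client that were answered with 200 (the feed contents
# went out), an unrelated cart request, and one probe of the /rss/NEW
# spelling that got a 404.
sample_access_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [07/Jul/2015:10:02:11 +0000] "GET /rss/order/NEW HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jul/2015:10:02:14 +0000] "GET /rss/order/NEW HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Jul/2015:10:05:00 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 8011 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jul/2015:10:06:30 +0000] "GET /rss/NEW HTTP/1.1" 404 310 "-" "curl/7.38.0"
EOF
}

# Demo against the constructed sample.  On a live server use something like
# rss_probe_hits /var/log/apache2/access.log (path assumed; adjust to yours).
log=$(mktemp)
sample_access_log "$log"
if rss_probe_hits "$log"; then
    echo "no feed probes found"
else
    echo "feed probes found: review those clients and confirm SUPEE-6285 is applied"
fi
rm -f "$log"
```

A 200 on that path from an address you do not recognise, dated before the patch went on, means the feed contents were served and the orders in it should be treated as exposed. After patching, an unauthenticated request to the feed should be refused rather than answered with a 200, so rerunning the scan over newer log entries also tells you whether the patch took effect.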

Installation Steps for these Patches:
Time is of the essence, so we suggest you install these patches immediately.

There are two ways to install patches: using SSH, or using FTP/cPanel. Some hosting plans don’t include SSH access; if yours doesn’t, you can FTP the files up to the site.

Cache Management:

Make sure all caches are disabled from Cache Management in your store before installing patches.

Compilation:

Make sure compilation has been disabled in your store before installing patches. If you applied the patch while the compiler was still enabled, test everything and then run the compiler again: with compilation on, Magento executes the compiled copies under includes/src rather than the files the patch changed, so the compiler must be re-run for the patch to take effect.

1. Verify your Magento version:

    There are two ways to determine which version of Magento you are currently using:

  • Go to the Admin Panel and check the footer of the Magento backend, where the version is shown:
  • From the Magento root directory, run the shell command that prints the Magento version:
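Before running a patch script it is worth checking, in one place, the things this guide asks for: that the patch tool the script needs is installed (the missing-tool error shown in step 4 comes from exactly that), which Magento version is installed, that the compiler is off, and whether the patch is already recorded as applied. The following is an added example, not code from the guide or from Magento. It assumes the stock Magento 1.x file layout (app/Mage.php, includes/config.php and app/etc/applied.patches.list, which the patch scripts append to); the REVERTED marker it looks for is an assumption about how the scripts record a reverted patch.

```shell
#!/bin/sh
# Added example (not from the guide or from Magento): pre-flight checks to
# run from the store root before launching a PATCH_SUPEE-*.sh script.
# Assumes the stock Magento 1.x layout (app/Mage.php, includes/config.php,
# app/etc/applied.patches.list).  The "REVERTED" marker checked below is an
# assumption about how the patch scripts record a reverted patch.

# The patch scripts shell out to these tools; a missing "patch" binary is
# what produces the "Tool(s) patch is (are) missed" error quoted in step 4.
required_tools_present() {
    for tool in patch sed grep awk; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
    done
}

# Version as Mage::getVersionInfo() reports it, read from the PHP source so
# it works even where no php CLI is available.
magento_version() {
    mage="$1/app/Mage.php"
    [ -f "$mage" ] || { echo "no app/Mage.php under $1" >&2; return 1; }
    version=""
    for key in major minor revision patch; do
        part=$(sed -n "s/.*'$key'[[:space:]]*=>[[:space:]]*'\([0-9]*\)'.*/\1/p" "$mage" | head -n 1)
        version="$version${version:+.}$part"
    done
    echo "$version"
}

# Magento turns the compiler on by uncommenting the COMPILER_INCLUDE_PATH
# define in includes/config.php.  With it on, the copies under includes/src
# are what gets executed, so a patch applied to app/code changes nothing
# until compilation is re-run.
compiler_enabled() {
    cfg="$1/includes/config.php"
    [ -f "$cfg" ] && grep -Eq "^[[:space:]]*define\('COMPILER_INCLUDE_PATH'" "$cfg"
}

# Every successful patch run appends a line to app/etc/applied.patches.list
# with the patch name as the second "|"-separated field.  The last line for
# a name wins; prints "applied", "reverted" or "missing".
patch_state() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] || { echo "missing"; return 0; }
    awk -F'|' -v name="$2" '
        {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2)
            if ($2 == name) state = ($0 ~ /REVERTED/) ? "reverted" : "applied"
        }
        END { if (state == "") state = "missing"; print state }' "$list"
}

patch_applied() { [ "$(patch_state "$1" "$2")" = "applied" ]; }

# Run all checks for one patch; returns 0 only when it is safe to run the script.
preflight() {
    root="$1"; name="$2"; ok=0
    required_tools_present || ok=1
    echo "Magento version: $(magento_version "$root" || echo unknown)"
    if compiler_enabled "$root"; then
        echo "compiler is ENABLED: disable it under System > Tools > Compilation first"
        ok=1
    fi
    case $(patch_state "$root" "$name") in
        applied)  echo "$name is already applied; nothing to do"; ok=1 ;;
        reverted) echo "$name was applied and later reverted; apply it again" ;;
        missing)  echo "$name not yet applied" ;;
    esac
    return $ok
}

# Usage, from the Magento root with the patch script uploaded alongside:
#   preflight . SUPEE-6285 && sh PATCH_SUPEE-6285.sh
```

Where the php CLI is available, php -r 'require "app/Mage.php"; echo Mage::getVersion();' run from the store root prints the same version string. Keeping the applied-patch check separate from the version check matters because the same Magento version can be on either side of a patch, which the footer alone never tells you.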

2. Download the patch according to your Magento version:

When you receive the notification in your Magento store, click the Details link to open the Magento Community Edition download page.

Scroll down to the Download tab, go to the Magento Community Edition Patches section, then find the patches that need to be installed. For example:
SUPEE-5344
SUPEE-1533

Select the patch you want to install and download.

3. Upload the patch file to the root of your Magento site.

4. Make one file with the name of patch.php, and write the following code in it:

Replace the patch file name in it with the name of the script you uploaded, upload patch.php to the root and open it from the browser:

For this patch the name should be PATCH_SUPEE-5344.sh

You should see the patch script’s output once you run patch.php from the browser. If instead you get an error like this:

“Error! Some required system tools, that are utilized in this sh script, are not installed; Tool(s) “patch” is (are) missed, please install it(them).”
… it means the system tools the .sh script needs (the patch utility) aren’t installed on your server. The script needs them whether you launch it from patch.php or over SSH, so contact your hosting provider and ask them to install the missing tools.

5. When the patch has been applied, remove patch.php and the PATCH_SUPEE-*.sh file from your web root. Both are reachable from the browser, and patch.php runs a shell script on request, so they must not stay on the live site.

6. Look for Unauthorized Access:

Go to the Admin Panel and click System->Users, then do the following:

  • Check that there is no unauthorized account in the list.
  • If you find an unauthorized account in the list, open it and click the Delete User button.

7. Clear the Magento Cache:

Select System->Cache Management, then click the Flush Cache Storage button.

8. Recompile the Magento Store:

Select System->Tools->Compilation
Click the Run Compilation Process button.

9. Restart the web server.

Using SSH:

You can install the patch with SSH as well. If you don’t know how to set up SSH, contact your hosting provider.

1. Upload the patch files in the root:

2. In the SSH console, change to the Magento root directory and run the patch script. For a .sh file, enter:

sh PATCH_SUPEE-5344.sh

3. Clear the Cache:
Refresh your cache from the Magento admin. Don’t forget to reset your opcode cache (OPcache or APC) as well: a stale opcode cache keeps serving the old, unpatched PHP and can create issues later.

4. Go to the Admin Panel and look for unauthorized access:
Click System->Users

Verify that there are no unauthorized user accounts in the list.
If you find an unknown user account in the list, click to open the account. Then, click the Delete User button.

5. Enter Cache Management and click the button to flush the Magento cache.

6. After that, recompile your Magento store:

Go to System->Tools->Compilation
And run the compilation process.

7. After that, go to your SSH connection window and gracefully restart your web server.

Using Debian / Ubuntu Linux commands:
Type the following command to restart your server:
apache2ctl graceful
OR
sudo apache2ctl graceful
If you’re using CentOS / Red Hat / RHEL / Fedora Linux:
apachectl -k graceful
OR
sudo apachectl -k graceful

8. Close your SSH connection session.

Testing your Site After Install
Make sure to check your store for vulnerabilities after the patch installation process is complete. Magento’s Security Patch page provides a list of signs to look for to determine whether or not your store is compromised.

magento.com/security-patch

Enter your store’s URL, click ‘TEST’ and confirm your patch installation was successful.
Taking the steps necessary to update and maintain your Magento installation is important to maintaining the security of your store. If you need help installing these patches, or with any other development services, contact our Web2Market specialists through the Contact Us page on our website. We’d be glad to help.