Magento Security – how many times have you checked whether a security update is available for your online store? Are you confident that your customers can shop in your online store without fear of their personal data, and especially their payment information, going astray? In my job at Session Digital we have a strong focus on online shopping and Magento security: we actively search for potential security holes and make sure that software is kept current with security updates. Unfortunately, it seems that many online stores in Norway have large and well-known security holes, which means that sensitive data can easily go astray. Most of these online shops are probably unaware that these holes exist and trust that their web agencies, web hosts and developers keep the online shop up to date and safe. I have recently used services such as magescan.com and magereport.com to take random samples of many Norwegian Magento online stores. The results are alarming, and below are the biggest security holes I found.
Security holes that were found:
- A feed of recent orders is available and I can see customer and order data
- Database dump is freely available and can be easily downloaded
- A CSV with an export of the entire product catalog is freely available and can be downloaded
- Error logs are available
- The PHP version is in some cases as old as 5.3, which has many known security holes and is no longer supported by the PHP project. As of today you should upgrade to at least 5.6 to keep receiving security updates (PHP 5.5 is still supported until 16 July 2016)
- The Magento version is old, and no longer supported by Magento for security updates
- Critical security updates from Magento have not been installed
These are gross security holes that many Magento online stores should address as soon as possible, since they risk sensitive data ending up in the wrong hands. Several of the critical security updates fix security holes that have either already been exploited in some online stores, or were discovered before anyone exploited them. But now that these updates have been published and made public, it is easy for a hacker to try to exploit them in online stores that have not applied them.
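For operators who want to check their own server before or after running the online scanners, here is an added self-audit script that is not part of the original post and not Magento's own code. Run it on the store's host against the document root; it flags database dumps and CSV exports left inside the web root, a var/ directory that lacks the Deny-from-all .htaccess Magento 1 ships with (Apache only; nginx deployments need an equivalent location rule), and a PHP interpreter below the 5.6 minimum named above. The standard Magento 1 layout (var/export/, var/.htaccess) is assumed.

```shell
#!/bin/sh
# Local self-audit for a Magento 1 document root (added example, not from the post).
# Usage on the store's own server:  ./magento_audit.sh /var/www/shop
# Assumes the standard Magento 1 layout: exports in var/export/, logs in var/log/.

MIN_PHP_MAJOR=5
MIN_PHP_MINOR=6   # the post's minimum: "upgrade to at least 5.6"

# Print one finding per line; empty output means nothing was flagged.
# Review each hit: an old backup.sql.gz in the web root is downloadable by anyone.
audit_webroot() {
    root="$1"
    # 1. Database dumps anywhere under the web root.
    find "$root" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.zip' \) \
        | sed 's/^/DB_DUMP_IN_WEBROOT: /'
    # 2. Product catalog exports left in var/export/ (where Magento 1 writes them).
    if [ -d "$root/var/export" ]; then
        find "$root/var/export" -type f -name '*.csv' | sed 's/^/EXPORT_IN_WEBROOT: /'
    fi
    # 3. var/ must keep the "Deny from all" .htaccess Magento ships with (Apache);
    #    without it, system.log and exception.log are fetchable by URL.
    if [ -d "$root/var" ] && ! grep -qis 'deny from all' "$root/var/.htaccess"; then
        echo "VAR_NOT_PROTECTED: $root/var has no 'Deny from all' .htaccess"
    fi
    return 0
}

# Compare a PHP version string such as "5.3.29" against the minimum; prints OK or OUTDATED.
php_version_status() {
    ver="$1"
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" -gt "$MIN_PHP_MAJOR" ] || \
       { [ "$major" -eq "$MIN_PHP_MAJOR" ] && [ "$minor" -ge "$MIN_PHP_MINOR" ]; }; then
        echo OK
    else
        echo OUTDATED
    fi
}

# When run directly with a document root, audit it and report the local PHP version.
if [ -n "$1" ]; then
    audit_webroot "$1"
    phpver=$(php -r 'echo PHP_VERSION;' 2>/dev/null || echo 0.0)
    echo "PHP $phpver: $(php_version_status "$phpver")"
fi
```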
Magento Security – What You Should Do
If you own or work for a business with a Magento online store, you should check the website with magereport.com and/or magescan.com. If these two services report problems, you should immediately contact your supplier, whether it is an agency, a developer or a web host. They should be able to help you fix these security holes as soon as possible. It is worth knowing that when I checked the pages, most of the online stores operated by the larger players and suppliers in Norway were updated and secured. There were a couple of exceptions, but for the most part the security holes are in online stores that have probably been supplied by a smaller player or a freelance developer. Earlier this year, Magento wrote a blog post about Magento Security that is worth reading. If anyone is unsure about what should be done, just contact me at email@example.com. Here are some useful links: