Magento releases regular patches that contain bug fixes, security updates and other improvements, but what are they, why are they needed, and what happens if your site isn't patched?
To be notified about patches, store owners and developers can sign up for email updates from Magento. Magento also provides lots of useful information in its Security Center on the latest patches, security updates and best practices.
What are patches?
Patches are official packages of modified core files released by Magento to fix recently discovered bugs or security issues. The Magento community is active, and a wide range of users help find issues, which are then fixed by developers and released as patches ready for site owners to deploy to their sites.
When patches are released it's important that they are applied as soon as possible, not only because they fix security issues that already exist, but also because those issues are now publicly known. Once a patch is released the good guys know about the issue and how to fix it, but the bad guys know too and can look for vulnerable stores to exploit.
How do I know if my Magento site needs patching?
Many tools have been released by the Magento community to help detect missing patches, but the go-to tool for most people is MageReport. As the name suggests, MageReport scans your Magento site and reports on any potential security issues and missing patches. The report details which patches are missing, as well as server or Magento configuration issues that should be investigated, and gives the site a risk status of Low, Medium or High. From our own research using MageReport, we have found that around 65% of Magento 1 stores are currently missing patches and are categorised as High risk.
As well as tools from the community, Magento has official scanning and monitoring tools in its Security Center. Store owners or developers can set up the Magento security scanner to run on a schedule and report its findings by email. With an automated tool like this running in the background there's no excuse for missing patches.
Just as a patch release tells the bad guys what they can exploit, these scanners are also very useful to potential attackers, who can easily scan any Magento website for vulnerabilities. This is another reason why it's so important to take issues seriously and install patches when they are released.
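External scanners such as MageReport look at a store from the outside; developers with shell access can also check from the inside. The script below is an added example (not MageReport's code or Magento's) that reads the patch log the Magento 1 patch scripts append to and reports which required patches are absent. The log path, the pipe-separated line format with the patch id in the second field, the REVERTED marker and the patch ids are all assumptions or constructed placeholders; compare them against your own install before relying on the result.

```python
"""Report which required Magento 1 patches are missing from the applied-patch log.

Assumptions (added example, not Magento's own tooling): the log is a text
file of pipe-separated lines with the patch id in the second field, and a
later line carrying REVERTED cancels an earlier application of that patch.
"""
from __future__ import annotations

# Constructed sample log (placeholder patch ids, not a real store's file).
SAMPLE_LOG = """\
2015-02-27 14:14:05 UTC | SUPEE-1001 | CE_1.9.1.0 | v1 | abc123 | applied
2015-05-20 09:01:17 UTC | SUPEE-1002 | CE_1.9.1.0 | v1 | def456 | applied
2015-07-08 16:45:02 UTC | SUPEE-1003 | CE_1.9.1.0 | v1 | 789abc | applied
2015-07-09 10:12:33 UTC | SUPEE-1003 | CE_1.9.1.0 | v1 | 789abc | REVERTED
"""

# Constructed list of patches the store is expected to carry (placeholders).
REQUIRED_PATCHES = ["SUPEE-1001", "SUPEE-1002", "SUPEE-1003", "SUPEE-1004"]


def load_log(path: str) -> str:
    """Read the log; a store that has never been patched simply has no file."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def applied_patches(log_text: str) -> set[str]:
    """Return patch ids currently applied; REVERTED lines undo earlier ones."""
    applied: set[str] = set()
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 2 or not fields[1]:
            continue  # blank or malformed line, skip it
        patch_id = fields[1]
        if "REVERTED" in fields[2:]:
            applied.discard(patch_id)
        else:
            applied.add(patch_id)
    return applied


def missing_patches(log_text: str, required: list[str]) -> list[str]:
    """Required patches not present in the log, in the order given."""
    present = applied_patches(log_text)
    return [p for p in required if p not in present]


if __name__ == "__main__":
    # Assumed log path; replace with the real one on your server.
    text = load_log("app/etc/applied.patches.list") or SAMPLE_LOG
    print("Missing patches:", missing_patches(text, REQUIRED_PATCHES))
```

Run it on a server and an empty result means every listed patch is recorded as applied; anything else is what to hand to your development agency.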
Where can I get the latest patches and how do I apply them to my site?
The latest patches can be found along with all Magento versions on the Downloads page of the official Magento website.
Patches can be applied in a few different ways, but this is really a job for developers experienced with the Magento platform. We would not recommend installing these patches yourself if you're not a Magento developer; instead you can use tools like MageReport to check your site and send details of any missing patches or security issues to your development agency.
Installing a patch is straightforward for those who know how: it is usually a case of downloading and applying the patch locally, then testing on a development or staging environment before applying it to production. Another way to ensure all patches are installed is to upgrade to the latest Magento version, as new versions of the platform are released alongside patches. At Attach this is our preferred method, as we manage the code for all our sites through git repositories and install Magento through composer, a PHP package manager, in order to implement zero downtime deployments.
How else can I keep my Magento store secure?
Aside from Magento patches, it's also important to make sure the server your site runs on is up to date with security patches. Most servers can update themselves in the background, but it's best to check this with your host or development agency. Your Magento store may have the best protection, including all security patches, but if the server is not secure it can be an easy backdoor into your site.
In addition to the more technical aspects of website security, there are a few things store owners can easily implement themselves. For admin users it's important that strong passwords are used, that each person has their own separate account, and that admin roles are used to restrict which parts of the admin each user can access.
- Check your Magento store on MageReport
- Sign up to receive security updates from Magento
- Read up on security best practices from the Security Center
- Review admin accounts and roles on your Magento store