Magento Security Patches. Why should you install them?

When Magento releases new security patches, we often get questions from clients like why they should invest money into having those patches applied to their Magento installation. In this blog post we’ll describe the importance of the patches and emphasize their role in having your Magento website functioning properly.

Let’s start with the definition of what Magento security patches are. In simple words, every patch is a package of modified core files that aims at fixing certain security issues that were discovered in Magento. As a rule, the latest Magento versions already include all the security fixes that are available at the date of release. Therefore, if you are currently running the latest version of Magento, most probably your website is not vulnerable and you don’t have to install any patches. However, if it’s not the latest version that you run and you have not applied all of the patches, you are likely having critical security vulnerabilities. Though new vulnerabilities appear all the time and patches are released to help keep your online store secure. For example, there were 3 versions of SUPEE-8788 released in the last couple of weeks.

Why should I always apply the latest patches as soon as they are released?

The primary reason is security. However, it is not just “abstract” security that we’re talking about. For example, if you don’t have a SUPEE-7405 patch installed, it means that your store is open for exploits that would allow potential attackers to gain access to your store’s admin panel and basically hijack your store.

How can I check if my Magento is secure?

Magento community came up with few tools that allow you to check whether all of the patches have been applied and what other common security issues your store might have. The most popular one is Magereport. Some newer ones are Magescan and a tool from Magentary

Existence of those tools is both helpful and harmful. It is very easy to use them, however those tools can be used not just by the store owners. Potential attackers can also easily scan any Magento website for vulnerabilities using those services and gain control of the unprotected Magento stores. Therefore, we can not stress this hard enough – all these security issues should be solved and all the patches should be installed as soon as they are released to keep your Magento store (and your whole business) protected. If you’d like to be confident in the security of your Magento store, feel free to order Magento Security Scan from Atwix.

Where can I get the latest Magento Patches?

You can see available patches for specific Magento versions at the Magento Downloads page.

How to install security patches in Magento?

We would not recommend installing those patches yourself if you’re not a Magento developer. Just contact your development partner and ask them to check if you have all the patches applied. Applying patches is normally a pretty straightforward process that mainly consists of making a backup, installing a patch to the development environment, testing development environment, releasing changes to the live environment and testing again.

What else can I do to keep my store secure?

Those few simple security advices can help you keep your website safe:

  • The best practice is to make a security audit at least every quarter to ensure that the store code is secure, especially if you install new extensions, and make changes to the website. We regularly perform security audits for our clients, and we can do a code audit for you.
  • Reset your admin, SSH or other passwords at least once a quarter and always after you finish working with anyone with whom you have shared access details to your store.

That’s all for today, if you have any additional questions, just add them in the comments below and we will be happy to answer. We wish you and your website to stay safe, have high sales and make profit :).

You may also want to read: