Magento Security Patches: A Detailed Guide

When Magento releases new security patches, we often get questions from clients like why they should invest money into having those patches applied to their Magento installation. In this blog post we’ll describe the importance of the patches and emphasize their role in having your Magento website functioning properly.

Let’s begin by defining Magento security patches. In simple words, every patch is a package of modified core files that aims at fixing certain security issues that were discovered in Magento. As a rule, the latest Magento versions already include all the security fixes that are available at the date of release. Therefore, if you are currently running the latest version of Magento, most probably your website is not vulnerable and you don’t have to install any patches. However, if it’s not the latest version that you run and you have not applied all of the patches, you are likely having critical Magento website security vulnerabilities. New vulnerabilities emerge regularly, and patches are released to ensure the security of your online store. For example, there were 3 versions of SUPEE-8788 released in the last couple of weeks.

Difference Between Vulnerability and Patch

A vulnerability in Magento 2 is a security flaw or exposure that could be exploited by attackers to gain unauthorized access or cause harm. A patch, in contrast, is an update or fix released to address and resolve these vulnerabilities. Patches are essential for closing security gaps and protecting your site from potential exploits. Regularly applying these patches is a critical part of maintaining a secure Magento 2 environment.

Why should I always apply the latest patches as soon as they are released?

The primary reason is security. However, it is not just “abstract” security that we’re talking about. For example, if you don’t have a SUPEE-7405 patch installed, it means that your store is open for exploits that would allow potential attackers to gain access to your store’s admin panel and basically hijack your store.

Checking Your Magento’s Security

The Magento community has introduced several tools that enable you to check if all patches have been applied and identify other common security issues your store might face. The most popular one is Magereport. Some newer ones are Magescan and a tool from Magentary

The existence of these tools can be both helpful and harmful. It is very easy to use them, however those tools can be used not just by the store owners. Potential attackers can also easily scan any Magento website for vulnerabilities using those services and gain control of the unprotected Magento stores. Therefore, we can not stress this hard enough – all these security issues should be solved and all the patches should be installed as soon as they are released to keep your Magento store (and your whole business) protected. If you’d like to be confident in the security of your Magento store, feel free to order Magento Security Scan from Atwix.

Where can I get the latest Magento Patches?

You can see available patches for specific Magento versions at the Magento Downloads page.

How to install security patches in Magento?

Installing Magento 2 security patches involves a detailed process to ensure the security and functionality of your website:

Preparation: Begin by backing up your Magento store. This includes your database, files, and configurations. A backup ensures you can restore your site in case of any issues during the patch installation.
Applying Patch in Development Environment: Install the security patch in a development environment first. This allows you to test the patch without affecting your live store.
Testing: Thoroughly test the patched development environment. Check for any issues or conflicts that the patch may cause with your store’s existing setup, extensions, or customizations.
Deployment to Live Environment: Once you are confident that the patch works correctly in the development environment, deploy it to your live store.
Final Testing: After deploying the patch to the live environment, conduct another round of testing to ensure everything is functioning as expected. Pay close attention to the areas affected by the patch.

While installing Magento 2 security patches is a straightforward process, it is recommended for those without Magento development experience to consult a development partner. This process involves creating a backup, applying the patch in a development environment, conducting thorough testing there, and then deploying the changes to the live environment for further testing. Atwix offers specialized services for Magento security patching, ensuring that the process is handled professionally with minimal risk to your online store.

Verifying the Patch Installation in Magento 2

To verify the installation of a security patch in Magento 2, you should first check the version of your Magento to see if it reflects the patch update. Next, examine the affected files and compare them against the patch’s release notes to ensure the necessary changes have been made. It’s also important to conduct a thorough testing of your site, focusing on the areas the patch was meant to address, to confirm that the vulnerability has been effectively resolved.

Additional Steps Keep Your Store Secure

Those few simple security advices can help you keep your website safe:

The best practice is to make a security audit at least every quarter to ensure that the store code is secure, especially if you install new extensions, and make changes to the website. We regularly perform security audits for our clients, and we can do a code audit for you.
Reset your admin, SSH or other passwords at least once a quarter and always after you finish working with anyone with whom you have shared access details to your store.

That’s all for today, if you have any additional questions, about Magento security patches installation just add them in the comments below and we will be happy to answer. We wish you and your website to stay safe, have high sales and make profit :).

FAQ

How do I know which security patches are relevant to my Magento version?
Are there risks associated with applying Magento security patches?
Is it necessary to backup my store before applying Magento security patches?

You may also want to read:

Cookie	Duration	Description
__jid	1 day	Used to add comments to the website and remember the user's Disqus login credentials across websites that use said service.
cf_ob_info	past	The cf_ob_info cookie is set by Cloudflare to provide information on HTTP Status Code returned by the origin web server, the Ray ID of the original failed request and the data center serving the traffic.
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
li_gc	2 years	Linkeding cookie that stores the user's cookie consent state for the current domain
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	Google Analytics cookie. Used to identify unique users and expires after two years
_gat	1 day	Used by Google Analytics to throttle request rate
_gid	24 hours	Google Analytics cookie. Used to identify user and expires in 24 hours.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar cookie. Used to detect the first pageview session of a user. 30 minutes duration. Boolean true/false data type.
_hjFirstSeen	User session	Hotjar cookie. Identifies a new user’s first session. Used by Recording filters to identify new user sessions. Session duration. Boolean true/false data type.
_hjIncludedInPageviewSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's pageview limit. 30 minutes duration. Boolean true/false data type.
_hjIncludedInSessionSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's daily session limit. 30 minutes duration. Boolean true/false data type.
_hjRecordingLastActivity	User session	Hotjar cookie. Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes
_hjSession_2881021	30 minutes	Hotjar cookie. Holds current session data. Ensures subsequent requests in the session window are attributed to the same session. 30 minutes duration. JSON data type.
_hjSessionRejected	User session	Hotjar cookie. If present, set to '1' for the duration of a user's session, when Hotjar has rejected the session from connecting to our WebSocket due to server overload. Applied in extremely rare situations to prevent severe performance issues. Session duration. Boolean true/false data type.
_hjSessionUser_2881021	1 year	Hotjar cookie. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjTLDTest	User session	Hotjar cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
AnalyticsSyncHistory	29 days	Linkedin cookie. Used in connection with data-synchronization with third-party analysis service.
disqus_unique	1 year	Disqus cookie. Collects statistics related to the user's visits to the website, such as number of visits, average time spent on the website and loaded pages.
https://#.#/	User session	leadfeeder.com cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
juggler/event.gif	User session	Disqus cookie. Identifies the visitor across devices and visits, in order to optimize the chat-box function on the website.

Cookie	Duration	Description
aet-dismiss	User session	Disqus cookie. Necessary for the functionality of the website's comments system
drafts.queue		Disqus cookie. Necessary for the functionality of the website's comments system
lang		Linkedin cookie. Remembers the user's selected language version of a website
submitted_posts_cache	User session	Disqus cookie. Necessary for the functionality of the website's comments system

Cookie	Duration	Description
_hjRecordingEnabled	User session	Hotjar cookie. This cookie is used to identify the visitor and optimize ad-relevance by collecting visitor data from multiple websites – this exchange of visitor data is normally provided by a third-party data-center or ad-exchange.
_lfa	2 years	Leadfeeder cookie. Used to store and track audience reach and expires in 2 years.
_lfa_expiry	persistent	Leadfeeder cookie. : Contains the expiry-date for the cookie with corresponding name
_lfa_test_cookie_stored	1 day	Leadfeeder cookie. Used in context with Account-Based-Marketing (ABM). The cookie registers data such as IP-addresses, time spent on the website and page requests for the visit. This is used for retargeting of multiple users rooting from the same IP-addresses. ABM usually facilitates B2B marketing purposes
ads/ga-audiences	User session	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
badges-message	Persistent	Disqus cookie. Used for comments functionality
bcookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
bscookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
lidc	1 day	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
UserMatchHistory	29 days	Linkedin cookie. Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.