Back to the main menu
Editor’s Note: Having the latest Magento security patches installed is only the first step to keeping your web store secure. If you want to make sure your Magento solution is completely safe, ScienceSoft suggests relying on its comprehensive Magento support services.
The year 2019 was the most unpleasantly eventful for Magento security: as many as 72 vulnerabilities were uncovered during the year, 29 of them being cross-site scripting and 13 – code execution attacks. To address these vulnerabilities, Magento swiftly releases security patches. In this article, ScienceSoft explains how to install or revert the patches, and lists popular Magento scanning tools to help you make sure that you have the latest patches installed.
What are patches?
Magento releases patches for both Magento 2 (called ‘Security Updates’) and Magento 1 (called SUPEE-[Number]). Each patch is posted on Magento’s official website with a precise description of what the patch does and how critical the vulnerability it solves is.
Sometimes – mostly in case of SUPEE patches – the description lists the possible negative consequences of installing the patch as it does here. Such consequences exist because of the outdated nature of Magento 1 and its incompatibility with some of the security upgrades.
How to install Magento security patches
Magento patches aren’t installed automatically after being rolled out by Magento; it’s your own responsibility to install them. Still, whenever a patch is released, you’re notified about it via your Magento Admin Inbox. In case a released patch addresses critical vulnerabilities with high risks, the incoming message is color-coded red and marked as a “Critical Update.”
ScienceSoft recommends you to have your patches installed by the support team in charge of your managed services. For Magento practitioners, we offer detailed instructions’ below
Preparation
To install Magento patches, you need an FTP client for getting access to your web store’s file base. ScienceSoft suggests using free and reliable FTP software available for both Windows and Mac OS, for instance, Cyberduck or FileZilla.
Before you perform patch installation, make sure you back up your Magento. In the Magento Admin panel, choose ‘System’ > ‘Tools’ > ‘Backup’, select ‘System Backup’, and click ‘OK’. If you haven’t migrated to Magento 2 yet and your Magento 1 store uses compilation, you also need to disable compilation for the patching process. Don’t forget to switch it back on once you’re done.
Installation method 1: Using SSH
The SSH protocol (or Secure Shell protocol) is a remote access method that uses strong encryption and thus allows highly secure file transfer. For the SSH method, you need not only FTP but also an SSH client, which lets you manage your file base via a command line. ScienceSoft recommends using PuTTY SSH for Windows users and Terminal – for Mac users.
Once you upload the patch files on your server via FTP, open the SSH console and input the following lines:
.sh extension
sh PATCH_FILE_NAME.sh
.patch extension
patch --p0
And you’re done.
Installation method 2: Running a script
Instead of manually inputting the commands in the SSH console, you can create and run a script containing the necessary installation commands. First, use an FTP client to upload patch files to your server. Then, open any simple text editor app (WordPad, Notepad), enter the text below, and save the file as patch.php.
<?php
print("<PRE>");
passthru("/bin/bash PATCH_FILE_NAME.sh");
print("</PRE>");
echo "Done";
?>
Use FTP again to upload the php file to your core Magento folder and then run the file in your browser by adding /patch.php after your homepage index. After seeing a message that the patch was successfully installed, get back to the FTP client and delete the script file from the server.
Reverting patches
As we’ve mentioned above, some Magento patches can negatively affect your website’s functionality and even disable certain features. ScienceSoft advocates avoiding the reversion of successfully installed security patches as all of them are indispensable for keeping your store secure. In Magento 2, the patches that, for instance, break some of your third-party extensions, often point out that those extensions are sources of some of the Magento security vulnerabilities. In this case, instead of reverting the patch, we strongly recommend uninstalling the extension.
Still, sometimes you need to revert a patch that wasn’t installed properly and resulted in an error. To uninstall such a patch, use the SSH method: open the SSH console and enter the line below.
sh patch_file_name.sh -r
The ‘-r’ part performs the reversion.
How to check installed patches
At ScienceSoft, when we land a new customer, we offer a security audit to check the store for vulnerabilities. Below we’ve compiled a list of tools – from the simplest to more comprehensive ones – that may be useful for keeping track of patches or unpatched vulnerabilities.
SSH-client Command
Open an SSH console and enter the command below. The returned list will comprise all the patches that are currently installed on your Magento solution.
app/etc/applied.patches.list
The downside here, however, is that you have to compare the list you have with the list of all the released patches on your own. We recommend using this method to simply make sure that your recent installation of a patch was successful.
MageReport
This tool searches for vulnerabilities across your Magento web store and any third-party extensions you have installed on it.
Magentary
This tool automatically runs the list of your installed Magento patches against the list of those released officially and shows you the ones that you lack. Upon scanning, Magentary offers the ways of dealing with vulnerabilities and gives you the list of patches that you need to install. Unfortunately, it works for Magento 1 installations only.
Magento Security Scan Tool
An official Magento scanning tool, which is free for Magento Commerce customers. It reveals any existing security risks, points at the uninstalled patches and even reports existing unauthorized access instances.
Just patches aren’t enough
Magento patches are the basic security measure, which eliminates only the largest vulnerability risks. To fully protect your web store, you need established incident prevention processes as well as ongoing and emergency troubleshooting. ScienceSoft offers this rich package of Magento support and maintenance activities and guarantees stability, availability, and security of your Magento store 24/7.
We will not leave you alone with Magento issues. Out team will stand behind your online store and ensure its failure-free operation.
