All software has security holes in it, and Magento, the e-commerce software and platform, is no different. That doesn't make Magento a bad platform: if it were, why would more than 1 in 4 e-commerce sites use it?
If anything, its popularity is the reason it was recently hit by the widely publicised and severe 'Shoplift' vulnerability. WordPress went the same way: the dominant blogging platform became a target precisely because millions of sites around the world run it, and it now receives security updates as routinely as Windows receives its monthly patches. After all, if you're going to hunt for holes in a platform, or break into one, you pick one that is widely used, and better still one that holds more valuable information than blog articles. Which explains the target on Magento's back.
Are site owners taking security threats seriously?
Shoplift (patched by SUPEE-5344) was the first major security threat to Magento and, although the patch was released in February, it was not until Check Point's public disclosure in April that Magento began actively notifying store owners. The result was that many sites were attacked within hours of the disclosure.
Magento's handling of the situation aside, what amazes me more is the attitude many site owners have taken to the threat. I can only assume that they simply don't understand its severity or its implications.
Some 47% of all UK Magento sites are still unpatched, equating to 20% of all e-commerce sites in the UK. That means that even at the time of writing there are still over 70,000 sites vulnerable to the original Shoplift threat, a number of which will be multimillion-pound turnover organisations.
You can check whether your site has been patched here.
What are the risks?
I dread to think how many have not yet applied the new security patch bundle (SUPEE-5994), which was released just over a week ago and which fixes the following issues:
- Admin Path Disclosure
- Customer Address Leak through Checkout
- Customer Information Leak through Recurring Profile
- Local File Path Disclosure Using Media Cache
- Spreadsheet Formula Injection
- Cross-site Scripting Using Authorize.Net Direct Post Module
- Malicious Package Can Overwrite System Files
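One item in that list, spreadsheet formula injection, is worth seeing in code: a store exports orders or customers to CSV, staff open the file in Excel or LibreOffice, and a customer-supplied field that begins with `=`, `+`, `-`, `@`, a tab or a carriage return is evaluated as a formula rather than shown as text. The following is an added example written for this post, in Python rather than Magento's PHP and not taken from Magento's code; it shows the vulnerable export beside a hardened one, with a review check a developer can run over a finished export. Every order, name and note in it is constructed.

```python
"""Spreadsheet formula injection in a CSV export: vulnerable pattern and fix.

Added example (Python, not Magento code). A field under customer control that
starts with '=', '+', '-', '@', tab or CR is evaluated by Excel/LibreOffice as
a formula, so a crafted 'name' can run a DDE command or exfiltrate other cells.
All sample data is constructed.
"""
import csv
import io

# Leading characters that make a spreadsheet evaluate the cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

COLUMNS = ("order_id", "customer_name", "note")


def export_vulnerable(rows):
    """Writes customer-controlled fields verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    for row in rows:
        writer.writerow([row[c] for c in COLUMNS])
    return buf.getvalue()


def neutralise_cell(value):
    """Return a value a spreadsheet will treat as text, never as a formula.

    Numbers (ints/floats, or strings such as "-12.50") keep their sign so that
    legitimate negative amounts survive; any other string starting with a
    formula character is prefixed with an apostrophe, the spreadsheet marker
    for 'this cell is literal text'.
    """
    if not isinstance(value, str) or not value.startswith(FORMULA_PREFIXES):
        return value
    try:
        float(value)
        return value
    except ValueError:
        return "'" + value


def export_hardened(rows):
    """Same export with every cell neutralised and explicitly quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(COLUMNS)
    for row in rows:
        writer.writerow([neutralise_cell(row[c]) for c in COLUMNS])
    return buf.getvalue()


def has_live_formula(csv_text):
    """Review check: does any cell of an export still begin with a formula
    character without being a plain number?"""
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            if cell.startswith(FORMULA_PREFIXES):
                try:
                    float(cell)
                except ValueError:
                    return True
    return False


# Constructed orders: row 2 carries a DDE payload as the customer name, row 3 an
# '@'-prefixed formula; the notes hold a negative amount and a phone number.
SAMPLE_ORDERS = [
    {"order_id": 100000123, "customer_name": "Alice Example", "note": "Leave at door"},
    {"order_id": 100000124, "customer_name": "=cmd|' /C calc'!A0", "note": "-12.50"},
    {"order_id": 100000125, "customer_name": "@SUM(1+1)*cmd|' /C calc'!A0", "note": "+44 7700 900123"},
]

if __name__ == "__main__":
    print(export_vulnerable(SAMPLE_ORDERS))
    print(export_hardened(SAMPLE_ORDERS))
```

Run without arguments it prints both exports so the difference is visible. Two caveats a reviewer should know: the apostrophe is shown literally by some spreadsheets when the CSV is imported (the cell reads `'=cmd...`), which is acceptable because the goal is that it is never evaluated; and anything that starts with `+` but is not a number, such as an international phone number, will also be prefixed, so decide per column whether that is tolerable.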
Do the owners of the 70,000+ websites running unpatched Magento stores not realise that ignoring these threats, or choosing not to patch, is:
- a direct breach of PCI DSS, which requires critical security patches to be applied promptly?
- negligence of their obligation under the Data Protection Act to keep customer data secure?
- and, if nothing else, a complete lack of care for their customers' data?
If you are the owner of an unpatched Magento store, as a fellow businessperson I implore you to get your act together before you are hacked, or named and shamed on social networks.
8 tips for securing your Magento site
With over 2 million lines of code, almost 12,000 files and hundreds of database tables, Magento is a complex beast that will always have to defend against security threats. Hopefully Magento will handle the communication around threats better in future; but beyond patching your store, what can you do today to improve its security?
Here are our top tips for making your Magento site more secure:
- Use a strong admin password and change it regularly
- Never store that password where others can read it, and never re-use it for other services
- Change the Magento admin path from the default /admin and, where possible, restrict access to it by IP address
- Only access your admin panel over HTTPS
- Be careful which third-party modules you install and keep them up to date; watch out for fake extensions, which are a common way of planting a backdoor
- Run antivirus and anti-malware software on every machine you use to access your Magento store, since a compromised workstation hands an attacker your admin session
- Forget FTP: always use SFTP, and restrict access by IP where possible
- Block traffic from countries you don't ship to; common attack sources such as China and Russia can be blocked if you don't trade there. Treat this as a nuisance filter rather than a control, as it is easily bypassed with a proxy
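Two of the points above, whether the Shoplift and SUPEE-5994 patches are actually on the server and whether the admin path is still the default, can be checked from the install itself. The script below is an added example written for this post, not Magento's own tooling. It assumes that the SUPEE patch shell scripts append one pipe-delimited header line per run to app/etc/applied.patches.list with the patch id in the second field and a trailing REVERTED field when a patch is rolled back, and that the admin front name lives at config/admin/routers/adminhtml/args/frontName in app/etc/local.xml; the sample file contents embedded at the bottom are constructed.

```python
"""Audit a Magento 1.x install: are SUPEE-5344 (Shoplift) and SUPEE-5994
recorded as applied, and is the admin front name still the default 'admin'?

Added example, not Magento's own tooling. Assumed layout of
app/etc/applied.patches.list: one header line per patch run,
"<date> | SUPEE-nnnn | <edition_version> | ... [| REVERTED]", followed by a
__PATCHFILE_FOLLOWS__ marker and the diff body. Sample data is constructed.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

REQUIRED_PATCHES = ("SUPEE-5344", "SUPEE-5994")
# Matches only header lines; diff bodies never start with a date.
HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} [^|]*\|\s*(SUPEE-\d+)\s*\|(.*)$")


def applied_patches(list_text):
    """Patch ids recorded as applied and not subsequently reverted."""
    applied = set()
    for line in list_text.splitlines():
        match = HEADER_RE.match(line)
        if not match:
            continue  # blank lines, __PATCHFILE_FOLLOWS__ markers, diff bodies
        patch_id, rest = match.groups()
        if "REVERTED" in rest:  # assumed revert marker written by the patch script
            applied.discard(patch_id)
        else:
            applied.add(patch_id)
    return applied


def missing_patches(list_text, required=REQUIRED_PATCHES):
    present = applied_patches(list_text)
    return [p for p in required if p not in present]


def admin_front_name(local_xml_text):
    """Admin URL prefix from local.xml; Magento falls back to 'admin' if unset."""
    node = ET.fromstring(local_xml_text).find("admin/routers/adminhtml/args/frontName")
    if node is None or not (node.text or "").strip():
        return "admin"
    return node.text.strip()


def audit_texts(list_text, local_xml_text):
    """Both checks over file contents; returns human-readable findings."""
    findings = ["missing patch %s" % p for p in missing_patches(list_text)]
    if admin_front_name(local_xml_text) == "admin":
        findings.append("admin front name is the default 'admin'")
    return findings


def audit(root_dir):
    """Run the checks against a Magento document root on disk."""
    etc = os.path.join(root_dir, "app", "etc")
    try:
        with open(os.path.join(etc, "applied.patches.list")) as f:
            list_text = f.read()
    except FileNotFoundError:
        list_text = ""  # no patch script has ever run here: every patch is missing
    with open(os.path.join(etc, "local.xml")) as f:
        return audit_texts(list_text, f.read())


# Constructed: SUPEE-5344 applied; SUPEE-5994 applied and then reverted.
SAMPLE_PATCH_LIST = """\
2015-02-10 09:12:44 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | deadbeef | Mon Feb 9 18:03:10 2015 +0000 | v1.9.1.0..HEAD

__PATCHFILE_FOLLOWS__
diff --git app/code/core/Mage/Core/Controller/Request/Http.php app/code/core/Mage/Core/Controller/Request/Http.php
(diff body omitted)

2015-05-15 11:30:02 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 | cafef00d | Thu May 14 16:20:00 2015 +0000 | v1.9.1.0..HEAD

__PATCHFILE_FOLLOWS__
(diff body omitted)

2015-05-15 12:01:17 UTC | SUPEE-5994 | CE_1.9.1.0 | v1 | cafef00d | Thu May 14 16:20:00 2015 +0000 | v1.9.1.0..HEAD | REVERTED
"""

# Constructed local.xml fragment with the stock admin front name.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

if __name__ == "__main__":
    findings = audit(sys.argv[1]) if len(sys.argv) > 1 else audit_texts(SAMPLE_PATCH_LIST, SAMPLE_LOCAL_XML)
    for finding in findings or ["no findings"]:
        print(finding)
```

Point it at a document root (`python audit_magento.py /var/www/magento`) and it prints one line per finding; with no argument it runs over the constructed sample and reports SUPEE-5994 missing, because the reverted entry cancels the applied one, and the default admin front name. A patch appearing in the list only proves the patch script ran; it does not prove the patched files were not later overwritten by a redeploy, so treat a clean result as necessary rather than sufficient.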
Magento's next steps
So, what do we think Magento will do next?
What we know for now is that Magento 2, due for release shortly, will be checked against the OWASP (Open Web Application Security Project) Top 10. For those of us on Magento 1.9 or earlier, I am sure we will see far better communication of issues before full public disclosure by security research firms.
We'll be at the London Magento conference on June 22nd, where we are sure security will be high on the agenda. Check back for our take on the discussions at the conference and a further security update.
Remember, if you would like to explore more advanced options for securing your site, speak to both your developer and your hosting provider. To get in touch with our Magento experts, call 0161 390 0124 or complete a contact form.