From all of the above opinions and suggestions, it is clear that the first priority of Magento administrators is to keep the Magento store safe from all suspicious activity and to follow the essential security measures that experts recommend for securing online stores. In addition, keep yourself updated on recent Magento releases and always host your application on a secure managed Magento server for enhanced security.
When a zero-day is published, or an unauthorized SQL injection or RCE comes out with a proof of concept, it becomes very hard for merchants to patch their stores quickly, because patching Magento sites is not easy. It takes a lot of effort and requires experienced Magento developers to apply the patch and ensure nothing else gets broken. However, Magento has recently been doing a great job of providing hotfixes that include only the code changes needed to fix critical vulnerabilities, such as PRODSECBUG-2198.
– Utilize a third party such as Foregenix as soon as you think you have an issue.”
The Solution From Experts
The Magento team has released the patch ‘PRODSECBUG-2198’, which they recommend applying in combination with other standard Magento security best practices.
Immediately after the issue surfaced, the Magento team came up with a solution, but that alone does not mean that your Magento 2 store is completely secure.
“It’s common to leave behind security vulnerabilities when you are rolling out new features and bug fixes in open source code, which is easily accessible to everyone. Anyone can go through the code to sniff out the security bug. However, the more you vet the code for security issues, the less likely you are to launch a product with vulnerabilities. Also, there are many code contributions that the community is making, which makes it even more difficult to review them and eliminate security bugs entirely.
– Sign up to Magento’s security emails, follow hashtags on Twitter, and hang out in the #security channel of MagComEng on Slack.
- “First, ensure that you are on par with all security patches.
- Second, even if you already have patched: change all of your staff’s admin passwords right away, as they were likely stolen before you patched. Use computer-generated passwords of at least 10 characters. This will significantly extend the time required to break the hashes.
- Third, inspect your site for malicious code or unauthorized access. Our eComscan forensic scanner can be valuable here (it was developed to aid in our own investigations).
- Fourth, as long as Magento has not published a patch to hide the secret backend panel, you should implement extra protection. An IP restriction is recommended; use, for example, this plugin. If your staff uses dynamic IPs, it is recommended to have them use a VPN. This will not only guarantee a static IP but also enforce encryption.
- Finally, install a malware & vulnerability monitor so you will be alerted immediately when something is amiss.”
– Keep an eye on http://magento.stackexchange.com in case known issues with any patches arise.
Let’s also hear what Magento experts have to say about all of this.
– Apply patches to all stores/instances as quickly as possible whilst robustly testing your solution.
– Actively monitor the server logs to look out for any suspicious activities. Block the offending IPs and maybe prevent the hack or at least reduce the risk.”
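The advice just above (monitor server logs and block offending IPs) and the earlier recommendations to restrict the admin panel by IP and to be alerted when something is amiss can be turned into a simple check over the web server's access log. The following is an added example, not code from this page or from any of the quoted vendors; it assumes the admin panel lives under `/admin` and that staff or VPN egress addresses are known as CIDR ranges (both hypothetical placeholders here), and the log lines are constructed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample access-log lines (combined log format), not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Mar/2019:10:01:02 +0000] "GET /admin/ HTTP/1.1" 200 512
198.51.100.7 - - [28/Mar/2019:10:02:15 +0000] "POST /admin/ HTTP/1.1" 200 4096
198.51.100.7 - - [28/Mar/2019:10:02:16 +0000] "POST /admin/ HTTP/1.1" 200 4096
198.51.100.7 - - [28/Mar/2019:10:02:18 +0000] "POST /admin/ HTTP/1.1" 200 4096
192.0.2.44 - - [28/Mar/2019:10:03:00 +0000] "GET /admin/ HTTP/1.1" 200 512
192.0.2.44 - - [28/Mar/2019:10:03:05 +0000] "GET /catalog/category/view/id/5 HTTP/1.1" 200 9031
this line is not a valid log record
"""

# Combined-log-format prefix: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def audit_admin_access(log_text, allowlist, admin_prefix="/admin", block_threshold=3):
    """Return (flagged, to_block): admin-panel requests from IPs outside the
    allowlist (CIDR strings for staff/VPN egress, hypothetical here), and the
    IPs that made at least block_threshold such requests."""
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in allowlist]
    flagged, hits_per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(admin_prefix):
            continue  # unparsable line, or not an admin-panel request
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # hostname or junk in the client field
        if any(ip in net for net in nets):
            continue  # staff or VPN address: permitted
        flagged.append(rec)
        hits_per_ip[rec["ip"]] += 1
    to_block = sorted(ip for ip, n in hits_per_ip.items() if n >= block_threshold)
    return flagged, to_block
```

Running `audit_admin_access(SAMPLE_LOG, ["203.0.113.0/24"])` flags the four admin requests from outside the staff range and proposes blocking only the address that made three of them; the catalog request from the same outside address is ignored because it never touched the admin path.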
We went to others to discover what they have in mind for securing Magento stores from similar attacks.
Syed Muneeb Ul Hasan is an expert in PHP and Magento; he prefers to educate users in implementing and learning Magento. When not working, he loves to watch cricket.
It seems that Magento 2 stores were the targets of a hack attempt in which the hackers exploited the “tried-and-tested” SQL injection vulnerability in Magento CMS. This allowed them to take over unpatched, vulnerable sites.
As a merchant, when something like this comes out it is extremely important to patch your stores as soon as possible, without any delay. Magecart and other Magento hacker groups actively scan most Magento websites to find unpatched stores and inject malicious scripts that steal customers’ credit card information. Once you are hacked, there is no going back. Your reputation is harmed, and there could also be legal issues due to negligence if you do not act fast on these issues. It is also an embarrassment to email all your customers about a security incident on your site, which is unfortunately common nowadays.
“The sharp rise has been heavily linked to the release of a POC around PRODSECBUG-2198 within a few days of the patch release. The only real way to make sure that exploits aren’t exploited on your site would be to ensure you have a robust patching policy in place that is able to turn around UAT and production deployments within a very short timescale.
Magento powers a significant chunk of the ecommerce industry, so when something happens to the Magento platform, the entire ecommerce industry takes notice. That is exactly what happened when the news of the attacks on Magento stores surfaced earlier.
– Use automated testing to ensure that the core areas of your site aren’t affected by patches.