Recent Critical Magento Security Patch Warnings (Shoplift SUPEE-5344)
A few of our customers might have received an email last evening (16 Apr 2015) about the latest patches available for your Magento installation. The subject of the email would have been something along the lines of – Critical Reminder: Download and install Magento security patches. You might also have noticed a warning in your Magento dashboard when you logged in this morning (17 Apr 2015).
There is no reason to panic. Patches are released in periodic intervals whenever a vulnerability is identified in any software application. As you might have already read in the email, the only reason for this sudden notification is that Check Point Software Technologies informed the Magento Team that they plan to send out a press release in the coming days making one of the security issues widely known, possibly alerting hackers who may try to exploit the issue.
The notification was sent out just to make sure your account is free from any vulnerability and is ready to face any such threats/attacks.
– The first step forward is to make sure your installation/themes/templates/plugins/extensions are all kept updated. If you haven’t already, it’s high time you updated everything.
– Please make sure you backup all your contents – files and databases – before attempting an upgrade. You can take a complete backup of your account from the Backup Wizard in cPanel. The steps are outlined at – https://documentation.cpanel.net/display/ALD/Backup+Wizard . If you have a test/dev instance of your website, I would suggest testing everything there first, before updating your live website.
– You might also want to review your installation’s root directory to make sure there are no unknown/suspicious files in there.
– The next step is applying the patches from the location – https://www.magentocommerce.com/products/downloads/magento/
The following patches are recommended in the recent email, which you can download from the Magento Community Edition Patches section on the page.
SUPEE-5344 – Addresses a potential remote code execution exploit (Added Feb 9, 2015)
SUPEE-1533 – Addresses two potential remote code execution exploits (Added Oct 3, 2014)
Installation steps are outlined on the page. Just in case you missed it there, here it is again:
Please upload the patch into your Magento root directory and run the appropriate SSH** command:
For patch files with the file extension .sh:
sh patch_file_name.sh
(Example: sh PATCH_SUPEE-1868_CE_1.7.0.2_v1.sh)
For patch files with the file extension .patch:
patch -p0 < patch_file_name.patch
Once that is done, refresh the cache in the Admin under “System > Cache Management” so that the changes will be reflected.
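As an added example (not code from the original post or from Magento), the shell script below takes a SHA-256 manifest of the store's document root before the patch and again afterwards, and lists every added, removed or changed file. Anything that changed beyond the files the patch is supposed to touch is exactly the kind of unknown/suspicious file the review step above is about, and the same manifest can be re-run later to spot unexpected changes. It assumes a Linux host with sha256sum, tar and awk; the directory and file names inside demo() are constructed for the demonstration and are not Magento paths.

```shell
#!/bin/sh
# Added example, not code from the original post or from Magento: take a
# SHA-256 manifest of the web root before patching, back it up, apply the
# patch, take a second manifest and report everything that changed.
# Directory and file names in demo() are constructed for the demonstration.

# backup_root DIR ARCHIVE : tar+gzip the whole web root before touching it.
backup_root() {
    tar -czf "$2" -C "$1" .
}

# snapshot_manifest DIR OUTFILE : one "sha256  ./relative/path" line per file,
# sorted so two manifests of the same tree are byte-for-byte comparable.
snapshot_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done ) > "$2"
}

# manifest_diff OLD NEW : prints "added", "removed" or "changed" plus the path
# for every difference between the two manifests, sorted for stable output.
manifest_diff() {
    awk '
        # sha256sum output is 64 hex chars, two spaces, then the path (col 67)
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67); seen[p] = 1
            if (!(p in old))        print "added   " p
            else if (old[p] != $1)  print "changed " p
        }
        END { for (p in old) if (!(p in seen)) print "removed " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo : builds a constructed web root, simulates a vendor patch plus one
# stray PHP file dropped into an upload folder, and prints the diff report.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/lib" "$root/uploads"
    printf '<?php // front controller\n' > "$root/index.php"
    printf '<?php // library code before patch\n' > "$root/lib/Helper.php"
    printf 'not php\n' > "$root/uploads/image.jpg"

    before=$(mktemp); after=$(mktemp)
    backup_root "$root" "$root.tar.gz"      # full backup first, as advised
    snapshot_manifest "$root" "$before"     # baseline manifest

    # Simulated patch: the vendor fix rewrites one library file ...
    printf '<?php // library code after patch\n' > "$root/lib/Helper.php"
    # ... and, unrelated to the patch, a PHP file appears in an upload folder.
    printf '<?php // should not be here\n' > "$root/uploads/unexpected.php"

    snapshot_manifest "$root" "$after"      # post-patch manifest
    manifest_diff "$before" "$after"        # expected: one changed, one added
    rm -rf "$root" "$root.tar.gz" "$before" "$after"
}

demo
```

In practice you would keep the pre-patch manifest and backup archive outside the document root, run manifest_diff after applying each SUPEE patch, and compare the "changed" entries against the file list inside the patch; any "added" PHP file in a directory that should only hold uploads or cache is the first thing to investigate.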
Warning – Please test all patches in a test environment before taking them live. If you are not familiar with the patch installation, you can have your developer do this for you. We take no responsibility if the patch breaks your website, so please make sure you have backed up everything before applying any updates/patches.
** If you are on a plan that doesn’t come with SSH, you can open a support ticket, and we can enable SSH for your account for 48-72 hours free of charge.