The Reports of the Magento Core Being Vulnerable are Greatly Exaggerated

To borrow from Mark Twain’s famous quote “Reports of my death have been greatly exaggerated”

Sucuri, the security company, recently published a blog post, Magento Platform Targeted By Credit Card Scrapers. In this post, the author seemed to indicate that hacks were happening in the wild, and it was unknown how the hackers were getting into Magento stores. The implication was some sort of “zero day” exploit in the Magento code (known as “the core”).

This little blog post got picked up by major websites like PC Magazine, The Guardian, and many other blogs and news sites. Twitter became flooded with doom and gloom posts about EBay/Magento being targeted, hackers having a backdoor into every Magento store, etc…

All the while, there was no proof this was the case….

Magento IS Secure

The latest version of Magento is secure (with latest patches applied). Older versions of Magento are secure if they are fully patched. We host hundreds of Magento stores, and we have not seen a fully updated/patched store become hacked in the manner which is described in the Sucuri blog post.

However, if a merchant is running a version of Magento that is not patched (recent Shoplift vulnerability [SUPEE-5344], XSS patches [SUPEE-5994]), it is possible (and likely) that their Magento store could be hacked.

Additionally, if they are using a third party extension that is not fully secure or patched, this can be another vector for hackers to exploit. One of the largest sources of hacks came from older versions of Magmi (product upload utility) that were not password protected.

Magento stores hosted with us are secure

If you host your Magento store with us, we proactively apply all security related patches to all stores as soon as they are released and tested on this end. In the case of the Shoplift vulnerability (the one where the most hacks are occurring still), we had this patched back in February a day after the patch was released. The same applies to the XSS SUPEE-5994 patch.

….

The key with Magento is to make sure your store is patched soon after a security patch is released by Magento.

Not sure if a patch exists? Check the Magento Download Page to see the dates of the latest patches.

Not sure if your store is patched? View the file “app/etc/applied.patches.list” in your Magento files via FTP or ssh.

Don’t believe the hype this time with regards to Magento being vulnerable with no ability to stop the hackers. A properly patched store that is kept up to date and uses responsible, updated third party extensions, is quite a secure platform for conducting online sales.

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

Leave a Reply