Hacking attacks remain a common problem that owners of popular sites have to deal with. Often the biggest problem is that you may not even know your e-commerce store has been attacked. If criminals have hit your business, you need to clean the infected Magento website and then take care to protect it against further intrusions. To help you with this, we discuss how to identify, fix and secure a Magento installation, and include information about the most common types of intrusions and the ways criminals use e-commerce stores to their advantage.
The first symptom is often a blacklist alert from a search engine such as Google or Bing. Strange credit card activity reported by customers is another sign that something is wrong, and incorrect shopping cart or payment behavior may be a deliberate trail left by criminals. Spam keywords appearing in product listings or SERPs are not good news either, and neither are the various malicious activities that often cause the website to freeze. File modifications, Magento core integrity issues and unknown administrator accounts are further known symptoms of a compromised Magento website.
Every time a store is hacked, stolen customer credit card details are one of the major issues. The problem is especially damaging if you rely on Magento's own payment mechanisms, because then you have to respond to a possible data breach yourself. Most companies, however, choose to process payments outside their own systems: they rely on secure payment gateways, API integrations or third-party payment methods, which keeps customer data safe from digital theft.
How to check if your store has been attacked
The more insecure the internet becomes, the more security tools become available for free, and e-commerce, although it involves a lot of money, is no exception. Various web tools let you scan your Magento installation for free without third-party specialists, so identifying credit card fraudsters, malicious payloads, unsecured domains and other thorny issues is no longer such a difficult task.
You can scan your Magento website for malware and other indicators of compromise with MageReport, Sucuri SiteCheck or similar software. If your site is infected, the tool displays a warning; pay attention to every reported payload, location and blacklist alert. Specialists also recommend scanning all other websites hosted on the same server as yours, since an infection can spread between sites.
However, remote scanning is not flawless. It looks at your site from the outside and does not access the server, so if a remote scan of your store detects no violations, that does not mean your e-commerce business has not been affected. While some problems can be detected in the browser (you can monitor your site for backdoors, phishing, server scripts, etc.), many issues exist solely on the server. Therefore, the most comprehensive remedy combines remote and server-side scanning.
Server-side monitoring typically involves third-party software that checks files for backdoors, phishing pages and other security problems that remote scanners cannot see. Some solutions track file changes, providing a more comprehensive audit. For example, Sucuri offers an extension, included free with its usual platform cleaning and monitoring plans, that checks website files for problems the remote scanner cannot distinguish.
SiteCheck offers a free website checker and malware monitoring. MageReport is a platform that gives you a quick insight into the security status of your Magento site and provides free advice on how to fix any vulnerabilities it finds. Magento Security Scan Tool is the official free store scanner. UnmaskParasites is a solution for finding illegal content embedded in your websites. Foregenix is a scanner that delivers threat alerts and educational information about the health of your website via email. In addition, there is VirusTotal, which provides remote analysis of suspicious files and URLs, detects various types of scams and shares the results with the community.
Scan your server
Let's say a few words about scanning techniques that involve server monitoring. Any new or recently modified files on the server may indicate you have been hacked, so check the Magento file system regularly to detect malicious changes. Since all versions of Magento are available on GitHub, you can download the matching release over an SSH terminal and compare it with the files on the server.
It's always a good idea to use SFTP, SSH or FTPS to access the server instead of FTP. The latter is unencrypted, which creates additional security risks. Note that some malware can be detected through a changed modification date on the file.
You can shorten these steps by using one of the file integrity monitoring solutions. Tripwire is a platform for detecting threats, identifying vulnerabilities and checking file integrity for Magento. MageScan is a tool for monitoring and reporting changes to the integrity of the Magento system and configuration files. OSSEC is an open source intrusion detection system with FIM (file integrity monitoring) functions. SEM is a centralized log management solution that detects unauthorized modifications. Qualys FIM is a web application that centrally records file changes.
Track administrator logs
New and unknown user accounts can also be considered a warning sign. Hackers often create new administrator accounts on compromised e-commerce sites to gain additional access to data storage and take control of the storefront. Neither Magento 2 nor Magento 1 is immune to this. Therefore, verify all administrative accounts.
Both Magento 1 and Magento 2 have a wide variety of third-party extensions, and fully featured admin action loggers occupy an important place in the ecosystem. These tools not only detect newly created accounts but also record every step administrators take in the backend. As a result, you can easily find out which users pose a risk.
Check the reports
Use Google to check your Magento site for hacks. It goes without saying that if a search engine has blacklisted your store, it's time to act. The search giant's diagnostic tools provide a reliable way to check the security status of your Magento installation. Your customers are another source of information about your security: stay in touch with them so that you can spot problems such as fake purchases shortly after they place their orders. This will help you catch a catastrophe at an early stage.
Pay attention to e-commerce messages
The global e-commerce community quickly reflects all significant changes that affect the ecosystem, which keeps you informed about the latest security vulnerabilities. When it comes to Magento, you can always find the latest information about security incidents on the official blog. Even if your store hasn't been tampered with, that doesn't mean it is safe. Therefore, always check the official Magento website for known security vulnerabilities and the patches that fix them.
How to fix a Magento site after a hack
Whether your Magento site has been hacked or just has a weakness, you need to fix the problem immediately. We show you how to get rid of security gaps in Magento below.
Delete infected files
Suppose you have just found a malicious domain or payload. This is not a reason to panic. First, it's possible that the hackers had not yet started their questionable activities before you noticed them. Second, such findings are easy to combat. Begin by looking for contaminated files on the Magento server. Then compare the infected items with known legitimate files. Finally, identify and revert any erroneous changes. Also make sure the reference version you compare against matches your core Magento files, including applied patches and extensions.
If you don't know how to cure a malware infection, ask a specialist. If you want to do everything without hiring an outside expert, there are a few things you need to do. First, log in to your server. Make a backup so that you can restore your Magento site to its current state if anything goes wrong after you delete corrupted files. Check recent changes and confirm whether they are legitimate. Replace suspicious files with clean versions. Review custom files and remove suspicious or unknown code from them. Finally, verify that the site still works: your goal is to remove the contamination and keep the store in good condition after applying the changes.
You can also visit community forums such as StackExchange for help. Chances are you are not the only one with this problem, so you can easily find the right topic. If nobody is discussing your specific problem, ask other community members for help. Some specialists recommend going a step further and reinstalling all extensions, even if you do not detect any bad components in them. Although the procedure is time consuming, you make sure that all modules work properly and are malware free.
However, there are a few downsides to doing everything yourself. You can overwrite or delete important files and break your store, and in the end the desire to limit expenses increases costs. If the possibility of damaging your Magento website does not scare you, check out the following file comparison tools: DiffNow, which compares text files, documents, binaries and archives; DiffChecker, which checks for text differences between two text files; and the bash diff command, which compares two files or two directories.
Keep your databases clean
We show two approaches to keeping your database tables clean. First, let's examine the more user-friendly and safer one. You can remove a malware infection from the Magento database directly in the Content section of your admin panel, where you can edit static blocks, CMS pages and other infected elements of your store's content. However, this approach is not the most efficient.
Alternatively, you can make changes through a low-level database administration tool such as phpMyAdmin, Adminer or Search-Replace-DB. However, manually deleting code and data without prior experience can be extremely dangerous: the impact of incorrect changes can outweigh the destructive consequences of the hack itself. Therefore, always create a backup or seek professional assistance before taking any action.
To remove malware yourself, log in to the database administration tool and create a database backup. Then scan and analyze the database for suspicious content. When you find a table with suspicious content, manually delete the offending items. Also remember to check that your Magento storefront still works after the objectionable content has been removed.
It is also possible to manually search the Magento database for malicious PHP functions. Look for commonly abused functions such as eval, gzinflate, base64_decode, str_replace, preg_replace, etc. Note that some Magento malware is stored in the core_config_data table, in the header and footer configuration values.
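As an added example, not part of the original guide, the following Python script shows how such a database search can be automated on rows exported from core_config_data. It flags values containing the functions named above, scoring eval, gzinflate and base64_decode higher than str_replace and preg_replace, which are also common in legitimate code, and it separately marks any inline script stored in the header and footer paths (design/head/includes, design/footer/absolute_footer, design/footer/copyright) for manual review, since analytics tags legitimately live there. The rows are constructed inline so the script runs offline; in practice you would feed it the result of a SELECT on core_config_data.

```python
"""Scan Magento core_config_data rows for injected code (added example)."""
import re

# Functions the guide lists as typical of injected code. The first group
# rarely belongs in a store's head/footer HTML; the second is also common
# in legitimate code, so it gets a lower severity.
HIGH_RISK = ("eval", "gzinflate", "base64_decode")
MEDIUM_RISK = ("str_replace", "preg_replace")
FUNCTION_CALL = re.compile(
    r"\b(" + "|".join(HIGH_RISK + MEDIUM_RISK) + r")\s*\(", re.IGNORECASE
)

# Config paths whose values Magento renders into every storefront page.
WATCHED_PATHS = (
    "design/head/includes",
    "design/footer/absolute_footer",
    "design/footer/copyright",
)

# Constructed rows standing in for `SELECT config_id, path, value FROM
# core_config_data`; row 3 imitates an injected footer, row 5 a normal tag,
# row 7 uses a made-up path to show the lower-severity case.
SAMPLE_ROWS = [
    {"config_id": 1, "path": "web/unsecure/base_url", "value": "https://shop.example/"},
    {"config_id": 2, "path": "design/head/includes",
     "value": '<link rel="stylesheet" href="https://shop.example/static/site.css">'},
    {"config_id": 3, "path": "design/footer/absolute_footer",
     "value": '<script>eval("PLACEHOLDER")</script>'},
    {"config_id": 4, "path": "design/footer/copyright", "value": "Copyright &copy; Shop"},
    {"config_id": 5, "path": "design/head/includes",
     "value": '<script src="https://analytics.example/tag.js"></script>'},
    {"config_id": 6, "path": "catalog/frontend/list_mode", "value": "grid-list"},
    {"config_id": 7, "path": "custom/developer/note",
     "value": "TODO: clean slugs with preg_replace() before release"},
]


def scan_rows(rows, watched=WATCHED_PATHS):
    """Return a list of findings, each {config_id, path, reason, severity}."""
    findings = []
    for row in rows:
        value = row.get("value") or ""
        for match in FUNCTION_CALL.finditer(value):
            name = match.group(1).lower()
            findings.append({
                "config_id": row["config_id"],
                "path": row["path"],
                "reason": f"{name}() in stored value",
                "severity": "high" if name in HIGH_RISK else "medium",
            })
        # Any inline script in a rendered header/footer slot deserves eyes:
        # legitimate analytics tags live here too, hence 'review', not 'high'.
        if row["path"] in watched and "<script" in value.lower():
            findings.append({
                "config_id": row["config_id"],
                "path": row["path"],
                "reason": "<script> stored in rendered header/footer setting",
                "severity": "review",
            })
    return findings


def ids_by_severity(findings):
    """Group the config_ids of findings by severity, for quick triage."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["severity"], []).append(finding["config_id"])
    return {severity: sorted(set(ids)) for severity, ids in grouped.items()}


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding["severity"].upper(), finding["config_id"],
              finding["path"], "-", finding["reason"])
```

Treat the output as a triage list, not a verdict: a "high" hit in a header or footer value should be compared against what the legitimate theme and extensions put there before it is deleted, and every "review" entry is a script tag you should be able to account for.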
Remove hidden backdoors forever
Any decent hacker leaves a way back into the site once the original hole is closed. That is why Magento takes potential threats seriously. You probably have tons of emails informing you about newly discovered vulnerabilities and patches, and you may have noticed that most of these notices are not accompanied by reports of real-world hacking. But even if a vulnerability has never been exploited, that doesn't mean no one will use it for malicious purposes. Therefore, it is imperative to remove all hidden backdoors, whether they were created during previous hacks or shipped as a built-in flaw.
Criminals often disguise backdoors as new items that look like official Magento core files, and they usually focus on locations such as the footer or header. You can view these in the Content section of your admin panel when you discover malware. However, some third-party extensions also modify these locations, so if you remove a harmless feature, you are likely to break your entire website. Ask specialists with the appropriate experience to do it for you.
If you want to remove the backdoors yourself, compare the existing Magento files with a clean reference. Log in to your server first and back up your existing site files. Compare your store with the clean copy to discover new files that look suspicious. Replace them with known good copies, flush your Magento cache and test your changes. Keep in mind that intruders often use encryption to evade detection, whereas this practice is quite rare in the official Magento repository, except for its premium components.
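The comparison described here, and in the server-scanning advice earlier (download the matching Magento release, then compare it with the files on the server), can be scripted. The following Python script is an added example, not code from Magento or from this guide: it hashes every file in a clean reference tree and in the live tree and reports files that are new, modified or missing on the live side. The ignore list of paths that legitimately differ on every install (local config, caches, media, generated code) is an assumption to adjust to your deployment, and the sample trees are constructed inside a temporary directory so the script runs offline.

```python
"""Compare a live Magento file tree against a clean reference copy.

Added example, not Magento's own tooling. Walks both directories, hashes
every file with SHA-256 and reports what is new, modified or missing on the
live side, skipping paths that legitimately differ from the upstream release.
"""
import hashlib
import os
import tempfile

# Paths that differ on every real install (local config, caches, media,
# generated code). Assumption: adjust to your own deployment layout.
DEFAULT_IGNORE = (
    "app/etc/env.php",
    "app/etc/config.php",
    "var/",
    "pub/media/",
    "generated/",
)


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root, ignore=DEFAULT_IGNORE):
    """Map every relative file path under root to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == p or rel.startswith(p) for p in ignore):
                continue
            result[rel] = sha256_of(full)
    return result


def compare_trees(reference_root, live_root, ignore=DEFAULT_IGNORE):
    """Return {'new': [...], 'modified': [...], 'missing': [...]}.

    'new' files exist only on the live server (the classic place for a
    dropped backdoor), 'modified' differ from the clean copy, and 'missing'
    exist only in the reference.
    """
    ref = manifest(reference_root, ignore)
    live = manifest(live_root, ignore)
    return {
        "new": sorted(set(live) - set(ref)),
        "modified": sorted(p for p in set(live) & set(ref) if live[p] != ref[p]),
        "missing": sorted(set(ref) - set(live)),
    }


def _write(root, rel, content):
    """Create rel (with parent directories) under root with the given content."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Build two constructed trees and compare them; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "clean")
        live = os.path.join(tmp, "live")
        for root in (ref, live):
            _write(root, "index.php", "<?php require __DIR__ . '/app/bootstrap.php';\n")
            _write(root, "app/etc/env.php", "<?php return ['install' => ['date' => 'a']];\n")
        # Constructed differences on the live side: an edited core file, an
        # unexpected extra file, and a local-config change that is ignored.
        _write(live, "index.php", "<?php require __DIR__ . '/app/bootstrap.php'; // edited\n")
        _write(live, "pub/static/frontend/cache.php", "<?php // unexpected new file\n")
        _write(live, "app/etc/env.php", "<?php return ['install' => ['date' => 'b']];\n")
        # A file present only in the clean copy shows up as missing.
        _write(ref, "lib/internal/Cron/Shell.php", "<?php // only in the clean copy\n")
        return compare_trees(ref, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Review the "new" list first: a PHP file that exists only on the server, in a directory that is otherwise identical to the clean copy, is the classic shape of a dropped backdoor. Files under the ignore list still deserve a manual look; they are skipped only because they are expected to differ, not because they are trusted.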
As for the second case, we can only recommend applying Magento 2 security patches and updating the software regularly. If you are still using Magento 1, check out the Magento 1 End Of Life Ultimate guide or contact support. Unfortunately, there are no official Magento 1 patches to close its potential backdoors and solve other possible problems; you have to rely on third-party solutions that cannot guarantee 100% security. As for Magento 2, you can follow the official updates while keeping your installation clean and safe.
Reset administrator passwords
What's the most conventional way to block bad guys from accessing your data? It is a solid and unique password. However, it cannot provide invulnerability to all attacks. If you have been hacked, it is imperative to reset all administrator passwords to avoid re-infection.
You can reset admin passwords in Magento 2 very easily. In the Magento 2 admin panel, go to System -> Permissions -> All Users and select the administrator whose password you want to reset. In the Account Information section, enter the new password and confirm it. Then enter your own password in the Your Password field to verify your identity and apply the change. Now you can save the user and move on to the next account.
Professionals recommend reducing the number of administrative accounts. Of course, you can't fire back-end managers just to follow this advice. However, many merchants keep unused administrative accounts, as well as unused FTP and system accounts. Avoid this, because every unused account increases the chance of intrusion: at the very least, it gives bad guys additional ways to access your valuable data and gain full control of your website.
Give users access to your Magento admin only for as long as necessary, then delete their accounts. While creating a new user role may seem like an unpleasant chore, it is much less of a chore than dealing with the consequences of an attack.
How do you create a credible password? Three conditions must be met. First, the password should be complex, meaning it contains letters, numbers and symbols. Second, it should be long enough. While the minimum number of characters required in Magento 2 is seven, that doesn't mean you should create such short passwords: the longer the password, the less vulnerable it is to hacking. Third, a long and sophisticated password is only reliable if it is unique. Never use the same combination of letters, numbers and symbols twice.
What else can reduce an administrator's exposure to attackers? Magento promotes a multi-faceted approach that combines several techniques available with the Adobe product. First of all, you can hide the backend from criminals simply by using a custom admin URL that is hard to guess. Obvious choices such as "Admin" or "Backend" are taken for granted and much less secure, and your company name is not the best option either. Two-factor authentication is another measure that radically reduces the possibility of a break-in: a token generated on a separate device gives administrators an exclusive means of verifying their identity.
In addition, the administrator security configuration lets you add a secret key to URLs, enforce case-sensitive passwords and usernames, and restrict administrator sessions. You can specify the password expiration period and the number of failed login attempts after which the account is locked. Magento 2 can even monitor keyboard inactivity before the current session expires and require a CAPTCHA.
Blacklisting by Google or other spam authorities has a long-lasting impact on your e-commerce business. You can reduce it by asking for reconsideration once the consequences of the hack have been fixed, but there are a few nuances to this process that you should be aware of. Google may limit the number of requests you can send: to keep the Internet safe, it sets a repeat limit for sites that knowingly host or distribute malware. In fact, any website that requests a review while still infected receives only one review in 30 days. Therefore, be sure that your Magento site no longer contains malicious code before you ask for a review!
Typically, getting the alerts removed works as follows: ask the hosting company to lift the suspension, provide details of the resolved issue, and complete a review request for each blacklisting authority. Then be patient, as the review process usually takes up to several days.
Post-hack security strategy
Now that all vulnerabilities are discovered and fixed, you can apply some significant improvements to keep the possibility of future attacks to an absolute minimum.
Update your Magento site regularly
Perhaps this is the most obvious piece of advice, yet it is always underestimated. It's no secret that the number of Magento 1 sites is much higher than the number of Magento 2 sites, and even the lack of official support does not put most merchants off. The consequences of such neglect can be dramatic, because outdated software is one of the main causes of infections.
The bad news is that you can no longer update your e-commerce site with the official protection patches. While there are some third party projects developed to maintain Magento 1 after EOL, migrating to Magento 2 is recommended.
The good news is that you can avoid a lot of problems by using our improved Import & Export extension and its migration add-on. These two solutions allow you to transfer all entities between the two platforms, so there is no need to manually recreate them on the new Magento 2 website.
With Magento 2, the situation is partly the same: older platform versions are no longer supported. Since no migration is necessary, you only need to update the software. Update not only all Magento components, including core files, templates, modules and plugins, but also any other outdated software on the server.
Turn on backups
While Magento's built-in backup feature is deprecated as of versions 2.1.16, 2.2.7 and 2.3.0, you can still rely on third-party solutions to avoid data loss. For example, Percona XtraBackup works both locally and in the cloud and can back up the database in production without downtime. And of course, you can fully automate your backup processes.
Regardless of the third-party backup solution you use, there are a few guidelines to follow. First, you need to store your backups offsite, not on the server. The reason is security. If the backup files are stored on the server, it is easy to steal them to compromise your Magento 2 storefront. Second, it is better to do frequent and automatic copying. This way you will never lose the latest version of your website. Third, make sure all data including all file formats is supported by the selected backup tool. Otherwise, you will have to manually recreate parts of your Magento store after restoring its saved copy.
And don't forget to test your backups from time to time. This way you will confirm that both the selected software and your store are working properly.
Use antivirus software
All users who have access to your Magento admin should regularly scan their computers with a reputable antivirus program. A user with an infected device can compromise Magento's security simply by logging in to the dashboard. It is better to overdo your security measures than to disregard good advice and let criminals into your e-commerce site. Keep in mind that the world of digital threats is so large that it even includes malware that spreads from your computer into your word processor or FTP client and from there to other systems.
Fortunately, the choice of reliable antivirus software is just as wide. For example, you can choose commercial options such as Kaspersky and F-Secure, or rely on free software such as Avast and Microsoft Security Essentials.
Another obvious point that we cannot overlook is the proper use of malware detection programs. Only one application that actively protects the computer should be running at a time; otherwise, conflicts between several security products will cause a dramatic slowdown in performance.
Use a firewall
Hackers consider Magento a tasty morsel as it gains new users and gathers more customer data across all of the ecosystem's storefronts. Therefore, an additional layer of protection such as a firewall is a necessary improvement, even if you rely on third-party payment processors to keep sensitive customer data away from your website in a much safer place. By implementing this measure, you eliminate various potential vulnerabilities and keep unauthorized users out of your admin area.
Think of a firewall as an immune system that detects and stops all known infections. Of course, it won't protect your Magento site from something completely new and unknown, but the Internet is teeming with identified threats of all forms, so it is better to be protected against them.
Every new threat is analyzed and compared to known problems right after the first few cases are reported, and specialists create the equivalent of vaccines, making your firewall resistant to threats that were unknown until recently. Because this protection exists independently of your online store, it is patched automatically, keeping your defenses up to date even if you forget to apply the latest patch to your Magento site.
A firewall blocks attempts to obtain passwords with brute-force automation, and it detects and blocks all kinds of DDoS attacks. As a result, criminals cannot get your sensitive data or take down your Magento 2 store.
There is a performance bonus, too. Most firewalls not only protect your website but also offer various performance optimizations; for example, you can use advanced caching to speed up existing pages.
Be PCI compliant
We won't waste time describing how important PCI compliance is. However, Magento 1 has recently become a Gordian knot for major credit card companies: the PCI requirements, designed to stop credit card theft, can no longer be met because Magento 1 is not receiving official updates.
Unfortunately, PCI non-compliance not only reduces the security of your website but also prevents credit card processing systems from working with you. The consequences are devastating, but you can avoid them by applying technical and operational measures: keep your Magento site protected by firewalls; do not use vendor-supplied passwords, but strong, long and unique character combinations; protect cardholder data stored on your Magento site and restrict access to it; encrypt the transmission of cardholder data over public networks; run the latest versions of Magento 2, third-party extensions and the other solutions you use; require unique identifiers to access data, keep access logs and implement physical access restrictions; and track all access to network resources and cardholder information while regularly testing security systems and processes.
Official Magento Security Practices
Magento offers a long list of protection practices and defense mechanisms. As we are talking about an effective post-hack security strategy, it is essential to highlight the basic concepts of this guide. Its multi-faceted view of improving the reliability of your Magento installation describes the improvements you can apply to make your website less vulnerable to attacks.
Before you start a new Magento project, there are two aspects to consider. You can prevent many problems by choosing a reliable hosting provider and solution integrator. Assess their qualifications, read reviews, ask other customers and, of course, discuss their approach to security. A trustworthy partner should follow a secure software lifecycle that complies with industry standards such as OWASP. In addition, run the entire site over HTTPS; besides security, this is a strong ranking factor. If you already have a Magento site, create redirects from HTTP to HTTPS.
Then you should think about a protected environment for your e-commerce website. This part of the guide is especially important because an installation is only as secure as its weakest point.
First of all, prepare the server environment. Make sure its operating system is secure and that no unnecessary software is installed on the server. Disable FTP, as it is insecure, and use SSH, SFTP and HTTPS for the highest level of security. Take care to protect all files and system directories adequately. Magento recommends not only using strong and unique passwords but also changing them periodically. System updates, patches and monitoring are also best practices. Finally, the guide focuses on restricting user access.
There are also some advanced security recommendations you should follow. Enable automatic deployment and use private keys for data transmission. Install third-party extensions outside your production server. Use IP address whitelists to restrict administrator access. Enable two-factor authentication for administrator login and delete unnecessary unsecured files from the server. Finally, use a web application firewall.
Be careful with server applications. Make sure they are all secure and updated. As per the guide, it is better to avoid running other software on the same server with Magento installation. For example, criminals can take advantage of potential WordPress blog vulnerabilities to expose private data from Magento.
The admin desktop environment is another area to control and maintain. All devices used to access Magento backend should be secure. You can meet this requirement by updating your antivirus software as well as by using a malware scanner. Besides, avoid unknown programs and questionable links, use strong passwords and password managers, and never save FTP credentials in FTP programs.
The credibility of your e-commerce site starts with its initial setup and covers a wide spectrum of improvements. Run the latest version of Magento with the latest security improvements, and install all patches if you are unable to run a full update. Create a unique, custom URL for your admin area. Carefully review and configure endpoints that may introduce security issues. Restrict external access to development, staging and test systems. Use file permissions correctly; some files should be read-only. Your Magento admin should be protected by strong and unique passwords, two-factor authentication, CAPTCHA, etc. Choose only trusted extension providers. Avoid suspicious links, emails and files. Develop a disaster recovery plan. Enable automatic server and database backups to an external location.
Common Hacking Methods
This guide would not be complete without describing the most common hostile techniques. The following information will help you better understand the security issues so you can fight criminals more effectively.
Hackers exploit vulnerabilities on all kinds of websites to install malware; there is a piece of malware for every possible weak point, website section and hostile intent. Then there are brute-force attacks. The technique is quite simple: criminals try different password combinations until they find one that works on the site they are trying to break into. Fortunately, there is an equally simple countermeasure: limit the number of failed login attempts.
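The countermeasure above, and the lockout settings mentioned in the admin security configuration earlier (Magento 2 exposes them as "Maximum Login Failures to Lockout Account" and "Lockout Time (minutes)"), work as a failed-attempt counter. The Python class below is an added example and is not Magento's implementation: it locks an account after a configurable number of failures within a time window and keeps it locked for a set period. The class and function names are hypothetical, the scenarios in demo() and demo_window() are constructed, and time is passed in explicitly so the behaviour is deterministic and testable.

```python
"""Failed-login lockout counter (added example, not Magento's own code)."""
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after max_failures failed logins within window_s
    seconds; the lock lasts lockout_s seconds from the triggering failure.
    Timestamps are passed in explicitly (seconds) so behaviour is deterministic."""

    def __init__(self, max_failures=5, window_s=600, lockout_s=1800):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # user -> recent failure timestamps
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user, now):
        """True while a lock is active; expired locks are cleared on the way."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            return False
        return True

    def record_failure(self, user, now):
        """Count a failed login; returns True if this one triggered a lockout."""
        recent = self._failures[user]
        recent.append(now)
        # Drop failures older than the window so slow guessing is not
        # accumulated forever (see demo_window for the consequence).
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_s
            recent.clear()
            return True
        return False

    def record_success(self, user):
        """A correct password resets the failure history (never an active lock)."""
        self._failures.pop(user, None)

    def attempt(self, user, password_ok, now):
        """Decide one login attempt: 'locked', 'ok' or 'failed'.
        Locked accounts are refused before the password is considered, so a
        correct guess during the lockout neither succeeds nor leaks anything."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.record_success(user)
            return "ok"
        return "locked" if self.record_failure(user, now) else "failed"


def demo():
    """Constructed scenario: five wrong passwords within a minute, a correct
    one during the lockout, and a correct one after the lock has expired."""
    throttle = LoginThrottle(max_failures=5, window_s=600, lockout_s=1800)
    results = [throttle.attempt("admin", False, now=10 * i) for i in range(5)]
    results.append(throttle.attempt("admin", True, now=60))         # still locked
    results.append(throttle.attempt("admin", True, now=60 + 1800))  # lock expired
    return results


def demo_window():
    """Constructed scenario: four failures, then a fifth after the window has
    passed. The old failures have aged out, so no lock is triggered."""
    throttle = LoginThrottle(max_failures=5, window_s=600, lockout_s=1800)
    for i in range(4):
        throttle.attempt("admin", False, now=10 * i)
    return throttle.attempt("admin", False, now=700)


if __name__ == "__main__":
    print(demo())         # ['failed', 'failed', 'failed', 'failed', 'locked', 'locked', 'ok']
    print(demo_window())  # 'failed'
```

Note in demo() that a correct password during the lockout is still refused: the throttle must not let a lucky guess through or reveal that it was right. demo_window() shows the trade-off in the window size: four failures followed by a fifth after the window has expired never trigger the lock, so a slow attacker stays under the threshold, which is why a lockout complements strong passwords and two-factor authentication rather than replacing them.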
The goal of a distributed denial of service attack is to flood a specific server with bots that send a huge number of requests it cannot handle. Such a flood crashes the website, usually within a relatively short period of time, but fixing the damage requires far more resources. Phishing is another method. The criminal contacts the target by e-mail, telephone or text message, pretending to be a legitimate institution, and then prompts the person to provide confidential data such as personal details, bank details and credit card numbers. From an e-commerce perspective, this method involves replicating a website or parts of it for the same purpose: once the customer enters their credit card details, the hacker gains immediate access to that data.
Cookie theft is the theft of browser data, which attracts digital hackers because they can use various programs to obtain passwords and other credentials needed to log in to the Magento admin. Fortunately, two-factor authentication blocks this attack on privacy and security. In DNS spoofing, attackers exploit stale cache data you may have forgotten about, together with vulnerabilities in the domain name system, to carry out DNS cache poisoning. They redirect traffic from your online store to a malicious site and program the attack so that the poisoned server affects other DNS servers, spreading the infection across the network.
SQL injection is a method in which hackers exploit vulnerabilities in SQL databases and libraries. Such weak points allow access to confidential information by tricking the system. Simply put, it means inserting code into SQL statements through web page input when the data is not properly filtered or strongly typed. Attackers use this method to manipulate existing data, spoof identities, cause denial of service or disclose private data.
Keylogger injection installs malware that records a computer user's keystrokes in order to steal passwords and other sensitive information. Criminals can use it to obtain Magento administrator credentials, which is why it is so important to have up-to-date antivirus protection on employees' computers.
Remember that most attacks are indiscriminate; they are like a natural disaster. Malefactors quickly find websites with similar weaknesses using Google hacking databases or other sources. For example, stores with a vulnerable plug-in installed often become targets. However, there are always exceptions, and some of them concern Magento, which frequently suffers from Magecart attacks.
The Magecart threat
Magecart is a syndicate of hacker groups that attacks online shopping cart systems, especially Magento, to steal customers' payment card information. The criminals compromise third-party software or infiltrate insecure processes.
The first Magecart attacks took place in 2014, when a group of criminals first monetized stolen credit card details. Since then, the Magecart victim count has grown dramatically to over 110,000 online stores. While Magento is not the group's only target, it is where the impact is greatest, because of the platform's popularity among top market players. However, small shops are also in the spotlight.
Professionals divide the Magecart environment into 6-7 groups, each with its own infrastructure, specific goals and special techniques, but all sharing the common aim of skimming credit card data and selling it on the black market. Groups 1 and 2 target a wide variety of online stores; members of both rely on automated tools to compromise and crawl Magento sites. Group 3 hunts for vulnerable websites and compromises them in bulk, and such attacks can reach an unexpectedly colossal scale. Group 4 is exceptionally advanced in its use of sophisticated hacking techniques; its code blends in with the target website, avoiding detection for as long as possible. Group 5 usually works through third-party solutions: its code snippets are installed in a vendor's product that is embedded in the target websites. Group 6 is the most selective in its targets among the Magecart factions; its members go after only the biggest companies, using a variety of tools and methods, and British Airways and Newegg are among its most prominent victims.
Vulnerable scripts and viruses allow burglars to sneak into the control panel of your Magento store. Apply the latest patches and update your software to keep unauthorized access to your website files, database or administration panel to an absolute minimum. The sooner you do this, the better your chances of keeping your online business uncompromised. Thieves quickly master and exploit new weaknesses, so it is not worth delaying.
Vulnerable plugins and templates are another source of trouble. By using free solutions or downloading commercial extensions and themes from torrent sites, you take a serious risk. In the first case, the software is usually clean but may contain many vulnerabilities that hackers can exploit; in the latter case, you may receive tools that already contain malicious scripts. Buy templates and modules only from official marketplaces or directly from trusted vendors.
Unsecured communication is just as dangerous: if you connect via FTP, criminals can easily steal your login and password, so use only secure connections. Compromised servers or hosting also expose e-commerce sites to considerable risk. Whether you are a neighbor of a contaminated site or your server has other problems, fix them as soon as possible.
Regular employees and occasional contractors compromise your security by using weak passwords, accessing the admin from infected devices, and even planting code on the site to use later. Therefore, use only strong and unique passwords, vet the people who have access to your Magento admin, and be careful whom you hire.
Running an e-commerce website is associated with risk. However, you can mitigate its impact on your business by addressing existing security concerns. Follow the tips in this guide to turn your Magento site into a safe place for shopping where buyers have nothing to worry about except making better purchasing decisions.