How do you know when your Magento site is vulnerable?
Previously, I’ve discussed the need for keeping your website up-to-date with a website maintenance package to prevent breaches as hackers find new and innovative ways to challenge security systems. The more outdated your website, the greater the odds of potential threats to your system. I’m sure, by now, you’ve done what you can to address those issues. It may be you consulted me or it may be you looked for other options. Whatever the path you chose, you’re on the right track to keeping you, your customers and your website safe.
Don’t make the mistake of getting too comfortable though, as I’m finding there are always new warnings and issues that pop up within the industry as you should always take a pro-active approach to keeping your site secure. Why wait for a threat to become an actual problem? If you left your car on the driveway for 6 months, do you think it would still run smoothly? The odds are it wouldn’t. You should give your website the same consideration as leaving it untouched for just 6 months could well be the equivalent to leaving your front door unlocked. It may be that many people pass by and don’t realise, but it just takes one to give that handle a jiggle…
Magento recently flagged up a problem with software that some Magento customers have been experiencing. Byte.nl reported that Magmi Data Import Tool and Nginx can cause security problems, if they are not configured correctly, and may allow outsiders to access sensitive data held on a customer’s website such as passwords, directories, and files. If you are using either Magmi or an Nginx server, you will need to check that the configuration provides adequate protection and Mage Report offers a resource to check for vulnerabilities on your site: http://magereport.com
Don’t forget that a compromised site isn’t always obvious. You won’t receive a notification from the Powers That Be to inform you that some sneaky little ninja has infiltrated your inner sanctum and are now slipping your valuable assets into a concealed pocket or planting discreet ‘traps’ to exploit the visitors to your site. A hacker’s motivation(s) aren’t always known, but what is important is that they found a way in. Let that sit there for a moment. They found a way in. Do you feel that shot of adrenaline? What would that mean to you if someone gained access to your data? I certainly don’t want it to be you!
It’s always best (and more cost effective) to keep updating as you go along rather than doing a mass-update and amending any potential errors when problems have already appeared. One client had come to me after leaving their Magento 1.4 site untouched and it became so difficult to run without it failing on them. I was asked to bring it up-to-date which meant spending a significant amount of time installing everything up to Magento 1.9.2, costing the client quite a bit of money! Now they have new payment gateways, are PCI compliant, and their workflow is much more efficient. I know for a fact that they feel much happier about it all.
If you do have any concerns, you should check in with a developer. Feel free to send me a message or call me on 01782 954282 for further advice and I’ll be happy to have an informal chat about your options.
Written by Steve Perry