Is your Magento .git repository exposed and vulnerable?
Git is a version control system used on a great many sites, including Magento commerce sites. According to the official Git website, Git is a “free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.” Google, Facebook, Microsoft, LinkedIn, Netflix, Android and Twitter all use Git.
At Customer Paradigm, our team uses it religiously to make sure that nobody overwrites anyone else’s changes. It also shows us when someone else (a client, a third-party developer) is making changes on a site.
We’ve even used Git to track down Magento site hacks, because git status lists every file that has been added or modified since the last commit.
But if you don’t set Git up on your server properly, anyone on the outside can read the contents of your /.git/ directory. That directory is your entire repository: every version of every file you have committed, the full history, and the repository config. An attacker who can reach it can download a complete copy of your site’s code and search it at leisure for custom payment or checkout code, admin URLs, and configuration files such as app/etc/local.xml with database credentials, if those were ever committed. Any of that makes a site hack far easier.
Is your site vulnerable? Simply put /.git/ right after your domain name. For example, if you wanted to see the Customer Paradigm .git directory, you’d try to visit this link: http://aws.customerparadigm.com/.git/ (We have a special surprise for curious people.)
If after testing your site you get a 404 error, a 403 error or a “Forbidden” message, the directory listing is blocked, but that alone does not prove the files are. Many servers turn directory listings off (so /.git/ returns 403) while still serving every individual file underneath it, and an attacker does not need the listing: the layout of a .git directory is standard, so the files can be requested by name. Also try /.git/HEAD and /.git/config; if either one downloads, your repository is exposed.
But if your site is vulnerable, you’ll see a directory listing of the .git folder, with entries such as HEAD, config, index, objects and refs.
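The check above, as a script you can run against your own site. This is an added example written for this post, not Customer Paradigm’s code. Rather than looking for a directory listing at /.git/, it requests two files every git repository contains, /.git/HEAD and /.git/config, and insists that the response body actually looks like git metadata: a server can hide the listing and still hand out the files, and a Magento front controller can answer unknown URLs with a 200 HTML page, so neither the listing nor the status code on its own is reliable. The hostname on the command line is an assumption; nothing is contacted unless you run it.

```python
"""Check a site for an exposed .git directory.

Added example for this post, not the original author's code. Requests
/.git/HEAD and /.git/config and checks that the body really is git
metadata, because a 403 on /.git/ only hides the listing and a 200 from
a Magento front controller may just be an HTML page.
"""
import re
import sys
import urllib.error
import urllib.request

# A real HEAD is either "ref: refs/heads/<branch>" or a bare 40-hex commit id.
HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$")
# A real config opens with the [core] section.
CONFIG_RE = re.compile(rb"^\s*\[core\]", re.MULTILINE)

PATHS = ("/.git/HEAD", "/.git/config")


def classify(path, status, body):
    """Return 'exposed', 'blocked' or 'unknown' for one fetched path."""
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "unknown"
    # A 200 only counts if the body is git data, not an HTML error page.
    if path.endswith("/HEAD") and HEAD_RE.match(body):
        return "exposed"
    if path.endswith("/config") and CONFIG_RE.search(body):
        return "exposed"
    return "unknown"


def summarize(results):
    """Collapse the per-path verdicts into one verdict for the site."""
    verdicts = set(results.values())
    if "exposed" in verdicts:
        return "exposed"
    if verdicts == {"blocked"}:
        return "blocked"
    return "unknown"


def fetch(base_url, path):
    """GET base_url + path; return (status, first 4 KiB of the body)."""
    req = urllib.request.Request(base_url + path,
                                 headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


def check_site(base_url):
    """Fetch and classify each path; returns {path: verdict}."""
    return {p: classify(p, *fetch(base_url, p)) for p in PATHS}


if __name__ == "__main__":
    # Usage: python git_exposure_check.py https://www.your-domain-name.com
    # (the default host below is a placeholder, not a real target)
    site = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "https://www.example.com"
    results = check_site(site)
    for p, verdict in results.items():
        print(f"{site}{p}: {verdict}")
    print("overall:", summarize(results))
```

Run it only against sites you own or are authorised to test. An “unknown” verdict usually means the server answered with something other than a 403/404 or git data (a redirect to a login page, a custom error page served with status 200); look at the response by hand before deciding the site is safe.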
How to secure your /.git/ directory in Magento:
There are several methods for securing the /.git/ directory for your Magento site, but if your site runs on Apache the easiest way is to use .htaccess:
1. Create a text file called .htaccess and put the following content into it:
Order allow,deny
Deny from all
2. Upload this file into your /.git/ folder (use SFTP rather than plain FTP, which sends your password across the network in the clear), so that it is located here: /.git/.htaccess
Really important technical notes: DO NOT put this .htaccess file into your main web directory. If you overwrite your existing .htaccess file, you will not only break your site, but probably not allow anyone on the Web to view your site, either. A few more things to know: the Order/Deny directives above are Apache 2.2 syntax. On Apache 2.4 the equivalent is Require all denied, and the old form only works there if mod_access_compat is loaded (without it, the server answers every request under /.git/ with a 500 error). .htaccess files only take effect if the server’s AllowOverride setting permits them, and nginx ignores them entirely, so a Magento site on nginx needs a rule in the server configuration instead. Finally, git does not track anything inside .git, so a fresh clone or a redeploy will not bring this file along; a rule in the virtual host configuration covers every .git directory on the server and does not disappear.
3. Test this in your browser, by going to www.Your-Domain-Name.com/.git/ and then to www.Your-Domain-Name.com/.git/HEAD. Both should now return a 403 “Forbidden” error.
(If you see a directory listing, or the HEAD file downloads, you’ve done it wrong.)
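The same block written so it works on either Apache version, plus a server-level rule that covers every .git directory under the web root. This is an added example for this post, not the original author’s configuration; the paths are illustrative and the directives are standard Apache ones.

```apache
# Added example, not from the original post. Contents of /.git/.htaccess:
# Apache 2.2 uses Order/Deny, Apache 2.4 replaced them with Require, and
# on 2.4 the old directives fail with a 500 unless mod_access_compat is
# loaded, so each form is guarded by the module that provides it.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

# Preferred: block it once in the virtual host (httpd.conf or the
# sites-enabled file), where it survives a fresh clone or a wiped .git.
# DirectoryMatch takes a regex against the filesystem path, so this
# covers a .git directory at any depth. (Apache 2.4 syntax; on 2.2 use
# Order allow,deny / Deny from all inside the block instead.)
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>

# Optional: answer 404 rather than 403, so the response does not confirm
# that a repository exists at all. Requires mod_alias.
RedirectMatch 404 /\.git
```

After reloading Apache, repeat the browser test from step 3: /.git/, /.git/HEAD and /.git/config should all be refused. The virtual host rule also needs no AllowOverride, which is why it is the better place for it. nginx does not read .htaccess at all; the equivalent there is a location block in the server config that denies any path containing /.git.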
Need help securing your /.git/ directory for your Magento site? Call Customer Paradigm at 303.473.4400 or visit here to have a real person contact you now >>