In addition to building Magento sites for eCommerce merchants, we also help fix sites that have been hacked or attacked and can help you apply security patches and updates to stay secure. Most of the time hackers are able to get in through a security vulnerability on your site – specifically, if you have not applied one or more of the latest security patches.
This week, Magento has released a new security patch – SUPEE-10415. This patch contains multiple security changes to the system, including the ability to prevent cross-site scripting (where malicious code from another site could harmfully interact with your eCommerce system). It also prevents an attack from remote admin users from being able to execute code on a site (and stealing credit card data in the process).
The process of running a security patch on a site is fairly easy to do. It’s just a few commands that you run via SSH on your site. But the problem is that running a security patch on a live site can break things, and prevent pages from loading and people from being able to check out.
If you have a site that doesn’t process many orders, and you don’t care if it breaks, then run the patch on the live site, and then fix what happens after that over the next couple of days.
If you have a site that you can’t afford to go down, and you don’t want to lose orders and customers, then I’d recommend implementing a process before you run a patch like SUPEE-10415. I’ve outlined a more rigorous, methodical process below.
So why don’t more people keep their sites up to date?
The truth is that when a security patch is applied to a site, the security patch “fixes” security holes, but can also cause sub-systems to stop working properly.
Let’s say you have an extension running on your eCommerce site that synchronizes your inventory levels with a third-party warehouse system. To keep your site’s inventory levels up to date, that extension may be updating the database, or interacting with the system in a way that the latest security patch breaks.
This is the reason why a lot of companies don’t regularly patch their sites – they are worried that the patches will break things. And the truth is, patches can break things, unfortunately, especially if the site was coded with core file changes, etc.
What’s the danger of not patching?
One of the best things about an open source software system like Magento is that you can look under the covers and see what the system is doing.
Unlike a closed-source system, where the code cannot be examined (and which relies on the secrecy of the code base for protection), an open-source system lets you find out what’s happening in the inner workings of a site.
When a security patch is released, one of the first things that hackers will do is try to reverse engineer the security patch. By looking at the patch, and what changes it makes to a site, a hacker is able to figure out the specific attack vector that can be used to inject malware into a site, or skim credit card information during the checkout process.
Security patches work if you apply them. The Equifax data breach this past summer? That was caused by a server administrator not applying a security patch to a server.
Best practices for running SUPEE-10415 patch on your Magento site:
The best practice is to create a copy of the live site in a test area, including the database and media files. Once your test site is up and running, ensure that the site works properly. Place a test order, create an account, add items to the cart and remove them. Process orders in the admin. Make sure that transactional emails are working properly, etc.
I’d recommend running a Magento Security Scan on your test site (as well as the live site) to help identify other patches or security issues that you may want to address at this time as well.
We’re happy to run the Magento Security scan for you at no charge.
Once you have a baseline that your test site works, run the SUPEE-10415 security patch on the test version of the site using SSH, and then re-test all of the various functionality on your test site. You may wish to put your test site into maintenance mode, so that you can replicate your process when you push the site live.
Please note that your test site may not be an exact copy of your live site. Your server configuration may be slightly different, you may not have SSL enabled on your test site, or some extensions may not be set up properly. You may also have hard-coded links or images on your site, too, and this is something that might be difficult to test.
If everything looks good on your test site, then you can run the patch on the live site.
Key tips when patching your Magento site:
- Be sure to have a recent backup of your store, in case something goes wrong and you need to revert (check out our guide on M2 backups).
- Don’t run patches or updates at 4:30 pm – when everyone is running out the door at 5:00 pm
- Run patches early in the morning when you have a full team available to help
- Run your patches earlier in the week so that you have a few days to work out any bugs that may occur – we don’t recommend running patches on a Friday unless you want your team to work over the weekend!
- If you are running patches on a live site, make sure your site is in maintenance mode
- Test, test, and test again – test everything you can on your site after making changes, including placing live orders with real credit cards, processing an order from the admin, etc.
- Have a hard stop time for when you’ll revert – if critical issues arise with the site after the patch has been applied. For example, you may want to give yourself three hours for the patch installation and troubleshooting, and if there are critical site issues, you’ll revert after that.
- Not feeling confident when applying patches? Work with a Certified Magento Development company.
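The test-then-live process above and the tips in this list (backup first, maintenance mode, test after patching, a hard stop for reverting) can be tied together in one script. The following is an added example written for this post, not a script from Customer Paradigm or Magento. It assumes a Magento 1 layout (a `maintenance.flag` file in the web root, `app/etc/applied.patches.list` maintained by the patch script), that the official patch script is run from the Magento root and accepts `-R` to revert, that database credentials are supplied in `DB_HOST`/`DB_USER`/`DB_PASS`/`DB_NAME`, and that the URLs passed to the smoke test are your own storefront pages. The patch filename is a placeholder; use the file Magento issued for your edition and version.

```shell
#!/bin/sh
# Guarded SUPEE-10415 rollout helpers for a Magento 1 install.
# Worked example for this post; not Customer Paradigm's or Magento's tooling.
# Assumptions: maintenance.flag in the web root, app/etc/applied.patches.list,
# the official patch script run from the root, and "-R" to revert it.
set -eu

PATCH_ID="SUPEE-10415"
PATCH_FILE="${PATCH_FILE:-PATCH_SUPEE-10415_PLACEHOLDER.sh}"   # placeholder filename
HARD_STOP_SECONDS="${HARD_STOP_SECONDS:-10800}"                # 3 hours, as in the tips

# Maintenance mode: Magento 1 serves its maintenance page while this file exists.
maintenance_on()  { touch "$1/maintenance.flag"; }
maintenance_off() { rm -f "$1/maintenance.flag"; }
in_maintenance()  { [ -f "$1/maintenance.flag" ]; }

# Coarse "already applied?" check against the list the patch script maintains.
patch_applied() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] && grep -q -- "$2" "$list"
}

# Code backup: tar the Magento root (cache and sessions excluded); prints the archive path.
backup_code() {
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$2/magento-code-$stamp.tar.gz"
    mkdir -p "$2"
    tar -czf "$archive" --exclude='var/cache' --exclude='var/session' -C "$1" .
    printf '%s\n' "$archive"
}

# Database backup with mysqldump; credentials come from the environment (assumed).
backup_db() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mysqldump --single-transaction -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" \
        | gzip > "$1/magento-db-$stamp.sql.gz"
}

# Hard stop: true once more than LIMIT seconds have passed since START (epoch seconds).
past_hard_stop() { [ $(( $(date +%s) - $1 )) -gt "$2" ]; }

# Post-patch smoke test: every URL must answer 200; anything else fails the rollout.
# Run it after the flag is removed, because the store answers 503 while in maintenance.
smoke_test() {
    for url in "$@"; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url" || true)
        [ "$code" = "200" ] || { echo "FAIL $code $url" >&2; return 1; }
    done
}

# The rollout: backups, maintenance on, apply, maintenance off, smoke test,
# and revert (back under maintenance) if the test fails or the hard stop has passed.
rollout() {
    root="$1"; backups="$2"; shift 2
    start=$(date +%s)
    backup_code "$root" "$backups" >/dev/null
    backup_db "$backups"
    if patch_applied "$root" "$PATCH_ID"; then
        echo "$PATCH_ID already listed in applied.patches.list; nothing to do" >&2
        return 0
    fi
    maintenance_on "$root"
    ( cd "$root" && sh "$PATCH_FILE" )
    maintenance_off "$root"
    if smoke_test "$@" && ! past_hard_stop "$start" "$HARD_STOP_SECONDS"; then
        echo "$PATCH_ID applied and smoke test passed" >&2
    else
        echo "reverting $PATCH_ID" >&2
        maintenance_on "$root"
        ( cd "$root" && sh "$PATCH_FILE" -R )
        maintenance_off "$root"
    fi
}

# Usage: MAGE_ROOT=/var/www/magento sh rollout.sh run https://shop.example/ https://shop.example/checkout/cart/
if [ "${1:-}" = "run" ]; then
    shift
    rollout "${MAGE_ROOT:?set MAGE_ROOT}" "${BACKUP_DIR:-/var/backups/magento}" "$@"
fi
```

Run it against the test copy first, exactly as the post recommends, then against the live site; the same script on both is what makes the test run a true rehearsal. The smoke test only proves that pages load, so the manual checks in the list (a live order with a real card, processing it in the admin, transactional emails) still follow before you declare the patch done.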
Keep your site secure with the SUPEE-10415 Patch, before your site is targeted by hackers looking for unpatched, vulnerable sites to attack. However – remember to always test out the patch first on a test site, and have a clear strategy for reverting if the patch breaks your site.
Need help securing your Magento store? Have Customer Paradigm patch your Magento site with the SUPEE-10415 patch: Call 303.473.4400 or fill out our simple contact form to connect with a member of our strategy team today – we’re here to help.
About Jeff Finkelstein
Jeff Finkelstein is the founder of Boulder, Colorado based Customer Paradigm, an interactive marketing firm that helps clients achieve their goals through Search Engine Optimization, eCommerce, Web Design and various other marketing strategies. An expert on Internet Privacy and Web Marketing, Jeff evangelizes the customer experience and helps businesses design sequenced interactions that lead to loyal, delighted customers.