Magento security patches: Why and how to install them

Magento offers state-of-the-art features together with the flexibility of open-source software. Alongside the many advantages of an open-source platform comes one serious drawback: security threats and vulnerabilities. To protect online stores from attacks and make the Magento system much more secure, new patches are released regularly, and installing Magento security patches promptly is essential to keeping your data safe.

What are security patches in Magento 2?


A security patch is a change to the code that repairs a specific vulnerability. The fix is delivered as a self-installing patch script, which locates the place in the code where the fix belongs, applies the update there automatically, and saves the result. Remember that security patches depend on the core code files being intact: if you have altered core code, there is a chance the patches will fail to install.

Why do you need Magento security patches?

The main reason is security. Without a security patch installed, your website is open to exploits that let attackers gain access to the admin panel and, in effect, take over your e-store. These are the 4 most common consequences of a Magento store being hacked:

  • Customers' credit card information can be stolen: certain Magento integrations and modules, especially payment ones, are from time to time found to be attacked and abused by fraudsters. A recent case involved the PayPal Payflow Pro integration, which was attacked and used to steal debit and credit card numbers.
  • Ransomware can be installed on your website: ransomware is malicious software that encrypts your code and denies you access to it until you pay for its release.
  • Website servers can be compromised by hackers and used for illegal activities, in particular for sending spam emails.
  • Malware can be installed on your website and spread further to your customers. As a result, your website gets blocked by search engines until security is restored, which means lost profit and damage to your reputation. In severe cases, you will end up losing critical customer data.

Check out the list of the most critical Magento security patches released over the last year: https://magento.com/security

How to install security patches in Magento?


Because server access and hosting environments vary, there is no universal method to install Magento security patches. There are 3 ways to install them, and you can use whichever suits your access and convenience.

1. Install a Magento patch via GitHub

  • Create a directory for patches: go to the working directory of the website and create a patches directory for storing Magento patches.
  • Copy Magento 2 patches to the created directory: use SSH, an FTP client, or another suitable tool for this step.
  • Create a patch file: run the following command: git diff > ./patches/patchForModule.patch

2. Install Magento security patches manually

  • To install a Magento patch with Composer, use the git apply or patch commands.
  • Connect through SSH and run one of the following commands from the root directory of the website:
git apply patches/patchForModule.patch
or
patch -p1 < patches/patchForModule.patch

3. Install Magento security patches via Composer

  • Add a new module with Composer to apply the patches.

For this step, run the following command:

composer require cweagans/composer-patches ~1.0

The fix for the issue (GitHub issue 21734 in this example) is taken from the upstream commits that resolved it.

  • Create two new patch files in the patches directory, one per upstream commit:

GitHub-issue-21734-magento-ui.diff, from
https://github.com/magento/magento2/commit/6bb24ef4cccf52d56ee5c8ef43c9365509075d8a.diff

GitHub-issue-21734-magento-catalog.diff, from
https://github.com/magento/magento2/commit/0add8b722cb1591a3a2b8fe74e20d492431f5b18.diff

  • Change the paths in the patches so they are relative to the root directory of the extension (the Composer package), otherwise the update will not apply correctly.

Before

diff --git a/app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js b/app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js

After

diff --git a/view/base/web/js/lib/validation/rules.js b/view/base/web/js/lib/validation/rules.js

For GitHub-issue-21734-magento-ui.diff you will have

  • Change the composer.json file.

Add a patches block to the extra directive. The patch paths must match the file names in the patches directory exactly, including case, because Linux filesystems are case-sensitive.

"extra": {
    "magento-force": "override",
    "patches": {
        "magento/module-ui": {
            "Patch for issue 21734": "patches/github-issue-21734-magento-ui.diff"
        },
        "magento/module-catalog": {
            "Patch for issue 21734": "patches/github-issue-21734-magento-catalog.diff"
        }
    }
}
  • Apply the patches and update composer.lock:

Run the following commands:

composer -v install
composer update --lock
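The two error-prone steps of the Composer method are rewriting the upstream paths and registering the files in composer.json. The script below, an added example that is not part of the original article or of the composer-patches project, does both on a constructed sample diff: it strips the app/code/Magento/Ui/ prefix from the diff headers only (hunk bodies must stay untouched or the patch no longer applies), lists the files the patch will touch so you can confirm nothing still points into app/code/, and adds the extra.patches entry in the format shown above.

```python
import json

# Constructed sample: header of an upstream Magento diff whose paths point at
# app/code/Magento/Ui/, as in the "Before" line above. The hunk body is made up.
UPSTREAM_DIFF = (
    "diff --git a/app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js"
    " b/app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js\n"
    "--- a/app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js\n"
    "+++ b/app/code/Magento/Ui/view/base/web/js/lib/validation/rules.js\n"
    "@@ -1,2 +1,2 @@\n"
    "-        return value.length > 0;\n"
    "+        return value.trim().length > 0;\n"
    "         // context line\n"
)

HEADER_PREFIXES = ("diff --git ", "--- a/", "+++ b/")


def rewrite_patch_paths(diff_text, module_prefix):
    """Strip the monolithic-repo prefix (e.g. app/code/Magento/Ui/) from the a/
    and b/ paths so the patch applies at the Composer package root
    (vendor/magento/module-ui). Only header lines are rewritten; hunk bodies
    stay byte-for-byte intact, otherwise the patch would fail to apply."""
    prefix = module_prefix.strip("/") + "/"
    lines = []
    for line in diff_text.splitlines(keepends=True):
        if line.startswith(HEADER_PREFIXES):
            line = line.replace("a/" + prefix, "a/").replace("b/" + prefix, "b/")
        lines.append(line)
    return "".join(lines)


def patched_files(diff_text):
    """Files the patch touches, relative to the package root. Check this list
    before running composer install: nothing should still start with app/code/."""
    files = []
    for line in diff_text.splitlines():
        if line.startswith("diff --git a/"):
            files.append(line.split(" b/", 1)[0][len("diff --git a/"):])
    return files


def add_composer_patch(composer_json, package, description, patch_path):
    """Register one patch under extra.patches in composer.json (the
    cweagans/composer-patches layout shown above) and return the new JSON text."""
    data = json.loads(composer_json)
    extra = data.setdefault("extra", {})
    extra.setdefault("magento-force", "override")
    extra.setdefault("patches", {}).setdefault(package, {})[description] = patch_path
    return json.dumps(data, indent=4)
```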

What else can you do to keep your store secure?

There are some other easy security measures that help keep your website safe:

  • The best way is to carry out a security audit at least every quarter to make sure the store code is secure, especially after you install new modules or make changes to the website.
  • Reset your admin, SSH, and other passwords at least once a quarter, and always after you finish working with anyone with whom you have shared access details to your e-store.

Need Magento Support?

Still having trouble installing Magento security patches? Contact us if you are new to patch installation or want to avoid this exhausting task. We not only offer an affordable Magento website development service for all sizes and budgets but also make sure it helps your online business grow and sustain itself.
