Website security is no joke. Every time security methods progress and evolve, so do the methods for hacking and the potential vulnerability to them – it can seem like a losing battle. Strong website security comes from a lifetime of making the right decisions, careful review, and constant vigilance.

Even if you’ve made all the right moves in the past, one wrong move in the present can unknowingly open you up to hacks in the future. We’ve seen some of this with Magento sites in recent months. Whatever platform you’re using, hacks and vulnerabilities are still your concern; we just happen to work extensively with Magento, so that’s the platform we’re focusing on. If your store runs on Magento, pay attention. Consider this your survival guide to site security.

There are numerous different hacks to be aware of, each with its own signature. We’ve seen at least 4 in recent months. In some of those cases the attackers got in because Magento security patches had not been applied in a timely manner, which left an easy vulnerability. A more common cause, and one that has affected others, is a Magmi importer that was not properly secured. However, it’s important to remember that how a hack gets into your site varies and can be difficult to identify. What caused the hack on another site may not be the cause of a hack on yours.

Potential Consequences

The consequences of a hack vary a lot and depend on the site. Common vulnerabilities are outdated WordPress (WP) versions and WP plugins; those hacks tend to be focused on blog and SEO spam. For a Magento site or other ecommerce site, the attacks tend to go directly for confidential information: emails, passwords, addresses, credit card info, etc. Basically, if you have an ecommerce site and it gets hacked, more often than not the hacker’s goal is to obtain confidential, valuable information.

Superficially, hacks like these can cause a site to slow down or produce sporadic errors. More seriously, your loyal customers are having personal information (that they entrusted to you) stolen and potentially abused. This can cause you to lose customers, earn a negative reputation, receive tons of chargebacks, create problems with your payment processing company (to the point of it closing your account), and even face a lawsuit.

Signs You’ve Been Hacked

1. You may find a piece of malicious code in the course of site maintenance; this indicates a potential hack or vulnerability.

2. If you intentionally look for hacks or modified files, watch for any of the following (these are the identifiers of some of the hacks we’ve seen):

    • Modified file: app/code/core/Mage/Customer/controllers/AccountController.php (lines added to loginPostAction to scrape login data)
    • Modified file: app/code/core/Mage/Checkout/controllers/OnePageController.php (lines added to savePaymentAction to scrape payment data)
    • Modified file: app/code/core/Mage/Paygate/Model/Authorizenet.php (lines added to _buildRequest to scrape payment data)
    • Modified file: app/code/core/Mage/Core/functions.php (encoded lines added to the end to scrape all form data)
    • Rogue shell file in skin folders: skin/frontend/frontend.php, or skin/frontend/base/info.php, or skin/install/mage_db.php, or other such. ‘skin’ should not contain any executable PHP files.
    • Rogue SQL tables, like ‘salesrule_customer_item’
    • Rogue files in var/export/ named ‘export_mage_*.csv’ or such

3. If you notice an increase in customer complaints, don’t brush it off. Investigate thoroughly to identify whether the cause is a vulnerability, a current hack, or, more simply and preferably, a customer service issue.

4. If you’ve noticed a sudden, sharp decrease in site speed and/or increase in errors, a hack might be at fault.

Whether you’ve noticed some of these signs or none of them but are still wary and want to be certain, you can compare your entire website to a clean copy of Magento to identify any differences or modified files.
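An added audit script (not from the original post) that applies the clean-copy comparison described here and checks for the file-based indicators in the list above: files that differ from or are absent in a clean Magento extraction, PHP files under skin/, and export_mage_*.csv dumps in var/export. It assumes a POSIX shell with find, cksum and mktemp; the site and clean paths, the excluded runtime directories and the planted fixture are constructed assumptions, and the rogue-table indicator has to be checked in the database separately.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Magento docroot against a
# clean extraction of the same Magento release. Paths and the exclusion list
# (var/, media/, app/etc/local.xml legitimately differ) are assumptions.

# List files that differ from, or are absent in, the clean copy.
magento_diff_files() {
    site="$1"; clean="$2"
    ( cd "$site" && find . -type f \
        ! -path './var/*' ! -path './media/*' ! -path './app/etc/local.xml' ) |
    while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            printf 'ADDED     %s\n' "${rel#./}"
        elif [ "$(cksum "$site/$rel" | cut -d' ' -f1)" != \
               "$(cksum "$clean/$rel" | cut -d' ' -f1)" ]; then
            printf 'MODIFIED  %s\n' "${rel#./}"
        fi
    done
}

# Executable PHP under skin/ (there should be none) and export_mage_*.csv dumps.
# The rogue SQL table indicator lives in the database and is checked separately.
magento_rogue_files() {
    site="$1"
    [ -d "$site/skin" ] && find "$site/skin" -type f -name '*.php' | sed "s|^$site/||"
    [ -d "$site/var/export" ] && find "$site/var/export" -type f -name 'export_mage_*.csv' | sed "s|^$site/||"
    return 0
}

# Constructed fixture, not a real site: identical clean/site trees, then three
# indicators planted in the site tree. Returns the temp directory holding both.
magento_demo_fixture() {
    base=$(mktemp -d)
    for t in clean site; do
        mkdir -p "$base/$t/app/code/core/Mage/Customer/controllers" \
                 "$base/$t/skin/frontend" "$base/$t/var/export"
        printf '<?php class AccountController {}\n' \
            > "$base/$t/app/code/core/Mage/Customer/controllers/AccountController.php"
        printf '.block{}\n' > "$base/$t/skin/frontend/styles.css"
    done
    printf '<?php class AccountController { /* planted: extra lines in loginPostAction */ }\n' \
        > "$base/site/app/code/core/Mage/Customer/controllers/AccountController.php"
    printf '<?php /* planted shell stub */\n' > "$base/site/skin/frontend/frontend.php"
    printf 'email,password\n' > "$base/site/var/export/export_mage_1.csv"
    echo "$base"
}

base=$(magento_demo_fixture)
magento_diff_files "$base/site" "$base/clean"
magento_rogue_files "$base/site"
```

On a real server, point the two functions at the live docroot and at a freshly extracted copy of the same Magento version and review every ADDED and MODIFIED line by hand; hits under skin/ or in var/export are worth investigating immediately.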

How To Protect Yourself

Perhaps the most important follow-up question is: what can you do to protect yourself? Aside from Magento-specific security measures, you can:

    • make sure everything is up to date
    • create and maintain good security policies
    • invest in good, PCI-compliant managed hosting
    • check for obvious hacks (like the list in the previous section)
    • don’t use Magmi on production (or, if you must, make sure it’s out of the way and totally locked down)
    • if something comes up, don’t assume it’s nothing – take a deep look at the entire website & environment
    • keep things locked down
    • review any changes being made to the site
    • conduct regular reviews to catch anything out of place or potentially malicious
    • consider a service like Sucuri for scanning and protection
    • if there’s any concern, don’t be afraid to contact a professional

Security is a big deal, and you need to make it a priority to protect your customers and yourself. It’s true that one slip-up in otherwise pristine security practices, or a combination of little oversights over time, can lead to your site’s security being compromised; however, if you’re conscious of it and take the necessary steps to remain vigilant, you’ll set yourself up not only to promote a strong, secure environment on your site, but also to be better prepared should your security be compromised.