Managing Magento Security Updates


We’ve mentioned before that keeping your ecommerce environment secure is a lot of work. Today we’re sharing some specific recommendations for managing Magento security updates.

  • Keep an eye on vendor communications. Magento typically sends notices of any security updates or serious breaches, so watch your email; if you’re not signed up for these notices, do so here. Updates and notices also appear in the admin panel.
  • If you’re a Tenzing customer, you can also look out for notices in the CSC. For example, we posted the following earlier this year:

“Please be informed that a security update to Magento has been released. Tenzing recommends reviewing the patch notes and applying the updates as soon as possible to help protect your Magento environment. To download the patch, go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – January 2016.”

  • As the above message suggests, your best bet is to get patches from within the app or through the Magento portal. For higher-profile patches you may find external links, but be wary: these can be fakes set up to further compromise your site. It’s been reported that attackers are targeting Magento users by pretending to offer a patch for the Shoplift bug that instead appends JavaScript to application files, allowing them to skim payment information from order forms. In some cases, the attackers include the names of core Magento team members to make their code look more legitimate.
  • Magento makes it fairly easy to check whether your site has been patched. For the above-mentioned Shoplift bug, you can check whether the patch has been applied here.
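A complementary check you can run yourself, as an added example that is not part of the original post: Magento 1 records every official patch it applies in app/etc/applied.patches.list, and this script reads that file and reports which required patch ids are absent or have since been reverted. The record layout it parses (timestamp, patch id, edition, and a REVERTED marker on a later line when a patch is backed out) is an assumption about the file’s format; the patch ids in the sample listing are constructed placeholders, and you would pass the real ids from the patch notes instead.

```python
"""Check a Magento 1 app/etc/applied.patches.list for required patches."""
import re
import sys

# Assumed record format: each applied patch writes one header line
#   <timestamp> UTC | <PATCH-ID> | <edition_version> | v1 | <hash or REVERTED> | ...
# followed by "patching file ..." detail lines. A later header for the
# same id containing REVERTED means the patch was backed out again.
HEADER_RE = re.compile(r"^\s*[\d-]+ [\d:]+ UTC \| (?P<id>[A-Z]+-\d+) \|")


def patch_states(listing):
    """Return {patch_id: bool}; True means the patch is currently applied."""
    states = {}
    for line in listing.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # detail lines ("patching file ...") and blanks
        # Later records win, so a revert after an apply leaves False.
        states[m.group("id")] = "REVERTED" not in line
    return states


def missing_patches(listing, required):
    """Required patch ids that were never applied or have been reverted."""
    states = patch_states(listing)
    return [p for p in required if not states.get(p, False)]


# Constructed sample listing with placeholder ids (not a real file).
SAMPLE = """2015-05-14 14:07:37 UTC | SUPEE-0001 | CE_1.9.1.0 | v1 | 1f2e3d4c | SUPEE-0001_CE_1.9.1.0_v1.patch

patching file app/code/core/Mage/Admin/Model/Observer.php
patching file app/code/core/Mage/Core/Controller/Request/Http.php

2015-07-07 09:00:00 UTC | SUPEE-0002 | CE_1.9.1.0 | v1 | 5a6b7c8d | SUPEE-0002_CE_1.9.1.0_v1.patch

2015-07-07 09:30:00 UTC | SUPEE-0002 | CE_1.9.1.0 | v1 | REVERTED | 5a6b7c8d
"""

if __name__ == "__main__":
    # Usage: python check_patches.py app/etc/applied.patches.list SUPEE-XXXX ...
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE
    required = sys.argv[2:] or ["SUPEE-0001", "SUPEE-0002"]
    gaps = missing_patches(text, required)
    print("missing or reverted:", ", ".join(gaps) if gaps else "none")
```

Run it against the real file with the patch ids from the Magento patch notes; a patch that shows as missing or reverted should be re-applied from the official download.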

Although I’m sure you’ve heard it before, it bears repeating that the security of your Magento store is paramount to your success. Any breach can have serious consequences for your business, from payment vendor penalties to loss of customer trust.

Beyond responding to specific bugs, it’s worthwhile to research industry and platform best practices for security.

Aisling McCaffrey

Demand Marketing Specialist at Thinkwrap
Aisling is our Demand Marketing Specialist at Thinkwrap, and loves working with both technology and humans. She studied International Business (concentrating in Marketing) and has spent several years living and working in China, mostly in Shanghai, where she became passionate about global innovation and how the use of social media changes in different cultures. Aisling likes to keep up on internet trends - from business to memes - and is always looking for new ways to learn or entertain herself.