What should you do if your Magento site got hacked
Magento is a rock-solid and secure platform, right? Right. Does that make it completely safe from hacks? Unfortunately, no.
Even with some of the best security features available, Magento websites often get hacked. This article will explain what makes a Magento store vulnerable and what you should do if your site has been attacked.
But before we get down to action, there’s one important thing you should understand.
Is it always Magento?
Magento stores are often hacked not because of inadequate Magento security measures as such, but because of insufficient security measures across your entire environment. In other words, it’s not always Magento that is to blame.
If any part of your server or system opens a window for a hacker, Magento becomes vulnerable too. That is why it’s important to monitor and update not only Magento but the entire server stack, i.e. LAMP (Linux, Apache, MySQL, PHP) or LEMP (Linux, NGINX, MySQL, PHP).
We’ll come back to Magento security measures at the end of the article. For now, on to the question at hand.
My Magento store got hacked. What should I do?
Step 1. Make sure that the hack is there
When a hacker compromises your store, he acquires the privileges of the system or component he broke into. For example, if he gets in through NGINX he will only have the rights of the www-data user, which is not a privileged account. A savvy hacker will always try to keep a foothold in your system by any means. He will search for further local vulnerabilities to explore what data he can access and how he can escalate his privileges.
His final goal is root on your server. Once he has root, there’s a risk that you won’t be able to detect all the changes he may have made to your system, even though they will still affect how it behaves. With root, a hacker can hide his traces so thoroughly that you may not even be able to get him out.
To find out how far the hacker got, you need a proper and thorough analysis of all the changes and activity in your environment. This takes time, and time is something you cannot afford to waste.
Therefore, you need to quickly establish whether your Magento store has been hacked and take measures to limit the damage.
Signs of a Magento hack:
- Blacklist warnings.
- Clients’ complaints about suspicious credit card activity.
- Aberrant behavior of any Magento page.
- Spam keywords appearing on your site.
- Malicious activity reported by your hosting provider.
- Unknown changes in files or folders.
- Modifications in the Magento core.
- Unknown sessions and admin users.
- Unusual load on the server.
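As an added example, not code from the original article: a Python script that checks the two file-based signs above, unknown changes in files or folders and modifications in the Magento core, by hashing every file in a known-clean export (for instance the tree checked out from your git repository) and comparing it with the live document root. The directory contents, file paths and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, live):
    """Return the files added, removed or modified relative to the clean baseline."""
    baseline_paths, live_paths = set(baseline), set(live)
    return {
        "added": sorted(live_paths - baseline_paths),
        "removed": sorted(baseline_paths - live_paths),
        "modified": sorted(p for p in baseline_paths & live_paths
                           if baseline[p] != live[p]),
    }


def _write_tree(root, files):
    """Materialise a {relative path: content} mapping under root (test helper)."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Constructed example: a clean export beside a tampered live copy."""
    clean = {
        "index.php": "<?php require 'app/Mage.php'; Mage::run();\n",
        "app/code/core/Mage/Core/Model/App.php": "<?php class Mage_Core_Model_App {}\n",
        "media/catalog/product/logo.png": "PNG-bytes-placeholder\n",
    }
    tampered = dict(clean)
    # Constructed indicators: a core file edited in place and a PHP file
    # dropped into the image upload directory.
    tampered["app/code/core/Mage/Core/Model/App.php"] += "// injected\n"
    tampered["media/catalog/product/cache.php"] = "<?php // unexpected file\n"
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as live_dir:
        _write_tree(clean_dir, clean)
        _write_tree(live_dir, tampered)
        return compare_manifests(build_manifest(clean_dir), build_manifest(live_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Point build_manifest at the clean export and at the live document root instead of the temporary directories. Anything listed under "added" inside an upload directory such as media/, or under "modified" inside app/code/core, deserves a close look before you decide on downtime; take the baseline from the repository, never from the server you suspect.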
Step 2. Decide - To downtime or not to downtime
Once you notice anything from the above list in your Magento store, don’t hesitate to contact a trusted Magento development company or system administrator. He’ll quickly analyze your store and tell you what is going on.
From there you’ll have to make an important decision – whether to take your store into downtime or not.
Downtime is the period during which your store is unavailable. You disconnect your server from the network and your store stops all activity. Your customers won’t be able to place orders or make payments. Neither will a hacker be able to keep remote control over your store and cause more damage.
If your store processes hundreds of orders per hour and several hours of downtime would mean significant lost profit, then you can try to fix everything while the store stays live.
But if you can afford several hours of downtime, we recommend disconnecting your server from the network.
Step 3. Set up a clean Magento installation
So, you have your server disabled.
Now you need to set up Magento on a new server using the most recent clean version.
This is the safest way to ensure your store won’t suffer the same attack again, and the quickest way to put your business back online without losing profit.
We recommend installing Magento not from a backup but from the version stored in your git repository.
Why use the Magento version from the git repository?
When you develop a Magento store you use a local server. Your frontend and backend are not accessible to anybody except your team – developers, testers, admin, etc. The final version of your store is committed to the git repository, and from there it is deployed to the live site.
This means that the latest version stored in the git repository is 99.99% clean. Even if it contains the same vulnerability, you can still be confident that no third party has tampered with it, and you’ll have time to find and eliminate that vulnerability once your store is back up. If you install Magento from a backup, however, there’s a risk that the hacker’s malicious software is already in it.
Step 4. Install all necessary software and patches
Once you have a new server with a clean Magento installation, make sure that all software updates and Magento security patches are installed.
A patch is a package of modified core files that fixes a vulnerability or security issue detected in Magento.
There’s a great tool – MageReport.com – which lets you quickly check whether all the necessary patches have been installed and what common security issues your store has.
Step 5. Configure the latest database
When you have a clean Magento setup, restore the latest version of your client’s database from the backup. This database contains all the latest transactions and the recent orders placed at your store. With it, you can resume your business from the moment you switched off your server.
Another important point.
If your Magento store got hacked you need to inform your customers about it, regardless of what client information you store. But in practice hardly any store owner is enthusiastic about the idea of losing his clients’ trust, to say the least.
If you process payments in your Magento store via secure payment gateways, a hacker won’t be able to access your clients’ credit card details. All popular payment gateways like PayPal or Amazon Payments offer advanced encryption. However, if you store any client payment data in your own database, informing your customers about the hack and asking them to watch their credit card transactions closely is a must.
Step 6. Analyze and monitor
You’ve configured the database and put your store back online. You can accept payments and be confident that the hacker has been locked out of your system.
Now you have time to analyze what led to a successful hacker attack and eliminate all the vulnerabilities.
The most typical Magento vulnerabilities
- Weak passwords in the Admin area or FTP (e.g. “admin”, “company_name”, “11111”, etc.)
- Open server vulnerability in an image upload directory
- Outdated CMS version or Magento installation
- Buggy plugins or extensions
- Insecure web host
If the hack causes unusual behavior in your Magento store, you’ll notice it quickly.
However, not every attack leads to an obvious change in Magento’s behavior. Your store can keep functioning as usual and you may think everything is OK even when a hack has already taken place. Therefore, you need to observe the behavior of your new server: track new or unknown logins, look for unknown activity in the logs, and watch for any activity resembling the one that led to the hack.
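The monitoring described above, as an added example that is not part of the original article: a Python script that parses web-server access-log lines in the common “combined” format, flags source addresses that repeatedly POST to the admin login path (the brute-force pattern the article warns about for /admin) or reach the admin panel from outside a known allow list, and compares the admin accounts found in Magento’s admin_user table with the owner’s known roster. The log lines, IP addresses, threshold, account names and function names are all constructed for illustration.

```python
import re
from collections import Counter

# Pattern for the nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not from any real store): 203.0.113.7 keeps
# posting to the admin login form, 192.0.2.10 is the store owner's office
# address, 198.51.100.4 is an ordinary shopper browsing the catalog.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2017:10:00:01 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:10:00:02 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:10:00:02 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:10:00:03 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:10:00:04 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2017:10:05:00 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2017:10:05:09 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2017:10:06:00 +0000] "GET /catalog/product/view/id/42/ HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def admin_login_bursts(records, admin_path="/admin/", threshold=5):
    """Source IPs that POST to the admin login path at least `threshold` times."""
    counts = Counter(r["ip"] for r in records
                     if r["method"] == "POST" and r["path"].startswith(admin_path))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def admin_access_from_unknown_ips(records, allowed_ips, admin_path="/admin/"):
    """Addresses outside the allow list that touched the admin panel at all."""
    return sorted({r["ip"] for r in records
                   if r["path"].startswith(admin_path) and r["ip"] not in allowed_ips})


def unexpected_admin_users(current_users, expected_users):
    """Accounts present in the admin_user table but not on the owner's roster."""
    return sorted(set(current_users) - set(expected_users))


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    print(admin_login_bursts(recs))                              # {'203.0.113.7': 5}
    print(admin_access_from_unknown_ips(recs, {"192.0.2.10"}))  # ['203.0.113.7']
    # Constructed result of `SELECT username FROM admin_user` beside the known roster.
    print(unexpected_admin_users(["owner", "shopmanager", "sys_backup"],
                                 ["owner", "shopmanager"]))     # ['sys_backup']
```

Feed parse_access_log the contents of the real access log and unexpected_admin_users the output of SELECT username FROM admin_user. Treat the threshold as a starting point to tune against how often your own staff log in, and read a hit on the brute-force check as a reason to review the admin action log and who was signed in at that time, not as proof of a breach by itself.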
How to secure Magento store from future hacks
- Make sure none of the installed software components have vulnerabilities; keep them updated using a reliable OS like RedHat, Debian or Ubuntu.
- Secure Magento – check that all security patches are in place and install the missing ones.
- Change the path to the admin panel. By default, the path to the admin panel in Magento is /admin, which is not fully secure as it can be brute-forced.
- Change all passwords, including email and your clients’ passwords.
- Install an intrusion detection system like Snort.
- Set up server monitoring.
- Choose extensions only from a reliable Magento extension provider.
Ensuring the security of an e-commerce store is a broad topic with lots of nuances. The simplest yet most important thing you can do is to install updates and patches regularly. Timely updates and regular monitoring are the most efficient way to close typical vulnerabilities in your environment and protect your store from hacker attacks.