How to simplify your eCommerce site security with new Magento Security Scan Tool
Magento Jun 27, 2020
Main / Blog / How to simplify your eCommerce site security with new Magento Security Scan Tool
Magento is a very popular CMS for building online stores, above 270,000 e-shops uses it worldwide as of 2018. Among the tempting benefits that brought the love of users is the cutting-edge functionality and the open-source code. This means that Magento allows you to create a powerful online store along with the ability to flexibly scale it as long as your business grows.
Because of its popularity, open-source code, and linkage to money transactions, Magento has also become an appealing target to hackers. That’s why the Magento creators started to release security patches which strive to eliminate the majority of platform vulnerabilities. But the most valuable gift was waiting for us until 2017. We mean the appearance of a new Magento Security Scan tool.
Lets talk about it
Have a project in mind?
Lets talk about itRequest a quote
In this article, we’ll go over the Magento Security Scan and show how to begin using it right away. Besides, we’ll cover the significance of regular security updates and how to apply them properly. After all, you don’t want to lose the customers’ personal data or having your site blocked by search engines because of being hacked, do you?
Is your eCommerce site secure?
Even if you have implemented various means of protection, some weak places may have been left untouched. Apparently, that’s what often happens with Magento stores security. According to getastra.com, 62% of Magento eCommerce websites possess a minimum one vulnerability problem.
Statistics of Magento stores security issues
We suggest you stop reading and start a free scan of your e-store security on Mozilla Observatory. After that, let’s review the results. It’s necessary to point out that each missing percent out of 100% means a potential chance of breaking into your site.
Scan results on Mozilla Observatory
You can achieve an approximately 50% score on this test just by keeping your Magento updated to the most recent version. Some eCommerce managers or owners can have a carefree attitude regarding this matter. This often happens because of unwillingness to expend some funds and time to install security patches for Magento 2 or 1. However, you should do it regularly unless you want to become an easy target for malicious users.
A key reason for this is that villains observe these patch releases too. Since this gives them information about the weak places fixed, they use these weaknesses to hack unpatched Magento instances. Form yourself a good habit by following the 30-day rule as stated in the PCI compliance requirements. This means it’s better to apply crucial security updates throughout 30 days of release.
If you have never faced what getting your store hacked feels like, you might not realize the necessity of patches installation. On the contrary, site owners who faced it install each update urgently. At Dinarys, in the 5 years we’ve been developing eCommerce stores, the longest term a client ignored performing security updates was 3 years. That resulted in getting hacked. In theory, there’s a chance of breaking into a site on the first day after launch but it hardly ever occurs for Magento sites. Anyway, those who don't install the latest Magento security patches for their site for more than a year put it at a high risk.
The arrival of Magento Security Scan made complying with the 30-day rule much easier. It allows to schedule automatic weekly check-ups. Now let’s get acquainted with the major advantages of a new service.
Magento Security Scan Tool: Key Benefits
In 2015, Magento shared the official handy tool for convenient scanning of your Magento e-store security. It allows you to monitor your website’s security condition and get regular updates including configuration issues, data protection hints, and patches. The good news is that Security Scan is cost-free and available for any Magento Open Source or Magento Commerce versions.
This service enables amazing opportunities including:
- A complex overview of the security condition of your e-shop in about 10 seconds;
- Data about the failed and passed tests and steps needed to rectify the first ones;
- Possibility to assign automatic Magento security patch scans that recur periodically (daily or weekly)
- More than 30 various tests to detect site vulnerabilities, useful recommendations, and configuration troubles;
- History of reports to follow up progress concerning store security.
The Magento 2 Security Scan tool offers recommendations of patches and best practices
It’s important to note that Security Scan results are private and accessible only to their owners. To begin using this tool, you just need to create an account on account.magento.com and have access to your Magento admin section. No software installation on your website is needed.
Magento plans to append the SSH scan soon which claims to be an attractive feature. It can boost your site information security because it enables scanning vulnerabilities on a server-side of your store.
However, according to Dinarys developers’ opinion, it will likely require sharing access to your site’s database with the 3rd party.
Read more: 10 Best Practices for improving site search of your eCommerce store in 2019
How to use the Magento Security Scan Tool
If you prefer a video format, please feel free to launch a video introduction to Magento Security Scan. In other cases, there’s a brief text description below.
Step 1. Confirm that a Magento Site belongs to you
At first, you should provide your e-store web address and add the confirmation code through Magento Admin. That’s pretty simple to perform by utilizing the directives shown on the right of the screenshot below.
Ownership verification of your Magento store
Step 2. Starting automatic or manual Security Scans
If you scroll down below you’ll find the scheduling section. It’s a handy feature that saves your time relieving you from the routine of conducting manual scans. Furthermore, you can receive results and service patch announcements on your email by filling the corresponding text box.
Scheduling automatic security scans
If cluttering your email with lots of scan reports is inappropriate for you, it’s possible to run a manual check-up. On the monitored websites page, click “Run Scan” in the Actions column. As soon as it is finished, downloading a report in the “Reports” column is available to you. Let us note that performing occasional scans are not enough to provide a sufficient level of your site’s protection. Only persistent Magento security patch checks and fixes result in steady positive outcomes.
Running a manual scan
Step 3. Scan outcomes analysis
The check-up results will be presented in three tables called the successful, unidentified, and failed scans. You should focus on the two latter ones and perform the recommended activities to improve your website’s security. To do it correctly and not damage your website files, it’s better to contact skilled developers.
For instance, Dinarys has extensive experience regarding eCommerce site development. Get acquainted with our portfolio here.
Among the suggested activities after scanning, there are the security patches to set up. In the next section, you’ll learn what they are and how to install them.
Failed Magento Security Scan results and recommended actions
Passed Magento Security Scan results
Unidentified Magento Security Scan results
Security patches for Magento: why needed
At first, security updates for Magento were only released as a part of version updates. Later on, in 2015, Magento developers began to place even more emphasis on the security improvements and post regular security patches for Magento 2 in addition to version updates. That didn’t lead to resolving every possible security vulnerability, nevertheless, it greatly increased information security.
By the way, the platform representatives have officially announced that they will stop supporting Magento 1 by June 2020. That means if you use this version, you won’t be able to receive security updates any longer. We recommend you consider Magento 1 to Magento 2 migration in the nearest future.
What is a security patch?
It’s a self-installing code that fixes certain software security flaws. When launched, it detects the core code and modifies it. Thus, the cybercriminals can’t utilize this vulnerability and steal data. And since patches rely on the source code, it’s better not to alter it or Magento security patch may install incorrectly.
What can happen if you don’t install patches systematically?
Installing security patches isn’t a low-priority task that can be done once in a while. Here are some of the consequences of ignoring them:
- If you get malware on your site, search engines may block it up to the time you deal with the virus. Therefore, this leads to losing a part of your income and harms your repute.
- Your internet store can become infected with ransomware. It’s a virus that blocks your access to the site unless you transfer a sum of money to villains.
- The web server of your internet shop can get jeopardized to initiate harmful activities, e.g. dispatching spam email messages.
Where to download security patches for Magento?
There are two sections where you can find official patches on Magento’s web resource. Get acquainted and read about them on the Security center. Download them on the Technical Resources web page. Notifications concerning the availability of a new patch version are delivered by email and also pop-up in Magento’s admin panel.
Magento’s security center contains thorough information on every Magento security patch. It includes the fixed vulnerability description and the related risk level. Thus, this data shows the scale of the patch which is important to install it correctly. That’s because patch installation may affect the rest of the parts of your e-store resulting in bugs and errors.
Official Magento’s site is the only place where you should download security patches. Being found elsewhere, it can be a falsified installation file made by hackers. The outcome of launching such a file brings significantly more trouble than benefits the original patch intended to bring. Here is a blog post about one of the fake patches.
Security patches are produced for different versions of Magento. Certain ones are intended for a series of versions while the rest are designed for one specific version. To find out the Magento version of your shop have a look at the footer of your admin panel. This can help you download the appropriate patch.
Magento security patch installation
Patch setup requires you to have permissions to the command line of your web server. To do it right, patch setup involves launching it on your website’s non-production version. If everything went fine, the code can be transferred to the production server. If you don’t have a non-production server then creating a backup copy of your database and files is recommended beforehand.
In some cases, the installation will be unsuccessful because the preceding security patches for Magento 2 were skipped. According to Magento’s approach to patching, you should install missing patches initially and the latest ones afterward. But where can you find the list of applied patches? The Mage Report web service can help you do that. Likewise, there is a convenient way to perform it right in Magento’s admin section. It just demands you to set up the Applied Patches plugin.
We hope you’ve realized the importance of checking security patches for Magento. The good thing is that Security Scan tool makes it easy for you by streamlining and automating this process.
As you can see, applying patches demands specialized knowledge of how to work with a command line and a web server. A better decision may be to delegate this task to the professional developers that are competent in this field.
Dinarys is a full-cycle software development company that can provide website maintenance services including modification of your app/site functionality, security, and design. Clutch, a customer reviews platform named us a top web developer in 2019.
Get a free consultation by contacting us right now.
Do you want to be the first to find out the changes in the software development or eCommerce worlds? Subscribe to our blog on LinkedIn, Facebook or Twitter.
Want to read more
Get fresh articles, news and case studies to your email firstly