Yesterday evening Magento sent out a notification regarding the potential risk of being affected by the Guruincsite Malware. Like other Magento solutions providers we are receiving many queries from our clients to assist them in determining if they are affected, or vulnerable.
What follows is a simple process to follow to identify/remedy many of the vulnerabilities:
Check your site for vulnerabilities using:www.magereport.com
- Cacheleak vulnerability? The solution depends on your web server, but if you are using the Apache web server you can resolve by creating an .htaccess file in the magento/var directory with the following contents
Deny from all”
- Outdated Magento version? Make sure all security patches have been applied
- Security patch XXXX If Any security patches are either not installed or unknown make sure to check the applied.patches.list file in your install. You can use this very handy resource to apply the appropriate patches. Magento Version to Patch Spreadsheet
- Unprotected Magmi? Follow instructions here:wiki.magmi.org
- Unprotected Development Files? 1.9.2.x versions contain the magento/dev directory which should not be released to production.
- Admin or Downloader unprotected? Make sure you have a valid .htaccess file located in your downloader directory, and make sure you have modified your admin url. The admin url can be easily modified by updating your standard local.xml file. Just find and replace admin with a more secure path and share with your team.
- Unmaintained Server? If you are using a reputable hosting provider this should not be a problem.
- Unprotected Version Control? Again like above. If this does not check out, then you should contact your hosting provider or switch to a reputable hosting provider such as Nexcess.
The process above is not complete, and depends on your hosting environment. As always consult with your host/Magento Solutions Provider to assist in resolving any of the above issues.
Contact Us if you are looking for ongoing support of your Magento site.