I am going to buy an SSL certificate for my website. Which type of SSL offers the green address bar?
Normally, Extended Validation SSL certificates offer the green address bar and Organization Validation certificates offer the green lock.
I have a Magento store, but it got malware last week. How can I find the malware code in my Magento store and remove it?
To remove malware by yourself, you will need programming skills. It is not easy and it may take time to identify the malware code.
However, that does not mean you can do nothing. You can still use a plugin/extension to scan your site.
If you are using cPanel, log in to cPanel and go to the "Advanced" section. Then click "Virus Scanner" to scan your Magento store (you can scan Mail, Entire Home Directory, Public FTP Space, Public Web Space).
* This method is only for cPanel & WHM version 62 or above.
* This option is only available if you / your hosting provider have installed the ClamAV Scanner software in WHM's Manage Plugins interface (Home >> cPanel >> Manage Plugins).
If your Magento store is hosted on a VPS or Dedicated Server, you need to install Linux virus scanner software, e.g. "Linux Malware Detect".
Once the software is installed, just run the command
maldet -a ./
and check the results.
To keep your site secure, finding good hosting is always the easy way.
SiteGround is the best choice, which I have used for my clients over the last 3 years.
They have Magento plans which use a Magento Optimized Server, so they can make both your and your customers' experience with your Magento store really fast and enjoyable and help you increase the conversion rate.
Also, SiteGround offers a site scanning service, SG Site Scanner (powered by one of the most prominent web security experts, Sucuri.net), which scans all the pages that are linked from your website homepage (or any other page you have selected) on a daily basis.
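The answer above says identifying malware code takes programming skills and points at signature scanners such as ClamAV and Linux Malware Detect. The following is an added example (not code from the page, from cPanel, or from the maldet project) of the kind of indicator scan such tools perform: it walks a document root and flags PHP files containing well-known obfuscation and backdoor idioms. The patterns, the fake docroot layout and the three sample files are constructed here for illustration; the hypothetical helper names (`scan_tree`, `build_sample_store`) are this example's own.

```python
"""Indicator scan for PHP webshell/obfuscation idioms (added example, not maldet/ClamAV)."""
import os
import re
import tempfile

# Constructed signatures for idioms that legitimate Magento/WordPress code almost never uses.
SUSPICIOUS_PATTERNS = [
    # eval() fed by a decoder: eval(base64_decode(...)), eval(gzinflate(...)), ...
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
    # preg_replace with the /e modifier evaluates the replacement as PHP.
    re.compile(r"preg_replace\s*\(\s*['\"].*/e['\"]"),
    # Command execution driven directly by request parameters.
    re.compile(r"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    # Very long base64 literals are typical of packed payloads.
    re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}"),
]


def scan_file(path):
    """Return a list of (line_no, pattern) hits for one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for pat in SUSPICIOUS_PATTERNS:
                if pat.search(line):
                    hits.append((lineno, pat.pattern))
    return hits


def scan_tree(root, exts=(".php", ".phtml")):
    """Walk a docroot; return {posix_relative_path: hits} for every file with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_store():
    """Create a constructed fake docroot: one clean file and two infected ones."""
    root = tempfile.mkdtemp(prefix="magento_sample_")
    os.makedirs(os.path.join(root, "media", "catalog"))
    os.makedirs(os.path.join(root, "app", "code"))
    samples = {
        os.path.join("app", "code", "Clean.php"): "<?php\necho 'hello';\n",
        # A dropper hidden in a writable media directory, a common place for injected files.
        os.path.join("media", "catalog", "cache.php"): "<?php\neval(base64_decode('aGVsbG8='));\n",
        # A minimal webshell executing a request parameter.
        os.path.join("app", "code", "Shell.php"): "<?php\nsystem($_GET['cmd']);\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_store()
    for path, hits in sorted(scan_tree(sample_root).items()):
        print(path, hits)
```

Treat hits as leads, not verdicts: a regex scan misses payloads split across lines or built from string concatenation, so a real clean-up also compares the tree against a pristine Magento release, checks file modification times, and reviews cron entries and database-stored content.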
A new Magento security patch, SUPEE-7405, was released. What security issues have been solved?
Most of the changes are HTML escaping and data sanitizing regarding XSS issues.
1. Form key validation has been added to the admin login, admin forgot password, admin reset password and frontend cart delete actions.
2. A new validator to check whether an uploaded file is an image.
3. A new Import/Export section appears: System => Escape CSV Fields.
4. Events are now dispatched all lower case.
5. New event dispatched: admin_user_validate.
6. SVG is no longer a valid favicon extension.
7. New Zend class: Zend_Xml_Security. Its purpose is to scan XML strings for potential XXE and XEE attacks.
8. Files uploaded via the admin panel are now not world-readable by default.
9. Directories are also not world-executable.
10. Added data escaping for frontend templates.
Version | Issues Addressed with Patch
Magento Community / Enterprise Edition |
Additionally, the patch resolves issues identified by Magento merchants after installing previous security patches:
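Items 2, 6 and 7 of the answer above (an "is it really an image" validator, SVG no longer accepted as a favicon, and a pre-scan of XML for XXE/XEE) are illustrated below in an added example. This is not Magento's or Zend Framework's code and does not reproduce their implementation; it shows the checks in plain Python so the reasoning behind each patch item is visible. The signature table, the allowed-extension list, the function names (`is_valid_favicon`, `xml_is_safe`, `parse_xml_safely`) and the sample inputs are this example's own assumptions.

```python
"""Upload and XML hardening checks in the spirit of SUPEE-7405 (added example, not Magento code)."""
import re
import xml.etree.ElementTree as ET

# Leading bytes ("magic") of the raster image types a favicon uploader should accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x00\x00\x01\x00": "ico",
}
# SVG is deliberately absent: it is XML, so it can carry <script> and external entities.
ALLOWED_FAVICON_EXTS = {"ico", "png", "gif", "jpg", "jpeg"}


def detect_image_type(data):
    """Classify content by magic bytes; return None if it matches no known image type."""
    for sig, kind in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return None


def is_valid_favicon(filename, data):
    """Accept only an allowed extension AND content whose magic bytes agree with it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_FAVICON_EXTS:
        return False
    kind = detect_image_type(data)
    if kind is None:
        return False  # e.g. "shell.php.png" holding PHP source
    return kind == ext or {kind, ext} <= {"jpg", "jpeg"}


_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY = re.compile(rb"<!ENTITY", re.IGNORECASE)


def _normalize_for_scan(xml_bytes):
    """Re-encode UTF-16 input as UTF-8 so the byte patterns cannot be hidden by encoding."""
    for bom, enc in ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be")):
        if xml_bytes.startswith(bom):
            return xml_bytes[len(bom):].decode(enc, errors="replace").encode("utf-8")
    return xml_bytes


def xml_is_safe(xml_bytes):
    """Reject any document declaring a DOCTYPE or ENTITY: the carriers of XXE and XEE."""
    scanned = _normalize_for_scan(xml_bytes)
    return not (_DOCTYPE.search(scanned) or _ENTITY.search(scanned))


def parse_xml_safely(xml_bytes):
    """Parse only after the pre-scan passes; the parser never sees entity declarations."""
    if not xml_is_safe(xml_bytes):
        raise ValueError("XML contains DOCTYPE/ENTITY declarations; refusing to parse")
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    print(is_valid_favicon("favicon.ico", b"\x00\x00\x01\x00" + b"\x00" * 8))
    print(is_valid_favicon("favicon.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"))
    print(xml_is_safe(b"<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/passwd'>]><x>&e;</x>"))
```

Rejecting every DOCTYPE is stricter than strictly necessary, but it is the policy that needs no parser-specific knowledge: feeds and import files that a store legitimately exchanges have no business declaring entities.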
Recently, my WordPress site was attacked by XML-RPC brute force. I would like to know how to protect against this kind of attack, or whether there is any patch I can install.
Brute force attacks are one of the oldest and most common types of attacks. In fact, brute force attacks are launched against any CMS. XML-RPC is a simple, portable way to make remote procedure calls over HTTP. It can be used with Perl, Java, Python, C, C++, PHP and many other programming languages. WordPress, Drupal and most content management systems support XML-RPC. One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. So attackers could try thousands of passwords with only 3 or 4 HTTP requests.
You can use the following methods to protect your site.
1. If you have a dedicated server, you can install OSSEC.
2. If you don't need XML-RPC, you can block all access to xmlrpc.php.
3. If you can't block XML-RPC, you can block system.multicall requests only.
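The answer above describes the attack (many password guesses packed into one system.multicall request) and, as option 3, blocking system.multicall while leaving the rest of XML-RPC usable. The added example below, which is not code from the page, from WordPress or from OSSEC, uses only Python's standard xmlrpc.client to build such an attack body, count the credential pairs hidden inside it, and apply the option-3 policy to a request body, the way a WAF rule or a small pre-filter in front of xmlrpc.php would. The list of credential-taking methods, the helper names (`build_multicall_attack`, `count_auth_attempts`, `should_block`) and the sample usernames and passwords are constructed assumptions.

```python
"""XML-RPC system.multicall password-guessing: build, measure, block (added example)."""
import xmlrpc.client

# WordPress methods that take (username, password) and therefore confirm a guess.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "wp.getPosts",
                "metaWeblog.getUsersBlogs", "blogger.getUsersBlogs"}


def build_multicall_attack(username, passwords):
    """Constructed attacker request: one HTTP body carrying one login call per password."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    # system.multicall takes a single array-of-struct parameter.
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_single_call(method, *params):
    """Constructed ordinary request, e.g. what a mobile app or Jetpack would send."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def count_auth_attempts(body):
    """Return (method_name, number of credential-bearing calls) for a request body.

    Malformed bodies are reported as ("<invalid>", 0) rather than raising, so a
    filter in front of xmlrpc.php keeps running on garbage input.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # ExpatError, Fault, ResponseError: anything loads() throws
        return "<invalid>", 0
    if method != "system.multicall":
        return method, (1 if method in AUTH_METHODS else 0)
    calls = params[0] if params and isinstance(params[0], list) else []
    attempts = sum(1 for c in calls
                   if isinstance(c, dict) and c.get("methodName") in AUTH_METHODS)
    return method, attempts


def should_block(body):
    """Option 3 from the answer: drop every system.multicall request, keep other methods."""
    method, _attempts = count_auth_attempts(body)
    return method == "system.multicall"


if __name__ == "__main__":
    attack = build_multicall_attack("admin", ["pw%d" % i for i in range(1000)])
    print(len(attack), "bytes carrying", count_auth_attempts(attack)[1], "guesses")
    print("block?", should_block(attack), should_block(build_single_call("wp.getUsersBlogs", "admin", "pw")))
```

Note that a plain single-method body still costs the attacker one HTTP request per guess, which is what per-IP rate limiting (OSSEC's active response, option 1) catches; the point of option 3 is to remove the amplification, not the whole attack surface.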
A security patch, SUPEE-1533, for Magento was released on 3/Oct/2014. What has been changed, and are there any known exploits for Magento?
Magento released a new security patch, SUPEE-1533, with multiple critical security fixes. Patch SUPEE-1533 addresses two potential remote code execution exploits.
Version | Issues Addressed with Patch
Magento Community / Enterprise Edition |
What will be the major changes in the files after installation of patch SUPEE-5344 for Magento? I mean, are there any particular file permission changes or something like that?
This patch addresses a specific remote code execution (RCE) vulnerability known as the "shoplift bug", which allows hackers to obtain admin access to a store.
Version | Issues Addressed with Patch
Magento Community / Enterprise Edition |
A security patch, SUPEE-5994, for Magento was released on 14/May/2015. What has been changed, and are there any known exploits for Magento?
Magento released a new security patch, SUPEE-5994, with multiple critical security fixes. Patch SUPEE-5994 addresses a range of issues, including scenarios where attackers can gain access to customer information.
Version | Issues Addressed with Patch
Magento Community / Enterprise Edition |
A new security patch, SUPEE-6285, for Magento was released on 7/July/2015. I would like to know what has been changed and any known exploits of Magento.
The patch SUPEE-6285 addresses 8 issues with both products.
Version | Issues Addressed with Patch
Magento Community / Enterprise Edition |
There was a new security patch, SUPEE-6482, released on 04/Aug/2015. I would like to know what possible attacks could affect an unpatched shop and the worst that could happen.
The patch SUPEE-6482 addresses 4 issues with both products. Instead, the patch addresses 2 issues with Community Edition and 4 issues with Enterprise Edition.
Version | Issues Addressed with Patch
Magento Community Edition |
Magento Enterprise Edition |
Zero Day Vulnerability in FancyBox for WordPress
A serious zero-day vulnerability (a hole in software that is unknown to the vendor; the hole is exploited by attackers before the vendor becomes aware of it and hurries to fix it) has been discovered in the FancyBox for WordPress plugin. An initial fix has been released, so if you use this plugin on any of your sites, please update immediately to at least version 3.0.4 of the plugin.