Reference https://sucuri.net/website-security/hacked-reports/2016-q2-hacked-website-report

In a report published by website security specialist Sucuri, Magento Community is globally the third most hacked software platform, behind the other popular open source alternatives WordPress and Joomla.

Whilst Magento makes ongoing efforts to secure its software against such threats, the report found that 96% of hacked eCommerce stores were out of date at the point of compromise. Vulnerabilities can also arise at the server level, or via add-on extensions and integrations.


What is at Risk?

  • Credit Card Information
  • Customer personal Information, email addresses and contact details
  • Site Warnings and Blacklisting caused by Malware Detection – the example below shows how Google presents a website where malware has been detected: the ultimate conversion rate killer.
  • Site Outages due to Magento errors – if a hacked website is not resolved it can continually trigger the Magento error pages, or report that the site is offline for maintenance

Prevention is better than a cure

There are 7 key ingredients to protect your Magento website from being vulnerable to attack:

  1. Keep up with Magento Security Patches – these are critical fixes issued by Magento for detected software vulnerabilities. At Online Visions we offer affordable Magento maintenance package options.
  2. Maintain your Magento Version – as outlined above, 97% of hacked Magento sites were shown to be out of date; by keeping Magento regularly maintained you avoid vulnerabilities in the platform.
  3. Maintain Extensions – where possible minimise the number of extensions used in your store, purchase them from reputable suppliers listed on Magento Marketplace and keep the versions up to date.
  4. Use a PCI compliant Payment Gateway. Secure iframe options let you avoid having credit card information entered directly on your website, without redirecting the customer to a separate payment page.
  5. Use a Web Application Firewall (WAF) – this provides a layer between incoming traffic and your website and can also assist with improved site performance.
  6. Use a specialist Magento hosting provider that offers 24/7 support – many sites are at risk via self-managed servers or low quality hosting providers. Our hosting partner Nexcess offers affordable Magento hosting options.
  7. Switch to full HTTPS – by serving all pages on your website via an https connection you improve site security and look better in the eyes of Google. This change should be undertaken carefully though, as Google treats an https site and an http site as separate websites, meaning that if your migration is not handled according to best practice you risk losing SEO rankings and traffic. At Online Visions we can assist you with a safe switch to https.

Other basic security tips:

  • Always use secure passwords
  • Protect your Magento administration by restricting access by IP address or using Two-Factor Authentication
  • Do not disclose access information including FTP to third-parties and extension developers
  • Always secure FTP connections by IP address

How do I know if my Magento site is hacked?

Online Visions is a trusted Magento Solutions partner and our team has over 8 years' experience in Magento. In partnership with Sucuri we perform a Magento Security Audit to detect problems with your Magento install. You can learn more here.

You can check for vulnerabilities freely via the online tool Magereport.com (this detects whether your website is missing critical Magento security fixes). However, even if your site passes all the tests there, it does not necessarily mean your website is not hacked.

Some web hosting providers run malware detection upon request but do not continue to monitor the website for threats.

Check your Magento site's header scripts for any unknown code; this is a common place for a compromise to show (removing that code does not fix the underlying vulnerability in the installation, though).
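As an added example (not part of the original post), the following script scans the "Miscellaneous Scripts" header value that Magento stores in core_config_data under the path design/head/includes, and flags external scripts from hosts not on an allow-list as well as inline scripts showing common obfuscation patterns. The allow-list, the pattern list and the sample value are constructed for illustration and should be adjusted to your own store.

```python
"""Flag unexpected <script> tags in a Magento "Miscellaneous Scripts" header value (path
design/head/includes in core_config_data). Added example, not the post's own code;
the allow-list and SAMPLE_HEAD_INCLUDES below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the store legitimately loads scripts from (constructed; adjust per site).
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
# Constructs typical of obfuscated injected code, rare in a hand-written tag snippet.
SUSPICIOUS = re.compile(
    r"eval\(|String\.fromCharCode|atob\(|unescape\(|document\.write\(|(\\x[0-9a-f]{2}){6,}",
    re.IGNORECASE)

class _ScriptCollector(HTMLParser):
    """Collect [src, inline body] for every <script> tag in the value."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src"), ""])
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_head_includes(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (reason, detail) findings; an empty list means nothing was flagged."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:  # external script: anything not on the allow-list is unexpected here
            host = urlparse(src).hostname or ""
            if host not in allowed_hosts:
                findings.append(("external script from unlisted host", host or src))
        elif (hit := SUSPICIOUS.search(body)):  # inline script: look for obfuscation
            findings.append(("inline script with obfuscation pattern", hit.group(0)))
    return findings

# Constructed sample: a legitimate tag-manager snippet followed by two injected tags.
SAMPLE_HEAD_INCLUDES = (
    '<script src="https://www.googletagmanager.com/gtag/js?id=GA-PLACEHOLDER"></script>'
    '<script>window.dataLayer = window.dataLayer || [];</script>'
    '<script src="//cdn.unknown-host.test/stats.js"></script>'
    '<script>eval(String.fromCharCode(118,97,114));</script>')
```

Pull the live value with `SELECT value FROM core_config_data WHERE path = 'design/head/includes';` and pass it to `scan_head_includes()`; the same check applies to footer and any other "Miscellaneous HTML" fields your store uses.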


My Magento site is hacked, what do I do?

Immediate removal of the vulnerability is required to prevent further damage. Our Magento Development team can assist with this. You can immediately protect credit card information by switching to a secure iframe solution (as mentioned above) – this prevents customer card details from being exposed to any further threat.

For a permanent resolution you need to look at software maintenance and/or an upgrade. If your website is quite old, we suggest taking the immediate actions mentioned above and then looking at transitioning to Magento 2.