Magento is one of our favorite E-commerce platforms, and many store owners around the world agree. No open source E-commerce solution is as scalable, robust, and feature-rich. However, with these advantages comes increased complexity, and its ever-increasing popularity attracts unsavory sorts who seek to exploit any vulnerabilities that may be present in the very large (well over 10,000 files for the base package!) codebase.
The Magento development team is constantly hard at work looking for ways to improve the security of Magento. Occasionally they will determine that a security hole is present, and will subsequently release a patch that addresses the issue. The patch release typically coincides with a new version of Magento with these code changes incorporated into the framework. As a store owner, you will likely have some questions.
How do I learn about Magento patches?
The most common way store owners learn about patches is through the automated alerts on their Magento store dashboard. There will be a warning about a critical security update along with a link that describes the issue in detail. However, that message may be buried amidst other dashboard messages, such as cache warnings, index warnings, extension upgrade notices, etc. Some store owners may go so far as to disable these notifications. The best way to receive notifications is to go to Magento’s own security portal and sign up for their mailing list.
What exactly is a “patch”?
A patch is essentially a script that modifies (and potentially adds new) Magento core files. Patches can update dozens of files at once.
Can I install a Magento patch myself?
Unlike WordPress, Magento updates are far more complex than a simple click of a button. These patches have to be run from a Linux command shell, and should only be attempted by those with the appropriate access and knowledge. Patch installation also provides a good opportunity to assess the overall health of the Magento ecosystem that houses your store.
This seems like a lot of work. Do I really need to install Magento patches?
Absolutely! Once Magento releases a patch, the vulnerability addressed by the patch is essentially broadcast to the entire world, and hackers immediately take advantage of that fact.
How do I determine what patches I need on my store?
A great resource is MageReport. It will scan your store and determine what patches need to be installed, along with any other notable security issues. However, this convenience comes at a price: any hacker in the world can also easily determine what security holes you may have and exploit them. It certainly emphasizes the importance of installing patches as quickly as possible.
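Rather than depending solely on an external scanner, you can also check the store's own local record of applied patches. The following shell script is an added example, not code from the original post; it assumes that Magento 1's SUPEE patch scripts append one line per applied patch to app/etc/applied.patches.list with the patch identifier on that line, and it uses a constructed sample file with placeholder identifiers (SUPEE-XXXX1 etc.) in place of real patch numbers.

```shell
#!/bin/sh
# Added example (not from the original post): report which of a required set of
# Magento 1 patches are recorded in the store's local applied-patches list.
# Assumption: each SUPEE patch script appends a line containing the patch
# identifier to app/etc/applied.patches.list.

# patch_applied LISTFILE PATCHNAME -> exit 0 if the identifier appears in the list.
patch_applied() {
  [ -f "$1" ] && grep -qwF -- "$2" "$1"
}

# missing_patches LISTFILE PATCH... -> prints identifiers not found, one per line.
missing_patches() {
  list="$1"; shift
  for p in "$@"; do
    patch_applied "$list" "$p" || printf '%s\n' "$p"
  done
}

# Constructed sample list with placeholder identifiers (layout is illustrative,
# not a guarantee of the real file's exact column format).
write_sample_list() {
  cat > "$1" <<'EOF'
2015-01-01 00:00:00 UTC | SUPEE-XXXX1 | CE_1.9.1.0 | v1 | applied
2015-02-01 00:00:00 UTC | SUPEE-XXXX2 | CE_1.9.1.0 | v1 | applied
EOF
}

# Stand-alone demo against the constructed sample rather than a live store.
main() {
  sample=$(mktemp)
  write_sample_list "$sample"
  echo "Missing patches:"
  missing_patches "$sample" SUPEE-XXXX1 SUPEE-XXXX2 SUPEE-XXXX3
  rm -f "$sample"
}
main
```

On a real store, run missing_patches against app/etc/applied.patches.list with the identifiers from Magento's security notices; a patch that is listed as applied should still be verified against the file contents it changes, since a later core upgrade or a reverted patch can leave the list out of date.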
The best protection against hackers is to be proactive, and that involves keeping close tabs on Magento patches as well as regularly maintaining your Magento store.