Remediating Your Site After a Malware Attack

October 21, 2016

If you’ve unfortunately been impacted by recent malware attacks, it’s important to know what actions you should take to quickly secure your site and protect your customers and brand. Here are recommendations to guide your response:

Clean Your Site

The first thing you need to do is remove the malicious code from your site. We suggest that you work with an experienced developer or Solution Partner to help you with the process outlined below:

  • Back up your site’s data and files before making any changes.

  • Scan your site on magereport.com to identify any missing security patches and to determine if it has been infected with known malware strains.

  • Install all missing patches and test store functionality in a non-production environment. Enterprise Edition patches are available in the “Security Patches” folder of My Account, and Community Edition patches can be found on the Community Edition Download Page.

  • Install the latest version of each Magento extension you use and test them in a non-production environment.

  • Go to the Admin panel of your production site. Remove all unknown Admin accounts from System → Permissions → Users. Change passwords on all known Admin accounts and rename overly generic Admin usernames to a unique name (avoid names like administrator, superuser, or root). It is good practice to have a separate, unique account for every user of your Admin system.

  • Review all SSH and FTP users, remove old or unknown users, and change active users’ passwords.

  • Remove all unknown JavaScript code from System → Configuration → Design → HTML Head → Miscellaneous Scripts. Check every configuration scope, including each ‘website’ and ‘store view’ scope, since an override at a lower scope is not visible at the default scope. Only keep code that you recognize (e.g., tracking snippets).

  • Remove all JavaScript code from System → Configuration → Design → Footer → Miscellaneous HTML. Only put back code that you recognize (e.g., tracking snippets).

  • Verify the malware is no longer present by scanning your site with magereport.com.

  • Make sure to secure your Admin panel by changing its front name, and verify that your site’s ‘app/etc/local.xml’ file and ‘var’ directory are not publicly accessible from a web browser.

  • Review and apply methods to Protect Your Magento Installation From Password Guessing.

  • Review and apply Magento Security Best Practices.
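One way to carry out the two “Miscellaneous Scripts” / “Miscellaneous HTML” review steps across every scope at once, as an added example that is not part of the original advisory: read the rows for those two settings out of the core_config_data table and flag any value whose normalised hash is not on your allowlist of snippets you recognise. The config paths design/head/includes and design/footer/absolute_footer are assumed to be the Magento 1 paths behind those Admin settings; the sample rows are constructed.

```python
"""Audit Magento 1 'Miscellaneous Scripts' / 'Miscellaneous HTML' values across all
configuration scopes and report anything not on an allowlist of recognised snippets.
Pull real rows with:
  SELECT scope, scope_id, path, value FROM core_config_data
   WHERE path IN ('design/head/includes', 'design/footer/absolute_footer');
"""
import hashlib

# Assumed Magento 1 config paths behind System > Configuration > Design.
AUDITED_PATHS = {
    "design/head/includes": "HTML Head > Miscellaneous Scripts",
    "design/footer/absolute_footer": "Footer > Miscellaneous HTML",
}


def fingerprint(value: str) -> str:
    # Collapse whitespace so a re-indented copy of a known snippet still matches.
    return hashlib.sha256(" ".join(value.split()).encode()).hexdigest()


def audit_misc_scripts(rows, known_snippets):
    """rows: (scope, scope_id, path, value) tuples as read from core_config_data.
    known_snippets: snippet strings you recognise (e.g. your own tracking tag).
    Returns one finding per audited, non-empty row whose value is not recognised."""
    allow = {fingerprint(s) for s in known_snippets}
    findings = []
    for scope, scope_id, path, value in rows:
        if path not in AUDITED_PATHS or not (value or "").strip():
            continue
        if fingerprint(value) in allow:
            continue
        findings.append({"scope": scope, "scope_id": scope_id, "path": path,
                         "setting": AUDITED_PATHS[path],
                         "preview": value.strip()[:60]})
    return findings


# Constructed sample rows (not real data): the default scope carries only the
# recognised tag, while a 'stores' scope override adds an unexpected script block.
KNOWN = ['<script src="/js/analytics.js"></script>']
SAMPLE_ROWS = [
    ("default", 0, "design/head/includes", KNOWN[0]),
    ("stores", 2, "design/head/includes", KNOWN[0] + "\n<script>/* unknown */</script>"),
    ("websites", 1, "design/footer/absolute_footer", ""),
    ("default", 0, "web/unsecure/base_url", "http://example.com/"),
]

if __name__ == "__main__":
    for f in audit_misc_scripts(SAMPLE_ROWS, KNOWN):
        print(f"{f['scope']}:{f['scope_id']} {f['setting']}: {f['preview']!r}")
```

Every row the script reports still needs a human decision; the allowlist only removes the snippets you have already verified from the review.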

Remove Google Warnings

If your site has been flagged by Google as containing malicious code, you can request a review once your site has been cleaned. Reviews for sites infected with malware take a few days, and once Google determines your site is clean, warnings in search results and browsers should be removed within 72 hours. Information on how to request a review is available at https://developers.google.com/webmasters/hacked/docs/request_review.

What if there’s more than just the Malware?

Note that the instructions above should help with the most typical malware infections. However, in some cases JavaScript malware may be a symptom that your file system has been compromised by malicious code, which means the JavaScript malware can resurface in the future. When dealing with advanced attacks like this, your best option is to work with an experienced developer or Solution Partner to fully repair your site and review your security practices. Working with a professional is key in this situation because deeper steps will have to be taken to ensure the safety of your business and your customers.

Stay Prepared After Cleanup

Protecting yourself and your customers is an ongoing process. The Magento Security Center offers guidance and support; take time to review the articles and sign up to receive security updates at https://magento.com/security/sign-up. Following the best practices outlined in the Security Center will help you prepare for potential future threats.

Should I Have a Data Breach Plan?

Yes. A data breach plan is a preparedness document that you or your staff can use to execute a plan of action in the event of a data breach. Having a plan in place can make compromise situations easier and faster to handle. Community members recommend reviewing this open source Magento Data Breach Plan as a starting point. Adopt one of your own and make sure key people in your organization have access to it.

Magento would like to thank the following companies and contributors for helping to create this document:

  • Joel Hart from www.mediotype.com, a company specializing in helping Magento clients be more secure.

  • Talesh Seeparsan from www.seeparsan.net, an independent Magento security professional.