October 21, 2016
If you’ve unfortunately been impacted by recent malware attacks, it’s important to know what actions you should take to quickly secure your site and protect your customers and brand. Here are recommendations to guide your response:
Clean Your Site
The first thing you need to do is remove the malicious code from your site. We suggest that you work with an experienced developer or Solution Partner to help you with the process outlined below:
Back up your site’s data and files before making any changes.
Scan your site on magereport.com to identify any missing security patches and to determine if it has been infected with known malware strains.
Install all missing patches and test store functionality in a non-production environment. Enterprise Edition patches are available in the “Security Patches” folder of My Account and Community Edition patches can be found on the Community Edition Download Page.
Install the latest version of each Magento extension you use and test them in a non-production environment.
Go to the Admin panel of your production site. Remove all unknown Admin accounts from System → Permissions → Users. Change passwords on all known Admin accounts and rename overly generic Admin usernames to a unique name (avoid using names like administrator, superuser, or root). It is a good practice to have a unique account for every user of your Admin system.
Review all SSH and FTP users, remove old or unknown users, and change active users’ passwords.
Verify the malware is no longer present by scanning your site with magereport.com.
Make sure to secure your Admin panel by changing its front name and verifying that your site’s ‘app/etc/local.xml’ file and ‘var’ directory are not publicly accessible in a web browser.
Review and apply methods to Protect Your Magento Installation From Password Guessing.
Review and apply Magento Security Best Practices.
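As an added example (not part of the original Magento post), the following Python script automates the public-exposure check from the steps above: it requests each sensitive path under a store URL you supply and flags any that the web server still serves with a success status. The base URL, the extra paths beyond ‘app/etc/local.xml’ and ‘var’, and the default ‘admin/’ front name probe are assumptions.

```python
"""Post-cleanup exposure check for a Magento 1 store (added example)."""
import sys
import urllib.error
import urllib.request

# Paths that must NOT be publicly readable once the site is cleaned.
# app/etc/local.xml holds DB credentials and the encryption key; var/
# holds logs, sessions and cache. "admin/" is the default Admin front
# name: a 2xx here means it has not been renamed (assumed probe).
SENSITIVE_PATHS = {
    "app/etc/local.xml": "config file with DB credentials and crypt key",
    "var/": "directory listing of logs, sessions and cache",
    "var/log/system.log": "application log (assumed path)",
    "admin/": "default Admin front name still in use",
}


def fetch_status(base_url, path, timeout=10):
    """Return the HTTP status for base_url/path, or None on a network error."""
    url = base_url.rstrip("/") + "/" + path
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 403/404 etc. are answers, not errors
    except urllib.error.URLError:
        return None


def classify(status):
    """Pure decision logic: any 2xx on a sensitive path means it is exposed."""
    if status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "EXPOSED"
    if status in (401, 403, 404):
        return "blocked"
    return "review"              # redirects etc.: inspect the destination by hand


def check_site(base_url, statuses=None):
    """Return {path: verdict}. Pass `statuses` to evaluate recorded results offline."""
    results = {}
    for path in SENSITIVE_PATHS:
        status = statuses.get(path) if statuses is not None else fetch_status(base_url, path)
        results[path] = classify(status)
    return results


if __name__ == "__main__":
    for path, verdict in check_site(sys.argv[1]).items():
        print(f"{verdict:11} {path:22} {SENSITIVE_PATHS[path]}")
```

Run it as `python exposure_check.py https://your-store.example`; any line marked EXPOSED needs a web server rule (or a move of the file outside the document root) before the store goes back into production.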
Remove Google Warnings
If your site has been flagged by Google as containing malicious code, you can request a review once your site has been cleaned. Reviews for sites infected with malware take a few days and once Google determines your site is clean, warnings from search results and browsers should be removed within 72 hours. Information on how to request a review is available at https://developers.google.com/webmasters/hacked/docs/request_review.
What if there’s more than just the Malware?
Stay Prepared After Cleanup
Protecting yourself and your customers is an ongoing process. The Magento Security Center offers guidance and support; take time to review the articles and sign up to receive security updates at https://magento.com/security/sign-up. Following the best practices outlined in the Security Center will help you prepare for potential future threats.
Should I Have a Data Breach Plan?
Yes. A data breach plan is a preparedness document that you or your staff can use to execute a plan of action in the event of a data breach. Having a plan in place can make compromise situations easier and faster to handle. Community members recommend reviewing this open source Magento Data Breach Plan as a starting point. Adopt one of your own and make sure key people in your organization have access to it.
Magento would like to thank the following companies and contributors for helping to create this document: