How secure is Magento? 
 
prodigy7
Jr. Member
 
Total Posts:  15
Joined:  2009-02-05
 

Hi guys and sorry for my ignorance, but how secure is Magento from hackers etc.? Let's face it, it is open source and everyone has access to the code, so how safe can it be? Does anyone have any idea?

 
 
Sindre|ProperHost
Mentor
 
Total Posts:  1158
Joined:  2008-04-24
 

All computer software has bugs, and one can never be 100% sure it does not have any security holes. However, I would say, Magento is likely more secure than many other open source systems, because it has a solid management and dedicated team working full time with only Magento.

Everyone can access the code, yes, but the core code you download from magentocommerce.com does not include community extensions or other contributions. Therefore you won’t have to worry about someone other than Varien (the company behind Magento) adding unsafe code to the core package.

Finally, due to the software being open source, any potential vulnerabilities will likely be discovered and fixed faster.

 
 
Nautica
Sr. Member
 
Total Posts:  140
Joined:  2008-01-03
 

Magento is very secure. After my switch from my osCommerce fork to Magento the Google ranking dropped dramatically and no one was able to find my site. So from that point of view it is secure.

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 
prodigy7 - 10 March 2009 02:10 AM

Hi guys and sorry for my ignorance, but how secure is Magento from hackers etc.? Let's face it, it is open source and everyone has access to the code, so how safe can it be? Does anyone have any idea?

What you’re saying is “How long is a piece of string?”

Your safest bet is to assume Magento, and any other piece of software for that matter, is totally insecure and you will get hacked in the next 6 months.

If you make that the ground rule of your business, you will save yourself a lot of disappointment down the line.

By taking this view you realise:

- Not having good backups is stupid
- Storing CC details is stupid
- Not getting a decent host is stupid
- Not doing updates shortly after they become available is stupid
- Not maintaining your server and not having at least basic sysadmin skills is stupid (ties in with hosting and patching above)
- Not having well thought-out T’s & C’s, Privacy Policy etc. is stupid
- Not having strong passwords is stupid
- Not having SSL pages where customer details are entered is stupid
- Not having a decent firewall for both your server and your office is stupid
- Browsing with IE and ActiveScript on is stupid
- Installing Magento and others in default folders with default admin paths is stupid
- Using one MySQL user & password combo for all your sites/scripts is stupid
- Using one password for all services you use is extremely stupid

Here’s the test you should do daily:

“If my server now gets compromised right now, what could happen and how will this affect me personally and the business I represent?”

My answer today is:

“Only customer names and addresses get stolen, no actual sensitive data that unscrupulous people couldn’t get from the telephone book or elsewhere. Their passwords are encrypted, so unless they chose bad passwords, there’s no issue here. I can roll back from a choice of confirmed-to-be-working backups going as far back as a year. With my helpful host, whom I pay $400 a month, I know I can get my machine back up in under 6 hours, any time of day, and therefore not lose too much business. With the logs I set up and the firewall I have, there’s a good chance my host or I will find the culprit. If Magento was compromised, as I split all sites by DB user/pass, they won’t have had access to the other sites on this server, most likely.”

If your answer is significantly different, it’s not Magento that is the issue here. It’s you and the way you go about your technology implementation.

 
 
theelman
Jr. Member
 
Total Posts:  29
Joined:  2008-08-26
 
fifthave - 10 March 2009 04:36 PM

Nautica - 10 March 2009 03:04 PM
Magento is very secure. After my switch from my osCommerce fork to Magento the Google ranking dropped dramatically and no one was able to find my site. So from that point of view it is secure.
That has nothing to do with security. Your old store was spidered by search engines, which created links to various pages on your store, and since the new store doesn’t have the same structure, the old links will come up with “page not found” unless you redirect them to your new store.

It’s called sarcasm. You probably haven’t heard of it.

 
 
Virtual Tiger
Jr. Member
 
Total Posts:  24
Joined:  2009-03-30
 

What does “T’s & C’s” mean?

If Magento is not installed on a server owned by oneself, one will have to trust the host that they installed a decent firewall and keep updating the server regularly.

 
 
rickDC
Jr. Member
 
Total Posts:  4
Joined:  2009-01-13
 

I’ve been running Magento for a bit now… haven’t fallen victim to a hack yet.

As for your question… how secure? I’d look at a few things…

1> How quick is the turnaround from a major bug find to a new patch or release of Magento…
Thus far it’s been quick & the bugs have been minor to moderate.
2> http://secunia.com/advisories/search/?search=magento
1 advisory, 4 vulnerabilities… but then they have the 1.x listed, so take it with a grain of salt; after all, they list 1 advisory as “advisories”.
A simple code fix, but you get the point, right? :D (this site tends to go a bit overboard)

3> http://www.securityfocus.com/

Nothing (to be alarmed of) is there.

Now that doesn’t mean it doesn’t exist, but rather nobody has found it, nor made use of it.

From my experience, most OS products are fairly decent on security (some more so than others). The key is to keep them updated. The place I see most people hacked is opting into cheap hosting. I’ve seen good software blamed for things bad hosting caused.

My 2 cents :D

 
 
fahim23may
Jr. Member
 
Total Posts:  2
Joined:  2009-05-02
 

Thanks for your information. It is really helpful.

 
 
yelenakham
Jr. Member
 
Total Posts:  1
Joined:  2009-03-26
 

We’ve been hacked two times, and we hadn’t even started putting in products or changing the design yet… and that amount of files to back up… that’s horrible. If it weren’t for my boss… I would never use this piece of shit…

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Unsubstantiated claim from a 1st poster. Take with a kilo of salt.

Without knowing all the other software you run on your server, the OS, the people who have access to it, your firewall etc. etc. there is absolutely no reason to believe your experiences were due to Magento.

 
 
Oldgamer
Sr. Member
 
Total Posts:  142
Joined:  2008-09-12
 
Nautica - 10 March 2009 03:04 PM

Magento is very secure. After my switch from my osCommerce fork to Magento the Google ranking dropped dramatically and no one was able to find my site. So from that point of view it is secure.

This one is hilarious.

Oh, btw, I just created a site and it is not in Google or any search! It must be very secure!!!!!!

 
 
itwsanta
Jr. Member
 
Total Posts:  6
Joined:  2009-04-20
 

Hello all you lovely “Sarcastocrats”, I am a noob, so much a noob that I don’t even know if the spelling I just used for ‘noob’ is correct. If not, learn me how!

Anyways, I can’t find any info in any of the forums, so I’m hoping someone here can help.

I am noticing that by default, the installation of Magento allows anyone in the world to access your site’s skin, media, etc. folders directly through HTTP (e.g. www.mysite.com/skin).

HOW do I protect my poor little folder structure from prying eyes, please someone HELP!

I am using Magento version 1.3.2.1 and use cPanel.

Thanks, Liam

 
 
Jack Chow
Jr. Member
 
Total Posts:  6
Joined:  2009-04-25
 

Anyone can see the code, which means that anyone in the community who finds a bug can submit it to the Magento team, or to this forum, or resolve it directly.

 
 
CT Schubert
Sr. Member
 
Total Posts:  197
Joined:  2008-10-08
Southern California
 
AltEnt - 01 July 2009 10:11 AM

HOW do I protect my poor little folder structure from prying eyes, please someone HELP!

.htaccess

 
 
gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 
AltEnt - 01 July 2009 10:11 AM

Hello all you lovely “Sarcastocrats”, I am a noob, so much a noob that I don’t even know if the spelling I just used for ‘noob’ is correct. If not, learn me how!

Anyways, I can’t find any info in any of the forums, so I’m hoping someone here can help.

I am noticing that by default, the installation of Magento allows anyone in the world to access your site’s skin, media, etc. folders directly through HTTP (e.g. www.mysite.com/skin).

HOW do I protect my poor little folder structure from prying eyes, please someone HELP!

I am using Magento version 1.3.2.1 and use cPanel.

Thanks, Liam

Here’s a little trick for this one: create a file “index.php” within any folder you don’t want visible. You can place a redirect within the file, or just a basic “<html><body bgcolor="#FFFFFF"></body></html>” will do the trick. But this does not offer any security for the directory.

.htaccess will work also.
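An added check for the directory-listing question above (example code, not from the thread or from Magento): it walks a docroot and reports every directory that neither an inherited Apache `Options -Indexes` nor an index file would keep from listing, and its comments spell out the gap gfxguru points at with the index.php trick. It assumes Apache honours `.htaccess` overrides; the function names and the sample layout are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Magento: audit a docroot for
# directories Apache would serve as a directory listing.
# Assumption: AllowOverride lets .htaccess "Options -Indexes" apply and be
# inherited by subdirectories. A child .htaccess that turns Indexes back on
# is not handled here.

# listing_blocked DOCROOT DIR -> 0 if a listing of DIR is blocked, 1 if not
listing_blocked() {
    docroot=$1; dir=$2; p=$dir
    while :; do
        # "Options -Indexes" anywhere on the path from DIR up to DOCROOT wins
        if [ -f "$p/.htaccess" ] &&
           grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$p/.htaccess"; then
            return 0
        fi
        if [ "$p" = "$docroot" ] || [ "$p" = "/" ] || [ "$p" = "." ]; then
            break
        fi
        p=$(dirname "$p")
    done
    # The index.php trick: an index file hides the listing, but it does
    # nothing to stop direct requests for the files inside the directory.
    [ -f "$dir/index.php" ] || [ -f "$dir/index.html" ]
}

# audit_docroot DOCROOT -> prints one line per directory that would list
audit_docroot() {
    find "$1" -type d | sort | while read -r entry; do
        listing_blocked "$1" "$entry" || printf '%s\n' "$entry"
    done
}

# Constructed sample layout: skin/ is covered by .htaccess, media/ only by
# an index.php, var/ by nothing at all.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/skin" "$root/media" "$root/var"
    : > "$root/index.php"
    printf 'Options -Indexes\n' > "$root/skin/.htaccess"
    : > "$root/media/index.php"
    audit_docroot "$root"           # reports only .../var
    rm -rf "$root"
}
demo
```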

 
 
randnew
Jr. Member
 
Total Posts:  3
Joined:  2009-07-23
 

Not very secure. We have customers seeing each other’s accounts. Magento blames links with the SID in them. We don’t really think that’s the case, but they don’t seem to want to explain how to turn off the SID in the URL to test it.

I do not recommend this product at this point!

 