Here’s a post-hack action plan to help you work through a hacked Magento store and mitigate damages.
Step 1: Quarantine your website
Your first step after a security breach should be quarantining your website, especially if you process payments in Magento. Restricting access to the website will help you protect site visitors and give you time to figure out how to tackle the compromise.
We also recommend informing your hosting provider of the security breach. Most hosting providers have internal security teams equipped to deal with such situations. They can help you with the preliminary steps of investigating the source of the breach and identifying whether it may be related to your hosting setup.
Step 2: Confirm the hack
If you are not certain that your website has been hacked, you can run a few simple checks to look for additional signs of a Magento hack. Log in to your Google Search Console account and navigate to the “Security” tab to check for any malware flags for your website.
Alternatively, you can use other tools such as Sucuri, MageReport, and the official Magento Security Scan tool to identify other signs of compromise.
Step 3: Assess the damage
Once you’ve confirmed the breach, you should assess the extent of the damage. This step will help you devise a plan to fix your Magento hacked website. It’s also an excellent opportunity to create an incident report that might prove useful down the road.
Document every piece of evidence you can find and include information such as when you first suspected that your website was compromised, what actions you had taken before then, and what measures you’ve taken since. This information will prove invaluable toward finding and fixing the breach.
Step 4: Check file system user permissions
Misconfigured file system permissions can allow malicious actors to upload files to your server remotely. Therefore, we recommend checking your existing file system permissions as soon as you identify that your Magento store has been hacked.
You should ensure all directories and code files are read-only and assign ownership of all files and directories to a separate user (the Magento file system owner). You can reference Adobe’s instructions to set file system permissions and ensure your system is configured correctly.
Step 5: Check admin users
A hacker may have accessed your website through the admin panel by using the compromised credentials of one of the existing admin users. In some cases, the hacker may also create a separate admin user to access the admin panel.
Log in to your Magento admin panel and review all admin users with valid login credentials. If you find any unknown users in the list, deactivate them immediately. Also, change the passwords of all admin users and run a malware scan on the computers of everyone who manages content on your website.
Step 6: Change the encryption key
Magento uses the Advanced Encryption Standard (AES-256) to encrypt sensitive data such as payment and customer information. The encryption key is generated during installation and can be changed through the admin panel or by the Magento file system owner using the Magento command line.
If a hacker has access to your store’s encryption key, they can use it to decrypt sensitive information. Therefore, if you suspect your Magento store is hacked, you should change it immediately by following Adobe’s guide.
Step 7: Check file integrity
Attackers often exploit vulnerabilities to plant new files on your website. You should check the integrity of the Magento codebase and identify any new or recently modified files that may be part of the hack.
You can download the publicly available version of Magento over SSH and compare the files on your system with the original release by running the following commands in your terminal as the Magento file system owner:
<code>
$ mkdir magento-2.4.2
$ cd magento-2.4.2
$ wget https://github.com/magento/magento2/archive/2.4.2.tar.gz
$ tar -zxvf 2.4.2.tar.gz
# The GitHub archive unpacks into magento2-2.4.2/, not 2.4.2/.
# Replace /path/to/public_html with your store's document root; -q lists only
# the files that differ, drop it to see the full content diff.
$ diff -rq magento2-2.4.2 /path/to/public_html
</code>
Note: Ensure that you replace the version numbers in the above commands with those corresponding to your Magento installation.
You should also change your FTP/SFTP passwords.
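An added example, not from the original post, that automates the comparison above in Python: it hashes both trees, skips directories that always differ from a pristine release (caches, generated code, uploads, local configuration; that exclusion list is an assumption based on a standard Magento 2 layout) and reports files that were added, removed or modified, so a newly planted file stands out instead of being buried in diff output.

```python
import hashlib
from pathlib import Path

# Paths that legitimately differ from a pristine release (caches, generated
# code, uploads, local configuration). The list is an assumption based on a
# standard Magento 2 layout; extend it for your deployment.
IGNORED_DIRS = ("var", "generated", "pub/media", "pub/static", "vendor", ".git")
IGNORED_FILES = ("app/etc/env.php", "app/etc/config.php")


def is_noise(rel):
    """True for a root-relative POSIX path that is left out of the comparison."""
    return rel in IGNORED_FILES or any(
        rel == d or rel.startswith(d + "/") for d in IGNORED_DIRS)


def hash_tree(root):
    """Map every non-noise file under root (relative POSIX path) to its SHA-256."""
    hashes = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if not is_noise(rel):
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def classify(base, live):
    """Split the live store's files into added, removed and modified vs. the release."""
    return {
        "added": sorted(live.keys() - base.keys()),
        "removed": sorted(base.keys() - live.keys()),
        "modified": sorted(p for p in base.keys() & live.keys() if base[p] != live[p]),
    }


def compare_trees(pristine_root, store_root):
    """Compare an unpacked release directory against the live document root."""
    return classify(hash_tree(pristine_root), hash_tree(store_root))


if __name__ == "__main__":
    import sys
    # usage: python compare_trees.py magento2-2.4.2 /path/to/public_html
    report = compare_trees(sys.argv[1], sys.argv[2])
    for kind in ("added", "modified", "removed"):
        for rel in report[kind]:
            print(f"{kind.upper():9}{rel}")
```

Files reported as ADDED that are not part of your own customisations, and MODIFIED core files, are the first candidates for closer inspection.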
Step 8: Look for malware in the database
Hackers often Base64-encode the code they inject, whether through SQL injection into the database or directly into PHP files, because the encoding makes it unreadable to humans. You can look for Base64-encoded lines of code in your PHP files and export the matches to a file by running the following command inside your terminal:
<code>
# print every matching line (with its line number) and then the file name
$ find . -name "*.php" -exec grep -n "base64" '{}' \; -print &> suspiciouscode.txt
</code>
Alternatively, you can also use SSH to view files modified within a specific period using the following command:
<code>
# list regular files under the current directory modified in the last 30 days
$ find ./ -type f -mtime -30
</code>
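As an added example that is not from the original post, the same search carried out in Python: it finds long Base64 runs in PHP and JavaScript files and in an SQL dump of the database, decodes them, and keeps only those whose decoded form looks like code, which the plain grep above cannot tell apart from harmless image data. The suffix list, the 40-character threshold and the marker list are assumptions chosen for illustration.

```python
import base64
import re
import sys
from pathlib import Path

# A run of base64 alphabet this long is more likely a hidden payload than a
# short token; the 40-character threshold is an assumption chosen to cut noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Markers that, once decoded, point to code rather than binary data such as
# icons or fonts. Illustrative, not an exhaustive list.
SUSPICIOUS = (b"<?php", b"eval(", b"base64_decode", b"<script",
              b"document.write", b"fromcharcode", b"unescape(")

def decode_if_suspicious(run):
    """Decode one base64 run; return the bytes only if they look like code."""
    raw = run.rstrip(b"=")
    if len(raw) % 4 == 1:  # a single stray character can never be decoded
        raw = raw[:-1]
    raw += b"=" * (-len(raw) % 4)  # restore padding the regex may have missed
    try:
        decoded = base64.b64decode(raw, validate=True)
    except ValueError:
        return None
    return decoded if any(m in decoded.lower() for m in SUSPICIOUS) else None

def scan_bytes(data, source):
    """Return (source, line number, decoded preview) for every suspicious run."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            decoded = decode_if_suspicious(match.group(0))
            if decoded is not None:
                findings.append((source, lineno, decoded[:60].decode("latin-1")))
    return findings

def scan_tree(root, suffixes=(".php", ".phtml", ".js", ".sql")):
    """Scan code files and SQL dumps (e.g. a mysqldump of the store) under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_bytes(path.read_bytes(), str(path)))
    return findings

# Constructed sample inputs: one line hiding PHP, one line holding an image blob.
SAMPLE_HIT = b'$x = "' + base64.b64encode(b'<?php echo "constructed sample";') + b'";\n'
SAMPLE_CLEAN = b'$img = "' + base64.b64encode(b"\x89PNG" + b"\x00" * 40) + b'";\n'

if __name__ == "__main__":
    for source, lineno, preview in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{source}:{lineno}: {preview!r}")
```

Run it against the document root and against a dump of the store database to cover both places injected code ends up.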
Step 9: Report the incident
If you find that the vulnerability is related to a bug in the core Magento code or in one of the extensions from the official Magento Marketplace, you should report the incident to Adobe.
You can email [email protected] with a description of your findings and all the technical information you have. Sharing information with Adobe will help them resolve the issue promptly and protect other Magento users.
Step 10: Get expert help
When you detect a hack, time is of the essence: the sooner you fix your store, the sooner you are back in business and the smaller your losses. Therefore, consider seeking professional assistance if dealing with a hacked Magento store is beyond your abilities.
Agencies that provide Magento support services can help you identify and patch vulnerabilities in your store. They can also help you create a security action plan to deal with future security incidents.