Vanwege de aard van het probleem is het onderstaande artikel geschreven in het Engels. Met een Engelstalig artikel hopen we shop eigenaren van over de hele wereld een how-to te bieden om het probleem op te lossen en hun shop goed te beveiligen. Een uitleg geschreven in Nederlands vind je in het artikel Magento patches installeren (NL).
Different Magento patches
Every once in a while Magento issues a new patch for Magento Community and Magento Enterprise to increase the security of their software. These patches are basically security releases, and new Magento versions mostly contain all prior patches. Whenever a new patch comes out, make sure to download and install it as soon as possible. A complete overview of Magento patches can be found on Magento.com.
Check your shop with MageReport.com
Not sure whether your shop is vulnerable and needs to be patched? Check MageReport!
The SUPEE-10888, -10752 and -10570 checks result in ‘unknown’?
MageReport is not able to check from ‘the outside’ whether these patches are installed. Checking your shop will likely result in ‘unknown’, unless we see your shop has been updated to a security version in which the patch has been incorporated. If this is the case, the check will be green.
Seven steps to apply the patch and increase your Magento security
You need SSH (shell) access to download and apply the patch. You need only three commands, CD, WGET and BASH, to navigate, download and apply the patch.
Step 1: Make a backup
There’s a chance that certain plugins or elements in your webshop aren’t compatible with the Magento patch. That’s why we always recommend you to make a backup first, in case something goes wrong.
Step 2: Log on to SSH (shell)
Log on to the shell server. If you don’t how to log on, contact your hosting provider or technical contact. Byte customers can follow the steps in the article Inloggen op SSH (shell) (written in Dutch).
Step 3: Download and upload the patch
To download the correct patch for your webshop you need to know what version of Magento you’re using. Don’t know what version you use? Find out using this tutorial.
Download the patch(es) you need via the Magento downloads page. Upload the patch with FTP or SSH to your Magento folder.
Step 4: Apply the patch
Navigate to your Magento folder:
After this, the command BASH will apply the patch you just downloaded:
Let’s assume here that the patch name is: patch_supee-5994.sh . Your actual command would look like this:
Step 5: Clear your cache
It’s important to flush the Magento cache after applying the patch. Flushing your caches can be done in the back-end of your Magento shop under Cache management. More info about flushing your cache in the back-end of Magento can be found in the Magentocommerce Knowledgebase. Don’t forget to flush your OPcode or APC cache as well!
Step 6: Check your shop
Don’t forget to check your shop for vulnerabilities after patching and flushing your caches. Magento’s Security Patch Page provides a list of signs to look out for to determine whether your site is comprised or not.
Step 7: Clean up the patch
After testing your shop, it’s highly advised to remove the patch file. This will help keep the webfolder nice and tidy (no unnecessary files)
I keep getting a Hunk failed error. What should I do?
When you get the Hunk failed error it means you downloaded the patch for the wrong version. Please check what version of Magento you’re running and download the correct patch. If you still receive this error, please check the Magento forum for more information on these patches or discuss your problem on one of their boards.
How long will downloading and applying the patch take?
Downloading and applying the patch doesn’t take much time. We do however recommend that you check your shop thoroughly after applying the patch, which can take up quite some time.
I’ve patched my shop, but I keep getting an notification in the back-end of Magento
Magento doesn’t check whether you’ve applied the patch or not, so that notification will always be visible, patched or not. If you already applied the patch, you can ignore the notification or indicate you’ve read the message.
Can I check if a patch is installed?
Yes you can. You can scan your site with magereport.com to see if a patch is installed or not. If a check comes up grey it’s possible the files that are needed for the check are relocated. Therefore it can’t see whether your shop is patched or not. No worries. Simply use SSH to check if your shop is patched.
Every check that’s been installed can easily be found in the content of your shop. More specifically it’s logged in app/etc/applied.patches.list . So you use the command ‘grep’ to access the list:
grep '|' app/etc/applied.patches.list
The output will look like this:
-e 2015-04-14 08:34:22 UTC | SUPEE-5344 | EE_126.96.36.199 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v188.8.131.52..HEAD
In this example only SUPEE-5344 has been applied. When you uninstalled a patch, you’ll see this:
-e 2015-04-14 15:21:48 UTC | SUPEE-5344 | EE_184.108.40.206 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v220.127.116.11..HEAD | REVERTED
Magereport keeps saying security patch 6482 isn’t installed
We found out that there are several reasons why Patch 6788 comes out as uninstalled on Magereport.com, so we recommend you to check the following:
- When compilation is enabled in the backend of your Magento, SUPEE-6482 doesn’t work properly. Disable compilation (navigate to System > Tools > Compilation page and click on Disable button) to make sure the patch works. After disabling compilation, check your site with magereport.com again. If the check still comes out as not installed, try re-compiling.
- Check if the patch is installed in the correct directory;
- Reload your opcode cache, webserver, php-fpm process and possible other caches. The old code might be still be active;
- Check your shops’ .htaccess. If you’ve made any adjustements in your .htaccess, it’s possible the patch is only partially installed;
- Using a Magento version older them Magento 18.104.22.168? Update to a more recent version. When patching Magento versions older then Magento 22.214.171.124, certain redirects aren’t added.
We hope one of the causes mentioned above can fix your problem. If not, we recommend you to hire a Magento specialist. Unfortunately we can’t help fixing these problems. We’re a hosting company that specializes in Magento hosting. Magento development however is a completely different specialty. A list of Magento developers per country can be found on Magereport.com.