How to Clean a Hacked Magento Website
Magento websites suit businesses that need a robust eCommerce solution, and in most cases they are quite difficult to break into. Magento releases regular security updates that keep the framework secure, but not all website owners keep their sites updated, and that is where they get hacked, causing a lot of pain for the owner.
A hacked eCommerce website can cause a loss of customer confidence, financial loss to get back to a safe position and, most important of all, the implications of Payment Card Industry (PCI) compliance.
Unfortunately, there is no quick or easy fix. This article will help you understand how to clean your hacked Magento website.
Signs of a Hacked Magento Website
- Defacement of the homepage
- Suspension of your website by your hosting provider for malicious activity
- Blocking of your website by the major browsers
- Existence of unapproved administrator accounts
- Customer complaints of credit card data being misused
- Suspicious behavior visible on the checkout page
- Greater incidence of shopping cart abandonment
- Presence of unapproved code on the website
Steps to Clean Your Hacked Magento Website
The first step is to take a full backup of your website files, server logs and databases. This backup is vital: it lets you analyze the details of the hack and ensures that you comply with PCI DSS Requirement 12.10. One reason this step is necessary is the preservation of evidence.
Identification of Hack
Scanning Your Website: There are many freely available online tools that will scan your website for malicious payloads, credit card swipers, intermediary domains and other security problems. You can also register for the free Magento Security Scan, which can identify security issues with your website. If you are using a cPanel hosting account, ask your hosting provider to do a full scan of your account, or log into cPanel, search for "virus" and scan your home directory. In most cases Maldet (Linux Malware Detect) can be used and will pick up many issues, though it is not foolproof, as your breach may lie within extensions or poor passwords.
Checking Integrity of Core Files: The hack may have added new files or changed existing files on the server, so the Magento file system must be scrutinized in depth for malware injections. Core file integrity can be checked with SSH commands or with one of the verification tools that are available. Any changes made within the last month that seem unfamiliar need to be investigated further.
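One way to do the core file check over SSH, as an added example that is not from the article: hash every file in a clean reference copy of the same Magento version and patch level, hash the live tree, and list what is modified or new, followed by the files changed in the last 30 days. It assumes a Linux host with GNU coreutils; the paths and the fixture it builds for a stand-alone run are constructed.

```shell
#!/bin/sh
# Added example, not from the article: compare a live Magento tree against a
# clean reference copy (same version and patch level) and list files that are
# modified or new, then list everything changed in the last 30 days.
# Assumes GNU coreutils (sha256sum) on Linux; all paths are placeholders.

# Emit "sha256  ./relative/path" for every file under a tree, sorted by path.
make_manifest() {   # $1 = tree root
    ( cd "$1" && LC_ALL=C find . -type f | LC_ALL=C sort | while read -r f; do
          sha256sum "$f"
      done )
}

# Print MODIFIED/NEW files in the live tree ($2) relative to the clean tree ($1).
# Files the attacker deleted are not listed; diff the two manifests for those.
integrity_diff() {
    clean=$(mktemp); live=$(mktemp)
    make_manifest "$1" > "$clean"
    make_manifest "$2" > "$live"
    while read -r hash path; do
        if grep -Fxq "$hash  $path" "$clean"; then
            continue                                   # identical to the reference
        elif awk '{ print substr($0, 67) }' "$clean" | grep -Fxq "$path"; then
            printf '%-8s %s\n' MODIFIED "$path"        # hash differs from the reference
        else
            printf '%-8s %s\n' NEW "$path"             # not in the reference at all
        fi
    done < "$live"
    rm -f "$clean" "$live"
}

# Quick first pass before the manifest comparison: content changed in 30 days.
recently_modified() {   # $1 = tree root
    find "$1" -type f -mtime -30
}

# Constructed fixture for a stand-alone run: a clean tree and a live copy with one
# altered core file and one unexpected PHP file under media/. Prints the base dir.
build_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/app" "$base/live/app" "$base/live/media/catalog"
    printf '<?php // bootstrap\n' > "$base/clean/app/Mage.php"
    printf '<?php // front controller\n' > "$base/clean/index.php"
    cp "$base/clean/index.php" "$base/live/index.php"
    printf '<?php // bootstrap\n// constructed unexpected change\n' > "$base/live/app/Mage.php"
    printf '<?php // constructed: PHP has no business under media/\n' > "$base/live/media/catalog/unexpected.php"
    echo "$base"
}

if [ $# -eq 2 ]; then
    integrity_diff "$1" "$2"        # usage: sh integrity.sh /path/to/clean /path/to/live
else
    base=$(build_fixture)
    integrity_diff "$base/clean" "$base/live"
    recently_modified "$base/live"
fi
```

The reference copy must be a fresh download of the exact version and patch set you run, otherwise every legitimately patched file shows up as MODIFIED; the comparison is only as good as the baseline.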
Tip: Use SSH, SFTP or FTPS rather than unencrypted FTP to access the server; plain FTP sends your credentials in clear text.
Verifying User Logs: When a Magento site is hacked, malicious user accounts created by the hackers are often found. It is therefore essential to check all admin user accounts. You can also check for recent requests to the admin area. All logins from unfamiliar geographic locations need to be investigated. If your store is a large one, your Magento installation will benefit from plugins built specifically for reviewing user logs.
Verify for Reports: If your Magento site has been blacklisted by Google, its security status can be verified through Google's diagnostic tools. Check the details of the Google Transparency Report, and investigate whether any customer reports fraudulent purchases made soon after placing an order with you. That is a strong indication that your site has been compromised with a credit card swiper.
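Checking recent requests to the admin area can be done from the web server's access log before any plugin is installed. The script below is an added example, not from the article: it counts admin-path requests per client address, lists the POSTs (login attempts and form submissions) and prints every admin-area address that is not on a list of addresses you recognise. The log lines are constructed, the addresses come from the documentation ranges, and the admin path is assumed to be Magento 1's default.

```shell
#!/bin/sh
# Added example, not from the article: pull admin-area activity out of a web
# server access log (Apache/nginx "combined" format) so that logins from
# unfamiliar addresses stand out. Assumes the default Magento 1 admin path;
# set ADMIN_PATH if your store uses a custom one.
ADMIN_PATH="${ADMIN_PATH:-/index.php/admin}"

# Constructed sample log lines; the addresses come from the documentation ranges.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Mar/2020:09:12:01 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2020:09:12:08 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.77 - - [11/Mar/2020:03:41:22 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "python-requests/2.22"
203.0.113.77 - - [11/Mar/2020:03:41:30 +0000] "GET /index.php/admin/system_config/edit/ HTTP/1.1" 200 8810 "-" "python-requests/2.22"
198.51.100.5 - - [11/Mar/2020:08:00:00 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
EOF
}

# Requests to the admin path, counted per client IP (highest first).
admin_hits_by_ip() {   # $1 = log file
    awk -v p="$ADMIN_PATH" '
        { split($7, u, "?"); if (index(u[1], p) == 1) c[$1]++ }
        END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# POST requests to the admin path (login attempts or form submissions),
# printed as "ip [timestamp status".
admin_posts() {   # $1 = log file
    awk -v p="$ADMIN_PATH" '$6 == "\"POST" && index($7, p) == 1 { print $1, $4, $9 }' "$1"
}

# Admin-area client IPs missing from the allow-list ($2: one IP per line) of
# addresses you recognise, such as the office and your developer's VPN.
unknown_admin_ips() {   # $1 = log file, $2 = allow-list file
    admin_hits_by_ip "$1" | while read -r count ip; do
        grep -Fxq "$ip" "$2" || echo "$ip ($count admin requests)"
    done
}

# Stand-alone run over the constructed log with one recognised address.
log=$(mktemp); allow=$(mktemp)
sample_log > "$log"
echo 192.0.2.10 > "$allow"
echo "== admin requests per IP"; admin_hits_by_ip "$log"
echo "== admin POSTs";           admin_posts "$log"
echo "== unknown admin IPs";     unknown_admin_ips "$log" "$allow"
```

On a real host, point the functions at the rotated logs as well (`zcat access.log.*.gz`), because an intrusion is usually older than the current log file, and look at the user agent of the unknown addresses: a scripted client reaching the admin at 3 a.m. is worth a closer look even when the login appears to have failed.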
Fixing the Hack
The first step here is to compare your compromised site with a clean backup, if one is available, as that will show you which areas the hackers have affected.
Cleaning Compromised Website Files: If the steps above revealed malicious payloads or domains, compare clean copies of the Magento files with the compromised ones; this makes removing the malicious changes much easier. If you have not found any malicious content, search the web for the malicious domain names or spam identified above. Any components, themes, plugins or modules that you have deactivated should no longer exist on your web server.
Tip: When comparing the compromised and known-good files, ensure that the versions of your Magento core files and extensions, along with any applied patches, are the same.
Cleaning Compromised Database Tables: Cleaning your Magento database starts with logging into the admin section and opening the CMS, where the static posts, pages and blocks of the site can be edited. Modifying database content through this interface helps remove the malware infection. A manual search of your Magento database for commonly abused PHP functions can also be undertaken. Most Magento malware is located in the core_config_data table; the header and footer regions of the site, which are stored in that table, are the usual targets.
Removal of Hidden Backdoors: Hackers usually leave a backdoor so that they can re-enter your Magento website after the weak areas have been patched. Backdoors are often new files disguised to look like legitimate Magento core files. The footer area is a favourite target for injecting malware and backdoors. Closing every backdoor is essential if you want your Magento website fully cleaned.
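The manual database search described above, as an added example that is not from the article: export the path and value columns of core_config_data to a tab-separated file and run a small scanner over it that flags script tags, iframes and obfuscation idioms, and separately prints the header and footer rows the article singles out. The rows below are constructed; `cdn.invalid` is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the article: scan exported rows of Magento 1's
# core_config_data table (columns path and value) for injected HTML/JavaScript.
# Export the real table with something like:
#   mysql -B -N -e 'SELECT path, value FROM core_config_data' magento_db > config.tsv
# The rows below are constructed; the cdn.invalid host is a placeholder.

sample_config_rows() {
    printf '%s\t%s\n' \
        'web/unsecure/base_url'         'http://shop.example/' \
        'design/head/includes'          '<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css" />' \
        'design/footer/absolute_footer' '<script>eval(String.fromCharCode(118,97,114))</script>' \
        'design/head/demonotice'        '0' \
        'design/footer/copyright'       '&copy; 2020 Example Shop<script src="http://cdn.invalid/x.js"></script>'
}

# Rows whose value contains script content. Output: path<TAB>reason. Every hit
# needs a human look: a <script src> pointing at your own CDN is legitimate.
scan_config_rows() {   # reads path<TAB>value on stdin
    awk -F'\t' '{
        v = tolower($2); reason = ""
        if      (v ~ /<script[^>]*src=[^>]*https?:\/\//)               reason = "absolute-url script include"
        else if (v ~ /<iframe/)                                          reason = "iframe"
        else if (v ~ /eval\(|base64_decode\(|fromcharcode|unescape\(/)  reason = "obfuscated javascript"
        else if (v ~ /<script/)                                          reason = "inline script"
        if (reason != "") print $1 "\t" reason
    }'
}

# The header and footer HTML the article names as the usual targets: print every
# such row so it can be eyeballed even when the scanner finds nothing.
design_rows() {   # reads path<TAB>value on stdin
    awk -F'\t' '$1 ~ /^design\/(head|footer)\// { print }'
}

if [ -n "$1" ]; then
    scan_config_rows < "$1"              # usage: sh scan_config.sh config.tsv
else
    sample_config_rows | scan_config_rows
    echo "== header/footer rows"
    sample_config_rows | design_rows
fi
```

Remember that core_config_data is scoped: the same path can exist at default, website and store-view scope, so export all scopes rather than only the default row, and re-run the scan after flushing the cache and cleaning, since a cached page can keep serving the old injected footer.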
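Two quick filesystem checks for the disguised files described above, as an added example that is not from the article: PHP files sitting in directories that should only hold static content, and PHP source using the constructs obfuscated loaders and web shells depend on. Both are heuristics that produce a review list, not a verdict; the directory layout is Magento 1's and the fixture is constructed.

```shell
#!/bin/sh
# Added example, not from the article: two quick checks for backdoor files in a
# Magento 1 tree. Both are heuristics; the results are a review list, not a
# verdict, because parts of Magento's own code legitimately call base64_decode().
# Assumes GNU find/grep on a Linux host and Magento 1's directory layout.

# PHP files under directories that should only ever hold static content.
php_in_static_dirs() {   # $1 = Magento root
    for d in media skin var; do
        [ -d "$1/$d" ] && find "$1/$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
    done
    return 0
}

# PHP source using the constructs that obfuscated loaders and web shells rely on:
# eval/decoding chains, or command execution fed straight from request data.
suspicious_php() {   # $1 = Magento root
    grep -rlE --include='*.php' --include='*.phtml' \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(|(system|shell_exec|passthru|exec)\([^)]*\$_(GET|POST|REQUEST|COOKIE)' \
        "$1"
    return 0
}

# Constructed fixture for a stand-alone run. Prints the root it created.
build_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/app/code/core/Mage" "$base/media/catalog/product" "$base/skin/frontend/base" "$base/var/log"
    printf '<?php\nclass Mage_Core_Model_App { public function run() { return 1; } }\n' > "$base/app/code/core/Mage/App.php"
    printf 'some log line\n' > "$base/var/log/system.log"
    printf 'body { margin: 0 }\n' > "$base/skin/frontend/base/styles.css"
    # constructed: an obfuscated loader hiding among product images (the base64 decodes to "foo();")
    printf '<?php\neval(base64_decode("Zm9vKCk7"));\n' > "$base/media/catalog/product/thumb.php"
    # constructed: a plain PHP file where only CSS, JS and images belong
    printf '<?php\necho "placeholder";\n' > "$base/skin/frontend/base/image.php"
    echo "$base"
}

root="${1:-$(build_fixture)}"   # usage: sh find_backdoors.sh /var/www/magento
echo "== PHP files in static-content directories"; php_in_static_dirs "$root"
echo "== PHP files using suspicious constructs";    suspicious_php "$root"
```

Review each hit against the clean reference copy from the integrity check: a file that exists with an identical hash in a fresh Magento download is a false positive, while one that exists only on the live server, or only in media/ or var/, is the kind of disguised file the article warns about.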
Modify Admin User Passwords: This is a vital step. Change your admin user passwords, use strong passwords that are unique, and include upper case, lower case, numbers and other characters such as +=#$%^&. Also, if you see many admin user accounts, disable those that are not in use and delete any that you do not recognize.
Tip: A strong password has three factors: length, complexity and uniqueness. Ensure yours has all three!
Update Magento & Security Patches: Next, update Magento to the latest version; if this is beyond your budget, ensure that all security patches have been applied. Magento publishes a full list of the most recent security patches on its website, and you can check whether they have been applied by scanning your website at magereport.com. The scan will tell you what has to be updated and provides additional advice on any issues it finds.
Manual Server Inspection: Once you have completed the above steps, ask your developer to inspect the files on the server. A good Magento developer understands the core structure and can spot odd files sitting on the server. This takes time, as there are thousands of files. Check all folders for anything odd and delete anything that does not belong.
Resolving Malware Warnings: Blacklisting of your website by McAfee, Google or any other web spam authority should be resolved by requesting a review of your website after fixing the hack. Review requests are limited to one per month, so ensure that you have completely cleaned your website before requesting a review.
Modules or Extensions: Many Magento websites have modules or extensions installed, and in most cases only half of them are used. Delete any extensions that are not in use, as they can be a weak link; Magento extension developers do not always keep them up to date. Also ensure that every extension you do keep is updated to the latest version. Purchased extensions are normally tried and tested, but their developers release updates on an ongoing basis: you may have a version of an extension that is 5 years old and out of date, while some extension developers release updates every 3-4 months.
Protecting Your Magento Website from Hacks in Future
This section explains the actions you should take to keep your Magento store safe and secure and to protect it from being compromised in the future.
Updating and Resetting Configuration Settings: Software that is not updated regularly or not patched properly is vulnerable to attack. Eliminate such vulnerabilities in your extensions, reset passwords and keep your software updated, including Magento core files, templates, components, plugins and modules. If software such as cPanel, Apache or PHP is found to be outdated, update it. Flush the Magento cache after cleaning your website. Follow the process for applying Magento updates and patches systematically.
Setting up Backups: Backups act as your safety cushion. After cleaning your Magento store, take a full backup. Keep the following points in mind: always store your backups off-site, and if you update your website regularly, take backups regularly. A backup should include all files in the root directory and a full database backup.
Examine Your Computer: A good paid anti-virus program should be run on every computer that logs into the Magento store. This eliminates the chance of your Magento site being compromised through an infected computer accessing your dashboard. Certain types of infection can spread from one computer to another's FTP clients or text editors.
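The same backup routine serves both the evidence-preservation backup of the first step and the regular backups recommended here. The script below is an added example, not from the article: it archives the document root, the server logs and the database into a timestamped directory, writes a SHA-256 manifest, makes the copy read-only and can verify it later. It assumes GNU coreutils, tar, gzip and mysqldump, database credentials in ~/.my.cnf and the schema name in $DB_NAME; the fixture it builds for a stand-alone run is constructed.

```shell
#!/bin/sh
# Added example, not from the article, serving both the evidence backup in the
# first step and the routine backups recommended here: archive the document root,
# the server logs and the database, write a SHA-256 manifest, and make the copy
# read-only. Assumes GNU coreutils, tar, gzip and mysqldump; database credentials
# are read from ~/.my.cnf and the schema name from $DB_NAME (both assumptions).

backup_site() {   # $1 = Magento docroot, $2 = server log dir, $3 = destination dir
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$3/magento-backup-$stamp"
    mkdir -p "$dest"
    tar -czf "$dest/files.tar.gz" -C "$1" .
    [ -d "$2" ] && tar -czf "$dest/logs.tar.gz" -C "$2" .
    if [ -n "${DB_NAME:-}" ]; then
        mysqldump --single-transaction "$DB_NAME" | gzip > "$dest/db.sql.gz"
    fi
    ( cd "$dest" && sha256sum *.gz > SHA256SUMS )
    chmod -R a-w "$dest"          # evidence must not be altered after capture
    echo "$dest"
}

# Exit 0 only when every archive still matches the manifest; run it after the
# off-site copy is made and again before restoring from the backup.
verify_backup() {   # $1 = backup dir
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}

# Constructed docroot, log dir and destination for a stand-alone run.
build_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/docroot/app/etc" "$base/logs" "$base/backups"
    printf '<?php // front controller\n' > "$base/docroot/index.php"
    printf '<config/>\n' > "$base/docroot/app/etc/local.xml"
    printf '192.0.2.10 - - [10/Mar/2020:09:12:01 +0000] "GET / HTTP/1.1" 200 1\n' > "$base/logs/access.log"
    echo "$base"
}

if [ $# -eq 3 ]; then
    # usage: DB_NAME=magento_db sh backup.sh /var/www/magento /var/log/apache2 /srv/backups
    dest=$(backup_site "$1" "$2" "$3") && verify_backup "$dest" && echo "backup verified: $dest"
else
    base=$(build_fixture)
    dest=$(backup_site "$base/docroot" "$base/logs" "$base/backups")
    verify_backup "$dest" && echo "backup verified: $dest"
fi
```

Copy the whole backup directory, manifest included, to the off-site location and keep the manifest separately as well; a backup whose checksums you cannot verify is of little use either for restoring the store or for showing what the server looked like when the hack was discovered.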
Incorporation of a Website Firewall: Custom .htaccess rules and controlling file permissions are two ways to harden your Magento site. Other security best practices can be adopted, and installing a website firewall is one of them: it shields your Magento website from weaknesses and restricts the admin areas to approved users. Website firewalls act as a protective perimeter around your website. The benefits of a website firewall include:
- Protects against future hacks
- Acts as a good security update
- Prevents access to the wp-login or wp-admin page by unapproved users
- Eliminates the impact of huge volumes of fake visits or a DDoS attack
- Reduces bounce rates by providing caching for higher page speed
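The two hardening measures named at the start of this section, file permissions and custom .htaccess rules, as an added example that is not from the article: a function that applies the permissions commonly recommended for a Magento 1 document root, and one that prints mod_rewrite rules returning 403 for the admin area unless the client address is on a list. It assumes Apache with mod_rewrite, files owned by your deploy user with the web server in that user's group, and Magento 1's default admin path; the addresses and the fixture are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: the two hardening measures named above,
# file permissions and an .htaccess rule set, for a Magento 1 document root on
# Apache with mod_rewrite. Assumes the files are owned by your deploy user and
# the web server runs in that user's group; the IP addresses are placeholders.

# Permissions commonly recommended for Magento 1: 755 directories, 644 files,
# var/ and media/ group-writable for caches and uploads, and the database
# credentials in app/etc/local.xml readable by the owner only.
harden_permissions() {   # $1 = Magento docroot
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    for d in var media; do
        [ -d "$1/$d" ] && chmod -R g+w "$1/$d"
    done
    [ -f "$1/app/etc/local.xml" ] && chmod 600 "$1/app/etc/local.xml"
    return 0
}

# mod_rewrite rules that return 403 for the admin area unless the client address
# is on the list. Magento 1 routes the admin through index.php, so a <Files> or
# <Directory> block cannot match it; a REQUEST_URI test can. If a reverse proxy
# or CDN sits in front of Apache, REMOTE_ADDR is the proxy's address and the
# rules must be adapted to the forwarded client address instead.
admin_ip_rules() {   # $@ = permitted IPv4 addresses
    printf '%s\n' 'RewriteEngine On'
    printf '%s\n' 'RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin'
    for ip in "$@"; do
        escaped=$(printf '%s' "$ip" | sed 's/\./\\./g')
        printf '%s\n' "RewriteCond %{REMOTE_ADDR} !^${escaped}\$"
    done
    printf '%s\n' 'RewriteRule ^ - [F,L]'
}

# Constructed docroot with deliberately sloppy permissions for a stand-alone run.
build_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/app/etc" "$base/var/cache" "$base/media"
    printf '<config/>\n' > "$base/app/etc/local.xml"
    printf '<?php\n' > "$base/index.php"
    chmod 777 "$base/var/cache"; chmod 666 "$base/index.php"
    echo "$base"
}

# usage: sh harden.sh /var/www/magento 192.0.2.10 203.0.113.5 > admin-rules.txt
# With no arguments it runs on the fixture and uses placeholder addresses.
root="${1:-$(build_fixture)}"
harden_permissions "$root"
[ $# -ge 2 ] && shift || set -- 192.0.2.10 203.0.113.5
admin_ip_rules "$@"
```

Put the printed rules near the top of the document root's .htaccess, before Magento's own rewrite rules, and test from an address that is not on the list before relying on them; also keep the list short, since every address on it is one the attacker only needs to share or spoof through a misconfigured proxy.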
PCI Compliance: PCI compliance is one of the major requirements of an eCommerce Magento website, but most Magento sites processing payments do not take it seriously, because store owners feel that using SSL during checkout is enough to eliminate the chance of a breach. PCI compliance was devised by the major credit card firms such as American Express, MasterCard and Visa. eCommerce websites are audited to protect online shoppers from credit card fraud. A non-compliant website will incur fees, fines and remediation costs. There are 12 requirements for PCI compliance:
- Installation and maintenance of a firewall
- Protection of stored cardholder data
- Encryption of cardholder data transmitted across open, public networks
- Protection of systems from malware, with regularly updated anti-virus software
- Design and maintenance of secure systems and applications
- Identification and authentication of access to system components
- Restriction of physical access to cardholder data
- Tracking and monitoring of all access to cardholder data and network resources
- Regular testing of security systems and processes
- Maintenance of an information security policy
- Not basing system passwords and other security parameters on vendor-supplied defaults
- Restriction of access to cardholder data to those with a business need to know
Merchants can transmit credit card information safely through the integrated payment gateways that Magento provides. These solutions integrate with your Magento checkout pages and use a payment form hosted by an external payment processor, so no sensitive information remains on your Magento application server; it is transmitted directly to the payment gateway.
This article is a guideline you can follow. All hacked websites are hacked in different ways; following the above suggestions will get you back on your feet, but in some cases a cleaned website gets hacked again because of a backdoor that was left in place. If this happens you will need to go over the above steps again until the issue is found. If following the above steps does not resolve the problem, consider hiring an advanced Magento developer who has a better understanding of how to fix it.
Magento is a robust platform with strong security features that most other eCommerce solutions lack, but this does not make it hack-proof, and it remains a target for hackers. Taking adequate protective measures to keep your website secure will make it extremely difficult for most hackers to get in.