5 Issues Publicly Visible on Your Magento Site - Fix These ASAP


It's important to provide content to your visitors. However, some content is supposed to stay private and work in the background of your site. Here is a list of 5 things that may be publicly available on your Magento site without your knowledge. Check the list below, and if you find any of these items on your site, make sure to get them fixed ASAP.

5 Publicly Visible Magento Items To Fix

  1. Security Patches
  2. Admin Panel
  3. Log Files
  4. Version Control
  5. Development Files


1. Security Patches

The most important item, and the first thing hackers will check on your Magento site, is which security patches are installed. More important to them are the security patches that are missing. From that information they can tell whether your site is exposed to several of the following:

  • Admin Path Disclosure
  • Customer Data Leaks
  • SSRF API Vulnerability
  • Admin Routing
  • Ability for Remote Code Execution
  • XSS


2. Admin Panel

A public admin login is vulnerable to exploits (like Shoplift) and brute force attacks. Magento owners should rename the path to something unguessable, restrict access by IP, and/or use two-factor authentication. The default /admin path is an easy guess for hackers looking for your admin login screen, and from there they can launch brute force attacks. As mentioned in the last section, if you are missing patches they can also use exploits to reveal your admin panel URL.


3. Log Files

Log files can contain information about your server, your passwords, and your customers' information. They should not be public on the internet. Most developers and Magento website owners forget to protect the default log folders from being accessible via public URLs. Many times the var/report folder is exposed and not protected.


4. Version Control

An exposed version control system contains the source code of your application. This sensitive information should not be available to the public. If you're using Git to maintain your code base, it's also possible that you or your developer did not remove .git folders or .gitignore files from your public web root. This is a risk to your site because if a hacker can view your source code, they may also be able to see critical login credentials for your site. You don't want a hacker logging into your database, accessing all your customers' data and wreaking havoc.


5. Development Files

Development files may contain sensitive information or let attackers modify data in unexpected ways. They do not belong on a production environment. There is a default Magento path, /shell, which contains script files that run on your web server. Many Magento owners forget to check, or never check, that this path is not publicly visible. That one mistake exposes a whole list of shell files that may be core to your Magento instance or scripts left behind by developers. You don't want a hacker coming to your site and running a script file along the lines of www.yourmagentosite.com/shell/clear-all-products.php.
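To check items 2 through 5 on a site you own, here is a small self-audit script, added as an example for this post and not code from the original article. It requests each of the paths named above (plus /var/log/ as the sibling of /var/report/, and /.git/HEAD as the conventional file to test for an exposed repository), first requests a path that should never exist so that sites answering 200 to everything do not produce false positives, and reports each item as exposed, inconclusive or ok with a remediation note. The Magento 1 login form field name used to recognise the admin screen is an assumption, and all network access goes through a replaceable `fetch` callable so the decision logic can be exercised offline.

```python
"""Self-audit for the publicly visible Magento items listed in this post.

Constructed example: run only against a site you own. All network access goes
through the `fetch` callable so the decision logic can be tested offline.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

# Paths from the post (/.git/HEAD is the usual file to test for an exposed repo;
# /var/log/ is added as the sibling of /var/report/). The note says what a hit means.
CHECKS = [
    ("/admin/", "default admin path reachable: rename it, restrict by IP, add 2FA"),
    ("/var/report/", "exception reports readable: may leak paths, SQL and customer data"),
    ("/var/log/", "log folder readable: may leak server details and credentials"),
    ("/.git/HEAD", "Git metadata served: source code and any committed credentials at risk"),
    ("/.gitignore", ".gitignore served: a repository checkout is deployed in the docroot"),
    ("/shell/", "/shell reachable: maintenance scripts can be triggered from the web"),
]

# A path that should never exist; a 200 here means the site answers 200 for anything.
CONTROL_PATH = "/self-audit-control-path-that-should-not-exist"


@dataclass
class Response:
    status: int   # 0 = connection failed
    body: str     # first few KiB of the body, decoded


Fetcher = Callable[[str], Response]


def default_fetch(url: str, timeout: float = 10.0) -> Response:
    """GET url and return status plus up to 4 KiB of body; never raises."""
    req = urllib.request.Request(url, headers={"User-Agent": "magento-self-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, "")
    except (urllib.error.URLError, OSError):
        return Response(0, "")


def classify(path: str, resp: Response, soft_404: bool) -> str:
    """Return 'exposed', 'inconclusive' or 'ok' for one probe result."""
    if resp.status != 200:
        return "ok"
    # Body-based checks stay reliable even when the site answers 200 to everything.
    if path == "/.git/HEAD":
        head = resp.body.strip()
        is_sha = len(head) == 40 and all(c in "0123456789abcdef" for c in head)
        return "exposed" if head.startswith("ref:") or is_sha else "ok"
    if path == "/admin/":
        # Assumption: Magento 1 admin login form posts login[username]/login[password].
        return "exposed" if "login[username]" in resp.body else "ok"
    # Status-only checks cannot be trusted on a soft-404 site.
    return "inconclusive" if soft_404 else "exposed"


def audit(base_url: str, fetch: Fetcher = default_fetch) -> List[Dict[str, object]]:
    """Probe each path once and return one finding per check."""
    base = base_url.rstrip("/")
    soft_404 = fetch(base + CONTROL_PATH).status == 200
    findings = []
    for path, note in CHECKS:
        resp = fetch(base + path)
        findings.append({
            "path": path,
            "status": resp.status,
            "result": classify(path, resp, soft_404),
            "note": note,
        })
    return findings


def exposed_paths(findings: List[Dict[str, object]]) -> List[str]:
    """Just the paths that were confirmed publicly visible."""
    return [str(f["path"]) for f in findings if f["result"] == "exposed"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.yourmagentosite.com"
    for f in audit(target):
        print(f"{f['result']:<12} {f['status']:>3} {f['path']:<14} {f['note']}")
```

Anything reported as exposed should be denied at the web server (a deny rule for /var/, /.git and /shell, and an IP allow-list or renamed path for the admin login) rather than left to application code; anything inconclusive needs a manual look because the site is masking missing paths with a 200 page.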


We are here to help you with any of your Magento website goals. Use the button below now to talk with us briefly about your needs. We look forward to hearing from you.
