Security Checklist
Things to make sure of before redeploying a previously compromised site.
Steps
- Apply missing patches
- Remove the downloader from the project directory
- Change admin access to something more secure (for how to do it, follow this link)
- Remove magme from the project directory
- Limit access to rss/catalog/notifystock via .htaccess:
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/(index.php/?)?rss/catalog/notifystock [NC]
  RewriteCond %{REMOTE_ADDR} !^199\.19\.114\.221$
  RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=301,L]
- Make sure the project's var folder is not accessible from the web
- Make sure the images directory cannot execute PHP
- Move the .git folder outside of the web root
Useful articles
Ebizmarts Sagepaysuite
If the browser console shows an error like "Uncaught reference: Suite config" (or something similar),
the onepagecheckout AJAX "Add order" call will not work. Delete every row of the
core_config_data table whose path contains "sagepay" (back up the table first, since this removes any stored SagePay settings):
DELETE FROM core_config_data WHERE path LIKE '%sagepay%';
Magento will then recreate the necessary SagePay configuration data, and the error should be gone.
Hardening Nginx configuration
To limit malicious script execution via unknown PHP files, Magento should only be allowed to run scripts through index.php or any other scripts you explicitly whitelist.
Below, index.php is the only entrypoint; to whitelist other files, alter the location line so that it looks like
location ~ ^/(index\.php|someotherfile\.php|someotherfile2\.php)$
Redacted
If you are not sure which files you should whitelist, the following command lists the PHP files requested in the access log other than index.php:
cat access.log | cut -d 'T' -f 2 | grep php | grep -v '^ /index.php' | sort -u
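As an added example (not from the original page), a more robust version of that log check: a small POSIX shell script that reads the request-path field of combined-format access log lines, strips query strings and PATH_INFO, and prints every PHP script requested other than /index.php. The log lines it runs on are constructed samples, not a real server's log.

```shell
#!/bin/sh
# Added example, not from the original page: list the PHP scripts requested
# in an Nginx/Apache combined-format access log, other than /index.php, to
# decide which files the whitelist needs. Unlike cutting on 'T', it reads the
# request-path field directly and strips query strings and PATH_INFO.
# Usage: list_php_entrypoints < /var/log/nginx/access.log

# Constructed sample log lines (documentation IP ranges, not a real log).
sample_log() {
cat <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php/customer/account/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /get.php/resource/foo.css HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /media/tmp/x.php?a=1 HTTP/1.1" 404 169 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:56:12 +0000] "GET /skin/frontend/base/default/css/styles.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:30 +0000] "GET /downloader/index.php HTTP/1.1" 403 162 "-" "curl/7.88"
203.0.113.9 - - [10/Oct/2023:13:58:02 +0000] "GET /get.php?file=abc HTTP/1.1" 200 400 "-" "Mozilla/5.0"
EOF
}

# Print each distinct .php path requested, excluding /index.php itself.
# Reads the log on stdin; field 7 of the combined format is the request target.
list_php_entrypoints() {
    awk '{
        path = $7
        sub(/\?.*/, "", path)            # drop the query string
        sub(/\.php\/.*/, ".php", path)   # collapse PATH_INFO after the script
        if (path ~ /\.php$/ && path != "/index.php") print path
    }' | sort -u
}

# Stand-alone run over the constructed sample. A hit on /downloader/index.php
# is a sign the downloader from the checklist above is still present and probed.
sample_log | list_php_entrypoints
```

Run it against the real log (`list_php_entrypoints < access.log`) and treat every path it prints as either a legitimate entrypoint to whitelist or a file to remove.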
Magento Malware Scanner
Detailed info about this tool is at the Magento Malware Scanner GitHub page.
To run the scan, change directory to one level above your web root directory, then run the commands below:
wget git.io/mwscan.txt
grep -Erlf mwscan.txt /{your-magento-directory}
Any matching files are flagged as malicious. If nothing is flagged, the scanner found no known malware signatures in your project.