Why Magento Patches are so Important & How to apply them?
A patch is a package of modified core files that fixes specific security bugs, i.e. security vulnerabilities found in earlier Magento versions. Each Magento release already includes every security fix available at its release date, so if your store runs the latest version of Magento, it is most likely not vulnerable and you don't need to install any patches. If you are not running the latest version and have not installed any patches, your website most likely has critical security vulnerabilities. New vulnerabilities appear all the time, and patches are released to keep your online store secure.
Table of Contents
- What are Magento Patches?
- What makes Magento Patches so Important?
- How to check if your Magento Store is Secure?
- Updates for Magento Patch Releases
- Applying Security Patches
- Best Practices for Magento Online Store Security
- Installing Magento Patches
- Installing Magento 2 Patches without SSH
- Applying the Magento Patches using the Command Line
What are Magento Patches?
Service packs: while building a software application, developers often need to make changes that were not planned initially. Once the application is live, developers fix security vulnerabilities (i.e. bugs) and errors that turn up later by shipping software updates.
A service pack includes the whole set of fixed files, whereas in open-source software a patch is used, which contains only the files that were modified.
Security fixes are being released by Magento.
There are two types of patches in Magento:
- Official patches - patches published on the Magento Security Center.
- Custom patches - patches that you create and download from a git commit.
What makes Magento Patches so Important?
Security fixes, or security patches, are the most noticeable kind, because they protect your application against potential attackers by closing security vulnerabilities. Whenever security patch files are released for your application, install them as soon as possible.
Security fixes should only be installed from an official, reliable source, as other sources might provide harmful patches.
Dynamic software updates of this kind can be installed even while your application is running, as they do not cause system errors or crashes.
How can you check if your Magento store is secure or not?
The Magento community has produced some excellent tools that let you check which security issues your store might have and whether you have applied all the patches. The most widely used one is MageReport.
These tools can be both helpful and harmful. They are very easy to use, but store owners are not the only ones who can use them: potential attackers can just as easily check whether a Magento store has security vulnerabilities and, if it does, gain control over the unprotected store. Hence all patches must be installed as soon as they are released, to close the critical security issues and keep your online store protected from attackers.
New Updates for Magento Patch Releases
Earlier, attackers were able to activate unverified users and execute malicious payloads in online stores. The Magento community has now warned its users about security updates for Magento Commerce 2.3.1 and Page Builder.
Magento recommends that merchants take the actions described below as soon as possible to avoid attacks:
Merchants that are running Magento 2.3.1:
- Install the MDVA-22979_EE_2.3.1_v1 patch, and then schedule your store to upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
- Watch for any signs of malicious activity.
Merchants that are running Magento 2.3.2:
- Install the MDVA-22979_EE_2.3.2_v1 patch, and then schedule your store to upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
- Review your store daily for signs of malicious activity.
Let us now dive into applying security patches
First things first: you need access to your server's CLI in order to apply a patch script. Applying a patch script without experience can break a Magento site, so this is best left to developers or system administrators experienced in Magento development. Best practice is to run the patch script on a non-production environment of your website first,
and to verify that the changes were applied successfully before moving the code to your production server. If you work only on the production server, it is highly recommended to back up your files and database before applying the patch.
Sometimes a patch fails because it cannot find where the update should go. One reason can be missing earlier patches: a Magento patch relies on the security patches installed before it. You can tell your developer which patches have been installed by looking at the app/etc/applied.patches.list file on the website, which lists every patch that was installed, the date it was applied and the files it modified. Install the missing patches first, then apply the current patch again and verify it.
If you want to keep your Magento online store more secure, follow these best practices:
- Change your Magento admin password every 90 days. Go to Admin > Configuration > Advanced > Admin, expand Security, set Password Lifetime to 90 days and set Password Change to Forced.
- Disable or remove any admin users that are no longer needed.
- Change your password after working with anyone from outside your organization.
- Never share your shell login details or FTP details with people working outside your organization.
- Remove all the unused extensions.
- Always use dedicated servers; shared servers put you at risk of security breaches.
- Take backups of the database and your online website.
Installing Magento Patches
Magento has a large user base, so to ease the process it notifies its users whenever a new update or version is released.
CE patches can be downloaded from Magento's official site and installed by following these steps:
Step 1: Log in to your account on the Magento & Patches download page.
Step 2: Click My Account; if you don't have an account, create one by registering. Registration is free of charge.
Step 3: Under Magento CE Patches, choose the patch you want to install.
Step 4: Choose your CE version from the list given next to the patch list, then click Download.
Step 5: Once the download has finished, the installation can begin.
Magento patches can be installed in two ways:
- With SSH
- Without SSH
Installing Magento 2 Patches without SSH
Magento Open Source 2.3.2, 2.2.9 and 2.1.18 contain 75 security enhancements that close Cross-Site Scripting (XSS), Remote Code Execution (RCE) and other vulnerabilities.
The patch releases are available from the following downloads:
- Magento Open Source 2.1.18, 2.2.9 and 2.3.2 (new .zip file installations): Magento Open Source Download Page > Download tab
- Magento Open Source 2.1.18, 2.2.9 and 2.3.2 (new Composer installations)
- Magento Open Source 2.1.18, 2.2.9 and 2.3.2 (Composer upgrades)
- Magento Open Source 2.1.18, 2.2.9 and 2.3.2 (developers contributing to the Open Source codebase)
Applying the patches using the command line
- Upload the patch file into the <Magento root>.
- Log in to your server as the Magento admin user.
- In the CLI, run the command that matches the patch extension.
For example, for Magento 2.3.3 you might install the patch "Fixed method chaining contract for the Product Collection". This patch introduces changes to Magento 2.3.3, because this version has problems with some customizations and extensions.
- Download the composer/git patch file from Magento and place it in the Magento root folder.
In the CLI, run the command below according to the patch extension:
$ patch < patch_file_name.patch
For the example above, the command is:
$ patch -p1 < Fixed_method_chaining_contract_for_Product_Collection_composer-2019-10-18-07-02-37.patch
Note: if the command line responds with File to patch: (as in the screenshot below), patch cannot locate that particular file, even if the path seems correct.
- For the changes to appear, refresh the cache in [Magento Admin] > System > Tools > Cache Management.
If you encounter an error such as Hunk #5 Failed at 140 (shown below), make sure you have applied the previous patches first.
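Both failure modes above (the File to patch: prompt and a FAILED hunk) can be detected before patch touches anything. The Python check below is an added example, not part of the original article or of Magento's tooling: it parses a unified-diff patch the way patch -p1 does (git-style patches carry a/ and b/ path prefixes, which is why the example command uses -p1) and reports, per hunk, whether the target file exists and whether the lines the hunk expects are still there. The file paths, the Collection.php contents and the patch itself are constructed sample data.

```python
import re

def parse_unified_diff(text, strip=1):
    """{target_path: [(old_start, old_side_lines)]}; paths stripped like `patch -p<strip>`."""
    files, cur, old_left, new_left = {}, None, 0, 0
    for line in text.splitlines():
        if old_left > 0 or new_left > 0:   # inside a hunk body; a '\' marker line counts for neither side
            if line[:1] in (" ", "-"):
                files[cur][-1][1].append(line[1:])
                old_left -= 1
            if line[:1] in (" ", "+"):
                new_left -= 1
        elif line.startswith("+++ "):      # target file header, e.g. "+++ b/app/code/..."
            cur = "/".join(line[4:].split("\t")[0].split("/")[strip:])
            files[cur] = []
        elif line.startswith("@@") and cur is not None:
            m = re.match(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@", line)
            files[cur].append((int(m.group(1)), []))
            old_left, new_left = int(m.group(2) or 1), int(m.group(4) or 1)
    return files

def preflight(patch_text, read_file):
    """Per-hunk verdict: 'missing-file' -> the 'File to patch:' prompt; 'mismatch' -> offset/fuzz or 'Hunk #N FAILED'."""
    report = []
    for path, hunks in parse_unified_diff(patch_text).items():
        text = read_file(path)             # current file text, or None when the file is absent
        if text is None:
            report.append((path, 0, "missing-file"))
            continue
        lines = text.splitlines()
        for n, (start, old) in enumerate(hunks, 1):
            status = "ok" if lines[start - 1:start - 1 + len(old)] == old else "mismatch"
            report.append((path, n, status))
    return report
# Constructed sample: Helper.php is absent, and Collection.php already differs from what hunk 2 expects.
SAMPLE_TREE = {"app/code/Vendor/Module/Collection.php":
               "<?php\nclass Collection\n{\n    public function load()\n    {\n        return $this;\n    }\n}\n"}
SAMPLE_PATCH = """--- a/app/code/Vendor/Module/Collection.php
+++ b/app/code/Vendor/Module/Collection.php
@@ -1 +1,2 @@
 <?php
+declare(strict_types=1);
@@ -6 +7 @@
-        return parent::load();
+        return parent::load() ?: $this;
--- a/app/code/Vendor/Module/Helper.php
+++ b/app/code/Vendor/Module/Helper.php
@@ -1,0 +2 @@
+// new helper
"""
```

Run it against a real tree with preflight(open("fix.patch").read(), lambda p: open(p).read() if os.path.isfile(p) else None) from the Magento root; a "mismatch" on a file that a previous security patch modifies is the signal to install that earlier patch first, exactly as the article advises.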