If you run an online store using Magento, you know how important it is to keep your store secure from hackers and malicious attacks. Installing Magento security patches regularly is one of the best ways to do that.
Security patches are updates that fix vulnerabilities and bugs in Magento and improve its performance and functionality. They can prevent hackers from exploiting your Magento store and stealing or taking over customer data.
In this blog post, I will show you how to install a Magento security patch in a few simple steps, including best practices for applying the security patch, reverting the patch, and testing post-patch strategies for the Magento store.
- Overview of Magento Security Patches
- Difference Between Vulnerability and Patch
- Preparing for Patch Installation in Magento 2
- Applying Magento 2 Security Patch
- Verifying the Patch Installation in Magento 2
- Reverting the Security Patch in Magento 2
- Post-Patch Tasks Setup in Magento 2
- Best Practices for Magento Security Patches
Overview of Magento Security Patches
Like any software, Magento is not immune to security vulnerabilities and cyberattacks. That’s why Magento releases security patches on a regular basis to fix bugs and improve the security of its system.
Security patches are updates that address specific issues or risks in the Magento codebase. They are usually released as part of a larger version update, but sometimes they are also released separately to address urgent or critical issues.
However, applying security patches can be challenging and time-consuming, especially if you have a complex or customized Magento store. You must ensure the patch is compatible with your Magento version, extensions, themes, and customizations.
That’s why you need to understand how Magento security patches work, how to apply them correctly and safely, and what patches are available to troubleshoot common issues that may arise after patching.
Magento has 2 types of security patches:
- Official Patches – patches are published on Adobe Commerce Help Center.
- Custom Patches – patches you can download and create from a Git commit.
Difference Between Vulnerability and Patch
Here are some key highlights showing the difference between Magento vulnerability vs. patch.
| Magento Vulnerability | Magento Patch | |
| Definition | Flaw or weakness in the Magento system. | A script or package of files aiming to fix the vulnerability and security bugs in the earlier versions. |
| Examples | Include SQL injection, cross-site scripting (XSS), remote code execution (RCE), or insecure file uploads. | Example patch: SUPEE-12345, Magento Security Patch (e.g., Magento 2.3.7-p1) |
| Purpose | Exploit unauthorized access to restricted resources by an unauthenticated attacker. | Updates or fixes security issues and vulnerabilities of Magento. |
| Version | Applicable to specific Magento 2 versions. | Version-specific to ensure compatibility with the Magento application. |
There could be multiple different areas to point out vulnerabilities caused in Magento 2. However, regarding the security patches, Magento 2 recommends regularly applying the patches and updates to keep your store secure.
Preparing for Patch Installation in Magento 2
These measures help mitigate risks, minimize potential downtime, and ensure that the patch is implemented seamlessly, enhancing the security and functionality of your Magento 2 store.
1. Back up Your Magento Store
Before applying any security patches or making significant changes to your Magento installation, creating a backup of the Magento 2 store, including the database and files, is highly recommended. See back up and roll back the file system.
💡Tip: Before beginning an upgrade or a patching process, create an active branch from the Integration environment and check out the new branch to your local workstation to avoid interference with your work in progress.
2. Check Version Compatibility
Verify to check the version compatibility of the security patch with release notes and documentation provided by Magento with your Magento 2 version.
Run the following command to check the Magento version:
bin/magento --version
For Example:
Adobe Commerce APSB22-12 is the security patch for Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2 and 2.4.0 – 2.4.3-p1.
3. Enable Maintenance Mode
To enable maintenance mode on the website that displays a maintenance page or temporarily disable access to your site during patching.
Run the following command:
php bin/magento maintenance:enable
4. Test Patch on Staging
Testing all Magento patches in a staging or development environment before deploying to production is highly recommended.
Don’t risk losing your customers’ trust and revenue.
Switch to Cloudways today and enjoy peace of mind with Magento Security on Cloudways.
Applying Magento 2 Security Patch
Applying a patch script that is not experienced can break a Magento store, and hence it is the best option that this should be left to developers or system administrators who are experienced in Magento development.
Follow the below steps for applying a Magento security patch.
1. Download the Patch
Download the Magento 2 security patch that addresses the vulnerability to fix from official Magento Security or GitHub. Adobe also releases the latest patches for the affected Adobe Commerce & Magento open-source versions.
For Example:
| Adobe Commerce | 2.4.3-p3_Hotfix | ACSD-47578 patch |
| Magento Open Source | 2.4.3-p3_Hotfix |
2. Upload the Patch to the Server
To apply the security patch, connect to your Magento server via SSH or use an FTP client to access the file system. Upload the patch files to the root directory of your Magento installation.
3. Apply the Patch With the Command Line
In the command-line interface, run the following commands according to the patch extension:
patch < patch_file_name.patch
The command assumes the file to be patched is located relative to the patch file. To reflect the changes, refresh the cache in the Magento Admin → System → Tools → Cache Management.
4. Apply the Patch With GitHub
Once you have downloaded the security patch from the GitHub repository of Magento 2, follow the below steps to apply the patch:
Step 1: Create the directory for patches: Navigate to the website’s working directory and create a patch directory for storing the Magento security patches. For example, create patches in the Magento root directory.
Step 2: Copy the required patches to the generated directory: Connect to the Magento root directory using SSH, FTP-client, and other suitable tools.
Step 3: Create a patch file: Run the following command.
git diff > ./patches/patchForModule.patch.
5. Apply the Patch With Composer
To apply the patch with the Composer, follow the below steps:
Step 1: Access SSH/FTP: Connect to the command line with SSH or FTP access, and navigate to the Magento 2 root directory.
Step 2: Add a plugin: Add the cweagans/composer-patches plugin to the composer.json file.
composer require cweagans/composer-patches
💡 Note: cweagans/composer-patches also helps create the custom patch with composer installation.
Step 3: Edit Composer File Edit the composer.json file and add the following section to specify:
- Module: “magento/module-payment”
- Title: “MAGETWO-56934: Checkout page freezes when ordering with Authorize.net with invalid credit card”
- Path to patch: “patches/composer/github-issue-6474.diff”
Locate the extra section in composer.json and add the patch version under patches based on the above format.
For Example:
"extra": {
"composer-exit-on-patch-failure": true,
"patches": {
"magento/module-payment": {
"MAGETWO-56934: Checkout page freezes when ordering with Authorize.net with invalid credit card": "patches/composer/github-issue-6474.diff"
}
}
}
You must create multiple patch files targeting multiple modules if a patch affects multiple modules.
Step 4: Apply the patch: Run the following command from the application’s root directory. Use the -v option only if you want to see debugging information.
composer -v install
Step 5: Update the composer.lock file: The lock file tracks which patches have been applied to each Composer package in an object.
composer update --lock
💡 Note: For the changes to appear, refresh the cache in Magento Admin → System → Tools → Cache Management.
Verifying the Patch Installation in Magento 2
After successfully applying the patch to the Magento website, you must verify and test that the addressed vulnerability is resolved completely.
1. Check Patch Files
Check the specific files intended to be modified for the patch you have applied. To perform this, you can follow the below steps:
- Compare the patched files with the original files of the website to ensure the changes are applied correctly.
- Open each modified file and check if the changes mentioned in the patch documentation are present in the file.
- Ensure the modified lines or code sections match the changes specified in the patch. If you find discrepancies, it may indicate an issue with the patch installation.
2. Test for Vulnerabilities
After the patch is installed, test the Magento 2 store against the fixed vulnerability to which you applied the patch.
- Perform some different case scenarios to ensure that they are working properly.
- Check for unusual errors if caused by the patch installation.
Reverting the Security Patch in Magento 2
There must be a case of reverting the security patches in Magento 2 due to any error or critical feature. Follow the below steps to revert the security patch:
- Navigate to the Magento 2 installation root directory.
- Run the following command to revert the same patch.
sh patch_file_name.sh -R
For Example:
sh PATCH_SUPEE-6285_CE_1.9.1.1_v1-2015-07-07-09-03-34.sh -R
You will receive the message “Patch was applied/reverted successfully.”
Post-Patch Tasks Setup in Magento 2
After applying a security patch for Magento 2, you should consider several post-patch tasks to ensure the stability and security of your Magento installation.
1. Enable Magento Cache
After the patch installation, enabling the cache to test and improve your store’s performance is highly recommended.
2. Disable Maintenance Mode
Disable the maintenance mode after installing the patch if you enable it earlier to test the website and resume the customer experience.
Run the following command:
php bin/magento maintenance:disable
3. Test Store Functionality
Test the store functionality, including front-end and back-end features, to ensure the security patch installation hasn’t caused any issues or conflicts with your existing code or extensions. Meanwhile, it is important to monitor the potential security issues in the store.
Look for any unexpected errors, access attempts, or unusual patterns that may indicate a security breach.
Best Practices for Magento Security Patches
Here are some tips you can follow for Magento 2 security patches:
1. Backup Your Store: Before applying any security patch, take a complete backup of your Magento 2 installation, including files and the database.
2. Understand the Patch: Before applying a security patch, thoroughly review the patch documentation provided by Magento. Understand the purpose of the patch, the vulnerabilities it addresses, and any specific instructions or prerequisites for installation.
3. Test in Staging: Always apply patches in a staging environment replicating your live production environment. This allows you to test the patch’s compatibility with your customizations, extensions, and themes without affecting your live site.
4. Clear the Cache: Clear the Magento 2 cache and reindex your store after applying the security patch. This ensures that the patch changes take effect and your store operates with the updated security measures.
5. Review Patch Changes: Make a definitive approach to review your store after applying the new security patch, including integrated third-party applications, and ensure the vulnerability is overcome.
6. Check all Patches: After applying the patch, you can quickly check whether the patch has been applied successfully via https://www.magereport.com/. This is useful for verifying the latest patch and quickly analyzing the vulnerability.
Applying security patches is a crucial task for error detection while installing the patch to ensure that you just need to protect your application.
Summary
Magento releases security and quality patches quarterly for its open-source and Adobe Commerce versions. These patches fix bugs and protect against potential exploits. It’s important to install them to keep your Magento store secure.
The latest version, Magento 2.4.6, has improved performance, accessibility, and security. Vulnerabilities can be found in both old and new versions of the software. Stay proactive in maintaining your Magento security to provide customers with a safe and reliable experience.
Q. What is a security patch in Magento 2?
A. A security patch is a software update or fix that is specifically released to address vulnerabilities or security weaknesses in a software application. Attackers can potentially exploit these vulnerabilities to gain unauthorized access, compromise data, or cause harm to the system.
Q. How to install the security patch Magento 2?
A. Follow the below steps to install the security patch in Magento 2:
- Download the security patch file from the official Magento website or trusted sources.
- Connect to your server using SSH or an FTP client.
- Upload the security patch file to your Magento 2 root directory.
- Once the patch file is uploaded, access your server via SSH.
- Navigate to your Magento 2 root directory using the command prompt or terminal.
- Run the command to apply the security patch. The command typically follows this format: php <patch_file_name>.php
- Wait for the patch to be applied.
- Clear the Magento cache to ensure the changes take effect. You can run the command: bin/magento cache:clean
Q. How to improve Magento 2 security?
A. You can improve Magento 2 security by following these few steps:
- Keep your Magento 2 installation up to date with the latest security patches and updates.
- Use strong and unique passwords for all admin and user accounts.
- Enable two-factor authentication (2FA) for added login security.
- Regularly back up your Magento 2 installation and database.
- Use a secure hosting environment with up-to-date server software.
- Employ a web application firewall (WAF) to help block malicious traffic.
- Use secure protocols (HTTPS) for all website communications.
- Regularly monitor your website for any signs of security breaches or suspicious activities.
- Restrict access to sensitive directories and files on your server.
- Implement secure coding practices and review third-party extensions for vulnerabilities.
Jyotishna Kumari
Jyotishina is the Magento Community Expert at Cloudways and has 4 years of experience in web development. She has worked on e-commerce sites since the turn of the millennium and was working with Magento before version 1 was released. She loves to travel and explore new ideas whenever she finds time. Get in touch with her at [email protected].
