According to the Federal Office for Information Security (BSI), over 6,000 online stores running on Magento platform have been hacked from 2015-17. Even today, hacking a Magento-based website is easy if unpatched or unsecured. Therefore, Magento scanning is the most important task for store owners.

Some of the reasons why Magento gets hacked

  1. Execute code
  2. SQL injection
  3. Directory Traversal
  4. Bypass Something
  5. File Inclusion

Considering the fact that 85% of all the compromised e-commerce is on Magento, the importance of scanning becomes critical. You can protect your Magento store via Internal Scanning and External Scanning.

Internal Scanning

Internal scanning is codebase malware scanning. You can use several free tools to scan your Magento website.

Magento Internal Scanning Tools

Magento Malware Scanner

  • What is it?

An important tool that helps you keep Magento installation secure.

  • How does it work?

You can easily scan a codebase for malware easily.

External Scanning

External scanning is equally important for your Magento. It is necessary to scan your database malware. This is a common attack as the hacker can install malware by simply accessing the admin panel and updating CMS block or “miscellaneous htm”.

How to Perform External Scanning?

  • Download contents of the page via wget
  • Send the returned HTML to Magento malware scanner

Possibilities

Malware not inlined

wget -O will miss the malware if it is referred via a <script> tag. You can use the -p flag to download the “page requisites”. This will catch all the scripts referred via a <script> tag.

Malware Hosted Elsewhere

If the host is different, -p flag won’t download the assets. For downloading, you need to combine it with the -H flag.

Use the -P flag to put everything into one folder.

Malware in CMS

Issue: The Magento malware is in a static block and comes into action when on the checkout page.

Solution: Mpchadwick MwscanUtils. This is an open source and free tool that allows:

Content Dump Endpoint

Send a request to https://www.yourwebsitename.com/mwscanutils/contentdump. It will delete:

  • Content from all CMS pages
  • Content from all CMS blocks
  • Miscellaneous Scripts
  • Miscellaneous HTML

Fetch HTML via wget

You can fetch the HTML for the checkout through wget. The request gets redirected to a session not having any quote items. But if you pass the mwscanutils_force param the page will still be loaded: https://www.yourwebsitename.com/checkout/onepage/index/mwscanutils_force/1

Magereport

You can scan your Magento website with the help of Magereport.

What is it?

Magereport is a free service that scans your Magento shop giving you quick insights on the security status and how to fix vulnerabilities.

How does it work?

It checks all the known vulnerabilities in Magento and also 3rd party extensions.

Bonus tips

  1. While performing external scans, you can use wget’s -q installation to prevent it from making any noise.
  2. Run external scans on a dedicated server (not the ones hosting the Magento installation).

Don’t wait till your Magento Store gets hacked. Get a 30-min FREE consultation with our Magento Expert.

Share This