
Security Checklist

Things to make sure of before redeploying a previously compromised site.

Steps

  • Apply missing patches
  • Remove downloader from project directory
  • Change admin access to something more secure. For how to do it, follow this link
  • Remove magme from project directory
  • Limit access to rss/catalog/notifystock via .htaccess:
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/(index.php/?)?rss/catalog/notifystock [NC]
    RewriteCond %{REMOTE_ADDR} !^199\.19\.114\.221$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=301,L]
    
  • Make sure the project's var folder is not accessible from the web
  • Make sure the images directory cannot execute PHP
  • Move .git folder outside of web root

Useful articles

Ebizmarts Sagepaysuite

If the browser console shows an error like "Uncaught reference: Suite config" (or something similar), the onepagecheckout AJAX "Add order" step will not work. Delete every row from the core_config_data table whose path contains "sagepay":
    DELETE FROM core_config_data WHERE path LIKE '%sagepay%';
This makes the module recreate the configuration data it needs, and the error will probably be gone.

Hardening Nginx configuration

To limit malicious script execution via unknown PHP files, let Nginx pass requests to PHP only for index.php, or for any other scripts you wish to whitelist.

Below, index.php is the only entry point; to whitelist other files, alter the location line to something like location ~ ^/(index\.php|someotherfile\.php|someotherfile2\.php)$

Redacted

If you are not sure which files you should whitelist, the following command lists the PHP files that were actually requested according to the access log:
    cat access.log | cut -d 'T' -f 2 | grep php | grep -v '^ /index.php' | sort -u
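The same idea written as an added example (not code from the original page): a small shell function that pulls the requested PHP entry points out of a combined-format access log, drops the normal /index.php, and prints the rest for review. It assumes the standard Nginx/Apache combined log format, where the request path is the 7th whitespace-separated field, and works on the field rather than splitting on the letter "T" (which misses HEAD requests). The log lines are constructed samples using documentation IP ranges.

```shell
#!/bin/sh
# Added example, not part of the original page: list the PHP entry points that
# were actually requested according to a combined-format access log, excluding
# the normal /index.php, so the rest can be reviewed before being whitelisted.
# Assumes the combined log format (request path = 7th field). Sample lines
# below are constructed, not taken from a real server.

# Usage: php_entrypoints < access.log
# Prints one script path per line (e.g. "/get.php"), sorted and de-duplicated.
php_entrypoints() {
    awk '{
        split($7, part, "?"); path = part[1]          # drop the query string
        if (match(path, /\.php/)) {                    # only requests for PHP scripts
            script = substr(path, 1, RSTART + 3)       # "/get.php/a/b" -> "/get.php"
            if (script != "/index.php") print script   # the expected entry point
        }
    }' | sort -u
}

# Constructed sample log (documentation IPs, no real hosts)
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /index.php/checkout/onepage/saveOrder/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /downloader/index.php?a=1 HTTP/1.1" 403 0 "-" "curl/7.64"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "HEAD /get.php/catalog/product/thumb.jpg HTTP/1.1" 200 0 "-" "curl/7.64"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /media/wysiwyg/cache.php HTTP/1.1" 200 33 "-" "python-requests/2.25"
192.0.2.9 - - [10/Oct/2023:13:57:05 +0000] "GET /skin/frontend/base/default/css/styles.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# Demonstration run on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | php_entrypoints
```

On the sample this prints /downloader/index.php, /get.php and /media/wysiwyg/cache.php. Each of those needs a decision: /get.php is a normal Magento entry point that may belong on the whitelist, the downloader is on the removal list above, and a PHP file under media is exactly the kind of thing the "images directory not PHP executable" step is meant to stop.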

Magento Malware Scanner

Detailed info about this tool is at the Magento Malware Scanner GitHub page.

To run the scan change directory to one level above your web root directory. Then run the commands below:

wget git.io/mwscan.txt
grep -Erlf mwscan.txt /{your-magento-directory}

And wait for malicious files to be flagged up. If nothing is flagged, the scanner found none of its known signatures in your project.
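To see what the grep -Erlf step actually does, here is an added example that is not code from the original page or from the Magento Malware Scanner project. It runs the same kind of pattern-file scan, but against a constructed web root and a constructed one-line pattern file (a stand-in, not the project's mwscan.txt), and it handles the one detail that trips up scripts: grep exits 1 when nothing matches, which is the "clean" case, not an error, while exit status 2 (bad path, unreadable file) still needs to surface.

```shell
#!/bin/sh
# Added example, not part of the original page or of the Magento Malware Scanner
# project: a "grep -Erlf PATTERN_FILE DIRECTORY" scan exercised against a
# constructed tree so it can be tried offline. A real run uses the project's
# mwscan.txt, fetched with wget as shown above; the single regex written here
# is a constructed stand-in, not the project's signature list.

# Usage: scan_tree PATTERN_FILE DIRECTORY
# Prints each matching file, one per line, sorted. Exit status: 0 for both
# "hits" and "no hits" (grep's 1 means clean), grep's own status for errors.
scan_tree() {
    hits=$(grep -Erlf "$1" -- "$2") && status=0 || status=$?
    case $status in
        0) printf '%s\n' "$hits" | sort ;;   # something matched: report it
        1) ;;                                 # nothing matched: clean
        *) return "$status" ;;                # 2 = grep error (bad path etc.)
    esac
}

# Usage: root=$(make_sample_root)  -- builds a throwaway tree, prints its path
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/app/code" "$root/htdocs/media/catalog"
    # Benign file
    printf '<?php\necho "store front";\n' > "$root/htdocs/app/code/Clean.php"
    # Constructed sample carrying a generic obfuscation marker; it does nothing
    printf '<?php\neval(base64_decode($encoded));\n' > "$root/htdocs/media/catalog/Suspicious.php"
    # Constructed pattern file: one extended regex per line, as grep -Ef expects.
    # Kept outside htdocs so the pattern file is not itself scanned.
    printf '%s\n' 'eval\(base64_decode\(' > "$root/patterns.txt"
    printf '%s\n' "$root"
}

# Demonstration run: scan the constructed web root, then clean up
root=$(make_sample_root)
echo "Flagged files:"
scan_tree "$root/patterns.txt" "$root/htdocs"
rm -rf "$root"
```

Only media/catalog/Suspicious.php is flagged; scanning the app subtree alone prints nothing and still exits 0, so the function is safe to call from a script that runs with set -e. Note that grep -Erlf is run one level above the web root for the same reason the pattern file is kept outside htdocs: the scanner's own files should not be among the inputs.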