Magento Critical Security Patches & 403 errors
Posted by Rick G. on 03 May 2015 09:34 PM

If you have been redirected to this page please read this important article.

As we have previously announced on multiple occasions, a major exploit, now coined "ShopLift", has been made public. Crucial Hosting, as well as Magento, announced the urgency of applying the latest security patches immediately.

Regretfully, a portion of our customers have still not applied the latest security patches, leaving their stores vulnerable to this attack.

In order to protect our customers' Magento installations, we have put security rules in place which reduce the risk to un-patched stores. Without these restrictions, hundreds of stores would be exploited on a daily basis.

Even if you have already applied the appropriate security patches to your Magento installation, the security rules we have put in place will still block access to some pages you may use.

If you have been redirected to this page, this is likely applicable to your installation.

If you change your Magento admin area from the default /admin path, the rule we have put in place will not affect you. To change your Magento admin URL, follow these steps.

1. In your Magento installation edit the app/etc/local.xml file

2. Save a copy of this file first, so that you can put the original back in place if something goes wrong

3. Look for the following section

<admin>
    <routers>
        <adminhtml>
            <args>
                <frontName><![CDATA[admin]]></frontName>
            </args>
        </adminhtml>
    </routers>
</admin>

Change the following line to something other than 'admin'. Anything will work - for example, 'xlogin'. This makes it far more difficult for an attacker to guess your admin login URL, which is also the attack vector of the ShopLift exploit.

<frontName><![CDATA[admin]]></frontName>

4. Once this change has been made and the local.xml file has been saved, you need to flush the Magento cache, or delete the contents of the var/cache directory, for the change to take effect.

If you have followed the directions above, you can now access your Magento backend at the following URL, and you will find that you are no longer redirected to this page when accessing your Magento Admin WYSIWYG editor.

http://www.your-domain.com/xlogin/
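The four steps above, carried out as one script. This is an added example, not Crucial Hosting's or Magento's own tooling: it backs up app/etc/local.xml, rewrites the frontName value, and empties var/cache. It assumes the Magento root directory is passed as the first argument and the new frontName as the second, and it only accepts names made of letters, digits, '_' and '-' so the value cannot break the XML or the URL path. The local.xml used when you run it is your own; the function names and the backup suffix are this example's choices.

```shell
#!/bin/sh
# Added example (not from the article, Crucial Hosting or Magento):
# change the Magento admin frontName in app/etc/local.xml and flush the cache.

# Usage: change_admin_frontname <magento_root> <new_front_name>
change_admin_frontname() {
  root="$1"
  newname="$2"
  cfg="$root/app/etc/local.xml"

  # Refuse an empty name, the default 'admin', or characters outside a safe set.
  case "$newname" in
    ""|admin)
      echo "refusing: frontName must be set and must not be 'admin'" >&2
      return 1 ;;
    *[!A-Za-z0-9_-]*)
      echo "refusing: frontName may only contain A-Z a-z 0-9 _ -" >&2
      return 1 ;;
  esac

  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }

  # Step 2 of the article: keep a timestamped backup before touching the file.
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"

  # Step 3: rewrite the CDATA value of <frontName>. A standard local.xml has
  # exactly one <frontName>, the one under <adminhtml><args>, so a plain
  # substitution is enough here.
  sed -i.tmp "s#<frontName><!\[CDATA\[[^]]*]]></frontName>#<frontName><![CDATA[$newname]]></frontName>#" "$cfg"
  rm -f "$cfg.tmp"

  # Step 4: delete the contents of var/cache so the router picks up the new path.
  if [ -d "$root/var/cache" ]; then
    find "$root/var/cache" -mindepth 1 -delete
  fi
}

# Print the frontName currently configured, so the change can be verified.
current_admin_frontname() {
  sed -n 's#.*<frontName><!\[CDATA\[\([^]]*\)]]></frontName>.*#\1#p' "$1/app/etc/local.xml" | head -n 1
}

# When run directly with two arguments, apply the change and show the result.
if [ "$#" -eq 2 ]; then
  change_admin_frontname "$1" "$2"
  echo "admin frontName is now: $(current_admin_frontname "$1")"
fi
```

After running it, confirm with current_admin_frontname that the value is what you expect and that the old /admin path returns a 404 before you rely on the new URL; the backup file next to local.xml is what you restore if the store misbehaves.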

Crucial Hosting's Paid Support department can apply both critical security patches for you, as well as change your admin URL, for a one-time service fee of $100. Simply open a ticket with our "Paid Support" department with your request and we'll schedule this work for you as soon as possible. There is no downtime associated with applying the patches or changing the admin URL.

Regardless of whether you change the admin URL, you must apply the critical security patches to all versions of the Magento software; otherwise it is only a matter of time before your website is exploited.
